Edit tour

Windows Analysis Report
recibatt- 533152.msi

Overview

General Information

Sample name:	recibatt- 533152.msi
Analysis ID:	1550807
MD5:	11105a08f6af4e6a60e108b3b9bb0c88
SHA1:	c94c02c332c4afe0e31535715dfb84ad4a616469
SHA256:	c5aafe04e4c9245071fe974fe6642ca5378a6aaeba5bdda794849dd81b7b17c6
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 3632 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\recibatt- 533152.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 764 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5088 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 15497AE5CC6D6E4EC5CBD7A95A3BBC9F MD5: 9D09DC1EDA745A5F87553048E57620CF)

WebExperienceHostApp.exe (PID: 3892 cmdline: "C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe" MD5: 53AB9B8198E8AD8D3A043F40E72B1AB1)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T08:09:26.406228+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.6	49752	TCP
2024-11-07T08:10:05.950434+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.6	60005	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Aplication_files\vcruntime140_1_app.dll

ReversingLabs: Detection: 33%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.7% probability

Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdb source: vcomp140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\vccorlib140_app.amd64.pdb source: vccorlib140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\msvcp140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmp, msvcp140_app.dll.2.dr
Source:	Binary string: WebExperienceHostApp.pdb&& source: WebExperienceHostApp.exe, 00000004.00000000.2143737432.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmp, WebExperienceHostApp.exe, 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmp, WebExperienceHostApp.exe.2.dr
Source:	Binary string: WebExperienceHostApp.pdb source: WebExperienceHostApp.exe, 00000004.00000000.2143737432.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmp, WebExperienceHostApp.exe, 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmp, WebExperienceHostApp.exe.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\vccorlib140_app.amd64.pdbGCTL source: vccorlib140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcruntime140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmp, vcruntime140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdbGCTL source: vcomp140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcamp140_app.amd64.pdb source: vcamp140_app.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: recibatt- 533152.msi, MSI1367.tmp.2.dr, MSI124A.tmp.2.dr, MSI12B8.tmp.2.dr, MSI12E8.tmp.2.dr, MSI1327.tmp.2.dr, 711101.msi.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcamp140_app.amd64.pdbGCTL source: vcamp140_app.dll.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: 4_2_00007FFD9373A230 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,

4_2_00007FFD9373A230

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49752
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:60005

Source: WebExperienceHostApp.exe, WebExperienceHostApp.exe, 00000004.00000002.2144871459.000000006057F000.00000020.00000001.01000000.00000005.sdmp, vcruntime140_1_app.dll.2.dr

String found in binary or memory: https://dumperbr.blob.core.windows.net/brastop/brasil.zip

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\711101.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI124A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12B8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12E8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1327.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1367.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{9295EB37-D0C2-4849-8522-3C24732E7204}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI13C6.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI124A.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93742430	4_2_00007FFD93742430
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93749C50	4_2_00007FFD93749C50
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9374B3A0	4_2_00007FFD9374B3A0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93763300	4_2_00007FFD93763300
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93746B3C	4_2_00007FFD93746B3C
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9373FA60	4_2_00007FFD9373FA60
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9375BA60	4_2_00007FFD9375BA60
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93755290	4_2_00007FFD93755290
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9373B2C8	4_2_00007FFD9373B2C8
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93754A10	4_2_00007FFD93754A10
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD937669A0	4_2_00007FFD937669A0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9376C0E8	4_2_00007FFD9376C0E8
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93751120	4_2_00007FFD93751120
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9373E8D0	4_2_00007FFD9373E8D0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9376C7E0	4_2_00007FFD9376C7E0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD937657E0	4_2_00007FFD937657E0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93763808	4_2_00007FFD93763808
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93765010	4_2_00007FFD93765010
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9374E810	4_2_00007FFD9374E810
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9376A038	4_2_00007FFD9376A038
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD937497A0	4_2_00007FFD937497A0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9373D7B0	4_2_00007FFD9373D7B0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD937467BC	4_2_00007FFD937467BC
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9375AFD0	4_2_00007FFD9375AFD0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93757714	4_2_00007FFD93757714
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93755F40	4_2_00007FFD93755F40
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9374D660	4_2_00007FFD9374D660
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93751680	4_2_00007FFD93751680
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9373C6B0	4_2_00007FFD9373C6B0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9376FEBA	4_2_00007FFD9376FEBA
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93754E50	4_2_00007FFD93754E50
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9374C500	4_2_00007FFD9374C500
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9376AD0C	4_2_00007FFD9376AD0C
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93746464	4_2_00007FFD93746464
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD93752CA0	4_2_00007FFD93752CA0
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFDA46D7238	4_2_00007FFDA46D7238

Source: recibatt- 533152.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs recibatt- 533152.msi

Source: classification engine

Classification label: mal52.winMSI@6/30@0/0

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: 4_2_00007FFD9373A690 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn,

4_2_00007FFD9373A690

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML1509.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFF570B2719849D4C8.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\recibatt- 533152.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15497AE5CC6D6E4EC5CBD7A95A3BBC9F
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15497AE5CC6D6E4EC5CBD7A95A3BBC9F	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Section loaded: execmodelproxy.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32

Jump to behavior

Source: recibatt- 533152.msi

Static file information: File size 5582848 > 1048576

Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdb source: vcomp140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\vccorlib140_app.amd64.pdb source: vccorlib140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\msvcp140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmp, msvcp140_app.dll.2.dr
Source:	Binary string: WebExperienceHostApp.pdb&& source: WebExperienceHostApp.exe, 00000004.00000000.2143737432.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmp, WebExperienceHostApp.exe, 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmp, WebExperienceHostApp.exe.2.dr
Source:	Binary string: WebExperienceHostApp.pdb source: WebExperienceHostApp.exe, 00000004.00000000.2143737432.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmp, WebExperienceHostApp.exe, 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmp, WebExperienceHostApp.exe.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\vccorlib140_app.amd64.pdbGCTL source: vccorlib140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcruntime140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmp, vcruntime140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdbGCTL source: vcomp140_app.dll.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcamp140_app.amd64.pdb source: vcamp140_app.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: recibatt- 533152.msi, MSI1367.tmp.2.dr, MSI124A.tmp.2.dr, MSI12B8.tmp.2.dr, MSI12E8.tmp.2.dr, MSI1327.tmp.2.dr, 711101.msi.2.dr
Source:	Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcamp140_app.amd64.pdbGCTL source: vcamp140_app.dll.2.dr

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: 4_2_00007FF67CFC2AA0 RoGetActivationFactory,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,RoGetActivationFactory,LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_00007FF67CFC2AA0

Source: vcruntime140_app.dll.2.dr	Static PE information: section name: _RDATA
Source: vcruntime140_1_app.dll.2.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9376D180 pushfq ; retf 0000h		4_2_00007FFD9376D181
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Code function: 4_2_00007FFD9376F6C4 pushfq ; ret		4_2_00007FFD9376F6C5

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1327.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Aplication_files\vccorlib140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1367.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Aplication_files\vcruntime140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Aplication_files\vcomp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Aplication_files\msvcp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Aplication_files\vcruntime140_1_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12E8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI124A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Aplication_files\vcamp140_app.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1327.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1367.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12E8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI124A.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1327.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Aplication_files\vccorlib140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI12B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1367.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Aplication_files\vcomp140_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI12E8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI124A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Aplication_files\vcamp140_app.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

API coverage: 1.4 %

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: 4_2_00007FFD9373A230 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,

4_2_00007FFD9373A230

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: 4_2_00007FF67CFC40E0 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

4_2_00007FF67CFC40E0

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: 4_2_00007FF67CFC2AA0 RoGetActivationFactory,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,RoGetActivationFactory,LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_00007FF67CFC2AA0

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: 4_2_00007FF67CFC6840 GetProcessHeap,HeapFree,

4_2_00007FF67CFC6840

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: ___lc_locale_name_func,GetLocaleInfoEx,

4_2_00007FFD9375FAE0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Code function: 4_2_00007FF67CFC1954 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF67CFC1954

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
recibatt- 533152.msi	0%	ReversingLabs
recibatt- 533152.msi	2%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Aplication_files\msvcp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Aplication_files\msvcp140_app.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Aplication_files\vcamp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Aplication_files\vcamp140_app.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Aplication_files\vccorlib140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Aplication_files\vcomp140_app.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Aplication_files\vcruntime140_1_app.dll	33%	ReversingLabs	Win64.Trojan.SpywareX
C:\Users\user\AppData\Local\Aplication_files\vcruntime140_app.dll	0%	ReversingLabs
C:\Windows\Installer\MSI124A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI12B8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI12E8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1327.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1367.tmp	0%	ReversingLabs

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550807
Start date and time:	2024-11-07 08:08:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	recibatt- 533152.msi
Detection:	MAL
Classification:	mal52.winMSI@6/30@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Aplication_files\msvcp140_app.dll	2024.0198840 298135.msi	Get hash	malicious	Unknown	Browse
	hForm.0198840 739798.msi	Get hash	malicious	Unknown	Browse
	ust_019821730-0576383.msi	Get hash	malicious	Unknown	Browse
	Br_i421i2-2481-125_754864.msi	Get hash	malicious	Unknown	Browse
	181_960.msi	Get hash	malicious	Unknown	Browse
	232_786.msi	Get hash	malicious	Unknown	Browse
	zHsIxYcmJV.msi	Get hash	malicious	Unknown	Browse
	18847_9.msi	Get hash	malicious	Unknown	Browse
	pdfmensla29189205823825.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe	2024.0198840 298135.msi	Get hash	malicious	Unknown	Browse
	hForm.0198840 739798.msi	Get hash	malicious	Unknown	Browse
	ust_019821730-0576383.msi	Get hash	malicious	Unknown	Browse
	Br_i421i2-2481-125_754864.msi	Get hash	malicious	Unknown	Browse
	181_960.msi	Get hash	malicious	Unknown	Browse
	232_786.msi	Get hash	malicious	Unknown	Browse
	zHsIxYcmJV.msi	Get hash	malicious	Unknown	Browse
	18847_9.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\711103.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	2935
Entropy (8bit):	5.591557707688313
Encrypted:	false
SSDEEP:	48:doA3UAAARsKc8h5JTt1/joFAPfMHlM+6wOoAqAIpHLFLWZqLRJdAzjAX6GAqAjA4:dVyAy/A5r18FAPUHl/DAvi6yAN
MD5:	A9864C632C48258788AA5095B264CF88
SHA1:	B6F99BACBD9C9BBC2BE35C8CF21E574E74A34143
SHA-256:	D5E70E0B18907177F121A4629830AAA6EDCA3766B7F5D9485CC6CDE3A2D76D09
SHA-512:	C253A391D38BA95A3740CEA1638A55941C8E5BAAC335012AC312C5FF2BE8BC19D94C5022BD49E231450178CFFFD3D590ADA6973FB7FBE8BBCD2BBF8AC8ED0545
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@%.gY.@.....@.....@.....@.....@.....@......&.{9295EB37-D0C2-4849-8522-3C24732E7204}#.Download do Adobe Acrobat Reader DC..recibatt- 533152.msi.@.....@.....@.....@........&.{E6B9894C-DC78-4FA5-8EA1-84A7EA523557}.....@.....@.....@.....@.......@.....@.....@.......@....#.Download do Adobe Acrobat Reader DC......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{F9FE1C61-2153-4A73-8BB0-34860E521A0E}&.{9295EB37-D0C2-4849-8522-3C24732E7204}.@......&.{FDDFCF6B-7820-4D71-B1DC-47547F9EC123}&.{9295EB37-D0C2-4849-8522-3C24732E7204}.@......&.{8C847FF7-2577-404B-9C97-418D9AB92486}&.{9295EB37-D0C2-4849-8522-3C24732E7204}.@......&.{279D4CFC-343D-4108-A357-FD8FE3BE41F9}&.{9295EB37-D0C2-4849-8522-3C24732E7204}.@......&.{8A98CBD9-FB2E-4EB2-AEC6-E267618B3896}&.{9295EB37-D0C2-4849-8522-3C24732E7204}.@......&.{50BBD372-76BD-493F-AAA5-B9D4757EF233}&.{9295EB37-D0C2-4849-8

C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55808
Entropy (8bit):	5.776679906561504
Encrypted:	false
SSDEEP:	1536:11fhFN4g5OkVtgaUFAUoBMmDxdgUhpzz:1RhL5RAFADTxzz
MD5:	53AB9B8198E8AD8D3A043F40E72B1AB1
SHA1:	51F27E895808A806D2EA7F22CD91C50C4C7CDF5F
SHA-256:	1E9CD852EF2E7233E12090ED41BA99019D533CC07EDADFE5095CD0DDACC4FC1E
SHA-512:	7A7FE0BA46A92D0A5CE8A1ABFBEE97BA8F5EA3A7F8898D1DE6024ECC3C3209F159FB76B11B08B7ECAA6F152DEE974BD68316A06485E8CA6EE14EBC8C63DBC6FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 2024.0198840 298135.msi, Detection: malicious, Browse Filename: hForm.0198840 739798.msi, Detection: malicious, Browse Filename: ust_019821730-0576383.msi, Detection: malicious, Browse Filename: Br_i421i2-2481-125_754864.msi, Detection: malicious, Browse Filename: 181_960.msi, Detection: malicious, Browse Filename: 232_786.msi, Detection: malicious, Browse Filename: zHsIxYcmJV.msi, Detection: malicious, Browse Filename: 18847_9.msi, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a.r.2.r.2.r.2U..3.r.2U..3.r.2U..3.r.2U..3.r.2..d2.r.2.r.2.r.2...3.r.2...2.r.2...3.r.2Rich.r.2................PE..d...Gg.d.........."..........Z.................@............................. ......@\....`............................................................................................p...............................8............................................text...\........................... ..`.rdata...8.......:..................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Aplication_files\msvcp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	571168
Entropy (8bit):	6.509615420946833
Encrypted:	false
SSDEEP:	12288:tZeEtnsE9Diw9NF9WPz81b5q1ilJpr8hpEygKlvwWAIQEKZm+jWodEEVTJd34/:tZe6yg7LIQEKZm+jWodEEJJdc
MD5:	15DD460E592E59C2CE7F553328739DFC
SHA1:	BA2BAB7649C7FBC18E3FF38B71368839A5588657
SHA-256:	F7F46F09AA38B6FAA5DBFD2B192EB9A5D63E9D5EEC482624FC20E6686F59098D
SHA-512:	31330DB59F930C4E2923074FFC6ED051D68916B3F7EFD09EDD11B7E51A0F58BB6DDC576F306FF2195E717A1B5B44316A3A7B11FE4C9E17BEC255EA8E8068F0DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 2024.0198840 298135.msi, Detection: malicious, Browse Filename: hForm.0198840 739798.msi, Detection: malicious, Browse Filename: ust_019821730-0576383.msi, Detection: malicious, Browse Filename: Br_i421i2-2481-125_754864.msi, Detection: malicious, Browse Filename: 181_960.msi, Detection: malicious, Browse Filename: 232_786.msi, Detection: malicious, Browse Filename: zHsIxYcmJV.msi, Detection: malicious, Browse Filename: 18847_9.msi, Detection: malicious, Browse Filename: pdfmensla29189205823825.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P.p.1h#.1h#.1h#.I.#.1h#.1i#91h#,Fi".1h#,Fl".1h#,Fk".1h#,Fm".1h#,Fh".1h#,F.#.1h#,Fj".1h#Rich.1h#........................PE..d.....Za.........." .....@...X......./..............................................=T....`Q.........................................4..@...@................p...9...... 7......0......T...........................0...8............P...............................text....>.......@.................. ..`.rdata..D....P.......D..............@..@.data... 9...0......................@....pdata...9...p...:...8..............@..@.rsrc................r..............@..@.reloc..0............v..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Aplication_files\vcamp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	397664
Entropy (8bit):	6.3562644384745655
Encrypted:	false
SSDEEP:	6144:9fLtIx4FFDinA8Jh9XFHG/s9yrFp28s0C0KJ9fBIv9wCOfeC61S9HIl:xi6FFDaA+XVG/s9yrFpBGJtKwCJeIl
MD5:	71B3CACB316C4AEDDC8CE2D82FEA307A
SHA1:	883D5ACD1E14C85C1BA7B793F74E03C0FACD0684
SHA-256:	8768E0E8C9BD1670D7896E2968E70810AF822B461439DE7453B2E5873BFB3A00
SHA-512:	274424A039919DFC5510462D9D129550DB5D5BED1C735496D24CAC96EE1DE798BDB1DD832804DEEBD81307DCF1D6A778275262BC7F6E9E498AB1F751CAA20BBB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,h..h...h...h....y..n....fw.j...aq..H...h........~..a....~..s....~..`....~..l....~..d....~..i....~u.i...h...i....~..i...Richh...........................PE..d.....Za.........." .........B......0A.......................................0......Y.....`Q........................................0...08..`P..........`$.......5......`1... ..(...\|#..T....................%..(....#..8............................................text............................... ..`.rdata..............................@..@.data...X3...p...,...P..............@....pdata...5.......6...\|..............@..@.rsrc...`$.......&..................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Aplication_files\vccorlib140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	333088
Entropy (8bit):	5.973829257868023
Encrypted:	false
SSDEEP:	6144:Azdy9XA1tDhdU+XbrzZSW1t9o7VUI0ltsT:Ao9W3dPXb4SHoKts
MD5:	900E194755EE739953D15C29E7E692E9
SHA1:	1DE7533C302EABA2CE0D5C09204228522824B723
SHA-256:	594BABC5ED05826AAF2AEC0750BE135EFF2876C9B941D2E99B6B1E278073C96A
SHA-512:	3DD25BD5EC4746A74A14B399A469B0C7ACEC0BC9222800841AFF6E92616D2FBB43DDB2FB7F5EE33D58FED45A00CF8B4931B04D4C07699BD30F1780E9D82BB6A4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5..q...q...q...x...]...q..........v......k......y......u......`......p.....v.p......p...Richq...........PE..d.....Za.........." .....t...v.......s....................................... ............`Q.............................................>.............................. /..............T...............................8............................................text...vs.......t.................. ..`.rdata..l............x..............@..@.data........ ......................@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Aplication_files\vcomp140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61960
Entropy (8bit):	6.313785957582955
Encrypted:	false
SSDEEP:	1536:FzxzJ+xpDMmwsLMFD0WfLSxwKoUhw/1Yd5ZkD:FzxzJQpDHwQMFD0WuwKoUG/i2D
MD5:	E3FC37B45BA6D33AFACC2B26F935D442
SHA1:	805241C0C6AE7745A2CEBDFE8F8FABA3E5EAA0FA
SHA-256:	1187781D8AE000F52FDD0B1F69C46EE680CE18CC8934D107CB96456CDDC0B737
SHA-512:	3E63CDD375644A77C5951CD087443688C2F7573D6DB3BCE28600DB89F86E398C693B0B6EB24ABF96FD50162265D184B8CCA4AC74A7E5222CB0FB2D1B50B66D4C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)c..)c..)c.. ...1c..)c...c......*c......,c....../c......,c......'c......(c....{.(c......(c..Rich)c..................PE..d.....Za.........." .....x...`.......b....................................... ......[.....`Q........................................@..........................(........&......$.......T...............................8............................................text....w.......x.................. ..`.rdata..n........0...\|..............@..@.data...............................@....pdata..(...........................@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Aplication_files\vcruntime140_1_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12441088
Entropy (8bit):	6.190667472308874
Encrypted:	false
SSDEEP:	98304:gizfGfD+QuWERJKi8dE0bFzOP0eCTXfligzJC:tfaDhyRJKiz0bROEXfD
MD5:	2BAD29EEEF537AB4156D51FD469D37EC
SHA1:	FA4AB3DCDCD7482618ADE2BD7CF6DFFA07B57BA5
SHA-256:	CA2832FB349D18556F198F673B2E32783F8384732DCB0E4111780B3956D52ED0
SHA-512:	261339E50E8CC7B4D84A70B4E031374D34A77A4C70274561AE6613F412215F39EF6649CC4901B6843088DA9E42EAD33FF38B4966DD16A031020330908FDB8D74
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d....Rse.........." ......}...@..... .\|.......@..............................P............`.......................... ..........................h4... ...&'......\..............\|.......................................................h....P..(....................text... .}.......}................. ..`.data...h.....}.......}.............@....bss.....................................idata..h4.......6.................@....didata.(....P......................@....edata..............................@..@.rdata..E...........................@..@.reloc..\|...........................@..B.pdata...\.......^...R..............@..@.rsrc....&'.. ...&'.................@..@.............P.....................@..@........................................

C:\Users\user\AppData\Local\Aplication_files\vcruntime140_app.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97632
Entropy (8bit):	6.409755640490607
Encrypted:	false
SSDEEP:	1536:upMm/eng35aehvWy3YevkYdmBaNBkKh8ehNK7TT0ecbe+4Z9Vvl:u2W9Lv9dVN1h8eLK7TwecbeVZDN
MD5:	27F73C8DAA6DF0A0769FBC0F28D2E955
SHA1:	A4FD3745C70C8C10D0DCCB9E2B56786D58BA7049
SHA-256:	FFF797E284CC21447515C478D1F97B89EFB2A49A6CCEF7D7F94B4DF76B5789DF
SHA-512:	B9A0823E42A57187838D5B10C169E2CC3A586AC92EAB82E4F915A83623131BA23E6D43C01E2356995AB7A94414DBB58D104BCC7966E5A5FC321F3EBD6CBD3663
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F..~...~...~......~.......~.}.}...~.}.z...~.}.{...~.}.~...~.}.....~.}.\|...~.Rich..~.........................PE..d.....Za.........." .........b............................................................`Q........................................`A..8....I..,............p.......V..`'..........(+..T............................+..8...............h............................text............................... ..`.rdata..D@.......B..................@..@.data........`.......<..............@....pdata.......p.......@..............@..@_RDATA...............L..............@..@.rsrc................N..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................

C:\Windows\Installer\711101.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {E6B9894C-DC78-4FA5-8EA1-84A7EA523557}, Number of Words: 10, Subject: Download do Adobe Acrobat Reader DC, Author: Adobe Acrobat Reader DC, Name of Creating Application: Download do Adobe Acrobat Reader DC, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Download do Adobe Acrobat Reader DC., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 8 17:32:11 2023, Number of Pages: 200
Category:	dropped
Size (bytes):	5582848
Entropy (8bit):	7.858382469808083
Encrypted:	false
SSDEEP:	98304:j+XJVn3iZ6UWWriB1xZ3i0RG9GnPKYc08KUS0+R5ltTX4kfkoMBI7EutfSLHS:ihiqyiPry0OGnDJUSbR5XLhOI7Epr
MD5:	11105A08F6AF4E6A60E108B3B9BB0C88
SHA1:	C94C02C332C4AFE0E31535715DFB84AD4A616469
SHA-256:	C5AAFE04E4C9245071FE974FE6642CA5378A6AAEBA5BDDA794849DD81B7B17C6
SHA-512:	3FDF3E1C52A54EF7755B9C3A1FE96BDC47F929F7829FCFA93219B1B648C4F7859BB5944A3BBA55025F6C92973BB63428041FA0B5ECE2D3FA8EBFF55BF0074438
Malicious:	false
Preview:	......................>...................V...................................F.......b.......o...............................................{...\|...}...~...............................................................................................................................................................................................................................................................................................................................................................................................#...4........................................................................................... ...!..."...-...2...%...&...'...(...)...*...+...,.........../...0...1...5...3...<...?...6...7...8...9...:...;...E...=...>.......@...A...B...C...D...............H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI124A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI12B8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI12E8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1327.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1367.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI13C6.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3955
Entropy (8bit):	5.4918013037565885
Encrypted:	false
SSDEEP:	48:MoA3UAAA4HAqAhAqAYZ+iSvkW/CTtHY/joKCw+q3dAK/yy+RAqAGbrV6kuL47AXo:MVyAHQ82AK8Pwk57i6b0Ar
MD5:	BC4D737F8E0F0338E0DA2BB361C3EE9D
SHA1:	D9226CB6B066F86FFD195842C691BE574FD8D888
SHA-256:	35CB48BD8EB07A5DB31D8922AD9F4E5D5C2E8703986E3D73C015CFAE6D0E3DC1
SHA-512:	FD753D1EA8F55FF1CA141681A0EC4EF171524D5CBA2B3D61EE04E707E99AD7DDF2EE2194EF2B1E47010B1887BBC79A82B241CD98E2F223F20DE752D19CBC803B
Malicious:	false
Preview:	...@IXOS.@.....@%.gY.@.....@.....@.....@.....@.....@......&.{9295EB37-D0C2-4849-8522-3C24732E7204}#.Download do Adobe Acrobat Reader DC..recibatt- 533152.msi.@.....@.....@.....@........&.{E6B9894C-DC78-4FA5-8EA1-84A7EA523557}.....@.....@.....@.....@.......@.....@.....@.......@....#.Download do Adobe Acrobat Reader DC......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{F9FE1C61-2153-4A73-8BB0-34860E521A0E}P.01:\Software\Adobe Acrobat Reader DC\Download do Adobe Acrobat Reader DC\Version.@.......@.....@.....@......&.{FDDFCF6B-7820-4D71-B1DC-47547F9EC123}..C:\Users\Public\Documents\.@.......@.....@.....@......&.{8C847FF7-2577-404B-9C97-418D9AB92486}^.C:\Users\user\AppData\Roaming\Adobe Acrobat Reader DC\Download do Adobe Acrobat Reader DC\.@.......@.....@.....@......&.{279D4CFC-343D-4108-A357-FD8FE3BE41F9}A.C:\Users\user

C:\Windows\Installer\SourceHash{9295EB37-D0C2-4849-8522-3C24732E7204}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1669326359554415
Encrypted:	false
SSDEEP:	12:JSbX72Fj1aAGiLIlHVRp3h/7777777777777777777777777vDHFG0Ec3AjIY1lN:JCQI5zE0U8F
MD5:	BCDFC96311004CB7314441ACDA010FCC
SHA1:	DE8DDE0292E1503544005633E17E28A7ADAF198B
SHA-256:	FC45C7033112DDA1D4A0D9E5DDE9A4C036E4A7735788FD22BEF25B92ED92DE5A
SHA-512:	D1AF629D4F1288D93BF48FDE472C742DC1AC52BD0312E0AFC1D8A105915BBF2EC08E1EF0222B405DB74433AF3E122D75CE2F16EE7A0486F6678D0EFD41006569
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6220676228287565
Encrypted:	false
SSDEEP:	48:88PhTuRc06WXJmjT5cU/DxVZVISNVZVKAEbCyRvBMVZVISNVZVAT/Q:ThT19jTSU/PLIaLRwCQ8LIaLc
MD5:	FEC104096935A5B05414276358DC79C2
SHA1:	EDE075FB1222B46A8798B5658949D985D817F4E8
SHA-256:	E0F1DB534186B50D9C688564A8F885DFD15162EBD2CF2056452B7B22417099A2
SHA-512:	19D296C1D357DAA0760150A1E23120547BE12588F3DB46D9F8766A67B45EC6D4D89CF32F3AB92B6A0CBF021D35983B2575D424AB6C0215024C0B6299243D381F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360000
Entropy (8bit):	5.362993793540055
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau6:zTtbmkExhMJCIpEV
MD5:	C2CA1F5208747A92A9C9A13026ED788E
SHA1:	5028983E1D35A1A8E9648C851519BD156271272D
SHA-256:	76DC09AB8CFFEB1601E768DFF618F2C1158B774F8C45D9D1957E22741488DC67
SHA-512:	13DE0BB1A70B22147B2BCE80C3DB8DF13D49D46C3BDB77AF2F6B8C5FCB2EED0CD53DC2C9441CF4CB2EE2BD02E63716F3447329391BEFAF97A8CA93C59417A352
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF3A86FBC234ACA344.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF446ED56DE899A873.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07410766463530244
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOGU8uEUdR3AjlHkYVky6lYt/:2F0i8n0itFzDHFG0Ec3AjIY1
MD5:	A431980C7B69C73EDA8EEF6CD8D3CC8A
SHA1:	982F67D19E56F7890BEF6015A33A02F77E112D1A
SHA-256:	2662AFA0C219BE3AE767E9C92909D60D0940F14D72520F1116D4C5377EB21375
SHA-512:	16310A2290B5C858239FC564890A69FE10842F56E68D58275A35F03919FC4FF7FC1D8ECAD3F8A980DA5B36A9DC562239ECCB0E8959D546BCA00FEE07F195A84D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4693D6F38400A101.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2967794648603375
Encrypted:	false
SSDEEP:	48:QeLusrI+CFXJBT5VbU/DxVZVISNVZVKAEbCyRvBMVZVISNVZVAT/Q:HLXOpTjbU/PLIaLRwCQ8LIaLc
MD5:	7AA9ED3D9E100CB7B8B4E5748FD6D4EF
SHA1:	B8D3FC5547F047FBA2C07A7AA1FE3C5E2E83988E
SHA-256:	63C115BFBEC0281177BFE5877BA80DB35D128E9D4ADF5678CF2433E085304D4C
SHA-512:	51B1B31D227274A41619A5C40935626E50009A07215498B1C36D52ED65B5D2E9A3D44FB52BDE0077CC2E9D4D772CEAF652040D43E9761BFCF06B359BFDE9796C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF485036A346646AA1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2967794648603375
Encrypted:	false
SSDEEP:	48:QeLusrI+CFXJBT5VbU/DxVZVISNVZVKAEbCyRvBMVZVISNVZVAT/Q:HLXOpTjbU/PLIaLRwCQ8LIaLc
MD5:	7AA9ED3D9E100CB7B8B4E5748FD6D4EF
SHA1:	B8D3FC5547F047FBA2C07A7AA1FE3C5E2E83988E
SHA-256:	63C115BFBEC0281177BFE5877BA80DB35D128E9D4ADF5678CF2433E085304D4C
SHA-512:	51B1B31D227274A41619A5C40935626E50009A07215498B1C36D52ED65B5D2E9A3D44FB52BDE0077CC2E9D4D772CEAF652040D43E9761BFCF06B359BFDE9796C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF76A60FBCE0F23EC4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8D1E4238889C8842.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6220676228287565
Encrypted:	false
SSDEEP:	48:88PhTuRc06WXJmjT5cU/DxVZVISNVZVKAEbCyRvBMVZVISNVZVAT/Q:ThT19jTSU/PLIaLRwCQ8LIaLc
MD5:	FEC104096935A5B05414276358DC79C2
SHA1:	EDE075FB1222B46A8798B5658949D985D817F4E8
SHA-256:	E0F1DB534186B50D9C688564A8F885DFD15162EBD2CF2056452B7B22417099A2
SHA-512:	19D296C1D357DAA0760150A1E23120547BE12588F3DB46D9F8766A67B45EC6D4D89CF32F3AB92B6A0CBF021D35983B2575D424AB6C0215024C0B6299243D381F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCFBA0D4EAFFE3299.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD441F4492135CBC4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD7F8DAA78953787C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE4B751A4FC4156EA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2967794648603375
Encrypted:	false
SSDEEP:	48:QeLusrI+CFXJBT5VbU/DxVZVISNVZVKAEbCyRvBMVZVISNVZVAT/Q:HLXOpTjbU/PLIaLRwCQ8LIaLc
MD5:	7AA9ED3D9E100CB7B8B4E5748FD6D4EF
SHA1:	B8D3FC5547F047FBA2C07A7AA1FE3C5E2E83988E
SHA-256:	63C115BFBEC0281177BFE5877BA80DB35D128E9D4ADF5678CF2433E085304D4C
SHA-512:	51B1B31D227274A41619A5C40935626E50009A07215498B1C36D52ED65B5D2E9A3D44FB52BDE0077CC2E9D4D772CEAF652040D43E9761BFCF06B359BFDE9796C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF55BA998BE25A171.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6220676228287565
Encrypted:	false
SSDEEP:	48:88PhTuRc06WXJmjT5cU/DxVZVISNVZVKAEbCyRvBMVZVISNVZVAT/Q:ThT19jTSU/PLIaLRwCQ8LIaLc
MD5:	FEC104096935A5B05414276358DC79C2
SHA1:	EDE075FB1222B46A8798B5658949D985D817F4E8
SHA-256:	E0F1DB534186B50D9C688564A8F885DFD15162EBD2CF2056452B7B22417099A2
SHA-512:	19D296C1D357DAA0760150A1E23120547BE12588F3DB46D9F8766A67B45EC6D4D89CF32F3AB92B6A0CBF021D35983B2575D424AB6C0215024C0B6299243D381F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF570B2719849D4C8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.16072709847614883
Encrypted:	false
SSDEEP:	48:ZQSThVZVISNVZVEVZVISNVZVKAEbCyRvB7Q/P:Z9LIaL0LIaLRwCQM/P
MD5:	DDFF75AC5260C7FEF7CD8CD0F5325C52
SHA1:	4211444DE66457ABC982493D44A0AE9827D90994
SHA-256:	EDABCDC039C8B048BF64849451214CEF1E4BD5AC816B1006DFE97BBA7C5EF220
SHA-512:	F0DFE7E1986CB024BE8A25F7610DA878213EEBA6E53ABABB853A8BD02BF06B8A74C4DFDD14849BC0001229672157C99E64EC28F6004F2304005E06BB0F4FCFEE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {E6B9894C-DC78-4FA5-8EA1-84A7EA523557}, Number of Words: 10, Subject: Download do Adobe Acrobat Reader DC, Author: Adobe Acrobat Reader DC, Name of Creating Application: Download do Adobe Acrobat Reader DC, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Download do Adobe Acrobat Reader DC., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 8 17:32:11 2023, Number of Pages: 200
Entropy (8bit):	7.858382469808083
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	recibatt- 533152.msi
File size:	5'582'848 bytes
MD5:	11105a08f6af4e6a60e108b3b9bb0c88
SHA1:	c94c02c332c4afe0e31535715dfb84ad4a616469
SHA256:	c5aafe04e4c9245071fe974fe6642ca5378a6aaeba5bdda794849dd81b7b17c6
SHA512:	3fdf3e1c52a54ef7755b9c3a1fe96bdc47f929f7829fcfa93219b1b648c4f7859bb5944a3bba55025f6c92973bb63428041fa0b5ece2d3fa8ebff55bf0074438
SSDEEP:	98304:j+XJVn3iZ6UWWriB1xZ3i0RG9GnPKYc08KUS0+R5ltTX4kfkoMBI7EutfSLHS:ihiqyiPry0OGnDJUSbR5XLhOI7Epr
TLSH:	CB461225B3C7C522C55C01BBF959FE4E0479BF63073041E7B6F93AAE98B08C16279A52
File Content Preview:	........................>...................V...................................F.......b.......o...............................................{...\|...}...~..................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 08:09:27.686803102 CET	53	55884	1.1.1.1	192.168.2.6

Target ID:	0
Start time:	02:09:08
Start date:	07/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\recibatt- 533152.msi"
Imagebase:	0x7ff734900000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:09:08
Start date:	07/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff734900000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:09:08
Start date:	07/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 15497AE5CC6D6E4EC5CBD7A95A3BBC9F
Imagebase:	0x2a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:09:10
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe"
Imagebase:	0x7ff67cfc0000
File size:	55'808 bytes
MD5 hash:	53AB9B8198E8AD8D3A043F40E72B1AB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	344
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF67CFC2AA0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 192
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FF67CFC2B06
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF67CFC2B15
LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 00007FF67CFC2B4E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF67CFC2B5D

Strings

RoGetActivationFactory, xrefs: 00007FF67CFC2B0E
DllGetActivationFactory, xrefs: 00007FF67CFC2CC3
CoIncrementMTAUsage, xrefs: 00007FF67CFC2B56
combase.dll, xrefs: 00007FF67CFC2AFF, 00007FF67CFC2B47

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-4036682018
Opcode ID: 47d738070b0af0edd47e385eed6e46aaa3c203f272d590f42774a49a749df1a6
Instruction ID: 6390b39dad49da212073e5eb51f64f0e4653e6b692f4c1dcd86f06990010bbd0
Opcode Fuzzy Hash: 47d738070b0af0edd47e385eed6e46aaa3c203f272d590f42774a49a749df1a6
Instruction Fuzzy Hash: CD814B63B29A8284FB20DB61D8502BD27A0FF54B98F545635DE1D977A8EF3CE495C300

Function 00007FF67CFC54F4 Relevance: 24.1, APIs: 15, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5554
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5578
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC559C
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC55C0
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC55E4
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5608
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC562C
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5650
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5674
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5698
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC56BC
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC56E0
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5704
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5728
_CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5740

Part of subcall function 00007FF67CFC301C: GetErrorInfo.OLEAUT32(?,?,?,?,?,?,?,?,?,00007FF67CFC5735), ref: 00007FF67CFC306B
Part of subcall function 00007FF67CFC301C: SysFreeString.OLEAUT32 ref: 00007FF67CFC30FA

Strings

bad allocation, xrefs: 00007FF67CFC5533

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$ErrorFreeInfoString
String ID: bad allocation
API String ID: 1975901121-2104205924
Opcode ID: 0933e274a7c38970862a05a2fb4c41735afd250a0c49872c24e88f4e3a59b920
Instruction ID: f1336687a029f8c03599add78d03ec6fb0c249607fd5cc180a57fe4cd86cc4da
Opcode Fuzzy Hash: 0933e274a7c38970862a05a2fb4c41735afd250a0c49872c24e88f4e3a59b920
Instruction Fuzzy Hash: 87613F23F3998795FB34EB60D8811F92371AF94348F609732D50CD74A6AE6CF94A9380

Function 00007FF67CFC5D10 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 289
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslwr_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF67CFC601B

Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5554
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5578
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC559C
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC55C0
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC55E4
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5608
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC562C
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5650
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5674
Part of subcall function 00007FF67CFC54F4: _CxxThrowException.VCRUNTIME140_APP ref: 00007FF67CFC5698

Part of subcall function 00007FF67CFC4FF8: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF67CFC31F2,?,?,?,?,?,?,?,?,?,00007FF67CFC5735), ref: 00007FF67CFC501A
Part of subcall function 00007FF67CFC4FF8: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF67CFC31F2,?,?,?,?,?,?,?,?,?,00007FF67CFC5735), ref: 00007FF67CFC5027

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF67CFC6151
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF67CFC6166
RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF67CFC6179

Strings

ms-cxh://getstarted/?surface=start, xrefs: 00007FF67CFC5D31
getstarted, xrefs: 00007FF67CFC5D43
StartApplication, xrefs: 00007FF67CFC615C
WebExperienceHost.dll, xrefs: 00007FF67CFC614A

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$Heap$AddressFreeInitializeLibraryLoadProcProcess_wcslwr_s
String ID: StartApplication$WebExperienceHost.dll$getstarted$ms-cxh://getstarted/?surface=start
API String ID: 708943818-2938634902
Opcode ID: e8c37fcd8af3848a00225ce46d0b1f18bbe59973078c324ef50a8d7345a33e00
Instruction ID: ed5a1bf1bd0023ba9c80e07a00e351106fa6d9d233f45231459bfddc735798ba
Opcode Fuzzy Hash: e8c37fcd8af3848a00225ce46d0b1f18bbe59973078c324ef50a8d7345a33e00
Instruction Fuzzy Hash: 02D10C2372DAC692EB71AB14E4503BA6761FF94784F445231E68DC36EADF2CE548C700

Function 00007FF67CFC158C Relevance: 10.6, APIs: 7, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF67CFC159B
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF67CFC15B0
__scrt_release_startup_lock.LIBCMT ref: 00007FF67CFC161E
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67CFC166C
_get_wide_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67CFC1679
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67CFC16A2
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67CFC16F7

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3863933208-0
Opcode ID: 334a747d7520e6ee41ddac6c63d8f888343b0ad2c4d77d698ff4bb8d04e6e29e
Instruction ID: 8e960a0691b122371f45f29895b4600bcf17edc9feab16d25db61fe08cfb49b6
Opcode Fuzzy Hash: 334a747d7520e6ee41ddac6c63d8f888343b0ad2c4d77d698ff4bb8d04e6e29e
Instruction Fuzzy Hash: D7316C23F2D9C346FB38AB6594613B92291AF42384F488735E50EC76E3DE2DA4249240

Function 00007FFD93738370 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD93738413
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD93738424

Strings

ios_base::badbit set, xrefs: 00007FFD937383DC
ios_base::eofbit set, xrefs: 00007FFD937383EE
ios_base::failbit set, xrefs: 00007FFD937383E7

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 18c4eb03d72117c3613aa7784f1bf35228662092d537acc2669780a054874281
Instruction ID: 54d67c78c517f05e85586db33b3272992ab0e7904065617d874e82ce79347446
Opcode Fuzzy Hash: 18c4eb03d72117c3613aa7784f1bf35228662092d537acc2669780a054874281
Instruction Fuzzy Hash: CB210362B08646A2EA28CB94F5A13BD3364FF04784FA40031D64D57B91CF3CF5A9C300

Function 00007FF67CFC27BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67CFC3238: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF67CFC26C9), ref: 00007FF67CFC3252

InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FF67CFC288D

Strings

Windows.ApplicationModel.AppInstance, xrefs: 00007FF67CFC27E9
$, xrefs: 00007FF67CFC27F4

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: EntryInterlockedListPushabort
String ID: $$Windows.ApplicationModel.AppInstance
API String ID: 1923770069-1542873791
Opcode ID: 4ddd20ba726a00b9b6211fbdb94cfa68b2457837ad145f8ff0950f50f8d1477a
Instruction ID: b2bf08140d6ad7dde578cca4b8482d39b67fdc1e832ad70a6e76ee787720e53d
Opcode Fuzzy Hash: 4ddd20ba726a00b9b6211fbdb94cfa68b2457837ad145f8ff0950f50f8d1477a
Instruction Fuzzy Hash: D231F562B25A8698FB20DB61D8913BC2374FF58788F804632CE0D976A8DF3CE549C340

Function 00007FFDA46D6430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDA46D6474
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDA46D64BA

Strings

csm, xrefs: 00007FFDA46D64A7

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 3a8fa3ff98e3fc415a503cae1c61ec6dd809c1b335de595b54931dad9c86390a
Instruction ID: 8687015d4febe9ca03525fd55c47b131e9f2e6823585e1b5d45186091071729b
Opcode Fuzzy Hash: 3a8fa3ff98e3fc415a503cae1c61ec6dd809c1b335de595b54931dad9c86390a
Instruction Fuzzy Hash: 51114F32609B8182EB118F15F5902AA77E5FB89B84F1C9235DE8C07B6ADF3DD5518704

Function 00007FF67CFC301C Relevance: 4.6, APIs: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetErrorInfo.OLEAUT32(?,?,?,?,?,?,?,?,?,00007FF67CFC5735), ref: 00007FF67CFC306B
SysFreeString.OLEAUT32 ref: 00007FF67CFC30FA
SysFreeString.OLEAUT32 ref: 00007FF67CFC31FB

Part of subcall function 00007FF67CFC5748: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FF67CFC31AE,?,?,?,?,?,?,?,?,?,00007FF67CFC5735), ref: 00007FF67CFC5775

Part of subcall function 00007FF67CFC4FF8: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF67CFC31F2,?,?,?,?,?,?,?,?,?,00007FF67CFC5735), ref: 00007FF67CFC501A
Part of subcall function 00007FF67CFC4FF8: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF67CFC31F2,?,?,?,?,?,?,?,?,?,00007FF67CFC5735), ref: 00007FF67CFC5027

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: Free$HeapString$ErrorInfoProcessiswspace
String ID:
API String ID: 1871405674-0
Opcode ID: af1a7296eed4c721050ecdce830b80138dec2ab0313aaa0980fcd02fb34735b4
Instruction ID: 8d4ed42720da7994f58610de10e0a104995ccaeb6c37c9c55356d0d7ff20e483
Opcode Fuzzy Hash: af1a7296eed4c721050ecdce830b80138dec2ab0313aaa0980fcd02fb34735b4
Instruction Fuzzy Hash: AD610533B25A8685EF20DB65D4500BC27B0BF48B88B588A32DE1D97B59CF3CE445C350

Function 00007FF67CFC251C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67CFC3238: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF67CFC26C9), ref: 00007FF67CFC3252

InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FF67CFC260D

Strings

Windows.Foundation.Uri, xrefs: 00007FF67CFC254B

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: EntryInterlockedListPushabort
String ID: Windows.Foundation.Uri
API String ID: 1923770069-1377045113
Opcode ID: 33188ad3fb2252c7f0eb815770db843d7374c1caf147856433e6f14bfcdb147e
Instruction ID: bd800e5c34bff10d23539bcc33f7ac931eec17307ab66c56f2181b7885401942
Opcode Fuzzy Hash: 33188ad3fb2252c7f0eb815770db843d7374c1caf147856433e6f14bfcdb147e
Instruction Fuzzy Hash: 16413B33B25A8699EB24DF60D8503F92371EF04788F804632DA0D87A99DF3CE119D340

Function 00007FFD93742100 Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93742114

Part of subcall function 00007FFD93734D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D32
Part of subcall function 00007FFD93734D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D58
Part of subcall function 00007FFD93734D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D70

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD9374213E

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: setlocale$freemallocmemcpy
String ID:
API String ID: 1663771476-0
Opcode ID: 8737389535b3fe6aa3b246914114041b48a8b76be02f41534b42691da87bcca8
Instruction ID: d28488332f22ba09998fd366bda3a115c1529952a9bad71d6229a1b79d49737c
Opcode Fuzzy Hash: 8737389535b3fe6aa3b246914114041b48a8b76be02f41534b42691da87bcca8
Instruction Fuzzy Hash: 2AF0B422B0864253EF6DCBA3E5A40B6B365AF44781B5C8439CE0E5B750FE3CE054C300

Function 00007FFD93733930 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFD93768040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFD93733832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFD9376804F

std::_Facet_Register.LIBCPMT ref: 00007FFD93733A0B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Facet_Register_lock_localesstd::_
String ID:
API String ID: 3986400115-0
Opcode ID: 9c1b0536e791d20bf9ccb3a21b4d26e33d38cb7de666908c62162abcb65010a3
Instruction ID: b9bd595ae2417a8858c3cce841726219bf39ff560b7b5078a09246b06922a01d
Opcode Fuzzy Hash: 9c1b0536e791d20bf9ccb3a21b4d26e33d38cb7de666908c62162abcb65010a3
Instruction Fuzzy Hash: 61319322B0DA4681FB399B95F4642B97379EB44BA4F280131EE5D673A5DF3CE842C310

Function 00007FF67CFC480C Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF67CFC48A7

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: f9d6cbe01079829e05a430424aa4c4ad0151c1e49743e8a65c4ac967d15e688f
Instruction ID: 79fbc99509b82fd403563df6f00889805d4fd1bc4da48a4cd78fb947e3845250
Opcode Fuzzy Hash: f9d6cbe01079829e05a430424aa4c4ad0151c1e49743e8a65c4ac967d15e688f
Instruction Fuzzy Hash: D7215E23F285C286FB30AB11E8403B96761FF94794F440735D91C875E9CE2CE484C700

Function 60D18320 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2144871459.000000006057F000.00000020.00000001.01000000.00000005.sdmp, Offset: 60550000, based on PE: true

Associated: 00000004.00000002.2144854909.0000000060550000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2144871459.0000000060551000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145537289.0000000060D2E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145556378.0000000060D2F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145570405.0000000060D31000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145583544.0000000060D36000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145596878.0000000060D38000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145609803.0000000060D39000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145622310.0000000060D3A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145636231.0000000060D3B000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145650629.0000000060D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145664497.0000000060D46000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145686962.0000000060D4B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145701530.0000000060D4C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145716934.0000000060D53000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145731726.0000000060D54000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145731726.0000000060D68000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145783343.0000000060D8C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145802175.0000000060D8E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145820384.0000000060D8F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145836438.0000000060D90000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145856327.0000000060DA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145870873.0000000060DA7000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145896935.0000000060DD2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145914544.0000000060DD4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145931454.0000000060DDF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145931454.0000000060DE3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145961500.0000000060DE5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145977235.0000000060DEA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2145995896.0000000060E00000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2146012325.0000000060E03000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2146031714.0000000060E05000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2146046573.0000000060E06000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2146064481.0000000060E0E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2146064481.0000000060E10000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60550000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a2f7d7fc0a6a1e55da4a38034f0bb9b5d6a1e148aac52d95cc05664a352e3a
Instruction ID: 5e79a02e745164fe2c197131ded8a1d4768d8d661f3403d1da9a59b97b6f8ab5
Opcode Fuzzy Hash: a2a2f7d7fc0a6a1e55da4a38034f0bb9b5d6a1e148aac52d95cc05664a352e3a
Instruction Fuzzy Hash: F9F01736200B81DECB24CF75E8903D93BA5F36939CF140016EA4D87B18DB30C695CB80

Non-executed Functions

Function 00007FFDA46D7238 Relevance: 90.2, APIs: 36, Strings: 15, Instructions: 900COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D72E9
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D73B6
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D7400
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D7421
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D748E
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D74A0

Strings

`template static data member constructor helper', xrefs: 00007FFDA46D7D05
`template static data member destructor helper', xrefs: 00007FFDA46D7D4B
public: , xrefs: 00007FFDA46D7F9C
}' , xrefs: 00007FFDA46D7450, 00007FFDA46D799C
extern "C" , xrefs: 00007FFDA46D805F
static , xrefs: 00007FFDA46D7E4A
`vtordispex{, xrefs: 00007FFDA46D787D
`adjustor{, xrefs: 00007FFDA46D796E
`vtordisp{, xrefs: 00007FFDA46D790F
[thunk]:, xrefs: 00007FFDA46D8006
/, xrefs: 00007FFDA46D7D52
private: , xrefs: 00007FFDA46D7F40
virtual , xrefs: 00007FFDA46D7EC5
protected: , xrefs: 00007FFDA46D7F72
`local static destructor helper', xrefs: 00007FFDA46D7CC4

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 2943138195-2884338863
Opcode ID: 7932c554000090ef297f9a02f93cd5f0d571843c599553f7c19302f600fa71c8
Instruction ID: c087f17238160352b276bd63c3ca8861a228132774df55c1001bf835e0b27970
Opcode Fuzzy Hash: 7932c554000090ef297f9a02f93cd5f0d571843c599553f7c19302f600fa71c8
Instruction Fuzzy Hash: 94926173A19B8286EB40CB14E4E02EEB7A0FB85344F586135EA8D477AADF7CD544CB44

Function 00007FFD9376FEBA Relevance: 34.3, APIs: 16, Strings: 3, Instructions: 1065COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9377006D
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD93770081

Strings

ios_base::badbit set, xrefs: 00007FFD9377002E, 00007FFD93770242, 00007FFD93770445, 00007FFD9377065A, 00007FFD9377086E, 00007FFD93770A71, 00007FFD93770C86, 00007FFD93770E9A
ios_base::eofbit set, xrefs: 00007FFD93770042, 00007FFD93770256, 00007FFD93770459, 00007FFD9377066E, 00007FFD93770882, 00007FFD93770A85, 00007FFD93770C9A, 00007FFD93770EAE
ios_base::failbit set, xrefs: 00007FFD9377003B, 00007FFD9377024F, 00007FFD937702A3, 00007FFD93770452, 00007FFD93770667, 00007FFD9377087B, 00007FFD937708CF, 00007FFD93770A7E, 00007FFD93770C93, 00007FFD93770EA7, 00007FFD93770F00

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 63270dc61fe217df1c8448f0cbf6375be5a82b8859e87c3c27386a3adc6e9e90
Instruction ID: ec0c9c459001b6966b0d58764585e8e0ad3000f85961ff0a2cc66f0b62b24d74
Opcode Fuzzy Hash: 63270dc61fe217df1c8448f0cbf6375be5a82b8859e87c3c27386a3adc6e9e90
Instruction Fuzzy Hash: FEA28A22709B8982EF24CF9AE4A03A9B764FB85F95F148036DA8E13B65DF7DD445C700

Function 00007FFD93763808 Relevance: 27.8, APIs: 14, Strings: 1, Instructions: 1514COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFD93763BCD
memchr.VCRUNTIME140_APP ref: 00007FFD93763FBA
memchr.VCRUNTIME140_APP ref: 00007FFD937641F4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C28
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C2F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C36
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C3D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C44
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C4B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C52
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C59
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C60
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764C67
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93764DFA

Strings

0123456789-, xrefs: 00007FFD937639A6, 00007FFD93763BEF, 00007FFD93763FD8, 00007FFD9376420B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memchr
String ID: 0123456789-
API String ID: 2740501399-3850129594
Opcode ID: 83d2e7bdc1caf0c4015a5f28662ff156985bf06449f06aa87c59ae0b43f22276
Instruction ID: 640cd247f5ae7958eba10e951352176d6f7e6c94cc9487f6a9775217bad6cc50
Opcode Fuzzy Hash: 83d2e7bdc1caf0c4015a5f28662ff156985bf06449f06aa87c59ae0b43f22276
Instruction Fuzzy Hash: 40E2BC22B09A8589EB208FAAD4B43BE3779FB44B98F545131DA5E277A5CF3CD491C301

Function 00007FFD9376C0E8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376C15C
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376C189
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9376C193
btowc.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD9376C19F
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376C1CB
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376C1F9
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376C30D
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376C336

Strings

0, xrefs: 00007FFD9376C1C2
0, xrefs: 00007FFD9376C1B2

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: iswdigit$btowclocaleconv
String ID: 0$0
API String ID: 240710166-203156872
Opcode ID: f25cfa4c62369a9808755e00a142ea6129f249c9ed0bca85ae697669705b357f
Instruction ID: ab2e602534c01bbc5b5fada282a26a28689e4e8bf69936ecadaddd01b65ea88d
Opcode Fuzzy Hash: f25cfa4c62369a9808755e00a142ea6129f249c9ed0bca85ae697669705b357f
Instruction Fuzzy Hash: 07814677B0854387E7354F65D8B027A73AAFF84B49F484131DF8A56290EB3DE865C602

Function 00007FFD9373D7B0 Relevance: 17.1, APIs: 7, Strings: 2, Instructions: 1324COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFD9373DD3D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373DF87
memchr.VCRUNTIME140_APP ref: 00007FFD9373E09D
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9373E188
memchr.VCRUNTIME140_APP ref: 00007FFD9373E35C
memchr.VCRUNTIME140_APP ref: 00007FFD9373E7A8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373E890

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFD9373D8D5, 00007FFD9373DD78, 00007FFD9373E0D3, 00007FFD9373E37E, 00007FFD9373E7CA
$, xrefs: 00007FFD9373DC2A

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
String ID: $$0123456789ABCDEFabcdef-+XxPp
API String ID: 2141594249-3344005635
Opcode ID: 977cf47f29f2a8f28e83db93fd44151f08d7bc9cd05665774f6a172dc86905d1
Instruction ID: 947bca92a031d5d0fc8c43f707d672ce86524af5bb0279ae6fd29f5124e4d5c1
Opcode Fuzzy Hash: 977cf47f29f2a8f28e83db93fd44151f08d7bc9cd05665774f6a172dc86905d1
Instruction Fuzzy Hash: 4DD29533709A8589EB699F9AE1A027C3779EB44F94F649031DA5D277A1CF3DE852C300

Function 00007FFD9373C6B0 Relevance: 17.0, APIs: 8, Strings: 1, Instructions: 1276COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFD9373C80B, 00007FFD9373CB0A, 00007FFD9373CE92, 00007FFD9373D1A4, 00007FFD9373D6AB

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: 8a8eef6ea48c1dcaaf896da1b674f1f61d889f311a6dd7990e35ec2479345b38
Instruction ID: 31e1e9709c5acf6824ee8a1e247a0be7cf49d3827bd28ff5b6f554d753c2f9c1
Opcode Fuzzy Hash: 8a8eef6ea48c1dcaaf896da1b674f1f61d889f311a6dd7990e35ec2479345b38
Instruction Fuzzy Hash: B6C2A526B09A8685EB699F99E0A027C3779FB41F94F648031DE5D277A5CF3DE852C300

Function 00007FFD9376AD0C Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFD9376AD8E
memchr.VCRUNTIME140_APP ref: 00007FFD9376ADD9
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9376ADF2
memchr.VCRUNTIME140_APP ref: 00007FFD9376AE2D
memchr.VCRUNTIME140_APP ref: 00007FFD9376AE75
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376AF8C
isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376AFB4

Strings

0123456789abcdefABCDEF, xrefs: 00007FFD9376AD7B, 00007FFD9376AD9E, 00007FFD9376ADE8, 00007FFD9376AE3A
0, xrefs: 00007FFD9376AE1C

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memchr$isdigit$localeconv
String ID: 0$0123456789abcdefABCDEF
API String ID: 1981154758-1185640306
Opcode ID: 47080461fdb72a4bc559756aa2ea0f6e1f8a764b3b904aecea474129a19d88a8
Instruction ID: 5db554ccac4e24c11792ab269924db0fe0da3b03962bec39e80ca0f0693b048e
Opcode Fuzzy Hash: 47080461fdb72a4bc559756aa2ea0f6e1f8a764b3b904aecea474129a19d88a8
Instruction Fuzzy Hash: B7916BB2B0859647F7718B64D4702BE3BA8FB44B4DF489035DE8A63685CA3CE916C743

Function 00007FFD93751680 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1526COMMON

Download Yara Rule

APIs

_Find_elem.LIBCPMT ref: 00007FFD937520C5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93752AA9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93752AB0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93752AB7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93752C66

Strings

0123456789-, xrefs: 00007FFD9375181A, 00007FFD93751A7C, 00007FFD93751E77, 00007FFD937520D0

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find_elem
String ID: 0123456789-
API String ID: 2867937686-3850129594
Opcode ID: b14931fd472b40645d27b5a95acc8c6e665534d485ad77f27e7d9b469a2a64a5
Instruction ID: 25d2021be4a4c64ef75e5462ceadedc0ddcb0a73635c2ccccf3a2ed731eb01a3
Opcode Fuzzy Hash: b14931fd472b40645d27b5a95acc8c6e665534d485ad77f27e7d9b469a2a64a5
Instruction Fuzzy Hash: 6DE2AE26B19B958AEF648FA9D4A027D3778FB44B84F549035DA4E277A4CF3DD882C700

Function 00007FFD93752CA0 Relevance: 12.0, APIs: 5, Strings: 1, Instructions: 1526COMMON

Download Yara Rule

APIs

_Find_elem.LIBCPMT ref: 00007FFD937536E5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD937540C9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD937540D0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD937540D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93754286

Strings

0123456789-, xrefs: 00007FFD93752E3A, 00007FFD9375309C, 00007FFD93753497, 00007FFD937536F0

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find_elem
String ID: 0123456789-
API String ID: 2867937686-3850129594
Opcode ID: 9a529bd8226e3188403c01f721c91254f1c48c0f7f560601f1bd5291169c5e3b
Instruction ID: 1b6a8a0e6d5a3bc71c6f26f1dba0f892db27dd3153b884b0fad200bf5b85e9f2
Opcode Fuzzy Hash: 9a529bd8226e3188403c01f721c91254f1c48c0f7f560601f1bd5291169c5e3b
Instruction Fuzzy Hash: 17E29F22B19B9589FB648FA9D4A027D3778FB44B84F549036EA4E277A4CF3DD842C710

Function 00007FFD937657E0 Relevance: 11.2, APIs: 7, Instructions: 661COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93765A39
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93765AB3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93765B31
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93765FDB

Part of subcall function 00007FFD93741DB0: memcpy.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFD9373C21C), ref: 00007FFD93741E0B
Part of subcall function 00007FFD93741DB0: memset.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFD9373C21C), ref: 00007FFD93741E18

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93766027
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9376606D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD937660EC

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpymemset
String ID:
API String ID: 2613654500-0
Opcode ID: b01032cb335723ba4be964af104a56bb7b3906e80541883ba96dbf4a7885703b
Instruction ID: 17a18fd121341ba3f42b70b09ac51df032c9b736d06b5879611327fdb0da6920
Opcode Fuzzy Hash: b01032cb335723ba4be964af104a56bb7b3906e80541883ba96dbf4a7885703b
Instruction Fuzzy Hash: B652D422B08B8686FB208FA5D4682AD7776FB54BA8F044131DE8D27B95DF3CE494C740

Function 00007FFD9376C7E0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9376C87E
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376CA64
iswdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376CA8D

Strings

0, xrefs: 00007FFD9376C848
0123456789abcdefABCDEF, xrefs: 00007FFD9376C851, 00007FFD9376C8B4
0, xrefs: 00007FFD9376C8AE

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: iswdigit$localeconv
String ID: 0$0$0123456789abcdefABCDEF
API String ID: 2634821343-613610638
Opcode ID: 49174df5c4cdc396e0c5235f3f105a11f693802dc7eaefa8f2b40817c63aabed
Instruction ID: 5ba51410284a8d390c54c8efcf758aeb869cc6b3bb4507c8041aa6322caa6f3f
Opcode Fuzzy Hash: 49174df5c4cdc396e0c5235f3f105a11f693802dc7eaefa8f2b40817c63aabed
Instruction Fuzzy Hash: 2B814626F0825747EB318F64D87127A76A8FB54B48F089031DF8A67A84EB3DE861C741

Function 00007FFD9373A230 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD93739DEC: memcpy.VCRUNTIME140_APP ref: 00007FFD93739E3A

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFD9373A2C6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373A38A

Part of subcall function 00007FFD93739D70: memcpy.VCRUNTIME140_APP ref: 00007FFD93739DB1

FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFD9373A317
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9373A32C

Strings

., xrefs: 00007FFD9373A2E4
., xrefs: 00007FFD9373A2F3

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Findmemcpy$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
String ID: .$.
API String ID: 2624417167-3769392785
Opcode ID: b54155074bf5bdd9a68a963a018a7fba49ecd6018a5380948614d025b80af060
Instruction ID: a9bc8e93f80949d9a2c36bd0edc8a20ffdeb253691707a2946f0a9e8e0a5f293
Opcode Fuzzy Hash: b54155074bf5bdd9a68a963a018a7fba49ecd6018a5380948614d025b80af060
Instruction Fuzzy Hash: 5441D222B1868186EA74DFA5F8653BA7364FB887A4F504231EE9D236D4DF7CD480C701

Function 00007FFD9374E810 Relevance: 10.1, APIs: 3, Strings: 2, Instructions: 1354COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9374EFF3
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9374F21D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9374F98B

Strings

$, xrefs: 00007FFD9374ECAE
0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFD9374E93A, 00007FFD9374EDF4, 00007FFD9374F151, 00007FFD9374F440, 00007FFD9374F8C3

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$localeconv
String ID: $$0123456789ABCDEFabcdef-+XxPp
API String ID: 1825414929-3344005635
Opcode ID: aaa7e4684dea0de9e9086490142b97dde05b5b67a6d3a14f4f169e42f5d3e4e7
Instruction ID: e19ed709f8b96424e379fe90df80368200f71cdf1e2847e658f1053a557723f3
Opcode Fuzzy Hash: aaa7e4684dea0de9e9086490142b97dde05b5b67a6d3a14f4f169e42f5d3e4e7
Instruction Fuzzy Hash: A0D27F36B09A4685EB648F9AD1A417C37AAFB40F94B549431DE4E27BA0CF3DF891C310

Function 00007FFD9374D660 Relevance: 10.1, APIs: 3, Strings: 2, Instructions: 1354COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9374DE43
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9374E06D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9374E7DB

Strings

$, xrefs: 00007FFD9374DAFE
0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FFD9374D78A, 00007FFD9374DC44, 00007FFD9374DFA1, 00007FFD9374E290, 00007FFD9374E713

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$localeconv
String ID: $$0123456789ABCDEFabcdef-+XxPp
API String ID: 1825414929-3344005635
Opcode ID: 86556c306f232d31921ec4d15b433fc9dda67ad9f9b6300d480a215ede20281a
Instruction ID: fe5f2907d6b86d5c250c38bcb6a23d3ecc50eddc71ebe7a436de1bd3cde1b0f8
Opcode Fuzzy Hash: 86556c306f232d31921ec4d15b433fc9dda67ad9f9b6300d480a215ede20281a
Instruction Fuzzy Hash: C7D27F26B09A4685EB618F9AD1A417C37AAFB40F94B549031DF9D27BA1CF3DE891C310

Function 00007FFD9374B3A0 Relevance: 10.1, APIs: 4, Strings: 1, Instructions: 1304COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFD9374B4FD, 00007FFD9374B7FD, 00007FFD9374BB82, 00007FFD9374BEAD, 00007FFD9374C401

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: a10a18ac66ba2a4b9f7cde72f4e60308c5d3c6f7e0bdff66e84d04cfa45a5f4d
Instruction ID: c447b487d430748e699bf6c6ac478cda7d8c68b2489a03fe6073f5701a93eff9
Opcode Fuzzy Hash: a10a18ac66ba2a4b9f7cde72f4e60308c5d3c6f7e0bdff66e84d04cfa45a5f4d
Instruction Fuzzy Hash: DCC28E26B09A46D5EB748F9AD1A427D37AAFB54F84F548031DA8E277A4CF3DE851C300

Function 00007FFD9374C500 Relevance: 10.1, APIs: 4, Strings: 1, Instructions: 1304COMMON

Download Yara Rule

Strings

0123456789-+Ee, xrefs: 00007FFD9374C65D, 00007FFD9374C95D, 00007FFD9374CCE2, 00007FFD9374D00D, 00007FFD9374D561

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID: 0123456789-+Ee
API String ID: 0-1347306980
Opcode ID: 975c390083cc323f49d0a25d7e2a16abc720d2ccfd826877c86762ac604253f7
Instruction ID: dd19e78c9e0a8aeb6c1eb3293a35123c01f2a3023bb08930a3ff09d18506279a
Opcode Fuzzy Hash: 975c390083cc323f49d0a25d7e2a16abc720d2ccfd826877c86762ac604253f7
Instruction Fuzzy Hash: 57C28E2AB09A8696EB708F9AD16427D376AFB44F84B548031DF8E27795DF3DE851C300

Function 00007FFD93757714 Relevance: 9.6, APIs: 6, Instructions: 626COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93757987
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93757A19
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93757ABC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93757F78
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93757FCA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93758011

Part of subcall function 00007FFD9375F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFD93749A2E), ref: 00007FFD9375F728

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID:
API String ID: 3063020102-0
Opcode ID: eebc192cbd0a987a80d3a00d6f6e2cac622f7362e9ae47966162b1b65651f233
Instruction ID: 850bdaec2ddb10eb141c98551d4afe7204a9329640ad054088b1dc5dd634057e
Opcode Fuzzy Hash: eebc192cbd0a987a80d3a00d6f6e2cac622f7362e9ae47966162b1b65651f233
Instruction Fuzzy Hash: 3652A362B18BC596EB24CFA9D8A42BD7365FB44B98F405531EA4D23B95EF3CE581C300

Function 00007FFD93749C50 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93749CEE
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD93749D01
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93749D16
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9374A074
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9374A0C2

Part of subcall function 00007FFD9375F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFD93749A2E), ref: 00007FFD9375F728

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemcpy
String ID:
API String ID: 2354928869-0
Opcode ID: 243aefc0258b0b269433c76fd2b4b90c39a714807ae03ccb53dd7d940baafd4e
Instruction ID: 05ace8679409b42532d074b56d8ad09005436a019817c55bbf2a5527bcc769cc
Opcode Fuzzy Hash: 243aefc0258b0b269433c76fd2b4b90c39a714807ae03ccb53dd7d940baafd4e
Instruction Fuzzy Hash: ADE16E22B09B4599EB20CFA6D4646AC7376FB49B98B504136DE4D27B98DF38E44AC300

Function 00007FFD937497A0 Relevance: 7.8, APIs: 5, Instructions: 324stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9374983E
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD93749851
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93749866
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93749BC4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93749C12

Part of subcall function 00007FFD9375F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFD93749A2E), ref: 00007FFD9375F728

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemcpy
String ID:
API String ID: 2354928869-0
Opcode ID: 9a6a9a5831d60da9de16aa5e4a4b682bd4daa7348588c6784df99043229ce472
Instruction ID: c86b60843ab589d24821a000eb48c2deed9a1706b0fafcd7e8db0c09fa8c7c27
Opcode Fuzzy Hash: 9a6a9a5831d60da9de16aa5e4a4b682bd4daa7348588c6784df99043229ce472
Instruction Fuzzy Hash: F7E16D22B09B4599FB20DFA6D4642BC7376FB49B98B514136DE4D27B98DF38E44AC300

Function 00007FFD9373E8D0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 641COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFD9373EE18
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373F081
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373F0FB

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00007FFD9373E970, 00007FFD9373EE38

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memchr
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2740501399-2799312399
Opcode ID: b41d6cc7be76b3909485a6c58d98804c70bedfa68c8fcabdfaa25af99012b850
Instruction ID: b16bc6638521ea2d3e4866553585d5b5650f2c90e59e8fc71b2a5ed2c90bfff8
Opcode Fuzzy Hash: b41d6cc7be76b3909485a6c58d98804c70bedfa68c8fcabdfaa25af99012b850
Instruction Fuzzy Hash: 4952C823B0DA8689EB698FA9E0A017C3779FB01B94B645431DE5E27B95CF3DE456C300

Function 00007FFD93755290 Relevance: 5.3, APIs: 3, Instructions: 808COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD93768040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFD93733832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFD9376804F

Part of subcall function 00007FFD93782B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735AA8), ref: 00007FFD93782B36

Part of subcall function 00007FFD937543B0: localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFD9374A86C), ref: 00007FFD937543F1

_W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FF19), ref: 00007FFD93755D6B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FF19), ref: 00007FFD93755D80
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FF19), ref: 00007FFD93755D97

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Gettnames_lock_localeslocaleconvmalloc
String ID:
API String ID: 2855664287-0
Opcode ID: e268c45b8f4311e6bc6082d674872a96692c70c2bb4a740e82dc8fb3dc99b52e
Instruction ID: 2eccbc519d0f88fb2599aa7013235942dec52bb83af9dfa7614fd5990481844c
Opcode Fuzzy Hash: e268c45b8f4311e6bc6082d674872a96692c70c2bb4a740e82dc8fb3dc99b52e
Instruction Fuzzy Hash: 7F823C61F0DB4685EB699BE1D8B02B933B9EF54794F484435EA4E67395EF3CE8428300

Function 00007FFD93755F40 Relevance: 5.3, APIs: 3, Instructions: 808COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD93768040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFD93733832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFD9376804F

Part of subcall function 00007FFD93782B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735AA8), ref: 00007FFD93782B36

Part of subcall function 00007FFD937544F8: localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFD9374AA1C), ref: 00007FFD93754539
Part of subcall function 00007FFD937544F8: _Getvals.LIBCPMT ref: 00007FFD93754575

_W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FF08), ref: 00007FFD93756A1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FF08), ref: 00007FFD93756A30
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FF08), ref: 00007FFD93756A47

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$GettnamesGetvals_lock_localeslocaleconvmalloc
String ID:
API String ID: 4046447902-0
Opcode ID: bedf28c8c434659652b56425a752b8efcb6f46d13c27a4a9a6688eff6c901d28
Instruction ID: 39f65cee5aa72d910ed6466ea056d4923e1cccfbfaf427fc72dfb7732621a97d
Opcode Fuzzy Hash: bedf28c8c434659652b56425a752b8efcb6f46d13c27a4a9a6688eff6c901d28
Instruction Fuzzy Hash: B1825B61F09B0685EB7A9BE1D8B02B933B9EF54784F445435EA4E67395EF3CE8528300

Function 00007FFD93765010 Relevance: 5.0, APIs: 3, Instructions: 503COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD937628E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD937629E2

Part of subcall function 00007FFD93768040: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFD93733832,?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,?,?), ref: 00007FFD9376804F

_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FEF7,?,?,?,?,?,?,?,00007FFD9373F897), ref: 00007FFD9376572D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FEF7,?,?,?,?,?,?,?,00007FFD9373F897), ref: 00007FFD93765742
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFD9373FEF7,?,?,?,?,?,?,?,00007FFD9373F897), ref: 00007FFD93765750

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
String ID:
API String ID: 962949324-0
Opcode ID: ca63c23946b59551808c2ed41c9c37c66fdc98cf6e1290c6b37f3c5997b2e07b
Instruction ID: cd826f005e1218436d959b489b77b9c6b51ffe4cd478558d0149d08985c66410
Opcode Fuzzy Hash: ca63c23946b59551808c2ed41c9c37c66fdc98cf6e1290c6b37f3c5997b2e07b
Instruction Fuzzy Hash: 49325D61B09A0685FAB59BA1D8742B932BDEF44B98F444035DA4E73792EF3CE861D301

Function 00007FF67CFC40E0 Relevance: 4.7, APIs: 3, Instructions: 208threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF67CFC41FD
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF67CFC4328
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF67CFC439E

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: b37a80acf4bc01ee0b7c53ce3a5b8644b15933e38540d10309bab3a19def6f90
Instruction ID: ef3fd58d6a99fd7b23e5dc2af765ee26be078dd370a9c66b4c93e4b40b14b55b
Opcode Fuzzy Hash: b37a80acf4bc01ee0b7c53ce3a5b8644b15933e38540d10309bab3a19def6f90
Instruction Fuzzy Hash: E0915823B297C286EB75AF25A4403796BA1FF95B84F188639DA9D83794DF3CE440D700

Function 00007FFD93754A10 Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93754DBD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93754E0B

Part of subcall function 00007FFD9375F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFD93749A2E), ref: 00007FFD9375F728

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID:
API String ID: 3063020102-0
Opcode ID: 9ca4dc071eb19751b6358c9b2cf898d5059c564fb8bdd1c327911aa1a6c5f0b9
Instruction ID: 17b3579079d4a2ce84fc67e41efaadba18a3cccdafed689f49c34780b9f90340
Opcode Fuzzy Hash: 9ca4dc071eb19751b6358c9b2cf898d5059c564fb8bdd1c327911aa1a6c5f0b9
Instruction Fuzzy Hash: F0D16022B09B859AFB24CFE5D4602AD7376EB48B98F444532DE5D27B98DF38E446C340

Function 00007FFD93754E50 Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD937551FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9375524B

Part of subcall function 00007FFD9375F6C4: memcpy.VCRUNTIME140_APP(?,?,?,?,?,00007FFD93749A2E), ref: 00007FFD9375F728

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID:
API String ID: 3063020102-0
Opcode ID: 79d540ea51c9c8684db26c2c73061a7d9b057795865d6f807bc3eefad819df45
Instruction ID: 691d87fccecc5e2f6319d58ed1641794ef1bba7873cd71dcbb9959c8cbcf49c7
Opcode Fuzzy Hash: 79d540ea51c9c8684db26c2c73061a7d9b057795865d6f807bc3eefad819df45
Instruction Fuzzy Hash: DED16E22B09B459AFB24CFE5D4642AD7376EB48B98F444132DE4E27B99DF38E446C340

Function 00007FFD93746B3C Relevance: 3.3, APIs: 2, Instructions: 254COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140_APP ref: 00007FFD93746BC1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93746C8D

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: f488e61922aef436b5504598907c68809d2f9e99bad861a33ddb3e8b3e903fc0
Instruction ID: ea18a69dfd310a3034798af7304e7b1d5d7f33bb24c30352737b0f198be24067
Opcode Fuzzy Hash: f488e61922aef436b5504598907c68809d2f9e99bad861a33ddb3e8b3e903fc0
Instruction Fuzzy Hash: 7FA1AF62B0869286FB208BE6D4646BD37BABF55B98F548035DE4D37B94DF38E481C300

Function 00007FFD937467BC Relevance: 3.3, APIs: 2, Instructions: 254COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140_APP ref: 00007FFD93746841
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9374690D

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: c071987ddd9203034660ba9ef37eb721160e54cc667c50a7604a29b6ba024e6c
Instruction ID: 30b287ce87a0f82ce1e8e0755d7eea502fc69d4cf634272b3c2ac442b35ee277
Opcode Fuzzy Hash: c071987ddd9203034660ba9ef37eb721160e54cc667c50a7604a29b6ba024e6c
Instruction Fuzzy Hash: 75A1B162F0879286FB208BE595646BD37BABB51B98F558035DE4D27B94CF3CE481C300

Function 00007FFD93746464 Relevance: 3.2, APIs: 2, Instructions: 250COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140_APP ref: 00007FFD937464E2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD937465A6

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: bb337b9f9481757840d770474c2193e23b0367878493d4b4d325679eebeba086
Instruction ID: a3f81ed330ab2a63c767fe1f2d46941e4decfb9b3332e6a0d20af2ce33f739a8
Opcode Fuzzy Hash: bb337b9f9481757840d770474c2193e23b0367878493d4b4d325679eebeba086
Instruction Fuzzy Hash: 22A1AF62B086928AFB25CFA595643BD3BBBAB05B98F144035CE8E27795CF3CE441C300

Function 00007FFD9373B2C8 Relevance: 3.2, APIs: 2, Instructions: 248COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140_APP ref: 00007FFD9373B346
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373B40A

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemset
String ID:
API String ID: 1654775311-0
Opcode ID: 00d1b1d28c26761a56a170c2d61dfcc133020e5adfdd53a827a558dcc67b8241
Instruction ID: aa92074034ab2d6da747fe4d9093cac44fc4196215e4b18c0f629b667081497e
Opcode Fuzzy Hash: 00d1b1d28c26761a56a170c2d61dfcc133020e5adfdd53a827a558dcc67b8241
Instruction Fuzzy Hash: 72A1A262B096918AFB29CFE5A4602BD3BBAAF45B94F244035DE9E27795CF3CD445C300

Function 00007FFD9373A690 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD93739DEC: memcpy.VCRUNTIME140_APP ref: 00007FFD93739E3A

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFD9373A775
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373A7DF

Part of subcall function 00007FFD93739B28: memcpy.VCRUNTIME140_APP ref: 00007FFD93739C07

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$DiskFreeSpace_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3001910822-0
Opcode ID: f83b6692a73cea2080cbce9cadfd327f0b4a4e597a4eabc9e5dd105b028ec53d
Instruction ID: d30390189ad488be1d7e9e83006f7972aa0f9a87530c4efe800ef8b3271ee7f3
Opcode Fuzzy Hash: f83b6692a73cea2080cbce9cadfd327f0b4a4e597a4eabc9e5dd105b028ec53d
Instruction Fuzzy Hash: 6C414C32B14B4198EB10CFA1D8916EC37B9BB48BA8F545625CE5D23B98DF38D085C340

Function 00007FFD9375FAE0 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9375FAE9
GetLocaleInfoEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFD9375FB02

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: InfoLocale___lc_locale_name_func
String ID:
API String ID: 3366915261-0
Opcode ID: 3aefda838095f36d881641da190c0c7e9a60875fb69119685df66e715777b3d5
Instruction ID: aca80cee98f578c2c83d5dd2c8fc0a03060b51526a42aeb5092436838d0ec42a
Opcode Fuzzy Hash: 3aefda838095f36d881641da190c0c7e9a60875fb69119685df66e715777b3d5
Instruction Fuzzy Hash: 66F05E32F6C346C2E3784AE9C8747393264EB44716F800A31D10F526D0CA6DD5478B01

Function 00007FF67CFC6840 Relevance: 2.5, APIs: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67CFC6CB0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC6878,?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6CE7
Part of subcall function 00007FF67CFC6CB0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC6878,?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6CF5
Part of subcall function 00007FF67CFC6CB0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC6878,?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6D13
Part of subcall function 00007FF67CFC6CB0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC6878,?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6D21

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6878
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6886

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a68e7e4fe1941a500d191343365a08a660e1818aa2e30098428ebe8c5584bd35
Instruction ID: c5c418b5d7a1ab521c292d901c95ab13fe346e8efda9161508a282ae702cce69
Opcode Fuzzy Hash: a68e7e4fe1941a500d191343365a08a660e1818aa2e30098428ebe8c5584bd35
Instruction Fuzzy Hash: 16F06D23F29A9182EB649F12E580269A370FF44F90F084131DF8A57B99CE3CE4528700

Function 00007FFD9375BA60 Relevance: .8, Instructions: 774COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20a8d291a807d67d3ebe4593626ecfcd307b17876e71668de1d50c8bdd57507
Instruction ID: 18c70b02fc7139da04f9a54cc6afa6ad4c6547df605c682b5a95eb6b16453d18
Opcode Fuzzy Hash: c20a8d291a807d67d3ebe4593626ecfcd307b17876e71668de1d50c8bdd57507
Instruction Fuzzy Hash: 4672F666B08B8686EB688F96D5A037937A5FB44F88F548131DE4D277A1CF3DD892C300

Function 00007FFD9375AFD0 Relevance: .8, Instructions: 774COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df20000e928d061a69dc3360d5981c551a07d285a3d79d4502343c2dcc2793e1
Instruction ID: 468a3472bbd5a227c9fde7cb6acafddb808c017297b9ce5612c998e9ecc0f82f
Opcode Fuzzy Hash: df20000e928d061a69dc3360d5981c551a07d285a3d79d4502343c2dcc2793e1
Instruction Fuzzy Hash: 29722826B09B8586EB688F96D5A027D73A4FB44F88F548432DE4D277A1CF3DE852C310

Function 00007FFD937669A0 Relevance: .7, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd043e71901fc21d66483f827b5135cf1f195ccc252076dba90067cad4e0e69
Instruction ID: fb4d08bd29527e0c552bdc60db95b2c0901497791e05478e3b204c944bfb54c8
Opcode Fuzzy Hash: 5fd043e71901fc21d66483f827b5135cf1f195ccc252076dba90067cad4e0e69
Instruction Fuzzy Hash: 4E724972B08A8596EB258F5AD5B027C37A8FB44F88F548132DA5D277A1DF3DE4A1C301

Function 00007FFD93751120 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e156633b7f18a88654c026383be2ae0ceb209a8ba85a82a8b42f20027217c75e
Instruction ID: 830f6768ac882c089ab42d2a9b29c03a9746de582c5553152d5593e344293709
Opcode Fuzzy Hash: e156633b7f18a88654c026383be2ae0ceb209a8ba85a82a8b42f20027217c75e
Instruction Fuzzy Hash: 4F022A26B09B4689EF658FA9C46037C37A5EB44F8AF559031CA0E67795CF3DD886C310

Function 00007FFD93763300 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db00362e69b124af2a9ba7d26aeb2bcb1db837013d4a32a9d6dd9abda21b49d
Instruction ID: 472af44cdd6e60315fe108e9f0f18816195988c4bfd9439533213455a211d52f
Opcode Fuzzy Hash: 3db00362e69b124af2a9ba7d26aeb2bcb1db837013d4a32a9d6dd9abda21b49d
Instruction Fuzzy Hash: 10026E22B09A4989FB618F6AC4B037C37A5AB44F9CF549031CA1E277A5CF3DD856C721

Function 00007FFD9373FA60 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _lock_locales
String ID:
API String ID: 3756862740-0
Opcode ID: 9c6f57f6fe4f8df524f15fd5fdb067607200c0e3db0c4d161015478e316bba9a
Instruction ID: 25981cec30ddf18231ea2c31658d34d7c75872b4331f74ae280647597c09f4a7
Opcode Fuzzy Hash: 9c6f57f6fe4f8df524f15fd5fdb067607200c0e3db0c4d161015478e316bba9a
Instruction Fuzzy Hash: 3DE16D61B0AA0285EA7A9BA5E8702F932BCFF547D4F544535EA4D733A6DF3CE8418300

Function 00007FFD93742430 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98c1b88eb9c640e9ce4bb8c213d6810a72f27032ed787440f2bc18eff2a669a
Instruction ID: 709f55df09a9ff9dcea92a0c40cfff82395e49f590f9d1670445fef85f407c79
Opcode Fuzzy Hash: a98c1b88eb9c640e9ce4bb8c213d6810a72f27032ed787440f2bc18eff2a669a
Instruction Fuzzy Hash: 2D61E3B2B15B0482EF20CF9AE468769B25AFB88BC4F158536DE4D57B54EE3CE560C700

Function 00007FFDA46D8918 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 354COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D8E23
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D8E5B
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D8E95

Strings

signed , xrefs: 00007FFDA46D8DF0
char, xrefs: 00007FFDA46D89EB
UNKNOWN, xrefs: 00007FFDA46D8D76
auto, xrefs: 00007FFDA46D8C2B
__int64, xrefs: 00007FFDA46D8BBB
long, xrefs: 00007FFDA46D89B5
wchar_t, xrefs: 00007FFDA46D8D8E
unsigned , xrefs: 00007FFDA46D8DE0
__int8, xrefs: 00007FFDA46D8B24
char8_t, xrefs: 00007FFDA46D8C19
<unknown>, xrefs: 00007FFDA46D8C0A
float, xrefs: 00007FFDA46D8A6D
volatile, xrefs: 00007FFDA46D8D11
__w64 , xrefs: 00007FFDA46D8B30
void, xrefs: 00007FFDA46D8A7F
__int32, xrefs: 00007FFDA46D8BCA
const, xrefs: 00007FFDA46D8CC9
__int16, xrefs: 00007FFDA46D8B12
char32_t, xrefs: 00007FFDA46D8D9D
long , xrefs: 00007FFDA46D8A2A
volatile, xrefs: 00007FFDA46D8CE4
short, xrefs: 00007FFDA46D89D9
__int128, xrefs: 00007FFDA46D8BAC
decltype(auto), xrefs: 00007FFDA46D8DAC
int, xrefs: 00007FFDA46D89C7
bool, xrefs: 00007FFDA46D8D42
char16_t, xrefs: 00007FFDA46D8D51
double, xrefs: 00007FFDA46D8A41

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 37cd17523382c81690176946402e2147554894c591ccd7ecb33aaa85e6f6bad3
Instruction ID: 691a39928b21cbfddefda13151ac36da60d01bc8dba0e5ccc1b53c2febe81689
Opcode Fuzzy Hash: 37cd17523382c81690176946402e2147554894c591ccd7ecb33aaa85e6f6bad3
Instruction Fuzzy Hash: 59F15E63F0AA1285FB148B64D4E82FC27B1BB16744F4C6536CA1E16BBADF6CA504C748

Function 00007FF67CFC3AE0 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 170windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF67CFC3C0B
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF67CFC3C8C

Strings

Msg:[%ws] , xrefs: 00007FF67CFC3CF1
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF67CFC3CAE
, xrefs: 00007FF67CFC3CD6
(caller: %p) , xrefs: 00007FF67CFC3C77
[%hs], xrefs: 00007FF67CFC3D4C
Exception, xrefs: 00007FF67CFC3BAA
%hs(%u)\%hs!%p: , xrefs: 00007FF67CFC3C40
[%hs(%hs)], xrefs: 00007FF67CFC3D33
ReturnNt, xrefs: 00007FF67CFC3B9D
LogNt, xrefs: 00007FF67CFC3B85
ReturnHr, xrefs: 00007FF67CFC3B96
CallContext:[%hs] , xrefs: 00007FF67CFC3D0C
LogHr, xrefs: 00007FF67CFC3B7E
%hs!%p: , xrefs: 00007FF67CFC3C59
FailFast, xrefs: 00007FF67CFC3B71

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$LogNt$Msg:[%ws] $ReturnHr$ReturnNt$[%hs(%hs)]$[%hs]
API String ID: 2411632146-1363043106
Opcode ID: 5c63f51611423cf63e7b47493f3111f8813da6670d8a67703035579ad02dc22e
Instruction ID: bfa86dc0fc40619eac234348527e5ecb783a789c7a2179b34848af5f3ba777cb
Opcode Fuzzy Hash: 5c63f51611423cf63e7b47493f3111f8813da6670d8a67703035579ad02dc22e
Instruction Fuzzy Hash: 37716A23B296C281EB78DB55A5446B967A0FF48BC8F444636ED4D87798DF3CE548C340

Function 00007FFDA46DC0EC Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 289COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC17D
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC1B6
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC28A
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC29B
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC303
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC313
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC35F
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC371
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC4E3

Part of subcall function 00007FFDA46DE098: Replicator::operator[].LIBVCRUNTIME ref: 00007FFDA46DE0F2

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC565
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC574

Strings

`anonymous namespace', xrefs: 00007FFDA46DC443

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: 180c6269b417ee698a575686cc6b4d1958a01edd13727ba1ef1c9a4d3a0f115e
Instruction ID: 6ca2e6f20cbfb5849906fd785183dc836bff57e8f2436dc120f92e943b60e184
Opcode Fuzzy Hash: 180c6269b417ee698a575686cc6b4d1958a01edd13727ba1ef1c9a4d3a0f115e
Instruction Fuzzy Hash: 81E17B73A0AB8689EB10CF24D4E01ED77A0FB8A784F886131EA4D17B6ADF38D515C704

Function 00007FFDA46DCF40 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DD2F6
atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFDA46D8568), ref: 00007FFDA46DD3A7
DName::DName.LIBVCRUNTIME ref: 00007FFDA46DD3E6
swprintf_s.PGOCR ref: 00007FFDA46DD406
DName::DName.LIBVCRUNTIME ref: 00007FFDA46DD416
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DD466

Strings

`generic-class-parameter-, xrefs: 00007FFDA46DD477
NULL, xrefs: 00007FFDA46DD00A
nullptr, xrefs: 00007FFDA46DD12D
lambda, xrefs: 00007FFDA46DD308
`template-type-parameter-, xrefs: 00007FFDA46DD487
`generic-method-parameter-, xrefs: 00007FFDA46DD433

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::Name::operator+$atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 1620834350-2441609178
Opcode ID: a29e71e536bdf6e447e3ff857d12b2a59669ef8e6c250949fd0826cea6345cbe
Instruction ID: 45865b67e3069a0e821606b315eb0300e3104dda29c83f130ff98e2a9deaf396
Opcode Fuzzy Hash: a29e71e536bdf6e447e3ff857d12b2a59669ef8e6c250949fd0826cea6345cbe
Instruction Fuzzy Hash: B8F18973F0AA0294FB14AB64C9F51FD27A1AF47344F4D2136CA0E16BBBCE3CA5458248

Function 00007FFDA46DA558 Relevance: 22.9, APIs: 15, Instructions: 355COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DA5A9
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DA672
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DA6BB
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DA6CC

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 79b7bf95ee04f70869f45912711fcc0273f108ef1dfd3bc8f68c2be49afff2d4
Instruction ID: 000186247386d6015a17b9ecaa5e754fbb172ffba8d367da9dcf7e3d39ae84c4
Opcode Fuzzy Hash: 79b7bf95ee04f70869f45912711fcc0273f108ef1dfd3bc8f68c2be49afff2d4
Instruction Fuzzy Hash: F0F16A77F0AA8299EB10DF64D4A01EC37B1EB0634CB486135EA4D57BAADF78D509C348

Function 00007FFD93732740 Relevance: 18.2, APIs: 12, Instructions: 240COMMON

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93732786
__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD937327AB
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFD937327EB
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFD9373288E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD937328F5
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFD93732930
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93732952
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFD9373297B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD937329DB
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFD93732A13
CompareStringEx.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFD93732A46
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93732A73

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
String ID:
API String ID: 3420081407-0
Opcode ID: 8b6a2b54a2774314e61cfe64b8eab3a827394a4d764bd27520b14f448ccade5b
Instruction ID: 6a68e3027d364dfcce7ce0206048ab80710beefbc1221c1cb7d0407b49fdd0e0
Opcode Fuzzy Hash: 8b6a2b54a2774314e61cfe64b8eab3a827394a4d764bd27520b14f448ccade5b
Instruction Fuzzy Hash: EAA1D362B0878646FB388BA5E4A03B976A9FF44BE4F684231DE5D267C4DF7CE4458300

Function 00007FFDA46D2CF4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFDA46D2D51

Part of subcall function 00007FFDA46D5050: __GetUnwindTryBlock.LIBCMT ref: 00007FFDA46D5093
Part of subcall function 00007FFDA46D5050: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFDA46D50B8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA46D2E29
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D2E36
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFDA46D3080
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D30AE

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D3174
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA46D31A9

Strings

csm, xrefs: 00007FFDA46D2DD2
csm, xrefs: 00007FFDA46D2E4E
csm, xrefs: 00007FFDA46D2D6B

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: edc5f55d8364ed346ae9e81db86cccb1f66bda3bd14ed8078bac2ea6355eac48
Instruction ID: 2931a4831f15f19033d8a373c7943255ea9652d37190fcd8ac4ec9a5bab638a7
Opcode Fuzzy Hash: edc5f55d8364ed346ae9e81db86cccb1f66bda3bd14ed8078bac2ea6355eac48
Instruction Fuzzy Hash: 1DE17D73B09B4286EB609B65D4903ED77A0FB4AB98F182135EA4D57B66CF38E481C704

Function 00007FFDA46DE098 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFDA46DE0F2

Strings

generic-type-, xrefs: 00007FFDA46DE1A6
template-parameter-, xrefs: 00007FFDA46DE15F
`template-parameter-, xrefs: 00007FFDA46DE192
`generic-type-, xrefs: 00007FFDA46DE1D9

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: 068e360b79be31260e9f0f338d3f50443f14e550a52f9abb55243442d8c120c9
Instruction ID: c0c29001c7f6ed7dd236fb76e679e25166b6e24130c3b57dd5e348d689a86020
Opcode Fuzzy Hash: 068e360b79be31260e9f0f338d3f50443f14e550a52f9abb55243442d8c120c9
Instruction Fuzzy Hash: 87914933B0AE4689EB508F25D4E12F937A1AB4A748F8C6132DA4D437A6DF3CE545C748

Function 00007FFD93747038 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9374B06E), ref: 00007FFD93747083
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9374B06E), ref: 00007FFD937470A3
_Maklocstr.LIBCPMT ref: 00007FFD937470BD
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9374B06E), ref: 00007FFD937470C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9374B06E), ref: 00007FFD937470E6
_Maklocstr.LIBCPMT ref: 00007FFD93747100
_Maklocstr.LIBCPMT ref: 00007FFD93747115

Part of subcall function 00007FFD93734D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D32
Part of subcall function 00007FFD93734D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D58
Part of subcall function 00007FFD93734D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D70

Strings

:AM:am:PM:pm, xrefs: 00007FFD9374710E
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD937470F0
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD937470AD

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2460671452-35662545
Opcode ID: 68a3b1b276eb7da605c86357e63600b8dc1e5b54f3908e2d283bd71975fe3a53
Instruction ID: 640c04bad91da8242ad5b3f3d557d0e380e70fb1327932ee8ee77caa960fc271
Opcode Fuzzy Hash: 68a3b1b276eb7da605c86357e63600b8dc1e5b54f3908e2d283bd71975fe3a53
Instruction Fuzzy Hash: 72319122B04B8686EB20DFA1E8542B933BAFB88F84F498131DA4D63755DF3CE185C300

Function 00007FFD93732B70 Relevance: 16.7, APIs: 11, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93732BB7
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFD93732BE3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93732C53
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFD93732C8C
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFD93732CC3
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFD93732D1C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93732D82
LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFD93732DCA
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFD93732E0C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93732E20
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93732E3D

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ByteCharMultiStringWide$freemalloc$__strncnt
String ID:
API String ID: 1733283546-0
Opcode ID: 7481873b54e877f7fc9af2c00e2f3984987d914e500c084b73b5f1e45f384833
Instruction ID: 829f47fb8742e7fff0dcdf6a9797819dfc0e251273ffd497a2daec0eb2d67c4e
Opcode Fuzzy Hash: 7481873b54e877f7fc9af2c00e2f3984987d914e500c084b73b5f1e45f384833
Instruction Fuzzy Hash: 9B818032B1974186EB348FA1E4A437972A9FB48BE9F244235EA5E27BD4DF3CD4458700

Function 00007FFD93769DE0 Relevance: 16.7, APIs: 11, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376A764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A78A
Part of subcall function 00007FFD9376A764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A7F4

_Stoflt.LIBCPMT ref: 00007FFD93769E64
_FXp_setw.LIBCPMT ref: 00007FFD93769E7E
_FXp_setw.LIBCPMT ref: 00007FFD93769E91
_FXp_setn.LIBCPMT ref: 00007FFD93769ED5
_FXp_addx.LIBCPMT ref: 00007FFD93769EE7
_FXp_setw.LIBCPMT ref: 00007FFD93769F3E
_FXp_setw.LIBCPMT ref: 00007FFD93769F51
_FXp_setn.LIBCPMT ref: 00007FFD93769E9C

Part of subcall function 00007FFD93761384: _FXp_setw.LIBCPMT ref: 00007FFD937613BD

_FXp_setn.LIBCPMT ref: 00007FFD93769F5C
_FXp_setn.LIBCPMT ref: 00007FFD93769F95
_FXp_addx.LIBCPMT ref: 00007FFD93769FA7

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 3166507417-0
Opcode ID: a2a4b0507d6de304d91fa30e7ec2a10c1d98e7d84d314cc1b7b0df0453b4069f
Instruction ID: cbaab2215a49eba4219a7401a23f39d675a52bdf393cc0f84f92073d203eb9ec
Opcode Fuzzy Hash: a2a4b0507d6de304d91fa30e7ec2a10c1d98e7d84d314cc1b7b0df0453b4069f
Instruction Fuzzy Hash: 05619122F085429AFB20DBE2C4B06FD3729AB5974CF514136DE0D73A89DE38A95AC301

Function 00007FFD9377A100 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9377A30E
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD9377A31F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9377A362
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD9377A373
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9377A3ED
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD9377A3FE

Strings

ios_base::badbit set, xrefs: 00007FFD9377A2D6, 00007FFD9377A32A, 00007FFD9377A380, 00007FFD9377A3B4, 00007FFD9377A410
ios_base::eofbit set, xrefs: 00007FFD9377A2E9, 00007FFD9377A33D, 00007FFD9377A3C8
ios_base::failbit set, xrefs: 00007FFD9377A2E2, 00007FFD9377A336, 00007FFD9377A3C1

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: a6b4dea8a168317dac851dd429efa45bd2771e1e18792c249c39bd327d446b57
Instruction ID: 1688dc02b0bbca1cdefbee0c05a334ac398cb0d6b56be6a5c8a77f625cd555d5
Opcode Fuzzy Hash: a6b4dea8a168317dac851dd429efa45bd2771e1e18792c249c39bd327d446b57
Instruction Fuzzy Hash: BC91CD22B08A4692FB74CF89E4A13B93764FB84B85F548036CA4E277A5DF7DD446C301

Function 00007FFDA46D9E5C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D9EB8
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D9FE6

Strings

struct , xrefs: 00007FFDA46DA00A
`unknown ecsu', xrefs: 00007FFDA46D9E84
coclass , xrefs: 00007FFDA46D9F9F
union , xrefs: 00007FFDA46DA013
cointerface , xrefs: 00007FFDA46D9F8D
enum , xrefs: 00007FFDA46D9FA8
class , xrefs: 00007FFDA46D9FFB

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: 2a39ff73fab8a5f8cf54c613ca86ba6d613e7bbbceaec38d40d1587625a9a752
Instruction ID: a622a1406a7b7acb868e190e2688a85c57d4a03734c07c3128958ae2d328e557
Opcode Fuzzy Hash: 2a39ff73fab8a5f8cf54c613ca86ba6d613e7bbbceaec38d40d1587625a9a752
Instruction Fuzzy Hash: 01515C72F1AA1288FB14CB64E8E05FD27B1BB06388F586135DA0D57BA6DF78E5058704

Function 00007FFD9376BE90 Relevance: 15.2, APIs: 10, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376C618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C63E
Part of subcall function 00007FFD9376C618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C6B6

_FXp_setw.LIBCPMT ref: 00007FFD9376BF2E
_FXp_setw.LIBCPMT ref: 00007FFD9376BF41
_FXp_setn.LIBCPMT ref: 00007FFD9376BF85
_FXp_addx.LIBCPMT ref: 00007FFD9376BF97
_FXp_setw.LIBCPMT ref: 00007FFD9376BFEE
_FXp_setw.LIBCPMT ref: 00007FFD9376C001
_FXp_setn.LIBCPMT ref: 00007FFD9376BF4C

Part of subcall function 00007FFD93761384: _FXp_setw.LIBCPMT ref: 00007FFD937613BD

_FXp_setn.LIBCPMT ref: 00007FFD9376C00C
_FXp_setn.LIBCPMT ref: 00007FFD9376C045
_FXp_addx.LIBCPMT ref: 00007FFD9376C057

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3781602613-0
Opcode ID: b37f4c65fcaae6089a39f6864dfb20dfbddd16cc03fc4d6b826aaf6d26e5b500
Instruction ID: 93c5028cf2541a70fe5b54697be0007d4eba1944b7c74507bf445cda9c078609
Opcode Fuzzy Hash: b37f4c65fcaae6089a39f6864dfb20dfbddd16cc03fc4d6b826aaf6d26e5b500
Instruction Fuzzy Hash: 2961B226F089469AF720DFE2C4B02FD3729AB5874CF504136DE0D73A99DE39E55A8701

Function 00007FFDA46D85D8 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D86A2
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D86B2
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D86FE
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D870E
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D871E
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D8791
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D87A2
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D87B4
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D87E0
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D87EF

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: dffebbea1b9ec54e41ee59c5f9df16e35c1e11239b438fd42c02bfbe0f2f9bce
Instruction ID: 5e8f2456f0d5d83d4be69dc71d68560392ace17159b224311672a1a6bdbef716
Opcode Fuzzy Hash: dffebbea1b9ec54e41ee59c5f9df16e35c1e11239b438fd42c02bfbe0f2f9bce
Instruction Fuzzy Hash: D7617B63F05B5298FB00CBA1D8A41EC27B2BB45788F486436DE1D2BBAADF78D545C344

Function 00007FFDA46D31C0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA46D335E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D336B

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D3619
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D3664
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA46D3699

Strings

csm, xrefs: 00007FFDA46D3387
csm, xrefs: 00007FFDA46D32A5
csm, xrefs: 00007FFDA46D3307

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 85374f18d14079de111c801c7233a0368ceba0e7784a87de6593dae95347d848
Instruction ID: 74fbbcd3d95a6fad6fc3e3615a99d8becc8d2c92ac7a65df53df2f30d8f9c380
Opcode Fuzzy Hash: 85374f18d14079de111c801c7233a0368ceba0e7784a87de6593dae95347d848
Instruction Fuzzy Hash: 75E18F73B0AA818AE7109F28D4E03ED77A0FB46788F196135DA8D47B66CF38E585C744

Function 00007FFD9376AB10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376AB4D
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376ABEB
memchr.VCRUNTIME140_APP ref: 00007FFD9376ABFD
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376AC38
memchr.VCRUNTIME140_APP ref: 00007FFD9376AC46
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9376ACC6

Strings

0, xrefs: 00007FFD9376AB88
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFD9376ABF4, 00007FFD9376AC07

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-2692187688
Opcode ID: 28ebbe5085ce22d7c59ed57fe41f67953adc3779f489bac788e36eaca0986cc2
Instruction ID: b34c75b74b425e75be75985f24f0dfa966e4864e71798a10ad35a8657bd9e624
Opcode Fuzzy Hash: 28ebbe5085ce22d7c59ed57fe41f67953adc3779f489bac788e36eaca0986cc2
Instruction Fuzzy Hash: 1C510852B0C7C646EBB18BA8947037977E9AF45798F484034CD9E267D5DE3CE8528B03

Function 00007FFDA46DBB38 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DBCEC

Part of subcall function 00007FFDA46D8918: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D8E23
Part of subcall function 00007FFDA46D8918: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D8E5B

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DBC9E

Strings

std::nullptr_t , xrefs: 00007FFDA46DBC2A
void, xrefs: 00007FFDA46DBB82
cli::pin_ptr<, xrefs: 00007FFDA46DBCB5
cli::array<, xrefs: 00007FFDA46DBC6B
void , xrefs: 00007FFDA46DBBAA
std::nullptr_t, xrefs: 00007FFDA46DBC17

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e0836a3629a813ef90ef895af03e740072fc2db4661fc217a7dce682d3bfee39
Instruction ID: 6d71782eabd7fcfb2adfbd16260f7a09fed6bc0c0a21cb64567b7581efecfc2c
Opcode Fuzzy Hash: e0836a3629a813ef90ef895af03e740072fc2db4661fc217a7dce682d3bfee39
Instruction Fuzzy Hash: B0515CA2F0AB5588FB11CB61D8A12FD37B0BB0AB45F486135DA4D127AADF7C9144C708

Function 00007FFD93736BD0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD93736C24
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,00007FFD93736650,?,?,?,00007FFD9373838D), ref: 00007FFD93736C35
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD93736C62
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD93736CA5
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD93736CB6

Strings

ios_base::badbit set, xrefs: 00007FFD93736BEC, 00007FFD93736C40, 00007FFD93736C6D
ios_base::eofbit set, xrefs: 00007FFD93736BFF, 00007FFD93736C80
ios_base::failbit set, xrefs: 00007FFD93736BD0, 00007FFD93736BF8, 00007FFD93736C79

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1099746521-1866435925
Opcode ID: a6bf273394677bb2e99abd8e534fce184576f9646bbe71793b055ca8774240fa
Instruction ID: 6658b054e396b8cbeb10b19ed391b4c8978e1b56f30df98a06f185943a871543
Opcode Fuzzy Hash: a6bf273394677bb2e99abd8e534fce184576f9646bbe71793b055ca8774240fa
Instruction Fuzzy Hash: 9C212762B19546A6FA3CCB84E8E22F93369EF50344FA84035D50E165A6EF3CE549C700

Function 00007FFD93779E80 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9377A08E
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD9377A09F
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9377A0E2
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD9377A0F3

Strings

ios_base::badbit set, xrefs: 00007FFD9377A056, 00007FFD9377A0AA
ios_base::eofbit set, xrefs: 00007FFD9377A069, 00007FFD9377A0BD
ios_base::failbit set, xrefs: 00007FFD9377A062, 00007FFD9377A0B6

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 9cb79d3691d168e0564d9f4c501592dad693ea5c078e9f50b8527a96bed53c60
Instruction ID: 21a7f6a3d44702e8aae35d12c4615ca74cbda6985dea4158ec5cac9a29b4b6f8
Opcode Fuzzy Hash: 9cb79d3691d168e0564d9f4c501592dad693ea5c078e9f50b8527a96bed53c60
Instruction Fuzzy Hash: 9D61BE22709A4A86EB74CF89E4A13B93765FB80F85F548036CA4E677A5DF7DD446C300

Function 00007FFD93744BB0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166fileCOMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD93744C54
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD93744C65
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD93744D41
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD93744DCD

Strings

ios_base::badbit set, xrefs: 00007FFD93744C1D
ios_base::eofbit set, xrefs: 00007FFD93744C2F
ios_base::failbit set, xrefs: 00007FFD93744C28

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1428583292-1866435925
Opcode ID: a7380e94e6d0c0f3b865c1dec62774918b944c1c4d491e2328d2bb9d19e9cd10
Instruction ID: 8fb7029934a0935124544151c875170f5df5572e6d9ac20e09aa351da1731e7c
Opcode Fuzzy Hash: a7380e94e6d0c0f3b865c1dec62774918b944c1c4d491e2328d2bb9d19e9cd10
Instruction Fuzzy Hash: 4761BD32708A8295EB20CFA5E4A42BE33A9FB04B88F954032EB4D67794DF38E555C700

Function 00007FFDA46D5F4A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D6430: RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDA46D6474
Part of subcall function 00007FFDA46D6430: RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDA46D64BA

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDA46D5FE7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFDA46D6043

Strings

Access violation - no RTTI data!, xrefs: 00007FFDA46D5F4A, 00007FFDA46D616B
Attempted a typeid of nullptr pointer!, xrefs: 00007FFDA46D6125
Bad dynamic_cast!, xrefs: 00007FFDA46D60B2
Bad read pointer - no RTTI data!, xrefs: 00007FFDA46D6148

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 6b9ef99d590b32f0c659d059e5f7edc288c3d0282fa246750663d343d086c454
Instruction ID: 61d3c4f673a865225e0d08a14a3d30bc9f90b9f11231a5b280a02d4729c538d7
Opcode Fuzzy Hash: 6b9ef99d590b32f0c659d059e5f7edc288c3d0282fa246750663d343d086c454
Instruction Fuzzy Hash: 20518F63B1AE4696DE20DB60E8E16F963A0FB46B84F486131DA4D07B76DE3CE505C704

Function 00007FFD93779C20 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD93779E13
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD9376CB58), ref: 00007FFD93779E24
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD93779E67
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD9376CB58), ref: 00007FFD93779E78

Strings

ios_base::badbit set, xrefs: 00007FFD93779DDB, 00007FFD93779E2F
ios_base::eofbit set, xrefs: 00007FFD93779DEE, 00007FFD93779E42
ios_base::failbit set, xrefs: 00007FFD93779DE7, 00007FFD93779E3B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 36d0e9059c3f7a5d91012be966453ad462b8d1acf47367d5311b1a054c73d7d8
Instruction ID: 65bb21cbaf5674790ae62eb2865969d2d31a2652c511fcec95d51f03dde50caa
Opcode Fuzzy Hash: 36d0e9059c3f7a5d91012be966453ad462b8d1acf47367d5311b1a054c73d7d8
Instruction Fuzzy Hash: B961E022B09A4585EB34CF99E4A03B93765FB81F89F548036CA4E273A5CFBCD446C300

Function 00007FFD9376A900 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376A94A
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376A9DC
memchr.VCRUNTIME140_APP ref: 00007FFD9376A9EE
tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9376AA23
memchr.VCRUNTIME140_APP ref: 00007FFD9376AA31
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9376AAAF

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FFD9376A9E5, 00007FFD9376A9FB

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memchrtolower$_errnoisspace
String ID: 0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3508154992-4256519037
Opcode ID: c43dd37b695d77a9b309dd68fdeaa8cc30da9b2a4874080a3472f04000c7b43e
Instruction ID: 28a7fc63988e9bbdda94132365d759b9211bb1b838b1bb0dba8850e0602991ca
Opcode Fuzzy Hash: c43dd37b695d77a9b309dd68fdeaa8cc30da9b2a4874080a3472f04000c7b43e
Instruction Fuzzy Hash: 74512B52B0C7C646F7B14EA499B03797698BF85B98F194031CD8E62794DE3CE812C703

Function 00007FFD9373B0F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9373B181
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD9373B192
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD9373B287
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD9373B298

Strings

ios_base::badbit set, xrefs: 00007FFD9373B14A, 00007FFD9373B250
ios_base::eofbit set, xrefs: 00007FFD9373B15C, 00007FFD9373B262
ios_base::failbit set, xrefs: 00007FFD9373B155, 00007FFD9373B25B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: 4b79d5893f130ff8fdc1ea0ab7b7df0118dd7d56f78d91c6625c63aa5aa301b0
Instruction ID: 430864fbebd1910729afbd7d7b0d9814e0c0dd7182585a53d71166fba39010e2
Opcode Fuzzy Hash: 4b79d5893f130ff8fdc1ea0ab7b7df0118dd7d56f78d91c6625c63aa5aa301b0
Instruction Fuzzy Hash: D3518E62B0894981EB24CF99E4E02A977A4FB84F89F644131EA1E977B5DF3CE945C340

Function 00007FF67CFC5204 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

__std_exception_copy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF67CFC505F,?,?,00000000,00007FF67CFC32B7), ref: 00007FF67CFC526A
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF67CFC505F,?,?,00000000,00007FF67CFC32B7), ref: 00007FF67CFC5286
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF67CFC505F,?,?,00000000,00007FF67CFC32B7), ref: 00007FF67CFC528C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF67CFC505F,?,?,00000000,00007FF67CFC32B7), ref: 00007FF67CFC5299
_CxxThrowException.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,00007FF67CFC505F,?,?,00000000,00007FF67CFC32B7), ref: 00007FF67CFC52D0

Strings

bad allocation, xrefs: 00007FF67CFC52AB
length, xrefs: 00007FF67CFC524F

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionHeapThrow$AllocProcess__std_exception_copy
String ID: bad allocation$length
API String ID: 1592919366-1253776366
Opcode ID: ad62b17777bdb2592f32d953bdb081b6088459a80fef08f55ac007a4efa72339
Instruction ID: 4ad45d6600ac39014c9990004a893d38150530789790cf5ee3d217bf2c5ee243
Opcode Fuzzy Hash: ad62b17777bdb2592f32d953bdb081b6088459a80fef08f55ac007a4efa72339
Instruction Fuzzy Hash: 72311A22F25B8289FB10DB65E8801A937B4FF58744B548636DA5C93765EF3CE196C340

Function 00007FFD93761CE4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD93761D2F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD93761D4F
_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD93761D72
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD93761D92

Part of subcall function 00007FFD93734D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D32
Part of subcall function 00007FFD93734D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D58
Part of subcall function 00007FFD93734D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D70

Strings

:AM:am:PM:pm, xrefs: 00007FFD93761DBA
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD93761D9C
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD93761D59

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1539549574-35662545
Opcode ID: 098d413dcb5924b6020e165d67e324c57de685152ce5448261965bf7dc3e88b3
Instruction ID: fd9ff26fc04ac78c00eeb1ca4eac18a7192c474c0ce3dbbac341fba0439ed6ba
Opcode Fuzzy Hash: 098d413dcb5924b6020e165d67e324c57de685152ce5448261965bf7dc3e88b3
Instruction Fuzzy Hash: 15316B22B04B8586EB24DF62E8642A977B9FB89F84F498531DA4D63756DF3CE181C340

Function 00007FFD93747140 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93747182
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD937471A2
_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD937471C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD937471E0

Part of subcall function 00007FFD93734D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DB9
Part of subcall function 00007FFD93734D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DE8
Part of subcall function 00007FFD93734D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DFF

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD937471AC
:AM:am:PM:pm, xrefs: 00007FFD937471FA
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFD937471EA

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1539549574-3743323925
Opcode ID: 23b0d397a768917b381d48ffc544097c40ac7a10155b45c2e50111aa9d8ed0a0
Instruction ID: 9edccca5dd1b27dc5d0346cf65fccb9876823b31d7dee696315ada73cbd0bd31
Opcode Fuzzy Hash: 23b0d397a768917b381d48ffc544097c40ac7a10155b45c2e50111aa9d8ed0a0
Instruction Fuzzy Hash: 1B212B22B08B4686EB24DF61E86426973B5FB89F94F884134DA4E63755EF3CE581C740

Function 00007FFDA46D27DC Relevance: 12.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D2896
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D28B5
__AdjustPointer.LIBCMT ref: 00007FFDA46D28F6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D2903
__AdjustPointer.LIBCMT ref: 00007FFDA46D293F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D2954
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D2999
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D29A0

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 74333b6a48d437a1e49e0d4a5d17a7efd967f5fe4f1c704e53a008d29b640736
Instruction ID: 4ca4653d3db9b9eeab1296222bbd3edbead8f3e94b007021381d32dd2b83a776
Opcode Fuzzy Hash: 74333b6a48d437a1e49e0d4a5d17a7efd967f5fe4f1c704e53a008d29b640736
Instruction Fuzzy Hash: 89518523F0BE4281FBA58B1294E46F96394EF4AB90F0D6435DA4D0A7BBDF2CD4458308

Function 00007FFDA46D25F8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D26B0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D26CE
__AdjustPointer.LIBCMT ref: 00007FFDA46D270F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D271C
__AdjustPointer.LIBCMT ref: 00007FFDA46D2758
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D276D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D27B2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D27B9

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 989c255742605067f4820ea93a2b17caff81b7e2dba0dcbb6734dfe784c1ce87
Instruction ID: f1e8b6f150fb0dd69874adae54c052ba36aad1c085e865cf1b766a60e5b312b7
Opcode Fuzzy Hash: 989c255742605067f4820ea93a2b17caff81b7e2dba0dcbb6734dfe784c1ce87
Instruction Fuzzy Hash: F8519233B0BF8282EBB59B1094E06F962A0AF46F94F0D6435DA4D067B7DE2CD481D358

Function 00007FF67CFC75C0 Relevance: 12.1, APIs: 8, Instructions: 100synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF67CFC863A), ref: 00007FF67CFC75E1

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: c270f8cfd8f0d8f66238c3edc3ee7643a8d2669a33f0277de5b9c3fb38bf199e
Instruction ID: ee4fe0692ecd14a131889353e53f30933245f2afeaff5317ff3683368d6660ca
Opcode Fuzzy Hash: c270f8cfd8f0d8f66238c3edc3ee7643a8d2669a33f0277de5b9c3fb38bf199e
Instruction Fuzzy Hash: 78414933B2C6C382F7708B29E81427A62A1AF84794F604732E95EC7AD5DF3CE4549A01

Function 00007FFDA46D678C Relevance: 12.1, APIs: 8, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDA46D65F9,?,?,?,?,00007FFDA46DF862,?,?,?,?,?), ref: 00007FFDA46D67AB
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDA46D65F9,?,?,?,?,00007FFDA46DF862,?,?,?,?,?), ref: 00007FFDA46D67B9
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDA46D65F9,?,?,?,?,00007FFDA46DF862,?,?,?,?,?), ref: 00007FFDA46D6838

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 73257c1383fe11a646b3e382a487d65d8038cd0931d20de145042498fb19a519
Instruction ID: ef54d092ab60cf712f9efa7401ee2cd91f461ece706ada2308a05a83dcc8bcc5
Opcode Fuzzy Hash: 73257c1383fe11a646b3e382a487d65d8038cd0931d20de145042498fb19a519
Instruction Fuzzy Hash: 1D215A31F0B65282FF508B25A9E51F522D1AF4ABA0F0C6634C96E033F6DE3CA485D714

Function 00007FFD9376A3E0 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376A764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A78A
Part of subcall function 00007FFD9376A764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A7F4

_Stoflt.LIBCPMT ref: 00007FFD9376A46B
_Xp_setn.LIBCPMT ref: 00007FFD9376A4A6
_Xp_setn.LIBCPMT ref: 00007FFD9376A4E1
_Xp_addx.LIBCPMT ref: 00007FFD9376A4F4
_Xp_setn.LIBCPMT ref: 00007FFD9376A572
_Xp_setn.LIBCPMT ref: 00007FFD9376A5AD
_Xp_addx.LIBCPMT ref: 00007FFD9376A5C1

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 3851c44bb3e18abf273238eade94902fa9b0e404bf02cb7abefa916df54b760b
Instruction ID: 3ab5bfb6457c0607c1c9e2e2dda520a6faab6be525fccf96d64dcd08b47a3dbe
Opcode Fuzzy Hash: 3851c44bb3e18abf273238eade94902fa9b0e404bf02cb7abefa916df54b760b
Instruction Fuzzy Hash: 1E61E862B1C64292E771DEA5E4B06BE7724FB8434CF504532EE4E73686DE3CD85A8702

Function 00007FFD93769B60 Relevance: 10.7, APIs: 7, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376A764: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A78A
Part of subcall function 00007FFD9376A764: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A7F4

_Stoflt.LIBCPMT ref: 00007FFD93769BEB
_Xp_setn.LIBCPMT ref: 00007FFD93769C26
_Xp_setn.LIBCPMT ref: 00007FFD93769C61
_Xp_addx.LIBCPMT ref: 00007FFD93769C74
_Xp_setn.LIBCPMT ref: 00007FFD93769CF2
_Xp_setn.LIBCPMT ref: 00007FFD93769D2D
_Xp_addx.LIBCPMT ref: 00007FFD93769D41

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
String ID:
API String ID: 578106097-0
Opcode ID: 7ef03c6b0ac55c9f3de200f3f581fb418e73a4acab4f040e0592480e320118bd
Instruction ID: 1fedf42f46fab5aea9193f70e0fdbfef2484b70753e66c8eb22312ce7c43d037
Opcode Fuzzy Hash: 7ef03c6b0ac55c9f3de200f3f581fb418e73a4acab4f040e0592480e320118bd
Instruction Fuzzy Hash: 7D61E722B1C64282E761DEA1E4B02FE7765FB96748F500132EE4E37689DF3CD4598701

Function 00007FFDA46DDE8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DDF00
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DDF0F

Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC17D
Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC1B6
Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DDFAF
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DDFBF
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DE06B

Strings

{for , xrefs: 00007FFDA46DDF38

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: 4da1d55eb30090646db3391131cdf7cb9f61c82d1a62715605f5e77d0e00937e
Instruction ID: a886c40c1be29cde2108193395d459fcdc3e4ace8d8def35e1f74b538bb68188
Opcode Fuzzy Hash: 4da1d55eb30090646db3391131cdf7cb9f61c82d1a62715605f5e77d0e00937e
Instruction Fuzzy Hash: 00517073B09E85A9FB019F24D4913E877A1EB46748F88A031EA4C47BA6DF7CD554C348

Function 00007FFD93742F8C Relevance: 10.6, APIs: 7, Instructions: 121threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFD93742FBF
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFD93742FDA
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFD93743012
xtime_get.LIBCPMT ref: 00007FFD9374304E
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFD93743075
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFD937430AE
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFD937430F2

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentThread$xtime_get
String ID:
API String ID: 1104475336-0
Opcode ID: d839657264835679f194a2d385972008e0cfee51125028d57ca34eedcb85d6ac
Instruction ID: 028d33f56398388718194002885f7ee53d71fadc83edad51c67afea10139629d
Opcode Fuzzy Hash: d839657264835679f194a2d385972008e0cfee51125028d57ca34eedcb85d6ac
Instruction Fuzzy Hash: 30513E32B08A4686FB708F95E4A827973AAFB44B51F504131DA8E636A0DF3CF895C710

Function 00007FFD9373B8E0 Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B9B0
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B9C0
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B9D5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373BA09
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373BA13
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373BA23
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373BA33

Part of subcall function 00007FFD93782B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735AA8), ref: 00007FFD93782B36

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2538139528-0
Opcode ID: 7b415068a4c640b8c640764b52e96af6a407be4c779bc6c3d2290d0abf82017c
Instruction ID: 8b205a152bc7e009bec2b2bf8d9523ae9e4056b83d09f01ab907bde5d09f9849
Opcode Fuzzy Hash: 7b415068a4c640b8c640764b52e96af6a407be4c779bc6c3d2290d0abf82017c
Instruction Fuzzy Hash: 7641EB61B08A8192EE28DF96F4942ADB359FB44BD1F644532EF5D1BB95DE7CD041C300

Function 00007FFD93746010 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD937460B4
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD937460C5
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD937460FE

Strings

ios_base::badbit set, xrefs: 00007FFD9374607D, 00007FFD937460D0
ios_base::eofbit set, xrefs: 00007FFD9374608F
ios_base::failbit set, xrefs: 00007FFD93746088

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2924853686-1866435925
Opcode ID: 257351d2f7990be225dd041c9f546b2110cac130ca75bce730c79efb961a91b5
Instruction ID: ef182a9f8971de06ea2217ac7a6b90ad07d05e78130f853e2d58133f29328fd9
Opcode Fuzzy Hash: 257351d2f7990be225dd041c9f546b2110cac130ca75bce730c79efb961a91b5
Instruction Fuzzy Hash: 5141E072B14B4AD6EB64CFA4E4603A833B9FB14B88F444135CA4C57695DF3DE594C740

Function 00007FFD93754640 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9375466E

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

_Maklocstr.LIBCPMT ref: 00007FFD937546E7
_Maklocstr.LIBCPMT ref: 00007FFD937546FD
_Getvals.LIBCPMT ref: 00007FFD937547A2

Strings

false, xrefs: 00007FFD937546E0
true, xrefs: 00007FFD937546F6

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2626534690-2658103896
Opcode ID: 5664b1567b62ae62c0f8fe292401d714ff7bdf959bacf5a14bd7daf587284b16
Instruction ID: e6ab3c31e886c05da0e12e72c1433e37583f9178842be9ad3547839a311da103
Opcode Fuzzy Hash: 5664b1567b62ae62c0f8fe292401d714ff7bdf959bacf5a14bd7daf587284b16
Instruction Fuzzy Hash: F7415C22B08B819AF720CFB4E4501ED33B5FB9874CB405226EE4D27A59EF38D596C340

Function 00007FFDA46DD490 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDA46DCB59), ref: 00007FFDA46DD553
DName::DName.LIBVCRUNTIME ref: 00007FFDA46DD572

Strings

void, xrefs: 00007FFDA46DD4D6
`template-parameter, xrefs: 00007FFDA46DD580

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: a4afb4ade66f9edee0c19d8103b502900d10ca38c7d8001433fbf0f12611f871
Instruction ID: 57eb69f7eaf418a5e0bc11b02056b0f67547f47b99e0b7ca1b0e9f8bb9d465a0
Opcode Fuzzy Hash: a4afb4ade66f9edee0c19d8103b502900d10ca38c7d8001433fbf0f12611f871
Instruction Fuzzy Hash: F8417E22F0AB5688FB009B64D8A12FD23B1BB4A788F986135DE0D17B66DF7CD445C304

Function 00007FFDA46DA03C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DA12F

Strings

int , xrefs: 00007FFDA46DA0AD
unsigned , xrefs: 00007FFDA46DA103
long , xrefs: 00007FFDA46DA09E
short , xrefs: 00007FFDA46DA0BC
char , xrefs: 00007FFDA46DA0C5

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: f77c1a21e8a5255c030ffbae0acc1ad348c329aa0d52326646e2d78e6bd60f9e
Instruction ID: 53b6798a748c362034ecf27aaf30ce5bcad65484ee3eac5046ee707fdcab8ab4
Opcode Fuzzy Hash: f77c1a21e8a5255c030ffbae0acc1ad348c329aa0d52326646e2d78e6bd60f9e
Instruction Fuzzy Hash: 7A416D73F1EA1688EB158F28D8A41FC37B1BB0A748F48A135CA0C56B6ADF789544C708

Function 00007FFDA46D8334 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D81B0: Replicator::operator[].LIBVCRUNTIME ref: 00007FFDA46D8271

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D83E6

Strings

void, xrefs: 00007FFDA46D8458
,..., xrefs: 00007FFDA46D83B4
..., xrefs: 00007FFDA46D8423
<ellipsis>, xrefs: 00007FFDA46D8433
,<ellipsis>, xrefs: 00007FFDA46D83C4

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: f28504a20d34ee970dce6c75821cee4d56fce513430e27d12ea41e2fafb3b26a
Instruction ID: 90be4d01bf22da17c301f8aff49946df509aa104fb4afa6056007ace2b3e8a12
Opcode Fuzzy Hash: f28504a20d34ee970dce6c75821cee4d56fce513430e27d12ea41e2fafb3b26a
Instruction Fuzzy Hash: 0A413772F0AB4688F7118B68D8A52F93BE0AB0A308F8C6531CA5C12776DF7CA545C348

Function 00007FF67CFC2224 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF67CFC4F8E,?,?,00000000,00007FF67CFC2BE4), ref: 00007FF67CFC22AF
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF67CFC4F8E,?,?,00000000,00007FF67CFC2BE4), ref: 00007FF67CFC22C1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF67CFC4F8E,?,?,00000000,00007FF67CFC2BE4), ref: 00007FF67CFC2300
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF67CFC4F8E,?,?,00000000,00007FF67CFC2BE4), ref: 00007FF67CFC230A
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,00007FF67CFC4F8E,?,?,00000000,00007FF67CFC2BE4), ref: 00007FF67CFC231C

Strings

.dll, xrefs: 00007FF67CFC22B7, 00007FF67CFC2312

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID: .dll
API String ID: 2665656946-2738580789
Opcode ID: a66b6c263dc034fa741bc5a32a4f0581ce01679e33cbc66ecdda2b758b859d84
Instruction ID: 17c2fa08aab296a83f063158cc9e9ba4d71bab4c0e06e3679053cfc2ccd763fe
Opcode Fuzzy Hash: a66b6c263dc034fa741bc5a32a4f0581ce01679e33cbc66ecdda2b758b859d84
Instruction Fuzzy Hash: 5431B473B2478295EF24AB16E8042A96361FF09BE0F544331DE6C8B796DE3CE145C340

Function 00007FFD9373BFA0 Relevance: 9.3, APIs: 6, Instructions: 339stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9373C039
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9373C04C
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9373C061
memset.VCRUNTIME140_APP ref: 00007FFD9373C0ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373C3DF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9373C42A

Part of subcall function 00007FFD93741DB0: memcpy.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFD9373C21C), ref: 00007FFD93741E0B
Part of subcall function 00007FFD93741DB0: memset.VCRUNTIME140_APP(?,?,?,?,00000000,00007FFD9373C21C), ref: 00007FFD93741E18

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemcpy
String ID:
API String ID: 1584136638-0
Opcode ID: 8dafaba8b704e5f69c0de98c99f15135745e3cc4b1ac50646b6a12bab98680f1
Instruction ID: d5526f4c3684b5fe6166fef3da6d14da740eec67cb62de6f969034930aef83fc
Opcode Fuzzy Hash: 8dafaba8b704e5f69c0de98c99f15135745e3cc4b1ac50646b6a12bab98680f1
Instruction Fuzzy Hash: DCE1B326B09A8689FB25CBF9E4642EC3775AB48B98F644131DE4D27795DF3CD44AC300

Function 00007FFD93760BAC Relevance: 9.2, APIs: 6, Instructions: 241COMMONLIBRARYCODE

Download Yara Rule

APIs

_FDunscale.LIBCPMT ref: 00007FFD93760BE7
_FDunscale.LIBCPMT ref: 00007FFD93760C9E

Part of subcall function 00007FFD93760A70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFD9375FAC4), ref: 00007FFD93760A79

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: 26d5f5b2e3ea1aa057a5f7cbe3a3d7afd4593294d0901e6a324c55da06569687
Instruction ID: 4dbf4cc1318056569842975d493681e8cf52b4d1435c478fc73a1428a2907a2b
Opcode Fuzzy Hash: 26d5f5b2e3ea1aa057a5f7cbe3a3d7afd4593294d0901e6a324c55da06569687
Instruction Fuzzy Hash: B6A1E232F0C6969AE724DEA685B00BC3366FF1535CF544335EA0A32599EF38B4B58702

Function 00007FFD93769170 Relevance: 9.2, APIs: 6, Instructions: 241COMMONLIBRARYCODE

Download Yara Rule

APIs

_Dunscale.LIBCPMT ref: 00007FFD937691AB
_Dunscale.LIBCPMT ref: 00007FFD93769263

Part of subcall function 00007FFD93760A70: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFD9375FAC4), ref: 00007FFD93760A79

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Dunscale$_errno
String ID:
API String ID: 2900277114-0
Opcode ID: 4a9116921bccdd9ba7c2602bfe8ee50023c841c5ca163e05a24b87156944a414
Instruction ID: f3db9f655b780393ddec71671979349ae2a82cbdf0ddfcd1a24fcba480cb31d8
Opcode Fuzzy Hash: 4a9116921bccdd9ba7c2602bfe8ee50023c841c5ca163e05a24b87156944a414
Instruction Fuzzy Hash: 88A1A426F18A46CAD721DEB584701BE376AFF5B798F504231EA0E36585DF38A0A6C301

Function 00007FFD93738ED0 Relevance: 9.2, APIs: 6, Instructions: 179COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD93738F81

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: c47d75ecaef4418c9a9eda3c759bfce1d66e83964e9075376022e2f6ad13729b
Instruction ID: 9555ee260af8596b18e6e2f4027abb5c159087d65f84e41989523eb412cd31b2
Opcode Fuzzy Hash: c47d75ecaef4418c9a9eda3c759bfce1d66e83964e9075376022e2f6ad13729b
Instruction Fuzzy Hash: 56818D73705A86D9EB288F65D0A03EC33A9FB49B98F655232EA1D93B94DF39D454C300

Function 00007FFD9376BC10 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376C618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C63E
Part of subcall function 00007FFD9376C618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C6B6

_Xp_setn.LIBCPMT ref: 00007FFD9376BCD6
_Xp_setn.LIBCPMT ref: 00007FFD9376BD11
_Xp_addx.LIBCPMT ref: 00007FFD9376BD24
_Xp_setn.LIBCPMT ref: 00007FFD9376BDA2
_Xp_setn.LIBCPMT ref: 00007FFD9376BDDD
_Xp_addx.LIBCPMT ref: 00007FFD9376BDF1

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: 39543d00ebafefd8952b4e756ae2cd2037a97f14381c482cd10f3362f5f158b2
Instruction ID: af72d24a20ae83207cb6326a5abb4c094a676217c4bbdc8b73ef357335f813cc
Opcode Fuzzy Hash: 39543d00ebafefd8952b4e756ae2cd2037a97f14381c482cd10f3362f5f158b2
Instruction Fuzzy Hash: 6C61D622B1CA4282E761DEA2E4B02FE7765FB86748F500136EE4E37685DF3CD5598701

Function 00007FFD9376C3A0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376C618: iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C63E
Part of subcall function 00007FFD9376C618: iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C6B6

_Xp_setn.LIBCPMT ref: 00007FFD9376C466
_Xp_setn.LIBCPMT ref: 00007FFD9376C4A1
_Xp_addx.LIBCPMT ref: 00007FFD9376C4B4
_Xp_setn.LIBCPMT ref: 00007FFD9376C532
_Xp_setn.LIBCPMT ref: 00007FFD9376C56D
_Xp_addx.LIBCPMT ref: 00007FFD9376C581

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
String ID:
API String ID: 3490103321-0
Opcode ID: ab2c1903a197715ea7e3e3c2686b46453cfce31a95e7e05e4ed8f6f14867bc67
Instruction ID: 92c748cfb506d49d0000b21110970242723afb60f706cc9716b43a28cd2e8038
Opcode Fuzzy Hash: ab2c1903a197715ea7e3e3c2686b46453cfce31a95e7e05e4ed8f6f14867bc67
Instruction Fuzzy Hash: F461D726B1C64292E721DFA1E8B01BE7724FB8474CF504532EE4E73686DE3DE8598701

Function 00007FFD93739990 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFD93739A81
memcpy.VCRUNTIME140_APP ref: 00007FFD93739A91
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93739AD0
memcpy.VCRUNTIME140_APP ref: 00007FFD93739ADA
memcpy.VCRUNTIME140_APP ref: 00007FFD93739AEA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFD93739B19

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: f0a2371f67f01567ff011bb773714b527b9dc57e519c18b817672b899ec6101e
Instruction ID: ec52664db59f6f137f0553f10a649632d22079f632c987400d1974ace7f48f9d
Opcode Fuzzy Hash: f0a2371f67f01567ff011bb773714b527b9dc57e519c18b817672b899ec6101e
Instruction Fuzzy Hash: CF41176270464592EE289B96F4A42B9B35AEB05FE0F644731DF6D17BD5DE7CE041C300

Function 00007FFDA46D6310 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFDA46D6366
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA46D63A9
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA46D63D3
InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 00007FFDA46D63F0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA46D63FC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDA46D6405

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: c517e515e802a775e35de6fec8931573401190a97ffe2b49cc87937b1faed4ca
Instruction ID: 648afd32359c2781ac39b9ec4e10da12b2a2b64479a548f885ecacfb5737385c
Opcode Fuzzy Hash: c517e515e802a775e35de6fec8931573401190a97ffe2b49cc87937b1faed4ca
Instruction Fuzzy Hash: 35310722B1AB5180EF11CF16A8945EA63A0FF5AFD0B5D6535DE2D033A2EE3DD842C344

Function 00007FFD93732F00 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD93735F46), ref: 00007FFD93732F09
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735F46), ref: 00007FFD93732F1B
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD93735F46), ref: 00007FFD93732F2A
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD93735F46), ref: 00007FFD93732F90
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFD93735F46), ref: 00007FFD93732F9E
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFD93735F46), ref: 00007FFD93732FB1

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
String ID:
API String ID: 490008815-0
Opcode ID: 7e2d64ff5f2067317982a7033377e252d5ce5b17cfc21e58bbf341ac59cb7a38
Instruction ID: a589e6594422f779cdf0be14f8cf4b70099ebc13ed53e1b81c529dcb058cfeb9
Opcode Fuzzy Hash: 7e2d64ff5f2067317982a7033377e252d5ce5b17cfc21e58bbf341ac59cb7a38
Instruction Fuzzy Hash: DD215E22E08B8583E7158F78D5512787374FBA9B59F25A224CF8C16212EF79E2D5C340

Function 00007FFDA46D38CC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDA46D393C
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA46D3987
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D3BB5

Strings

MOC, xrefs: 00007FFDA46D3950
RCC, xrefs: 00007FFDA46D3958

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 8b97f7e3628963cc3eaf161c7556eeb719c29ae86539a23f4aa773f98f5ce27b
Instruction ID: 637a8b7239b4a25cfc1f3ffdb2fda2e5d1597a358670e205072948b5d2d58514
Opcode Fuzzy Hash: 8b97f7e3628963cc3eaf161c7556eeb719c29ae86539a23f4aa773f98f5ce27b
Instruction Fuzzy Hash: E0918F73B09B818AE710CF65E4902ED77A0FB45788F18512AEB8D17B6ADF38D195C704

Function 00007FFDA46DB880 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DBB20

Strings

std::nullptr_t , xrefs: 00007FFDA46DBAB0
std::nullptr_t, xrefs: 00007FFDA46DBAD9
volatile , xrefs: 00007FFDA46DB8E7, 00007FFDA46DBA18
volatile, xrefs: 00007FFDA46DB8F6, 00007FFDA46DBA27

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 7c6913d2299fbb63ca99d8148b6e837cf7c47692d9984bc2afced068521c9eb9
Instruction ID: ae6eff836c9af0d815f8e5f5db4b5038a24a9ee65e3d69bcf271fa408f6807b4
Opcode Fuzzy Hash: 7c6913d2299fbb63ca99d8148b6e837cf7c47692d9984bc2afced068521c9eb9
Instruction Fuzzy Hash: AD714A72B0AA4284FB148F15D8A11F967A5BF06B85F8C6135CA4D07BAEDF3CA654C308

Function 00007FFDA46D36B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0 ref: 00007FFDA46D36FC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA46D374B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D38C3

Strings

MOC, xrefs: 00007FFDA46D3710
RCC, xrefs: 00007FFDA46D3719

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 521ae79be483757eb474348e7632ba4031803828054df45ba905b23fe122da5c
Instruction ID: cc2c3cd2a75406be8e7e5d2a242833175248e0cf5a48f099796e20f0cfac09fd
Opcode Fuzzy Hash: 521ae79be483757eb474348e7632ba4031803828054df45ba905b23fe122da5c
Instruction Fuzzy Hash: 39614A73B09E858AEB10CB65D4903ED77A0FB49B88F085225DE4D17BA9CB78E184C748

Function 00007FFD9376A764 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A78A
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A79B
isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A7F4
isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD93769BB2), ref: 00007FFD9376A8A4

Strings

(, xrefs: 00007FFD9376A898

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: isspace$isalnumisxdigit
String ID: (
API String ID: 3355161242-3887548279
Opcode ID: e4c8b5f9a1eedea8ab66487062a0c964c7a231e5b0b0ae06890dc159a5d96cfd
Instruction ID: 3fe871a47eef9f26c12fc15d691ffe2217eeef4ba29e8ba4b54233fb719191ab
Opcode Fuzzy Hash: e4c8b5f9a1eedea8ab66487062a0c964c7a231e5b0b0ae06890dc159a5d96cfd
Instruction Fuzzy Hash: 5341BC96F0828306FBB14FB095743F57BA99F21B8CF18A031CA9917586DE1DF8169B13

Function 00007FFD9376C618 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C63E
iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C64F
iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFD9376BC62), ref: 00007FFD9376C6B6

Strings

(, xrefs: 00007FFD9376C787

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: iswspace$iswxdigit
String ID: (
API String ID: 3812816871-3887548279
Opcode ID: af74e7a852e4c75f6a718f3a8d1f3b3ec46cce7310ff1cc0720302810e8eb93a
Instruction ID: 019d8ea7df2d9c267a50ed867956b2e93e4a9cfcdde502b884fb403d38a678f0
Opcode Fuzzy Hash: af74e7a852e4c75f6a718f3a8d1f3b3ec46cce7310ff1cc0720302810e8eb93a
Instruction Fuzzy Hash: 7F51A6AAF0815385EB345FE195342B972F9EF30F9CF488036DA4926494EF3EE8618311

Function 00007FFDA46D5560 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDA46D5629

Strings

RCC, xrefs: 00007FFDA46D55AE
MOC, xrefs: 00007FFDA46D55A2
csm, xrefs: 00007FFDA46D55C4
csm, xrefs: 00007FFDA46D5710

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader
String ID: MOC$RCC$csm$csm
API String ID: 104395404-1441736206
Opcode ID: e47b9c62b142ec837dc56d6eeb4aaf33c41ea22ad6153d04f5b8a65e6047be76
Instruction ID: 9253ccf76ff1b888a0cf5ee9e1f058995485df30213dc3bc2b4b3e5a1d7a6c93
Opcode Fuzzy Hash: e47b9c62b142ec837dc56d6eeb4aaf33c41ea22ad6153d04f5b8a65e6047be76
Instruction Fuzzy Hash: E4517173F0AA5187EB649B2594A13BD26A0FF86B94F586031DE4C43BB6CF3CE4418609

Function 00007FFD937544F8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFD9374AA1C), ref: 00007FFD93754539

Part of subcall function 00007FFD9373B610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93761D6E,?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD9373B63B
Part of subcall function 00007FFD9373B610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFD93761D6E,?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD9373B657

_Getvals.LIBCPMT ref: 00007FFD93754575

Strings

$+xv, xrefs: 00007FFD9375461E
$+xv, xrefs: 00007FFD937545A7
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFD937545AE

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3848194746-3573081731
Opcode ID: 2a1dead84669e62d4c6aa20b34b7046138b1e70ef67a0d10036ed14bfbe73e3f
Instruction ID: c2160d3c1e2d434d124b82d4f4e152efda9bfa9e36bff664fd0b887c4012123f
Opcode Fuzzy Hash: 2a1dead84669e62d4c6aa20b34b7046138b1e70ef67a0d10036ed14bfbe73e3f
Instruction Fuzzy Hash: A841E032B08B819BEB78CFA5D5A056E7BA4FB44781B044235DB8963E11DF38F562CB00

Function 00007FFD937547CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD937547FA

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

_Maklocstr.LIBCPMT ref: 00007FFD93754873
_Maklocstr.LIBCPMT ref: 00007FFD93754889

Strings

false, xrefs: 00007FFD9375486C
true, xrefs: 00007FFD93754882

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 309754672-2658103896
Opcode ID: b86e9ff55447f8bb7dd7b80b7493685c570f732746a915be5b888df3f4acdba4
Instruction ID: adaa96047cc5159e270d792d694ee6844f2ba6002ac187277bc0e8a4fa099480
Opcode Fuzzy Hash: b86e9ff55447f8bb7dd7b80b7493685c570f732746a915be5b888df3f4acdba4
Instruction Fuzzy Hash: C2418D23B18B859AE720CFB0E4901ED33B4FB48788B405126EE4E27B19DF38D5A5C394

Function 00007FFD93738CB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00007FFD93738D07
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD93738D18

Strings

ios_base::badbit set, xrefs: 00007FFD93738CCF
ios_base::eofbit set, xrefs: 00007FFD93738CE2
ios_base::failbit set, xrefs: 00007FFD93738CDB

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrowstd::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2003779279-1866435925
Opcode ID: a2b70420098d26693de4527d37465282da3bca17158f06936729b8f78c388bff
Instruction ID: 85f8fceea5cabe416781cf7222229a982383442b8ef63ac1da9ab4c7ccf1f50b
Opcode Fuzzy Hash: a2b70420098d26693de4527d37465282da3bca17158f06936729b8f78c388bff
Instruction Fuzzy Hash: 06F0D662B19546A6EE7CCB84E8A16F933A6FB40304FB44435D24E175A5DF3CE54AC740

Function 00007FFD93745220 Relevance: 7.7, APIs: 5, Instructions: 177COMMON

Download Yara Rule

APIs

fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD937452D4

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 5d0bd3b3671dd2de51b020413378f813fd9af0de5620b63b9d479feaafa28656
Instruction ID: d8297c140aa880827544e176c4cfc08d74f233be9be6657063dc7ae80ab9dd5e
Opcode Fuzzy Hash: 5d0bd3b3671dd2de51b020413378f813fd9af0de5620b63b9d479feaafa28656
Instruction Fuzzy Hash: 4C818F73B05A41C9EB60CFA9D0A43AC33AAFB48BA9F555132EA4D57B98DF39D454C300

Function 00007FFD9373B784 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B84B
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B859
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B892
memcpy.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B89C
memset.VCRUNTIME140_APP(?,?,?,?,?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B8AA

Part of subcall function 00007FFD93782B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735AA8), ref: 00007FFD93782B36

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3375828981-0
Opcode ID: 6f4a34c3589a7d23e4e271cc679256edd1debc67f1c1ab71833d9f73d2c9430a
Instruction ID: 2b4b21885779bcd8bd6480559d2a9b1a2f1746c52f794496bda9c8ae25f8c7aa
Opcode Fuzzy Hash: 6f4a34c3589a7d23e4e271cc679256edd1debc67f1c1ab71833d9f73d2c9430a
Instruction Fuzzy Hash: 9B310925B0868291EE28DF96B5643BDB399FB04BD0F684531EF5D1BB86CE7CE0419340

Function 00007FFDA46D9CC4 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDA46D9D3D
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D9D5F
DName::DName.LIBVCRUNTIME ref: 00007FFDA46D9D72
DName::DName.LIBVCRUNTIME ref: 00007FFDA46D9DA9
DName::DName.LIBVCRUNTIME ref: 00007FFDA46D9DB4

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 58c7f08e817265fdc996fa836f6f1a6d952153b3f959fa2b3b32e8b1553b858e
Instruction ID: 0bf5f42e3df565ee5af2aec34f0f72eecacc5af9534a9bd9347e837b8d9aea11
Opcode Fuzzy Hash: 58c7f08e817265fdc996fa836f6f1a6d952153b3f959fa2b3b32e8b1553b858e
Instruction Fuzzy Hash: 5D414433B0AE5585EB10CB21D8E11FC37B4BB16B84B986432DA4E533A6EF38E559C304

Function 00007FF67CFC5C80 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00004221D4C4E3A3,00007FF67CFC5077,?,?,00000000,00007FF67CFC32B7,?,?,?,00007FF67CFC3297,?,?,00000000,00007FF67CFC5D42), ref: 00007FF67CFC5CA2
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00004221D4C4E3A3,00007FF67CFC5077,?,?,00000000,00007FF67CFC32B7,?,?,?,00007FF67CFC3297,?,?,00000000,00007FF67CFC5D42), ref: 00007FF67CFC5CAE
memset.VCRUNTIME140_APP(?,?,00004221D4C4E3A3,00007FF67CFC5077,?,?,00000000,00007FF67CFC32B7,?,?,?,00007FF67CFC3297,?,?,00000000,00007FF67CFC5D42), ref: 00007FF67CFC5CE7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00004221D4C4E3A3,00007FF67CFC5077,?,?,00000000,00007FF67CFC32B7,?,?,?,00007FF67CFC3297,?,?,00000000,00007FF67CFC5D42), ref: 00007FF67CFC5CF6
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00004221D4C4E3A3,00007FF67CFC5077,?,?,00000000,00007FF67CFC32B7,?,?,?,00007FF67CFC3297,?,?,00000000,00007FF67CFC5D42), ref: 00007FF67CFC5D02

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$memset
String ID:
API String ID: 577239450-0
Opcode ID: 9367a4d55e890f3ae2d68fb533305932e09a24cd37a727d6c0f3e9578350c234
Instruction ID: 9b15bdd954ac12eb746adeaaace6af4639aa5f4e43b520b34134a5f440621d20
Opcode Fuzzy Hash: 9367a4d55e890f3ae2d68fb533305932e09a24cd37a727d6c0f3e9578350c234
Instruction Fuzzy Hash: BD01A723F2EBE282FB349BA1A4042796150BF54FC0F184632DE09D7789CE2DA4419300

Function 00007FFD93734BF0 Relevance: 7.5, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD93742170: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFD93734BFE,?,?,00000000,00007FFD93735B0B), ref: 00007FFD9374217F

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735B0B), ref: 00007FFD93734C07
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735B0B), ref: 00007FFD93734C1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735B0B), ref: 00007FFD93734C2F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735B0B), ref: 00007FFD93734C43
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735B0B), ref: 00007FFD93734C57
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735B0B), ref: 00007FFD93734C6B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$setlocale
String ID:
API String ID: 294139027-0
Opcode ID: ec2947436e03ee684cb70bb826a4a9021d29c8d7d003c080e4c03139d84977b6
Instruction ID: be150a4254dcba6c1bdb04bcc4f7db587ad7db577e8f9dc65b93995c28d0480a
Opcode Fuzzy Hash: ec2947436e03ee684cb70bb826a4a9021d29c8d7d003c080e4c03139d84977b6
Instruction Fuzzy Hash: 8D11AC12706B0586EF6D9FE1D4B933973B4EF48F59F280534C50A1A548CFBDE894D290

Function 00007FFD937433F0 Relevance: 7.5, APIs: 5, Instructions: 17COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD937433FE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9374340A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD93743415
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD93743423
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93743429

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: __acrt_iob_func$abortfputcfputs
String ID:
API String ID: 2697642930-0
Opcode ID: aee1c2c9c76fa389c21114d33f76dd71eb7fbf57215ad3c44bcd325c68c615ae
Instruction ID: 2e9512b6f17d44c1c0c1d75601e8196b402202fa9262e0bfc8b389d178fcad6c
Opcode Fuzzy Hash: aee1c2c9c76fa389c21114d33f76dd71eb7fbf57215ad3c44bcd325c68c615ae
Instruction Fuzzy Hash: 1BE0B6A4B1A60283EB285BA1BCA8234763BAF48B63F240038C91F56765DE3C54448221

Function 00007FFD93767D40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93767DB4
_Strftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD93767DF3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93767ED9

Part of subcall function 00007FFD93740120: memset.VCRUNTIME140_APP ref: 00007FFD93740168

Strings

!%x, xrefs: 00007FFD93767D72

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Strftime_errno_invalid_parameter_noinfo_noreturnmemset
String ID: !%x
API String ID: 3810971073-1893981228
Opcode ID: ace867cac6d922fdf45cf98f8f1924e58bc32f1dff1343da71478c459ec0add8
Instruction ID: 06afff1a39a42c664c6941c1c745957f406338e14acc930a753d003675c9e1f2
Opcode Fuzzy Hash: ace867cac6d922fdf45cf98f8f1924e58bc32f1dff1343da71478c459ec0add8
Instruction Fuzzy Hash: 9D81BB22B08A8585FB24CBA5E8603BC3769EB48BCCF544531DE5D2778ADF3CD4958341

Function 00007FF67CFC8520 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF67CFC85F6
OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF67CFC86E2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF67CFC87B8

Strings

_p0, xrefs: 00007FF67CFC85A9

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: OpenSemaphore$ErrorLast
String ID: _p0
API String ID: 3042991519-2437413317
Opcode ID: e1651974c0d4eb00dff02a0b90013a07eae932ebbb22d0f2ffa93ef9d7cfcb72
Instruction ID: da03691c96f0182d7e265aab5e24cc9065daf7c618705d2d8e51139223e9dd1b
Opcode Fuzzy Hash: e1651974c0d4eb00dff02a0b90013a07eae932ebbb22d0f2ffa93ef9d7cfcb72
Instruction Fuzzy Hash: 51718123B29AC292EB61DB64D4901BA63A0FF84790F904632EA4E87795EF7CD905C700

Function 00007FFD9375CFB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFD9375D11C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9375D209

Strings

%.0Lf, xrefs: 00007FFD9375D04D
0123456789-, xrefs: 00007FFD9375D054

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy
String ID: %.0Lf$0123456789-
API String ID: 931391446-3094241602
Opcode ID: e9d311e3a2d0453829feae00b2cc32a2770a8b394b8cd978c89192b67e3cf306
Instruction ID: 1270e112cc07545d11fdc79caf453a550dd8a5b7c57cd25f9e858be616fc2098
Opcode Fuzzy Hash: e9d311e3a2d0453829feae00b2cc32a2770a8b394b8cd978c89192b67e3cf306
Instruction Fuzzy Hash: 2E716F63B19B5599EB24CFE5E4A42AD3375EB48B98F404036DE4D27B98DE3CD84AC340

Function 00007FFD93767850 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140_APP ref: 00007FFD93767951
memcpy.VCRUNTIME140_APP ref: 00007FFD937679B2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93767A9C

Strings

0123456789-, xrefs: 00007FFD937678F2

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemchrmemcpy
String ID: 0123456789-
API String ID: 4232306570-3850129594
Opcode ID: b66fa995d862786ad70c83aa3692fa7ff2d0f80ca9987ad818803cdf48cd1475
Instruction ID: 37dd8bd5e9559253432ac09633a3e1fa4c43cf5d9274a9347c01d2346634ee9e
Opcode Fuzzy Hash: b66fa995d862786ad70c83aa3692fa7ff2d0f80ca9987ad818803cdf48cd1475
Instruction Fuzzy Hash: 47718F22B09B8599FB21CBB5E4602AC37B5EB45BD8F440436DE8D27B99CE3CD456C300

Function 00007FFD93767AD0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD93767B6A
memset.VCRUNTIME140_APP ref: 00007FFD93767C22
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93767D09

Part of subcall function 00007FFD9373B678: memset.VCRUNTIME140_APP(?,?,?,?,?,?,00000000,00007FFD93761D6E), ref: 00007FFD9373B71B

Strings

%.0Lf, xrefs: 00007FFD93767B5A

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 1248405305-1402515088
Opcode ID: ec13666b7fd0f09e99187055b236b0abcd58ba996a916074fadd5549c94d382e
Instruction ID: fbed84869182043066e04973ebe1abd404398093a03286cc3958af0fabc15a33
Opcode Fuzzy Hash: ec13666b7fd0f09e99187055b236b0abcd58ba996a916074fadd5549c94d382e
Instruction Fuzzy Hash: 1D61B222B08B859AEB21CBB6E4A02AD7779EB45B98F144135DE4D37B5ADF3CD055C300

Function 00007FFDA46D4068 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D41E7

Strings

csm, xrefs: 00007FFDA46D40B7
, xrefs: 00007FFDA46D4138
csm, xrefs: 00007FFDA46D4221

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: 181858bddd0f771f635e266b645b507512d406852fa62591119b22970761e9c7
Instruction ID: 5cca31f5594b9343575c7d04b13283ecbd7bdd0867a9cb094fc0945537afe81d
Opcode Fuzzy Hash: 181858bddd0f771f635e266b645b507512d406852fa62591119b22970761e9c7
Instruction Fuzzy Hash: 8971B437B0AA9186D7608F25D4E06F977A0FB06B84F289135DA4C47BA6CF3CD951C744

Function 00007FFDA46DE970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDA46DEA30
RtlUnwindEx.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0(?,?,?,?,?,?,?,00007FFDA46DE735), ref: 00007FFDA46DEA7F

Strings

csm, xrefs: 00007FFDA46DEA16
f, xrefs: 00007FFDA46DE9AE

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm$f
API String ID: 451473138-629598281
Opcode ID: 596fc2b158a4246977d309a96ad6f7813b01e1ac3dbcf012ac6f28eb0dcb6cc7
Instruction ID: 2cfe74ed437580d38422cd6df131a011cc4764480e3f084f341471000642ee1f
Opcode Fuzzy Hash: 596fc2b158a4246977d309a96ad6f7813b01e1ac3dbcf012ac6f28eb0dcb6cc7
Instruction Fuzzy Hash: 1051F633B0AE428AEB94CB11E594AA93795FB46B88F5C9130DD0E0375ADF78F841C708

Function 00007FFDA46D3E40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D3F37
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFDA46D3F47

Strings

csm, xrefs: 00007FFDA46D3E8A
csm, xrefs: 00007FFDA46D3F99

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 6cc9a4182677805c38e53337c324a2a6144c6831a4eccc363549fdf53aa87d8e
Instruction ID: ebf7ce0115fa508573f191a87e096b8e78b727e560be472ba15c026eca966e75
Opcode Fuzzy Hash: 6cc9a4182677805c38e53337c324a2a6144c6831a4eccc363549fdf53aa87d8e
Instruction Fuzzy Hash: 61519533B09A8286EB648F1194943A977A0EB56B84F1C6135DA8C47BE7CF3CE490C708

Function 00007FFD93732560 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD937325A2
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFD937326B8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD937326DD

Strings

csm, xrefs: 00007FFD93732606

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Exception$RaiseThrowabort
String ID: csm
API String ID: 3758033050-1018135373
Opcode ID: dfa6e63e12c7d75b43cf8b279f64167cec423cec088571d2c799f5e25e408b82
Instruction ID: d7b83ea3574f3cab223cdd05cd6bc8960abcbcd963a008d20512e8af3261e3db
Opcode Fuzzy Hash: dfa6e63e12c7d75b43cf8b279f64167cec423cec088571d2c799f5e25e408b82
Instruction Fuzzy Hash: 38517E23A04BC9C6EB25CF28D4A03A83364FB58B98F259321DA5D17796DF39E5D5C300

Function 00007FF67CFC6AF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF67CFC6B1F
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF67CFC6B6B

Part of subcall function 00007FF67CFC8A00: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF67CFC8A3A

Strings

Local\SM0:%lu:%lu:%hs, xrefs: 00007FF67CFC6B35
x, xrefs: 00007FF67CFC6B2D

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexProcess
String ID: Local\SM0:%lu:%lu:%hs$x
API String ID: 3298007088-452036900
Opcode ID: 0a12aa2f88bb20d10652bc4003f766e7430386beed50e6a6e1fb266b87b09c82
Instruction ID: 729b578b06541adffcec5733efa11c02577cbf8aec3141b5bbc9affcacb92cfa
Opcode Fuzzy Hash: 0a12aa2f88bb20d10652bc4003f766e7430386beed50e6a6e1fb266b87b09c82
Instruction Fuzzy Hash: E2411D3372CAC291EB60DB25E4946AA6360EF94784F405232FA8EC7A96DE7CD545C740

Function 00007FFD937543B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,00000001,00007FFD9374A86C), ref: 00007FFD937543F1

Part of subcall function 00007FFD9373B610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93761D6E,?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD9373B63B
Part of subcall function 00007FFD9373B610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFD93761D6E,?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD9373B657

Part of subcall function 00007FFD93746EBC: _Maklocstr.LIBCPMT ref: 00007FFD93746EEC
Part of subcall function 00007FFD93746EBC: _Maklocstr.LIBCPMT ref: 00007FFD93746F0B
Part of subcall function 00007FFD93746EBC: _Maklocstr.LIBCPMT ref: 00007FFD93746F2A

Strings

$+xv, xrefs: 00007FFD9375445F
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFD93754466
$+xv, xrefs: 00007FFD937544D6

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 2904694926-3573081731
Opcode ID: e76dbe75405fbdaedae8952bdfdeb617f0b0a78e7a50d76c276933190faa78df
Instruction ID: 145059a2c166864e4c571c6da21222ec9679132d9114af120dc41e95f55e76e9
Opcode Fuzzy Hash: e76dbe75405fbdaedae8952bdfdeb617f0b0a78e7a50d76c276933190faa78df
Instruction Fuzzy Hash: F441C132B08B819BE738CFA195A056E7BA4FB45B82B044235DB8D63E11DF78F562C700

Function 00007FFD9373FA00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9373F984
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9373F996
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9373FA1B

Part of subcall function 00007FFD93734D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D32
Part of subcall function 00007FFD93734D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D58
Part of subcall function 00007FFD93734D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D70

Strings

bad locale name, xrefs: 00007FFD9373F9E5

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: setlocale$freemallocmemcpy
String ID: bad locale name
API String ID: 1663771476-1405518554
Opcode ID: d094a8940004dce9378923e4909419ca7b3449e962a542eb783f077e1d48bd15
Instruction ID: c2ebba7a1c90f4c15d9104aa59a72843117b442389a7877c220a26c1a963defb
Opcode Fuzzy Hash: d094a8940004dce9378923e4909419ca7b3449e962a542eb783f077e1d48bd15
Instruction Fuzzy Hash: 5731CC22F0C64251FF79DB96B86017A73A5EF45BC0F688436DA8DA7795DE3CE4818300

Function 00007FFD93764E34 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFD93762CE8), ref: 00007FFD93764E75

Part of subcall function 00007FFD9373B610: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93761D6E,?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD9373B63B
Part of subcall function 00007FFD9373B610: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFD93761D6E,?,?,?,?,?,?,?,?,00000000,00007FFD93762EAE), ref: 00007FFD9373B657

Strings

$+xv, xrefs: 00007FFD93764EE3
+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FFD93764EEA
$+xv, xrefs: 00007FFD93764F5A

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 3376215315-3573081731
Opcode ID: e747cb05a516fb7cb06c3540bad08c0af1c8a589c04e394ce18014a6d7ffc13d
Instruction ID: 4625a52d5758812a0884f40616f2e7751784c44193ed7d790df7ab246b78aa6d
Opcode Fuzzy Hash: e747cb05a516fb7cb06c3540bad08c0af1c8a589c04e394ce18014a6d7ffc13d
Instruction Fuzzy Hash: 3741CD32B08B818BE735CF21A5A04BE7BA8FB45785B084235DB8D63E11DB78E575CB00

Function 00007FFDA46DA430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDA46DA494

Strings

%lf, xrefs: 00007FFDA46DA4DA

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 3f49dcae742c8bfa69eabadb2c79b2d4ceee00cf0999bfe9215d1b8c6cd360a0
Instruction ID: bee4c08b26dfac2818d6c9138bc3b2c40e17c47baaca1dca246c8de6c0e0098a
Opcode Fuzzy Hash: 3f49dcae742c8bfa69eabadb2c79b2d4ceee00cf0999bfe9215d1b8c6cd360a0
Instruction Fuzzy Hash: 98319673B0DA8185EA20CF21E8A12FA77A0FB4A784F886131E98D47766CF3CD501C748

Function 00007FF67CFC5108 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,00000000,?,?,00007FF67CFC31E9,?,?,?,?,?,?,?,?), ref: 00007FF67CFC514F
GetErrorInfo.OLEAUT32(?,?,?,?,00000000,?), ref: 00007FF67CFC5182

Strings

RoOriginateLanguageException, xrefs: 00007FF67CFC5148
combase.dll, xrefs: 00007FF67CFC5139

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressErrorInfoProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 4049917127-3996158991
Opcode ID: 7466db823831db908e735f918de8e8c27db00bf53b94701007ad3cb2b1cff79f
Instruction ID: 8f4e8b36d5de316fb1646f7368ee519e50bfda9556eb0f6decb8f6ce006d11b3
Opcode Fuzzy Hash: 7466db823831db908e735f918de8e8c27db00bf53b94701007ad3cb2b1cff79f
Instruction Fuzzy Hash: 6D314623B29E9694FB20DB64D8553BC2370BF48788F804A36DA0D976A9DF3CE558C340

Function 00007FF67CFC7900 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF67CFC7983
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF67CFC799A

Strings

WilFailureNotifyWatchers, xrefs: 00007FF67CFC7990
kernelbase.dll, xrefs: 00007FF67CFC797C

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: WilFailureNotifyWatchers$kernelbase.dll
API String ID: 1646373207-2571501353
Opcode ID: 9a7db6e43057bd728f2ef62b898599da06f6ef90415e870cb48878db2bb90548
Instruction ID: aa612578cd6eeee35a700f37598b2e100fee17cb48f9ac8695d5eaa7c1320f03
Opcode Fuzzy Hash: 9a7db6e43057bd728f2ef62b898599da06f6ef90415e870cb48878db2bb90548
Instruction Fuzzy Hash: CE312B33B29BC185EB648F28E495139B7A0FF49B54B14423AEA8D83764EF3CE544DB00

Function 00007FFD9373A3C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFD9373A3F2
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFD9373A423
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9373A442

Strings

., xrefs: 00007FFD9373A3FC

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: FileFindNext$wcscpy_s
String ID: .
API String ID: 544952861-248832578
Opcode ID: e8055660fd5f3a0e6e4367fb8295474a2c920e569d81a9d24aaffc670c06c300
Instruction ID: 43ac1bff851ac90cf4ef7bd0553d34dd736b0b6ad7d36f9b52d94a5a59e7923a
Opcode Fuzzy Hash: e8055660fd5f3a0e6e4367fb8295474a2c920e569d81a9d24aaffc670c06c300
Instruction Fuzzy Hash: 8921C662B0C68282FBB48FA5F8A93B933A4EF48794F544131DA8D53694DF3DD445C701

Function 00007FFD93736BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD93736C62
std::ios_base::failure::failure.LIBCPMT ref: 00007FFD93736CA5
_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD93736CB6

Strings

ios_base::badbit set, xrefs: 00007FFD93736C40, 00007FFD93736C6D

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set
API String ID: 1099746521-3882152299
Opcode ID: a934e826d32ede37d3e5b424d5656a2318ae423a750d11c43174206a3af171af
Instruction ID: 341c40d1ed96b8759b4e688db458d97cfab094d6e930fc968cebbeb0e681de95
Opcode Fuzzy Hash: a934e826d32ede37d3e5b424d5656a2318ae423a750d11c43174206a3af171af
Instruction Fuzzy Hash: B7012B61B1950691F73CCA95E8E15BD3256EF80744F348135D60E27999DE3CF505C240

Function 00007FFDA46D2410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D244E

Strings

RCC, xrefs: 00007FFDA46D2420
csm, xrefs: 00007FFDA46D2430
MOC, xrefs: 00007FFDA46D2428

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: 47db328f9ad3fe6785f7c33411a4be44342857283f86d96f95ada9c86e643c8e
Instruction ID: 2e21534d6cac1b3e119f846cf09bb87bc6263a4c9a9791fe7b95769e9446879d
Opcode Fuzzy Hash: 47db328f9ad3fe6785f7c33411a4be44342857283f86d96f95ada9c86e643c8e
Instruction Fuzzy Hash: 22F03C37A19A0681EB905F21E1D11F936B4EB49745F0D6031DB4806363CF3CD8A0CA45

Function 00007FF67CFC8800 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF67CFC881F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF67CFC882F

Strings

kernelbase.dll, xrefs: 00007FF67CFC8815
RaiseFailFastException, xrefs: 00007FF67CFC8828

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 9cee964bd7aab848cc37a03405ac079c2a0f27fdeb4b8e053aa243852f3d0080
Instruction ID: 35899655b15d1e30281886d17a4e7e786a1a76a3540d3607dcd4f092f43948d3
Opcode Fuzzy Hash: 9cee964bd7aab848cc37a03405ac079c2a0f27fdeb4b8e053aa243852f3d0080
Instruction Fuzzy Hash: DBF03026B2ABD181EB248B13F8940256761FF88FC0B445A35EE5D87B68CE2CE441C700

Function 00007FFDA46D99DC Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC17D
Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC1B6
Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D9B37
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D9B96
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D9BC8
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D9BD8

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: e0e856a0689efcaa77ef655b2ee01dfdabc08d004ac59cec928a27a07a1ba9ac
Instruction ID: be247082af8f5a62c54d07f0ec3c4701f6b25eb1bb08e85b51944c76e35932e2
Opcode Fuzzy Hash: e0e856a0689efcaa77ef655b2ee01dfdabc08d004ac59cec928a27a07a1ba9ac
Instruction Fuzzy Hash: D4916F73F0AA5289FB108B60D4A03EC37B1BB46708F596035DE4D577A6EF78A849C348

Function 00007FFDA46DA16C Relevance: 6.1, APIs: 4, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDA46DA21E
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DA22E
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DA24B

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: db26575aafbf47d1ebfcb41f0a44ab5eea3fe5a11d01272e410fccac97833c0a
Instruction ID: e7319687ca3fd2f421a214bda6bd3015afbbb2abcd986c7e0118243063c08e9b
Opcode Fuzzy Hash: db26575aafbf47d1ebfcb41f0a44ab5eea3fe5a11d01272e410fccac97833c0a
Instruction Fuzzy Hash: 69516C72B1EA5289EB118F21E8A07FD37A1AB4A744F8C6031DA0D477A6DF7D9441C748

Function 00007FFD93739B28 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFD93739C07
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93739C4A
memcpy.VCRUNTIME140_APP ref: 00007FFD93739C54
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFD93739C87

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 7371046f5cd766d1bffe046c2d59978eee7b4bc23b1b826026726add19b89a48
Instruction ID: 7806fb95d1d5b9ab80b4c3619e91e972d8862cb559c0d3839aed7adf34b7df9a
Opcode Fuzzy Hash: 7371046f5cd766d1bffe046c2d59978eee7b4bc23b1b826026726add19b89a48
Instruction Fuzzy Hash: 70310561B0864181EA28DF96F5A427AB39AEF05BE0F644630DE3D17BD5DE7CE041C304

Function 00007FFD937474F8 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFD93746EF1), ref: 00007FFD937475D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFD93746EF1), ref: 00007FFD9374762B
memcpy.VCRUNTIME140_APP(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,0000003F,00000000,00000048,00007FFD93746EF1), ref: 00007FFD93747635
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFD93747679

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 6a3fb9a081d1040bcb31cb8976ecef3be5baf333ccd0691446595d407ef7610f
Instruction ID: 51e7742ca2afc5e9cd7b2759fb039aa9cc2c9057b4db64c92ec4ee21abd58cec
Opcode Fuzzy Hash: 6a3fb9a081d1040bcb31cb8976ecef3be5baf333ccd0691446595d407ef7610f
Instruction Fuzzy Hash: 4D41F561B08696A1ED24DB96E568279B35BEB04FE0F544631EE3D1BBD8EE3CE041C300

Function 00007FFD93760818 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

_FXp_setw.LIBCPMT ref: 00007FFD93760877
_FXp_movx.LIBCPMT ref: 00007FFD93760887

Part of subcall function 00007FFD93761064: memcpy.VCRUNTIME140_APP(?,?,00000004,00007FFD9376088C), ref: 00007FFD9376107A

Part of subcall function 00007FFD93760FEC: ldexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,00007FFD9376089C), ref: 00007FFD93761020

_FXp_movx.LIBCPMT ref: 00007FFD937608CE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD93760947

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
String ID:
API String ID: 2233944734-0
Opcode ID: 5f6e89d24b1cfb7bdbc1a0da2f84e74a13c0c09dfe02f17bd2c73ce5df9fcb8a
Instruction ID: 408bcc927d18f2200cc0fbc9447c233569ee3cf5ae0796652b41ab36d03cd216
Opcode Fuzzy Hash: 5f6e89d24b1cfb7bdbc1a0da2f84e74a13c0c09dfe02f17bd2c73ce5df9fcb8a
Instruction Fuzzy Hash: B6412B22F1CA4686F7719BAA90712B97368BF48748F144630EA4D33299DF3CF5168702

Function 00007FFD93733110 Relevance: 6.1, APIs: 4, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD9373312D
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD93733137
islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93733174
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD937331CE

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
String ID:
API String ID: 2234106055-0
Opcode ID: ba68687bd1084c1fd20868618680cfa2efd6f955821d8f547e74609adf00972e
Instruction ID: 9f6c83a3c89ee5c311eb6cb8b1650319aa7df78fc579e5af9f7053ef5c306f6d
Opcode Fuzzy Hash: ba68687bd1084c1fd20868618680cfa2efd6f955821d8f547e74609adf00972e
Instruction Fuzzy Hash: B131B362B0CB5282F7398B56B86037D7AA5FB84B91F284035DA8D17799DF3CE485C720

Function 00007FFD93732FD0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD93732FE7
___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD93732FF1
isupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93733027
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFD93733087

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
String ID:
API String ID: 3857474680-0
Opcode ID: 23ab1e88ae2b3b9f22ff4d2e2df039963f5cd33ef94b97e970288bced12dc4c5
Instruction ID: e7caab2a81218b8af236482dff1ffb413c10887ce018cd80d14cd5ac26752106
Opcode Fuzzy Hash: 23ab1e88ae2b3b9f22ff4d2e2df039963f5cd33ef94b97e970288bced12dc4c5
Instruction Fuzzy Hash: C331D572B0C74682F7398B55E8A03BD76A6EB80B91F284035DACD17795DE3CE484C720

Function 00007FFD93739F60 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD93739CD0: CreateFile2.API-MS-WIN-CORE-FILE-L1-2-0 ref: 00007FFD93739D00

GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FFD93739FCB
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFD93739FDA
GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0 ref: 00007FFD9373A00D
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFD9373A01C

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Handle$CloseFileInformation$CreateFile2
String ID:
API String ID: 1163284826-0
Opcode ID: c98a8f08e21ed10e916e511ab44b33d144b6336d3769b1fd7808e17c69bf46a3
Instruction ID: 8be99df54ab6b9c5935cddc76e1703447653ca0ca310c64dfb878f2be06eab88
Opcode Fuzzy Hash: c98a8f08e21ed10e916e511ab44b33d144b6336d3769b1fd7808e17c69bf46a3
Instruction Fuzzy Hash: 6131F422F0460985FB64CBB1E4612FE33B4AB04BA8F504731CD2D277D4EE3998818340

Function 00007FFDA46DC5A8 Relevance: 6.1, APIs: 4, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDA46DE098: Replicator::operator[].LIBVCRUNTIME ref: 00007FFDA46DE0F2

Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC17D
Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC1B6
Part of subcall function 00007FFDA46DC0EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC4E3

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC626
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC635
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC6B2
DName::operator+.LIBVCRUNTIME ref: 00007FFDA46DC6C1

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 137f35b8ab8777edeeea4d3d93e268a54653f94e00eb99c599d23a709cf02532
Instruction ID: b81ebe5554affd19f3731c625e3982f461e6c0f984d4c8b0641c002dd45887ce
Opcode Fuzzy Hash: 137f35b8ab8777edeeea4d3d93e268a54653f94e00eb99c599d23a709cf02532
Instruction Fuzzy Hash: 93414673B09B85C9EB01CF64D8A53EC37B0BB4AB48F98A025DA4D577A6DF789441C704

Function 00007FFD9376B9C0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFD9375F441), ref: 00007FFD9376BA07
memcpy.VCRUNTIME140_APP(?,00000000,?,?,?,00007FFD9375F441), ref: 00007FFD9376BA2B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFD9375F441), ref: 00007FFD9376BA38
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFD9375F441), ref: 00007FFD9376BAAB

Part of subcall function 00007FFD93732E70: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93732E9A
Part of subcall function 00007FFD93732E70: LCMapStringEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFD93732EDE

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
String ID:
API String ID: 2888714520-0
Opcode ID: f175193b6c3cb69a186ef12907c31e75d148df82e888f905f451e463fc05ba55
Instruction ID: b7f14ebab4dcf33dff9826de6e550c4bd910eb20d661839a1c8af4c4acd97577
Opcode Fuzzy Hash: f175193b6c3cb69a186ef12907c31e75d148df82e888f905f451e463fc05ba55
Instruction Fuzzy Hash: 5E210621B18BD285E6309F57A86052ABBD8FB46BE8F584231DE6D27BD4DF3CD4118340

Function 00007FFD9373AA30 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_wfsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9373AAD1
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9373AADF
_wfsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9373AB10
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9373AB2B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 4b2da362127e04f405fab03e2eb1a3b31cc41c713e6c08ffbf6b669a431fb480
Instruction ID: 98b0ac3aac9e0a56cd911418bed276057f553cd8f4c25bda461fff1c9506b53d
Opcode Fuzzy Hash: 4b2da362127e04f405fab03e2eb1a3b31cc41c713e6c08ffbf6b669a431fb480
Instruction Fuzzy Hash: E821B421B2964541EBBD8B46B5A5B2672EAFF84F44F284138CE4E53B90DF3DE8018701

Function 00007FFD9373A920 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_fsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9373A9C1
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9373A9CF
_fsopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9373AA00
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD9373AA1B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _fsopen$fclosefseek
String ID:
API String ID: 410343947-0
Opcode ID: f64390f3235c326aca300763c1886b7c3d144e41e05b7a6f6191a3c4a7674b13
Instruction ID: 72fb6f9b39e0088405656793bda75f6d03a220eac282018b032ad35a7f58099d
Opcode Fuzzy Hash: f64390f3235c326aca300763c1886b7c3d144e41e05b7a6f6191a3c4a7674b13
Instruction Fuzzy Hash: 9321F521B2974642FBBD8B46B46573572AABF88F84F195138CE4E63B94DF3DE8418300

Function 00007FFD9376B060 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFD9376612B), ref: 00007FFD9376B094
___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,00007FFD9376612B), ref: 00007FFD9376B09E

Part of subcall function 00007FFD93732740: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93732786
Part of subcall function 00007FFD93732740: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD937327AB
Part of subcall function 00007FFD93732740: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFD937327EB

memcmp.VCRUNTIME140_APP(?,?,?,?,?,?,00000000,00007FFD9376612B), ref: 00007FFD9376B0C1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00007FFD9376612B), ref: 00007FFD9376B0FF

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
String ID:
API String ID: 3421985146-0
Opcode ID: 9a4f074f7fe3bee5cb6c30750c332483e251a416c8866ebaadee7a14ac30e426
Instruction ID: ecc07c6b474eecd0bb0b972bbbc7e0cda41374e5ae533c401c1e0a8da32e08ea
Opcode Fuzzy Hash: 9a4f074f7fe3bee5cb6c30750c332483e251a416c8866ebaadee7a14ac30e426
Instruction Fuzzy Hash: AB219231B08B4186EB248F5B94A0029B6E8FB89FD5F544135DB5D63B95CF3CE4118701

Function 00007FFD93769070 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD937428BC: FormatMessageA.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFD937428E2

memcpy.VCRUNTIME140_APP ref: 00007FFD937690D9

Part of subcall function 00007FFD93733474: memcpy.VCRUNTIME140_APP(?,?,?,00007FFD93736B5F,?,?,?,00007FFD937347EC), ref: 00007FFD93733516

memcpy.VCRUNTIME140_APP ref: 00007FFD93769115
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FFD9376913B

Strings

unknown error, xrefs: 00007FFD937690CF

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: memcpy$FormatFreeLocalMessage
String ID: unknown error
API String ID: 1603595190-3078798498
Opcode ID: 393403b6a1f1d4d4069c48657dc765f8cbe8dc40f65fc9da209a8faca06826de
Instruction ID: a54bd2398d3a3f102eaffedb48688eeaea70bbe3a6f4d6dc0b44f89e07ea4b6b
Opcode Fuzzy Hash: 393403b6a1f1d4d4069c48657dc765f8cbe8dc40f65fc9da209a8faca06826de
Instruction Fuzzy Hash: E021B036708B9586E7288F66E52422D7BAAEB45FC8F184034DB8D1774ACF3CE560C741

Function 00007FFD9376BAE0 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
__pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
String ID:
API String ID: 3203701943-0
Opcode ID: e28adfae1c249bda0afd0f7cf76bd22d5b083521ec3e54fdc1464557419da4a5
Instruction ID: 3a6dbe91a342267a5fa17bab2bc8634b960f907d0cc3ce558cbaeb61db6c9332
Opcode Fuzzy Hash: e28adfae1c249bda0afd0f7cf76bd22d5b083521ec3e54fdc1464557419da4a5
Instruction Fuzzy Hash: F70104A2F14B9187EB158FBAD860038B7B0FB58F99B148235DA0E87714DA3CD0D2C700

Function 00007FFD937324C8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93732530

Strings

csm, xrefs: 00007FFD937324FA
MOC, xrefs: 00007FFD937324EA
RCC, xrefs: 00007FFD937324F2

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: malloc
String ID: MOC$RCC$csm
API String ID: 2803490479-2671469338
Opcode ID: 99de963a1fe55b9bd7a0891b46763f532adfc88203a95788734ee6b425dadccb
Instruction ID: 0c05b63d5d77c4f800f89172ddfbc89f512eea13f0aeb586a9562042b4a64b24
Opcode Fuzzy Hash: 99de963a1fe55b9bd7a0891b46763f532adfc88203a95788734ee6b425dadccb
Instruction Fuzzy Hash: DD018461F0820686EF7D5E91F1B427D73A9AF58BC4F389071DB0D57795CE2CEA818602

Function 00007FFD9373A4E0 Relevance: 6.0, APIs: 4, Instructions: 37fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD93739CD0: CreateFile2.API-MS-WIN-CORE-FILE-L1-2-0 ref: 00007FFD93739D00

SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFD9373A514
SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFD9373A523
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFD9373A536
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFD9373A541

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: File$CloseCreateErrorFile2HandleLastPointer
String ID:
API String ID: 3074824862-0
Opcode ID: 0cd72fde80447eeb56bad4721d4aaa63301966e39746875d89a672b024a734dd
Instruction ID: f4b9da89b38a8d47a8b5fc76c92d0ea6931afff4f421adb58671befef9a2ed07
Opcode Fuzzy Hash: 0cd72fde80447eeb56bad4721d4aaa63301966e39746875d89a672b024a734dd
Instruction Fuzzy Hash: A3F0D121F1865243FBB48BE6786262A32B4AF49BF0BA45230ED2D53BC4CE2DD4428700

Function 00007FFD9375D4D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140_APP ref: 00007FFD9375D63C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9375D729

Strings

0123456789-, xrefs: 00007FFD9375D574

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy
String ID: 0123456789-
API String ID: 931391446-3850129594
Opcode ID: 7264b870818fb0f69d8a1a77900bcf26002443e7252339213ad7f73e304bd3b5
Instruction ID: 25715c35908e2f19aa4967a05d8547beb59883c5854a9a62b7d81cae382ed006
Opcode Fuzzy Hash: 7264b870818fb0f69d8a1a77900bcf26002443e7252339213ad7f73e304bd3b5
Instruction Fuzzy Hash: 22716D62B19B5599EB24CFE5E4A02AC3379EB48B98F404136DE4D27B98DF38D44AC340

Function 00007FFD9375D240 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD9375D2DD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9375D490

Strings

%.0Lf, xrefs: 00007FFD9375D2CD

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 296878162-1402515088
Opcode ID: 3b16c76f99806dfa4a0cf6affe3c77ff5d81f2a5c6144b3f11b4eac95df9b14a
Instruction ID: 8cf17a2b6dbc35d1f3b829835cd373d7c5df6f778443995d7942887021430d0e
Opcode Fuzzy Hash: 3b16c76f99806dfa4a0cf6affe3c77ff5d81f2a5c6144b3f11b4eac95df9b14a
Instruction Fuzzy Hash: A471B322B18B8586EB21CBE6E4602AD7376EF98B95F004132DE4D27B69DF3CD046C300

Function 00007FFD9375D760 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

swprintf_s.PGOCR ref: 00007FFD9375D7FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9375D9B0

Strings

%.0Lf, xrefs: 00007FFD9375D7ED

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnswprintf_s
String ID: %.0Lf
API String ID: 296878162-1402515088
Opcode ID: b571ce2853cddf76524b4741eca339f0dced9dcfb565cacf30ea4cebfa2c42ba
Instruction ID: 2e8561b6d387ff70655a22d082073ea4620deb0a903972bb7a775dbdec3f4b84
Opcode Fuzzy Hash: b571ce2853cddf76524b4741eca339f0dced9dcfb565cacf30ea4cebfa2c42ba
Instruction Fuzzy Hash: CB719322B18B8586EB21CBE6E4602AD7375EF54B94F104136DE4D27B69DF3CE446C340

Function 00007FFD93769990 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FFD93769999

Strings

invalid random_device value, xrefs: 00007FFD937699AC

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: rand_s
String ID: invalid random_device value
API String ID: 863162693-3926945683
Opcode ID: 5bf917cb6cc27b8f8c101cf21685ef46c4f3be592fb91b1d19001d2cd564a4a4
Instruction ID: 2f63d94d2c681458983e4e893a74782c5f607e6e75b5d6ae9f3c9513765ebaff
Opcode Fuzzy Hash: 5bf917cb6cc27b8f8c101cf21685ef46c4f3be592fb91b1d19001d2cd564a4a4
Instruction Fuzzy Hash: 0A51E422F18A86C5F3728F7488B11B973ADBF17788F148732E50E36595DF2CA4A28601

Function 00007FFDA46D4730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFDA46D4806
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46D4864

Strings

csm, xrefs: 00007FFDA46D490A

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: 809b0197d0f15b3009e55adb189ff641ea3fee3a4527357fb56d218a418e2097
Instruction ID: eca45dcb9246ac4a610f529ebf069952fb8a5f3fe657a58fc094be92a5259cc3
Opcode Fuzzy Hash: 809b0197d0f15b3009e55adb189ff641ea3fee3a4527357fb56d218a418e2097
Instruction Fuzzy Hash: A2512D77B1AA8586D6609B16E4903AE77A4FB8AB90F181134DB8D07B66CF3CD451CB04

Function 00007FFD93743440 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD937435E4
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD9374361D

Strings

Windows.Foundation.Diagnostics.AsyncCausalityTracer, xrefs: 00007FFD937435DD

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Foundation.Diagnostics.AsyncCausalityTracer
API String ID: 1966789792-167870777
Opcode ID: 7c7924330cc76eb3eba570e8f5a043d3487a3d96d7dca579302cae01b3451e79
Instruction ID: 645fc88f6e0dc222b935afdb6d5deb36928188cae949ecfe0b648c0dd4dc6c8e
Opcode Fuzzy Hash: 7c7924330cc76eb3eba570e8f5a043d3487a3d96d7dca579302cae01b3451e79
Instruction Fuzzy Hash: E131C421B18A4683FB24CBA5E4A83B93365FF89B85F500032DA4D57795CF3DE551C310

Function 00007FFD937436D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140_APP ref: 00007FFD937437E0
CoGetObjectContext.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FFD93743803

Strings

Context callback failed., xrefs: 00007FFD937437C3

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ContextExceptionObjectThrow
String ID: Context callback failed.
API String ID: 1677907432-1244723342
Opcode ID: e19a649699645cc43410b51faacb8ed42f9f502b8979f275351cd23fa70905b7
Instruction ID: 528e784f8ab05939087ff71f6f65be944d28c6c00ee86381e50a9fa2009a73a7
Opcode Fuzzy Hash: e19a649699645cc43410b51faacb8ed42f9f502b8979f275351cd23fa70905b7
Instruction Fuzzy Hash: 9031AE62B08A0682FF718FA5E8E437933A9FF44B84F544136DA8D566A4DF3CE494C710

Function 00007FFD93733280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFD937332B5

Part of subcall function 00007FFD93782B1C: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD93735AA8), ref: 00007FFD93782B36

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFD937357AA,?,?,?,00007FFD937343F8), ref: 00007FFD937332AE

Strings

ios_base::failbit set, xrefs: 00007FFD937332CE

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: ios_base::failbit set
API String ID: 1934640635-3924258884
Opcode ID: 86b4e5238144139d03474f40a88081f60eccb49d5d50e335382d98dbc759b6c8
Instruction ID: 9ff37fdac2560197ad4b4e94d3ad12209fed23098665619b83ebea04e9d651d3
Opcode Fuzzy Hash: 86b4e5238144139d03474f40a88081f60eccb49d5d50e335382d98dbc759b6c8
Instruction Fuzzy Hash: 3221FD21B0DB8285EA34CB51F5502A9B398FB4CBE0F684631EE9C53B94EF3CC5418700

Function 00007FFDA46D98C8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDA46D99C6

Strings

void, xrefs: 00007FFDA46D9928
void , xrefs: 00007FFDA46D9950

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: 1fd1239767cdba175521d54b038567421754ad18fe50b3a3e7fd3ac15f670715
Instruction ID: c252e77ef81127a40d2594a34572f38b8485aa5ce65ff3044b6907f3e3fbcf1d
Opcode Fuzzy Hash: 1fd1239767cdba175521d54b038567421754ad18fe50b3a3e7fd3ac15f670715
Instruction Fuzzy Hash: FC313A72F19B5588FB01CB64E8910ED37B0BB49748B486136DE4E57B6AEF389148C748

Function 00007FFD9373F220 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFD9373C674), ref: 00007FFD9373F244

Part of subcall function 00007FFD9376BAE0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB00
Part of subcall function 00007FFD9376BAE0: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB08
Part of subcall function 00007FFD9376BAE0: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB11
Part of subcall function 00007FFD9376BAE0: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFD93736043), ref: 00007FFD9376BB2D

Strings

false, xrefs: 00007FFD9373F29C
true, xrefs: 00007FFD9373F2B3

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
String ID: false$true
API String ID: 2502581279-2658103896
Opcode ID: 9b59a3e52013d521e33c9098de8e5753f24b95a6832a3519e6095e988c635fb6
Instruction ID: f80cf751d6e62eb32caefd73586b410d2bc169f7e8ea2c8ee66794ec6e80cc9e
Opcode Fuzzy Hash: 9b59a3e52013d521e33c9098de8e5753f24b95a6832a3519e6095e988c635fb6
Instruction Fuzzy Hash: B3218027608B8591EB34DF61E4A03AA37B4FB987A8F544532DA8D1735ACF3CD155C780

Function 00007FFD937435A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD937435E4
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD9374361D

Strings

Windows.Foundation.Diagnostics.AsyncCausalityTracer, xrefs: 00007FFD937435DD

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Foundation.Diagnostics.AsyncCausalityTracer
API String ID: 1966789792-167870777
Opcode ID: 44bba69f27772335a2dabfed7dfb8568543d36035e0c3b799b1208cc61387a4d
Instruction ID: bd027dcf8b9cb1d40c03d80e08a8692baae77347ddc05eab81393beb8f90eb8c
Opcode Fuzzy Hash: 44bba69f27772335a2dabfed7dfb8568543d36035e0c3b799b1208cc61387a4d
Instruction Fuzzy Hash: 90218922B18A8682FB208B66E4A83793379FB49B89F500132DA4D5B768CF3DE544C300

Function 00007FFDA46D608F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46D6430: RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDA46D6474
Part of subcall function 00007FFDA46D6430: RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDA46D64BA

RtlPcToFileHeader.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDA46D60FF

Strings

Access violation - no RTTI data!, xrefs: 00007FFDA46D608F
Bad dynamic_cast!, xrefs: 00007FFDA46D60B2

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: a6639cd7f69626a89f4ca9d3667c59b83a4044ca09e137da1a34bb00ff92109c
Instruction ID: 402585f221c3190c3e5174ef264335d0ac5ad4396175222a17cd443638fa6f9b
Opcode Fuzzy Hash: a6639cd7f69626a89f4ca9d3667c59b83a4044ca09e137da1a34bb00ff92109c
Instruction Fuzzy Hash: 8E014062B2BE4695EE409B14E8E26F96360FF96B44F487031D54E06777EF6CD508C304

Function 00007FFDA46DE720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA46DE970: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDA46DEA30
Part of subcall function 00007FFDA46DE970: RtlUnwindEx.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0(?,?,?,?,?,?,?,00007FFDA46DE735), ref: 00007FFDA46DEA7F

Part of subcall function 00007FFDA46D6770: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA46D23AE), ref: 00007FFDA46D677E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA46DE75A

Strings

csm, xrefs: 00007FFDA46DE73B
f, xrefs: 00007FFDA46DE735

Memory Dump Source

Source File: 00000004.00000002.2147282353.00007FFDA46D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA46D0000, based on PE: true

Associated: 00000004.00000002.2147263148.00007FFDA46D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147303832.00007FFDA46E1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147320675.00007FFDA46E6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2147336830.00007FFDA46E7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffda46d0000_WebExperienceHostApp.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 4189928240-629598281
Opcode ID: 6b267538cdc2106bb9cc523324cb098b503f0df6c4cb79035cd1b191454f8ac5
Instruction ID: 7778065f97b55a5171bade2afb564ec836a31622f5a07671f7ade948546a961f
Opcode Fuzzy Hash: 6b267538cdc2106bb9cc523324cb098b503f0df6c4cb79035cd1b191454f8ac5
Instruction Fuzzy Hash: A1E06C37E09F4641DBD05B11E1D51FD26A4EF16794F1C6034D64C06767CE3CD8508649

Function 00007FFD937362E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD937362ED

Part of subcall function 00007FFD93734D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D32
Part of subcall function 00007FFD93734D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D58
Part of subcall function 00007FFD93734D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D70

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9373630A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFD93736315

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getmonthsmallocmemcpy
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
API String ID: 1628830074-4232081075
Opcode ID: 0e3ca20c2d103951e4d7d7801fc3e20d684566a9d28fb9907ec1b8d7555c0598
Instruction ID: bf27d09a1e72276d59d9d1d3d2a12945ed6e807b2580f1af361ad89371628ef1
Opcode Fuzzy Hash: 0e3ca20c2d103951e4d7d7801fc3e20d684566a9d28fb9907ec1b8d7555c0598
Instruction Fuzzy Hash: 44E06D22B08B4182EB289F62F4953797374EF08BD5F640030DA0D16754DF3CD894C380

Function 00007FFD93736270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD9373627D

Part of subcall function 00007FFD93734D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D32
Part of subcall function 00007FFD93734D10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D58
Part of subcall function 00007FFD93734D10: memcpy.VCRUNTIME140_APP(?,?,?,00007FFD93742134,?,?,?,00007FFD9373439B,?,?,?,00007FFD93735AE1), ref: 00007FFD93734D70

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9373629A

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD937362A5

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getdaysmallocmemcpy
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1347072587-3283725177
Opcode ID: e3e5c3688c4805bfe07b39f3b0bc76f695c360df353ad2bd69f5daf1469f8f09
Instruction ID: 9563a2583d94e08fb66ddaf5311ba658dc7b97bd2a6f28407bb5d3397133aa4e
Opcode Fuzzy Hash: e3e5c3688c4805bfe07b39f3b0bc76f695c360df353ad2bd69f5daf1469f8f09
Instruction Fuzzy Hash: B9E06D21719B8282EF249FA1F49437AB374EF48B95F588030DA0D1A754DF3CD884C340

Function 00007FFD937369E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD937369ED

Part of subcall function 00007FFD93734D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DB9
Part of subcall function 00007FFD93734D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DE8
Part of subcall function 00007FFD93734D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DFF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93736A0A

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFD93736A15

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getmonthsmallocmemcpy
String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
API String ID: 1628830074-2030377133
Opcode ID: 27da167e1864dcdf294359a8b0a44747903f76c57d9256877098d303ea31171d
Instruction ID: 2f48854a312ac88d733acee6390c0a0d484b6034441b12ad11b2d150f7120675
Opcode Fuzzy Hash: 27da167e1864dcdf294359a8b0a44747903f76c57d9256877098d303ea31171d
Instruction Fuzzy Hash: 95E03921718B4192EA648FA1F4D43697368EF08B95F945034DA0E26754DE3CD8C4C380

Function 00007FFD93736990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD9373699D

Part of subcall function 00007FFD93734D90: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DB9
Part of subcall function 00007FFD93734D90: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DE8
Part of subcall function 00007FFD93734D90: memcpy.VCRUNTIME140_APP(?,?,00000000,00007FFD937471DD,?,?,?,?,?,?,?,?,?,00007FFD9374B15E), ref: 00007FFD93734DFF

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD937369BA

Strings

:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFD937369C5

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free$Getdaysmallocmemcpy
String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1347072587-3283725177
Opcode ID: f597a48114be3c6915887c42bc8e5feb8ace438d66b9616608920e23ae2e9610
Instruction ID: e3c255c02f126f12bfa6f78cd5361d2072a70a612d71bec0d2a8033ede72726b
Opcode Fuzzy Hash: f597a48114be3c6915887c42bc8e5feb8ace438d66b9616608920e23ae2e9610
Instruction Fuzzy Hash: B3E06D22708B4192EB248F51F49437973B4EF08BA5F651134DA0D16754DF3CD884C740

Function 00007FF67CFC7750 Relevance: 5.1, APIs: 4, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67CFC4580: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC53C5,?,?,00000000,00007FF67CFC5353), ref: 00007FF67CFC458F
Part of subcall function 00007FF67CFC4580: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC53C5,?,?,00000000,00007FF67CFC5353), ref: 00007FF67CFC459D
Part of subcall function 00007FF67CFC4580: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC53C5,?,?,00000000,00007FF67CFC5353), ref: 00007FF67CFC45B2

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF67CFC780C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF67CFC781A

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 468bbb36f5f0524bfad220df1c36bc57dc39595cc71b805c81501286b27ccc0c
Instruction ID: 76680db6015f5ee3431a4109cfddde0fd37d826f5729db4c98700aeca7485e5b
Opcode Fuzzy Hash: 468bbb36f5f0524bfad220df1c36bc57dc39595cc71b805c81501286b27ccc0c
Instruction Fuzzy Hash: 12316263B2C98286E730EB25D4512BA6361FF98B84F558232EA4DC7696EF3CE545C700

Function 00007FF67CFC6CB0 Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC6878,?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6CE7
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC6878,?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6CF5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC6878,?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6D13
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF67CFC6878,?,?,?,00007FF67CFC67A6), ref: 00007FF67CFC6D21

Memory Dump Source

Source File: 00000004.00000002.2147078672.00007FF67CFC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67CFC0000, based on PE: true

Associated: 00000004.00000002.2147061005.00007FF67CFC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147094422.00007FF67CFCA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147114846.00007FF67CFCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2147133143.00007FF67CFCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff67cfc0000_WebExperienceHostApp.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0056834fd57f5863927073a6cb3a8cdd4485bbb69fd36fa37474e5618a9aa299
Instruction ID: fb216cb9b858b2c2da1cc9b012527eb907265ada88f5cb4c73a72df42a4231bc
Opcode Fuzzy Hash: 0056834fd57f5863927073a6cb3a8cdd4485bbb69fd36fa37474e5618a9aa299
Instruction Fuzzy Hash: F50169B3B09B8186EB209F52F9440AA7761FB48B90B198531DF4D63B24DF3CE5A6C740

Function 00007FFD93749450 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9374946D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93749477
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93749481
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9374948B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1408db0c91c4afda7cd62dbc657a8b28289742c7a241f7735ef7cac3faab0118
Instruction ID: 53767d5a41e436444ca3b24d48a6394021951bf8c2edb652017d863cab83969d
Opcode Fuzzy Hash: 1408db0c91c4afda7cd62dbc657a8b28289742c7a241f7735ef7cac3faab0118
Instruction Fuzzy Hash: C3F03C21719B0293DB249B56E9E81387339FB88B96F104030CA4D53B20DFBCE4A58300

Function 00007FFD93762820 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9376283D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93762847
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93762851
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9376285B

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 28282babf5ab9a79a3e9250d435ee7dac1d2215b7bc58fb2e129965c8d656ec7
Instruction ID: 9d0650c30988254e7121c373cd38377ea62eb922007fdeb7d16907ed2039f383
Opcode Fuzzy Hash: 28282babf5ab9a79a3e9250d435ee7dac1d2215b7bc58fb2e129965c8d656ec7
Instruction Fuzzy Hash: F6F0EC21B19B4293DB649B95E9E41687338FB8CFE6B544031DA4D53B60DF7CE4A58300

Function 00007FFD937494C0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD937494DD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD937494E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD937494F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD937494FB

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 78515aec29c92e18f2c63f3efd2ffdad150a398ddd245488889049c7a56c38d1
Instruction ID: 87b53c263f30769274a8b5c0f05c013b592eb8eb8b89c4dde6cd095e194df017
Opcode Fuzzy Hash: 78515aec29c92e18f2c63f3efd2ffdad150a398ddd245488889049c7a56c38d1
Instruction Fuzzy Hash: 19F03C21B19B0293DB249B56E9E81387339FB88B96B504030CA4D53B60DF7CE4A58300

Function 00007FFD937491F8 Relevance: 5.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9374920A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93749214
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD9374921E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD93749228

Memory Dump Source

Source File: 00000004.00000002.2147163734.00007FFD93731000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFD93730000, based on PE: true

Associated: 00000004.00000002.2147148953.00007FFD93730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147201110.00007FFD93785000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147228174.00007FFD937B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.2147245555.00007FFD937B7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd93730000_WebExperienceHostApp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7ad3a6edda06eaf9da7d43210142655a193d10ee84286b762144f3f5892102b8
Instruction ID: e80c8554c3121053885c4fe0f41f5dde37e9ea7cb053468f2c0e04c24c1e84fc
Opcode Fuzzy Hash: 7ad3a6edda06eaf9da7d43210142655a193d10ee84286b762144f3f5892102b8
Instruction Fuzzy Hash: DBE02866715B0183EB649F61D8A80787334FF9CFAA7241031CE1D56664CE78E495C300

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report recibatt- 533152.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\711103.rbs

C:\Users\user\AppData\Local\Aplication_files\WebExperienceHostApp.exe

C:\Users\user\AppData\Local\Aplication_files\msvcp140_app.dll

C:\Users\user\AppData\Local\Aplication_files\vcamp140_app.dll

C:\Users\user\AppData\Local\Aplication_files\vccorlib140_app.dll

C:\Users\user\AppData\Local\Aplication_files\vcomp140_app.dll

C:\Users\user\AppData\Local\Aplication_files\vcruntime140_1_app.dll

C:\Users\user\AppData\Local\Aplication_files\vcruntime140_app.dll

C:\Windows\Installer\711101.msi

C:\Windows\Installer\MSI124A.tmp

C:\Windows\Installer\MSI12B8.tmp

C:\Windows\Installer\MSI12E8.tmp

C:\Windows\Installer\MSI1327.tmp

C:\Windows\Installer\MSI1367.tmp

C:\Windows\Installer\MSI13C6.tmp

C:\Windows\Installer\SourceHash{9295EB37-D0C2-4849-8522-3C24732E7204}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF3A86FBC234ACA344.TMP

C:\Windows\Temp\~DF446ED56DE899A873.TMP

C:\Windows\Temp\~DF4693D6F38400A101.TMP

C:\Windows\Temp\~DF485036A346646AA1.TMP

C:\Windows\Temp\~DF76A60FBCE0F23EC4.TMP

C:\Windows\Temp\~DF8D1E4238889C8842.TMP

C:\Windows\Temp\~DFCFBA0D4EAFFE3299.TMP

C:\Windows\Temp\~DFD441F4492135CBC4.TMP

Windows Analysis Report
recibatt- 533152.msi

Function 00007FF67CFC2AA0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 192
libraryloaderCOMMON

Function 00007FF67CFC54F4 Relevance: 24.1, APIs: 15, Strings: 1, Instructions: 138
COMMON

Function 00007FF67CFC5D10 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 289
libraryloaderCOMMON

Function 00007FF67CFC158C Relevance: 10.6, APIs: 7, Instructions: 94
COMMON

Function 00007FFD93738370 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67
COMMON

Function 00007FF67CFC27BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Function 00007FFDA46D6430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Function 00007FF67CFC301C Relevance: 4.6, APIs: 3, Instructions: 149
COMMON

Function 00007FF67CFC251C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84
COMMON

Function 00007FFD93742100 Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Function 00007FFD93733930 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 00007FF67CFC480C Relevance: 1.6, APIs: 1, Instructions: 60
COMMON