Edit tour

Windows Analysis Report
4iogI3WCTh.exe

Overview

General Information

Sample name:	4iogI3WCTh.exe renamed because original name is a hash value
Original sample name:	f4e673616e807b25a98f0655c693d411.exe
Analysis ID:	1583032
MD5:	f4e673616e807b25a98f0655c693d411
SHA1:	7d697956f37a0432d4952806739e4c39ace201a1
SHA256:	80e013ba13cf1238703dc670cb3defce7fbf9e3b09beedfdcb6d3197aec5552f
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected GhostRat

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Loading BitLocker PowerShell Module

Sets debug register (to hijack the execution of another thread)

Suspicious powershell command line found

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Uses Register-ScheduledTask to add task schedules

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Sigma detected: Suspicious Electron Application Child Processes

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

4iogI3WCTh.exe (PID: 4008 cmdline: "C:\Users\user\Desktop\4iogI3WCTh.exe" MD5: F4E673616E807B25A98F0655C693D411)

4iogI3WCTh.tmp (PID: 2316 cmdline: "C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp" /SL5="$20434,1664838,141312,C:\Users\user\Desktop\4iogI3WCTh.exe" MD5: 8FDC58C7D4C59472615682D6DEA9D190)

4iogI3WCTh.exe (PID: 600 cmdline: "C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT MD5: F4E673616E807B25A98F0655C693D411)

4iogI3WCTh.tmp (PID: 2496 cmdline: "C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp" /SL5="$20442,1664838,141312,C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT MD5: 8FDC58C7D4C59472615682D6DEA9D190)

msedgewebview2.exe (PID: 2304 cmdline: "C:\Users\user\AppData\Roaming\\NVIDIA app\\724\\msedgewebview2.exe" MD5: 71FDF2D301949413F8B14E0F12C2E0F5)

powershell.exe (PID: 2800 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedgewebview2.exe (PID: 7232 cmdline: "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe" MD5: 71FDF2D301949413F8B14E0F12C2E0F5)

powershell.exe (PID: 7248 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7608 cmdline: "tasklist" /FI "IMAGENAME eq regsvr32.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 7672 cmdline: "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 2996 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7764 cmdline: "tasklist" /FI "IMAGENAME eq regsvr32.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 7824 cmdline: "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 7840 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8144 cmdline: "tasklist" /FI "IMAGENAME eq regsvr32.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 2700 cmdline: "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 1448 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5944 cmdline: "tasklist" /FI "IMAGENAME eq regsvr32.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 4312 cmdline: "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 1516 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: GhostRat

{"C2 url": ["154.39.239.95:1445", "154.39.239.95:1445"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.3094660374.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x26a28:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x29f5e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000012.00000003.1931212895.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x27a28:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x2af5e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000012.00000002.3096785341.0000000002720000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x22388:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x258be:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: regsvr32.exe PID: 7672	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.regsvr32.exe.272130d.1.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2107b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x245b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
18.3.regsvr32.exe.baf9ad.0.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2107b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x245b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
18.2.regsvr32.exe.baf9ad.0.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2107b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x245b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Sigma Signatures

System Summary

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 154.39.239.95, DestinationIsIpv6: false, DestinationPort: 1445, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 7672, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll", CommandLine: "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll", CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe", ParentImage: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe, ParentProcessId: 7232, ParentProcessName: msedgewebview2.exe, ProcessCommandLine: "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll", ProcessId: 7672, ProcessName: regsvr32.exe

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest", CommandLine: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest", CommandLine|base64offset|contains: -, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\\NVIDIA app\\724\\msedgewebview2.exe", ParentImage: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe, ParentProcessId: 2304, ParentProcessName: msedgewebview2.exe, ProcessCommandLine: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest", ProcessId: 2800, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest", CommandLine: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest", CommandLine|base64offset|contains: -, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\\NVIDIA app\\724\\msedgewebview2.exe", ParentImage: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe, ParentProcessId: 2304, ParentProcessName: msedgewebview2.exe, ProcessCommandLine: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest", ProcessId: 2800, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:22:25.381051+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49736	154.39.239.95	1445	TCP
2025-01-01T16:23:34.432562+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49737	154.39.239.95	1445	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: regsvr32.exe.7672.18.memstrmin

Malware Configuration Extractor: GhostRat {"C2 url": ["154.39.239.95:1445", "154.39.239.95:1445"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\is-A0K1V.tmp	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll (copy)	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: 4iogI3WCTh.exe	ReversingLabs: Detection: 47%
Source: 4iogI3WCTh.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1C35A0 BCryptGenRandom,SystemFunction036,HeapFree,TlsSetValue,HeapFree,HeapFree,TlsSetValue,	4_2_00007FFDFF1C35A0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1C3150 TlsGetValue,BCryptGenRandom,SystemFunction036,TlsGetValue,TlsGetValue,TlsSetValue,HeapFree,HeapFree,TlsSetValue,HeapFree,HeapFree,	4_2_00007FFDFF1C3150
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1C3150 TlsGetValue,BCryptGenRandom,SystemFunction036,TlsGetValue,TlsGetValue,TlsSetValue,HeapFree,HeapFree,TlsSetValue,HeapFree,HeapFree,	18_2_00007FFDFF1C3150
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1C35A0 BCryptGenRandom,SystemFunction036,HeapFree,TlsSetValue,HeapFree,HeapFree,TlsSetValue,	18_2_00007FFDFF1C35A0

Source: 4iogI3WCTh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge WebView2 Runtime_is1

Jump to behavior

Source:	Binary string: msedgewebview2.exe.pdbOGP source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: msedgewebview2.exe.pdb source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Windows\System32\regsvr32.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:
Source: C:\Windows\System32\regsvr32.exe	File opened: [:	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C99960 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,

18_2_02C99960

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49736 -> 154.39.239.95:1445
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49737 -> 154.39.239.95:1445

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 154.39.239.95 1445

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 154.39.239.95:1445
Source: Malware configuration extractor	URLs: 154.39.239.95:1445

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 154.39.239.95:1445

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.239.95

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C93660 select,recv,_errno,_errno,_errno,

18_2_02C93660

Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: powershell.exe, 0000001B.00000002.2593657575.000001B542100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsXbe;c
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4Cod
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digi
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000005.00000002.1728566872.00000231AF8F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2011774321.0000026BAE922000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1864557259.0000026744423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2236249896.000001A05A89F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2562965151.000001B539C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1733782261.00000231B7C8F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2589140588.000001B542008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micros
Source: powershell.exe, 00000005.00000002.1698180699.000002319FAA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1847876321.0000026B9EAD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1783904068.00000267345D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2078437647.000001A04AA58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2344779647.000001B529E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1698180699.000002319F881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1847876321.0000026B9E8B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1783904068.00000267343B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2078437647.000001A04A831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2344779647.000001B529C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2694346489.000001AE50391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1698180699.000002319FAA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1847876321.0000026B9EAD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1783904068.00000267345D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2078437647.000001A04AA58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2344779647.000001B529E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: 4iogI3WCTh.exe, 00000000.00000003.1639795686.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, 4iogI3WCTh.exe, 00000000.00000003.1639572060.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000001.00000000.1640326476.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 4iogI3WCTh.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: powershell.exe, 00000008.00000002.2026513817.0000026BB6E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000008.00000002.2026513817.0000026BB6E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c/
Source: powershell.exe, 00000008.00000002.2023594423.0000026BB6DED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000008.00000002.2026513817.0000026BB6E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cz
Source: 4iogI3WCTh.exe, 00000000.00000003.1639795686.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, 4iogI3WCTh.exe, 00000000.00000003.1639572060.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000001.00000000.1640326476.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 4iogI3WCTh.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: powershell.exe, 00000016.00000002.2265845423.000001A0630D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualC
Source: powershell.exe, 00000005.00000002.1698180699.000002319F881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1847876321.0000026B9E8B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1783904068.00000267343B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2078437647.000001A04A831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2344779647.000001B529C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2694346489.000001AE50391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: is-A0K1V.tmp.3.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps
Source: powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1728566872.00000231AF8F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2011774321.0000026BAE922000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1864557259.0000026744423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2236249896.000001A05A89F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2562965151.000001B539C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	String found in binary or memory: https://www.entrust.net/rpa0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Windows\System32\regsvr32.exe

Code function: [esc]

18_2_02CA2000

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02CA2000 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,

18_2_02CA2000

Source: C:\Windows\System32\regsvr32.exe

18_2_02CA2000

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C9EBE0 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

18_2_02C9EBE0

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02CA1BF0 SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

18_2_02CA1BF0

Source: C:\Windows\System32\regsvr32.exe

Windows user hook set: 0 mouse low level C:\Windows\system32\DINPUT8.dll

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.regsvr32.exe.272130d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 18.3.regsvr32.exe.baf9ad.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 18.2.regsvr32.exe.baf9ad.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000012.00000002.3094660374.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000012.00000003.1931212895.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000012.00000002.3096785341.0000000002720000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1CCC50 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,HeapFree,HeapFree,GetModuleHandleA,GetProcAddress,HeapFree,HeapFree,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,HeapFree,HeapFree,NtGetContextThread,NtSetContextThread,NtClose,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,	4_2_00007FFDFF1CCC50
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1CCC50 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,HeapFree,HeapFree,GetModuleHandleA,GetProcAddress,HeapFree,HeapFree,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,HeapFree,HeapFree,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,	18_2_00007FFDFF1CCC50
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D4700 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	18_2_00007FFDFF1D4700
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02743E28 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	18_2_02743E28

Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9E0C7 ExitWindowsEx,	18_2_02C9E0C7
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9E0E8 ExitWindowsEx,	18_2_02C9E0E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9E097 ExitProcess,ExitWindowsEx,	18_2_02C9E097

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D952B0	4_2_00007FF600D952B0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600E14810	4_2_00007FF600E14810
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D55810	4_2_00007FF600D55810
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D553E0	4_2_00007FF600D553E0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D5BFE0	4_2_00007FF600D5BFE0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600E1FDE0	4_2_00007FF600E1FDE0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D54DC0	4_2_00007FF600D54DC0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D5CBB2	4_2_00007FF600D5CBB2
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D5C940	4_2_00007FF600D5C940
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600E4A32E	4_2_00007FF600E4A32E
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D5EF00	4_2_00007FF600D5EF00
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D520C0	4_2_00007FF600D520C0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D540D0	4_2_00007FF600D540D0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D5C2A0	4_2_00007FF600D5C2A0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D55280	4_2_00007FF600D55280
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D57480	4_2_00007FF600D57480
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D5CC80	4_2_00007FF600D5CC80
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D5DE90	4_2_00007FF600D5DE90
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D53860	4_2_00007FF600D53860
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D53260	4_2_00007FF600D53260
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D5DC68	4_2_00007FF600D5DC68
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600D55670	4_2_00007FF600D55670
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1B1D70	4_2_00007FFDFF1B1D70
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1FFA50	4_2_00007FFDFF1FFA50
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1FE760	4_2_00007FFDFF1FE760
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1F8080	4_2_00007FFDFF1F8080
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1B6060	4_2_00007FFDFF1B6060
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E9FD0	4_2_00007FFDFF1E9FD0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D0010	4_2_00007FFDFF1D0010
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E3050	4_2_00007FFDFF1E3050
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1CFEA0	4_2_00007FFDFF1CFEA0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1ECEE0	4_2_00007FFDFF1ECEE0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D4EF0	4_2_00007FFDFF1D4EF0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1BBD90	4_2_00007FFDFF1BBD90
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E3D8E	4_2_00007FFDFF1E3D8E
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1C4D62	4_2_00007FFDFF1C4D62
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E3C84	4_2_00007FFDFF1E3C84
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1C5C90	4_2_00007FFDFF1C5C90
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1FDD00	4_2_00007FFDFF1FDD00
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E3D00	4_2_00007FFDFF1E3D00
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1C6CF0	4_2_00007FFDFF1C6CF0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1BDD40	4_2_00007FFDFF1BDD40
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1FED39	4_2_00007FFDFF1FED39
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D8B90	4_2_00007FFDFF1D8B90
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1CCC50	4_2_00007FFDFF1CCC50
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E3A99	4_2_00007FFDFF1E3A99
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1B5A8D	4_2_00007FFDFF1B5A8D
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1DAA90	4_2_00007FFDFF1DAA90
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1BCAA0	4_2_00007FFDFF1BCAA0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1B5B0B	4_2_00007FFDFF1B5B0B
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E3AFF	4_2_00007FFDFF1E3AFF
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D9AF0	4_2_00007FFDFF1D9AF0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1B5B3E	4_2_00007FFDFF1B5B3E
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1B3626	4_2_00007FFDFF1B3626
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E39AF	4_2_00007FFDFF1E39AF
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1B9A10	4_2_00007FFDFF1B9A10
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D19F0	4_2_00007FFDFF1D19F0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1FD870	4_2_00007FFDFF1FD870
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1F4900	4_2_00007FFDFF1F4900
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E3956	4_2_00007FFDFF1E3956
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1DF800	4_2_00007FFDFF1DF800
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1FD6C0	4_2_00007FFDFF1FD6C0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1CE6C0	4_2_00007FFDFF1CE6C0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF2036A0	4_2_00007FFDFF2036A0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E36E7	4_2_00007FFDFF1E36E7
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1DB6F0	4_2_00007FFDFF1DB6F0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D35F0	4_2_00007FFDFF1D35F0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1DB640	4_2_00007FFDFF1DB640
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1B3626	4_2_00007FFDFF1B3626
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D1480	4_2_00007FFDFF1D1480
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1F2490	4_2_00007FFDFF1F2490
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E34C0	4_2_00007FFDFF1E34C0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1ED4E0	4_2_00007FFDFF1ED4E0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1FF520	4_2_00007FFDFF1FF520
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1CF530	4_2_00007FFDFF1CF530
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1F83D0	4_2_00007FFDFF1F83D0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF208280	4_2_00007FFDFF208280
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF208260	4_2_00007FFDFF208260
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D5340	4_2_00007FFDFF1D5340
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF207350	4_2_00007FFDFF207350
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1D9180	4_2_00007FFDFF1D9180
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1F0210	4_2_00007FFDFF1F0210
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E409B	4_2_00007FFDFF1E409B
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E40B2	4_2_00007FFDFF1E40B2
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1F30B0	4_2_00007FFDFF1F30B0
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1E40EF	4_2_00007FFDFF1E40EF
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1C3150	4_2_00007FFDFF1C3150
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FFDFF1BD150	4_2_00007FFDFF1BD150
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B8B4DFB	5_2_00007FFD9B8B4DFB
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9EBE0	18_2_02C9EBE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C93360	18_2_02C93360
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C96790	18_2_02C96790
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CAFF94	18_2_02CAFF94
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C974F0	18_2_02C974F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C98440	18_2_02C98440
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CA15C0	18_2_02CA15C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CAAA5C	18_2_02CAAA5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CB0A00	18_2_02CB0A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CA1BF0	18_2_02CA1BF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C93BA0	18_2_02C93BA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CAD328	18_2_02CAD328
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CAB0BC	18_2_02CAB0BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9B050	18_2_02C9B050
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C92850	18_2_02C92850
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CAC870	18_2_02CAC870
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBC804	18_2_02CBC804
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9C1A0	18_2_02C9C1A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C95930	18_2_02C95930
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C98EC0	18_2_02C98EC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CABEDC	18_2_02CABEDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CAAE80	18_2_02CAAE80
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C99650	18_2_02C99650
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CB3650	18_2_02CB3650
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9F790	18_2_02C9F790
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CA5F90	18_2_02CA5F90
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CB0F30	18_2_02CB0F30
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CAF4E8	18_2_02CAF4E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBB4EC	18_2_02CBB4EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CB9CA0	18_2_02CB9CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C99460	18_2_02C99460
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CB0414	18_2_02CB0414
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBCD40	18_2_02CBCD40
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBBD50	18_2_02CBBD50
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CB2D00	18_2_02CB2D00
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9F520	18_2_02C9F520
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1B1D70	18_2_00007FFDFF1B1D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1CCC50	18_2_00007FFDFF1CCC50
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D35F0	18_2_00007FFDFF1D35F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1B3626	18_2_00007FFDFF1B3626
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1C3150	18_2_00007FFDFF1C3150
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E9FD0	18_2_00007FFDFF1E9FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D0010	18_2_00007FFDFF1D0010
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E3050	18_2_00007FFDFF1E3050
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1CFEA0	18_2_00007FFDFF1CFEA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1ECEE0	18_2_00007FFDFF1ECEE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D4EF0	18_2_00007FFDFF1D4EF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1BBD90	18_2_00007FFDFF1BBD90
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E3D8E	18_2_00007FFDFF1E3D8E
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1C4D62	18_2_00007FFDFF1C4D62
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E3C84	18_2_00007FFDFF1E3C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1C5C90	18_2_00007FFDFF1C5C90
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1FDD00	18_2_00007FFDFF1FDD00
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E3D00	18_2_00007FFDFF1E3D00
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1C6CF0	18_2_00007FFDFF1C6CF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1BDD40	18_2_00007FFDFF1BDD40
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1FED39	18_2_00007FFDFF1FED39
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D8B90	18_2_00007FFDFF1D8B90
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E3A99	18_2_00007FFDFF1E3A99
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1B5A8D	18_2_00007FFDFF1B5A8D
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1DAA90	18_2_00007FFDFF1DAA90
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1BCAA0	18_2_00007FFDFF1BCAA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1B5B0B	18_2_00007FFDFF1B5B0B
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E3AFF	18_2_00007FFDFF1E3AFF
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D9AF0	18_2_00007FFDFF1D9AF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1B5B3E	18_2_00007FFDFF1B5B3E
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1B3626	18_2_00007FFDFF1B3626
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E39AF	18_2_00007FFDFF1E39AF
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1B9A10	18_2_00007FFDFF1B9A10
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D19F0	18_2_00007FFDFF1D19F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1FFA50	18_2_00007FFDFF1FFA50
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1FD870	18_2_00007FFDFF1FD870
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1F4900	18_2_00007FFDFF1F4900
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E3956	18_2_00007FFDFF1E3956
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1FE760	18_2_00007FFDFF1FE760
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1DF800	18_2_00007FFDFF1DF800
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1FD6C0	18_2_00007FFDFF1FD6C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1CE6C0	18_2_00007FFDFF1CE6C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF2036A0	18_2_00007FFDFF2036A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E36E7	18_2_00007FFDFF1E36E7
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1DB6F0	18_2_00007FFDFF1DB6F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1DB640	18_2_00007FFDFF1DB640
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D1480	18_2_00007FFDFF1D1480
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1F2490	18_2_00007FFDFF1F2490
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E34C0	18_2_00007FFDFF1E34C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1ED4E0	18_2_00007FFDFF1ED4E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1FF520	18_2_00007FFDFF1FF520
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1CF530	18_2_00007FFDFF1CF530
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1F83D0	18_2_00007FFDFF1F83D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF208280	18_2_00007FFDFF208280
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF208260	18_2_00007FFDFF208260
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D5340	18_2_00007FFDFF1D5340
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF207350	18_2_00007FFDFF207350
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1D9180	18_2_00007FFDFF1D9180
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1F0210	18_2_00007FFDFF1F0210
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1F8080	18_2_00007FFDFF1F8080
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E409B	18_2_00007FFDFF1E409B
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1B6060	18_2_00007FFDFF1B6060
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E40B2	18_2_00007FFDFF1E40B2
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1F30B0	18_2_00007FFDFF1F30B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1E40EF	18_2_00007FFDFF1E40EF
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_00007FFDFF1BD150	18_2_00007FFDFF1BD150
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025A73D0	18_2_025A73D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025A3390	18_2_025A3390
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025A6860	18_2_025A6860
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025AA30C	18_2_025AA30C
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025B4898	18_2_025B4898
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025A2880	18_2_025A2880
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025AE1C0	18_2_025AE1C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025A6F70	18_2_025A6F70
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025B6C50	18_2_025B6C50
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02743E28	18_2_02743E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_0274361C	18_2_0274361C
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_0272767D	18_2_0272767D
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_0272AA19	18_2_0272AA19
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02727ADD	18_2_02727ADD
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02723A9D	18_2_02723A9D
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02726F6D	18_2_02726F6D
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_0273735D	18_2_0273735D
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02742740	18_2_02742740
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02734FA5	18_2_02734FA5
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02722F8D	18_2_02722F8D
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_027470D4	18_2_027470D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_027448DC	18_2_027448DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_0272E8CD	18_2_0272E8CD
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_027439F8	18_2_027439F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BDFA65	18_2_02BDFA65
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BD5A61	18_2_02BD5A61
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC6261	18_2_02BC6261
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC2321	18_2_02BC2321
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BD1091	18_2_02BD1091
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BDB9AD	18_2_02BDB9AD
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC8991	18_2_02BC8991
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC9121	18_2_02BC9121
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BCE6B1	18_2_02BCE6B1
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BDFEE5	18_2_02BDFEE5
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BD16C1	18_2_02BD16C1
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC2E31	18_2_02BC2E31
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC3671	18_2_02BC3671
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BCEFF1	18_2_02BCEFF1
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BE27D1	18_2_02BE27D1
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC6FC1	18_2_02BC6FC1
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BE04D1	18_2_02BE04D1
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC5401	18_2_02BC5401
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BCBC71	18_2_02BCBC71
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BDA52D	18_2_02BDA52D

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: String function: 00007FFDFF1B9EF0 appears 69 times
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: String function: 00007FFDFF1D40B0 appears 52 times
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: String function: 00007FFDFF1BB6C0 appears 44 times
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: String function: 00007FFDFF20B554 appears 94 times
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: String function: 00007FFDFF1EC8D0 appears 46 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFDFF1B9EF0 appears 69 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFDFF1D40B0 appears 52 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFDFF1BB6C0 appears 44 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFDFF20B554 appears 94 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFDFF1EC8D0 appears 46 times

Source: 4iogI3WCTh.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 4iogI3WCTh.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 4iogI3WCTh.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 4iogI3WCTh.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 4iogI3WCTh.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-6A565.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-6A565.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-183JO.tmp.3.dr	Static PE information: Number of sections : 13 > 10
Source: is-A0K1V.tmp.3.dr	Static PE information: Number of sections : 11 > 10

Source: 4iogI3WCTh.exe, 00000000.00000003.1639795686.000000007FE3E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs 4iogI3WCTh.exe
Source: 4iogI3WCTh.exe, 00000000.00000003.1639572060.00000000024C2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs 4iogI3WCTh.exe

Source: 4iogI3WCTh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 18.2.regsvr32.exe.272130d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 18.3.regsvr32.exe.baf9ad.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 18.2.regsvr32.exe.baf9ad.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000012.00000002.3094660374.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000012.00000003.1931212895.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000012.00000002.3096785341.0000000002720000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@39/41@0/1

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Code function: 4_2_00007FFDFF1D7AC0 memset,FormatMessageW,GetLastError,HeapFree,HeapFree,

4_2_00007FFDFF1D7AC0

Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C992E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	18_2_02C992E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9A900 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	18_2_02C9A900
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C98E00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	18_2_02C98E00
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C98C80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess,	18_2_02C98C80

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C98180 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,

18_2_02C98180

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Code function: 4_2_00007FFDFF2036A0 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,HeapFree,UnmapViewOfFile,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,UnmapViewOfFile,CloseHandle,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,HeapFree,HeapFree,GetLastError,HeapFree,

4_2_00007FFDFF2036A0

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C97A90 CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,

18_2_02C97A90

Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp

File created: C:\Users\user\AppData\Local\unins000.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.12.25
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\yEsBQ

Source: C:\Users\user\Desktop\4iogI3WCTh.exe

File created: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp

Jump to behavior

Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'REGSVR32.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'REGSVR32.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'REGSVR32.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'REGSVR32.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4iogI3WCTh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: 4iogI3WCTh.exe	ReversingLabs: Detection: 47%
Source: 4iogI3WCTh.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\4iogI3WCTh.exe

File read: C:\Users\user\Desktop\4iogI3WCTh.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4iogI3WCTh.exe "C:\Users\user\Desktop\4iogI3WCTh.exe"
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Process created: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp "C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp" /SL5="$20434,1664838,141312,C:\Users\user\Desktop\4iogI3WCTh.exe"
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process created: C:\Users\user\Desktop\4iogI3WCTh.exe "C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp "C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp" /SL5="$20442,1664838,141312,C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process created: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe "C:\Users\user\AppData\Roaming\\NVIDIA app\\724\\msedgewebview2.exe"
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe"
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq regsvr32.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"
Source: unknown	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq regsvr32.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq regsvr32.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq regsvr32.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Process created: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp "C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp" /SL5="$20434,1664838,141312,C:\Users\user\Desktop\4iogI3WCTh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process created: C:\Users\user\Desktop\4iogI3WCTh.exe "C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp "C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp" /SL5="$20442,1664838,141312,C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process created: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe "C:\Users\user\AppData\Roaming\\NVIDIA app\\724\\msedgewebview2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq regsvr32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"	Jump to behavior

Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq regsvr32.exe"

Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge WebView2 Runtime_is1

Jump to behavior

Source: 4iogI3WCTh.exe

Static file information: File size 2044814 > 1048576

Source:	Binary string: msedgewebview2.exe.pdbOGP source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: msedgewebview2.exe.pdb source: 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Code function: 4_2_00007FF600E1F800 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,

4_2_00007FF600E1F800

Source: _setup64.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: 4iogI3WCTh.exe	Static PE information: real checksum: 0x0 should be: 0x1ff4e0
Source: is-6A565.tmp.3.dr	Static PE information: real checksum: 0x0 should be: 0x1295e0
Source: is-A0K1V.tmp.3.dr	Static PE information: real checksum: 0xcdffe should be: 0xd3a10
Source: _setup64.tmp.3.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: 4iogI3WCTh.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x11ef3f
Source: 4iogI3WCTh.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x11ef3f

Source: is-183JO.tmp.3.dr	Static PE information: section name: .gxfg
Source: is-183JO.tmp.3.dr	Static PE information: section name: .retplne
Source: is-183JO.tmp.3.dr	Static PE information: section name: CPADinfo
Source: is-183JO.tmp.3.dr	Static PE information: section name: LZMADEC
Source: is-183JO.tmp.3.dr	Static PE information: section name: _RDATA
Source: is-183JO.tmp.3.dr	Static PE information: section name: malloc_h
Source: is-A0K1V.tmp.3.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B79D2A5 pushad ; iretd	5_2_00007FFD9B79D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B8BDBFA push E85AE7B6h; ret	5_2_00007FFD9B8BDBF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B8BDB72 push E85AE7B6h; ret	5_2_00007FFD9B8BDBF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B8B5B83 pushad ; ret	5_2_00007FFD9B8B5BA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B8B607C push esp; ret	5_2_00007FFD9B8B60AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B8B60AC push esp; ret	5_2_00007FFD9B8B60BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B8B604C push esp; ret	5_2_00007FFD9B8B60AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B980B5C push ds; ret	5_2_00007FFD9B980B5D
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBFAB8 pushfq ; retf 0002h	18_2_02CBFAB9
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBFA78 pushfq ; retf 0002h	18_2_02CBFA79
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBFA08 push rax; retf 0002h	18_2_02CBFA0A
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBFA20 push rax; retf 0002h	18_2_02CBFA22
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBFA38 push rax; retf 0002h	18_2_02CBFA3A
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CC0238 push rax; retf 0002h	18_2_02CC023A
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBFB58 pushfq ; retf 0002h	18_2_02CBFB59
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CC00D8 push rax; retf 0002h	18_2_02CC00DA
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CC0097 push rdx; retf 0002h	18_2_02CC00A2
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CC00A8 push rax; retf 0002h	18_2_02CC00AA
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C900B7 push rdi; ret	18_2_02C900BD
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CBF971 push rbp; retf	18_2_02CBF974
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025AB348 push esp; iretd	18_2_025AB349
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_025B5DBA push ebp; iretd	18_2_025B5DC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_0272BA55 push esp; iretd	18_2_0272BA56
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_027364C7 push ebp; iretd	18_2_027364D1
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BDF787 push cs; retf	18_2_02BDF788
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC8428 push ecx; ret	18_2_02BC8429
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BC847D push eax; ret	18_2_02BC847E
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02BE0449 pushfd ; ret	18_2_02BE044A

Source: C:\Users\user\Desktop\4iogI3WCTh.exe	File created: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-VFQ39.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-VFQ39.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Roaming\NVIDIA app\724\is-A0K1V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Roaming\NVIDIA app\724\is-183JO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Local\is-6A565.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	File created: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C9E03A OpenEventLogW,ClearEventLogW,CloseEventLog,

18_2_02C9E03A

Source: C:\Windows\System32\regsvr32.exe

Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059

Jump to behavior

Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4iogI3WCTh.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\System32\regsvr32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Found stalling execution ending in API Sleep call

Source: C:\Windows\System32\regsvr32.exe

Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6186	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3627	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6535
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8755
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 660
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 2884	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 3567	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 2636	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7123
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2626
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6850
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2809
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1132

Source: C:\Windows\System32\regsvr32.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VFQ39.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\NVIDIA app\724\is-A0K1V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VFQ39.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-6A565.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_shfoldr.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	API coverage: 1.4 %
Source: C:\Windows\System32\regsvr32.exe	API coverage: 7.3 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4956	Thread sleep count: 6186 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4956	Thread sleep count: 3627 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2316	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 600	Thread sleep count: 6535 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 600	Thread sleep count: 3010 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 8755 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7328	Thread sleep count: 660 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 7708	Thread sleep count: 296 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 7740	Thread sleep count: 2884 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 7740	Thread sleep time: -2884000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 7748	Thread sleep count: 3567 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 7748	Thread sleep time: -35670s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 7740	Thread sleep count: 2636 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 7740	Thread sleep time: -2636000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep count: 7123 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep count: 2626 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5004	Thread sleep count: 6850 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3804	Thread sleep count: 2809 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep count: 7190 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6540	Thread sleep count: 1132 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648	Thread sleep time: -4611686018427385s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C99960 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,

18_2_02C99960

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C989F0 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

18_2_02C989F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: 4iogI3WCTh.tmp, 00000001.00000002.1644578663.0000000000628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 4iogI3WCTh.tmp, 00000001.00000002.1644578663.0000000000628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
Source: powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000012.00000002.3094660374.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\regsvr32.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Code function: 4_2_00007FF600EC99DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00007FF600EC99DC

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Code function: 4_2_00007FF600E1F800 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,

4_2_00007FF600E1F800

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C97BF0 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

18_2_02C97BF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600EC99DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF600EC99DC
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Code function: 4_2_00007FF600EA3F68 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF600EA3F68
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CA15C0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	18_2_02CA15C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CAC1C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_02CAC1C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02CA4CD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_02CA4CD0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 154.39.239.95 1445

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02C98EC0 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

18_2_02C98EC0

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C98EC0 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,		18_2_02C98EC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 18_2_02C9A410 VirtualAllocEx,TerminateProcess,OpenProcess,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,		18_2_02C9A410

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\regsvr32.exe

Thread register set: 7672 5

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

18_2_02C98EC0

Source: C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	Process created: C:\Users\user\Desktop\4iogI3WCTh.exe "C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq regsvr32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\users\user\appdata\roaming\nvidia app\724\msedgewebview2.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{226c52d4-f263-4d4a-8ae7-8e60e9b5a5f5}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\users\user\appdata\roaming\nvidia app\724\msedgewebview2.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{226c52d4-f263-4d4a-8ae7-8e60e9b5a5f5}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\users\user\appdata\roaming\nvidia app\724\msedgewebview2.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{226c52d4-f263-4d4a-8ae7-8e60e9b5a5f5}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\users\user\appdata\roaming\nvidia app\724\msedgewebview2.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{226c52d4-f263-4d4a-8ae7-8e60e9b5a5f5}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\users\user\appdata\roaming\nvidia app\724\msedgewebview2.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{226c52d4-f263-4d4a-8ae7-8e60e9b5a5f5}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\users\user\appdata\roaming\nvidia app\724\msedgewebview2.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{226c52d4-f263-4d4a-8ae7-8e60e9b5a5f5}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\users\user\appdata\roaming\nvidia app\724\msedgewebview2.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{226c52d4-f263-4d4a-8ae7-8e60e9b5a5f5}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"c:\users\user\appdata\roaming\nvidia app\724\msedgewebview2.exe\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{226c52d4-f263-4d4a-8ae7-8e60e9b5a5f5}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"	Jump to behavior

Source: regsvr32.exe, 00000012.00000002.3098361442.0000000002E10000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Windows\System32\regsvr32.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,GetTickCount,_localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	18_2_02C96790
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	18_2_02CB6254
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	18_2_02CB5BD8
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,	18_2_02CB73F4
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,	18_2_02CB6020
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	18_2_02CB61E8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	18_2_02CB6150
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	18_2_02CB5CC0
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,	18_2_02CAE590
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	18_2_02CB5D50

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Code function: 4_2_00007FFDFF1FFA50 GetCurrentProcessId,ProcessPrng,HeapFree,CreateNamedPipeW,GetLastError,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,

4_2_00007FFDFF1FFA50

Source: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Code function: 4_2_00007FF600EA4214 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF600EA4214

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02CAFF94 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

18_2_02CAFF94

Source: C:\Windows\System32\regsvr32.exe

Code function: 18_2_02CABA94 HeapCreate,GetVersion,HeapSetInformation,

18_2_02CABA94

Source: regsvr32.exe	Binary or memory string: acs.exe
Source: regsvr32.exe	Binary or memory string: vsserv.exe
Source: regsvr32.exe	Binary or memory string: avcenter.exe
Source: regsvr32.exe	Binary or memory string: kxetray.exe
Source: regsvr32.exe	Binary or memory string: KSafeTray.exe
Source: regsvr32.exe	Binary or memory string: avp.exe
Source: regsvr32.exe	Binary or memory string: cfp.exe
Source: regsvr32.exe	Binary or memory string: 360Safe.exe
Source: regsvr32.exe	Binary or memory string: rtvscan.exe
Source: regsvr32.exe	Binary or memory string: 360tray.exe
Source: regsvr32.exe	Binary or memory string: TMBMSRV.exe
Source: regsvr32.exe	Binary or memory string: ashDisp.exe
Source: regsvr32.exe	Binary or memory string: 360Tray.exe
Source: regsvr32.exe	Binary or memory string: avgwdsvc.exe
Source: regsvr32.exe	Binary or memory string: AYAgent.aye
Source: regsvr32.exe	Binary or memory string: RavMonD.exe
Source: regsvr32.exe	Binary or memory string: QUHLPSVC.EXE
Source: regsvr32.exe	Binary or memory string: Mcshield.exe
Source: regsvr32.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: regsvr32.exe PID: 7672, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: regsvr32.exe PID: 7672, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Windows Service	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	423 Process Injection	1 Masquerading	NTDS	37 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	1 Scheduled Task/Job	1 Modify Registry	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	423 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Regsvr32	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Indicator Removal	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4iogI3WCTh.exe	47%	ReversingLabs	Win32.Packed.Generic
4iogI3WCTh.exe	47%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VFQ39.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VFQ39.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\is-6A565.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\unins000.exe (copy)	4%	ReversingLabs
C:\Users\user\AppData\Roaming\NVIDIA app\724\is-183JO.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\NVIDIA app\724\is-A0K1V.tmp	48%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll (copy)	48%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe (copy)	0%	ReversingLabs

Source	Detection	Scanner	Label
https://.VisualC	0%	Avira URL Cloud	safe
http://crl4.digi	0%	Avira URL Cloud	safe
http://www.microsoft.c/	0%	Avira URL Cloud	safe
http://crl.microsXbe;c	0%	Avira URL Cloud	safe
http://www.microsoft.cz	0%	Avira URL Cloud	safe
http://schemas.micros	0%	Avira URL Cloud	safe
154.39.239.95:1445	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
154.39.239.95:1445	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	4iogI3WCTh.exe, 00000000.00000003.1639795686.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, 4iogI3WCTh.exe, 00000000.00000003.1639572060.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000001.00000000.1640326476.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 4iogI3WCTh.tmp.0.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1728566872.00000231AF8F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2011774321.0000026BAE922000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1864557259.0000026744423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2236249896.000001A05A89F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2562965151.000001B539C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/	4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1698180699.000002319FAA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1847876321.0000026B9EAD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1783904068.00000267345D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2078437647.000001A04AA58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2344779647.000001B529E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net02	4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	false		high
http://www.entrust.net/rpa03	4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	false		high
https://crashpad.chromium.org/bug/new	4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp	false		high
http://www.microsoft.c/	powershell.exe, 00000008.00000002.2026513817.0000026BB6E2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000008.00000002.2023594423.0000026BB6DED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aia.entrust.net/ts1-chain256.cer01	4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	false		high
http://schemas.micros	powershell.exe, 00000005.00000002.1733782261.00000231B7C8F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2589140588.000001B542008000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.rs/getrandom#nodejs-es-module-support/rust/deps	is-A0K1V.tmp.3.dr	false		high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005DB2000.00000004.00001000.00020000.00000000.sdmp, msedgewebview2.exe, 00000004.00000000.1652015949.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000000.1748884605.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp, msedgewebview2.exe, 0000000A.00000002.3096660732.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmp	false		high
http://crl.microsXbe;c	powershell.exe, 0000001B.00000002.2593657575.000001B542100000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl4.digi	4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1698180699.000002319FAA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1847876321.0000026B9EAD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1783904068.00000267345D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2078437647.000001A04AA58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2344779647.000001B529E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2694346489.000001AE505B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1728566872.00000231AF8F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2011774321.0000026BAE922000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1864557259.0000026744423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2236249896.000001A05A89F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2562965151.000001B539C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3020355477.000001AE603FB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://.VisualC	powershell.exe, 00000016.00000002.2265845423.000001A0630D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.1698180699.000002319F881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1847876321.0000026B9E8B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1783904068.00000267343B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2078437647.000001A04A831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2344779647.000001B529C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2694346489.000001AE50391000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.c	powershell.exe, 00000008.00000002.2026513817.0000026BB6E2F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.remobjects.com/ps	4iogI3WCTh.exe, 00000000.00000003.1639795686.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, 4iogI3WCTh.exe, 00000000.00000003.1639572060.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000001.00000000.1640326476.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 4iogI3WCTh.tmp.0.dr	false		high
http://crl.entrust.net/ts1ca.crl0	4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1698180699.000002319F881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1847876321.0000026B9E8B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1783904068.00000267343B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2078437647.000001A04A831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2344779647.000001B529C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2694346489.000001AE50391000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.cz	powershell.exe, 00000008.00000002.2026513817.0000026BB6E2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	false		high
https://www.entrust.net/rpa0	4iogI3WCTh.tmp, 00000003.00000002.1663567578.000000000018E000.00000004.00000010.00020000.00000000.sdmp, 4iogI3WCTh.tmp, 00000003.00000003.1652827323.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, is-A0K1V.tmp.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.39.239.95	unknown	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583032
Start date and time:	2025-01-01 16:21:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4iogI3WCTh.exe renamed because original name is a hash value
Original Sample Name:	f4e673616e807b25a98f0655c693d411.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@39/41@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 88% Number of executed functions: 18 Number of non-executed functions: 209
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, msedgewebview2.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2800 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:21:56	API Interceptor	136x Sleep call for process: powershell.exe modified
10:23:00	API Interceptor	1354841x Sleep call for process: regsvr32.exe modified
15:22:00	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5} path: C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	Receipt-#202431029B.exe	Get hash	malicious	XWorm	Browse	154.39.0.150
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	debug.dbg.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_setup64.tmp	setup.exe	Get hash	malicious	Unknown	Browse
	RXxeYma4d5.exe	Get hash	malicious	GhostRat	Browse
	017069451a4dbc523a1165a2f1bd361a762bb40856778.exe	Get hash	malicious	Unknown	Browse
	vc8Kx5C54G.exe	Get hash	malicious	Socks5Systemz	Browse
	AbC0LBkVhr.exe	Get hash	malicious	Socks5Systemz	Browse
	Mg5bMQ2lWi.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\9MCd.zip

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	124896
Entropy (8bit):	7.944547559215277
Encrypted:	false
SSDEEP:	3072:FNalrrRVSotgWB5x9DY/BKwl4UjXSsOvRgRLVAiSa64fJTXP:zaNr/XLY/BKwWiCNvRgtVjSa6yTXP
MD5:	4FDDCA6D02ECB4783C2F9AAC0D4E6708
SHA1:	735BB5DD7DF3D2069ED0ABEBDF79685ACFD745EF
SHA-256:	10C7E26C41C3EE01CB1291CB42C6773DB13A77E5E881CA5736BE28EA172896C9
SHA-512:	96D308FF995D381CF00997BA312F3C3B1DBCCA7648A5AEB0BD0C1BF39C6ECEAFA74BE763C9F373853DAB5B526E7C7F60461558FC8935C505C88B5D2F0A0ED4AE
Malicious:	false
Preview:	PK.........v.Y..IOJ..........CRT.zlib.[y8...Od....!{.l.PHJ.5.2....Q.i..."K...F..F(dd(.(Lc.Kd...t.......?....>.\|.y..~..\|."rG..t.W...q.S.=3.....E>.......F.q.>!..W..9.#.....B.p...-.!.v.69.j..E..}Q...D.../x...M7.X.Dn....N9..)s;{..3ku.U...B....>.@.........K.s=........;.6...a..#.-.o..>.\|.p/.....4..9.]/...G..,z.x...!....p/r.<m".$..'...c...+...3...^n.%..N]G^.b........./}.S-Q...+">...2.-...3j.6.r.m...0.fLh.b..U2QI.}.PZ...E]#...H........IMb.J.5.o....6L.Ia.7....W$...)e.(..m.sf.4...\|....U...}.........^n.....x}M..R..i.>1..p..BU............:.....(T.J}...H.Uyg...;.]iG.f.G....!.FO}../.]z.....sK..?..%f!...nO.....:.w..:vLc`...^[..r.E.].7N.$.......}H..>n....;....`Y.~. .\...].....A+.......s...~..&._....?X...7.o.....?\...7.o..?.W.1.....w.........&....uq.*.{.......C;.. O.'.G.y.Z...UX.g.3%.r.......S...Bw.l....cE...}.E....L.}......?.....Q..iaU...c.Fl..2x.........e..c.7{C........;...'~.........}.#...._....^..........\.N...)w..=...h..0h.:X...W..&.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15atcwyf.z10.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1edmsvzq.kbv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3eapmcwe.fjj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kghojya.ym3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4edpade3.r1r.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5kk0bmp5.cne.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bztiphio.jr5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eoxnsdtj.rbu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fmmpaidy.vlz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga1bcddm.ejo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqzrlpba.kj5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihpcrawk.de0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbuhcfie.2p0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_li0awkf1.mja.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oitfcbpm.uxf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pk5yg1wu.nmi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4szhrof.xmi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t2eqxqat.web.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wd0gp13x.i0q.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xoyeynsv.oep.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrvregqt.vkb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yykegmc1.rfv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdx0xkcp.fqt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zm2jbxqi.ruz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: setup.exe, Detection: malicious, Browse Filename: RXxeYma4d5.exe, Detection: malicious, Browse Filename: 017069451a4dbc523a1165a2f1bd361a762bb40856778.exe, Detection: malicious, Browse Filename: vc8Kx5C54G.exe, Detection: malicious, Browse Filename: AbC0LBkVhr.exe, Detection: malicious, Browse Filename: Mg5bMQ2lWi.exe, Detection: malicious, Browse Filename: KRdh0OaXqH.exe, Detection: malicious, Browse Filename: wG1fFAzGfH.exe, Detection: malicious, Browse Filename: AGcC2uK0El.exe, Detection: malicious, Browse Filename: 6hvZpn91O8.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N408J.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp

Download File

Process:	C:\Users\user\Desktop\4iogI3WCTh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1160704
Entropy (8bit):	6.385672321945446
Encrypted:	false
SSDEEP:	24576:cYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5oNx9fX:nGUhni7iSFCQ6R
MD5:	8FDC58C7D4C59472615682D6DEA9D190
SHA1:	8E131FE09FD238493719B4FD92E6C833BF3596C1
SHA-256:	26A5BE637EE680B1EC11D1ADF2FD0972CC52078CBD200D9273F8BB826707C83B
SHA-512:	B05B9FD8FF3D627B562CBD2968466FB54ADBC2FA5591EBE803300A3C5EF7887BC1761D8013B47AAB0F5387265C8B7B15078A01ABB75D4C3180671780181EBE24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp

Download File

Process:	C:\Users\user\Desktop\4iogI3WCTh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1160704
Entropy (8bit):	6.385672321945446
Encrypted:	false
SSDEEP:	24576:cYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5oNx9fX:nGUhni7iSFCQ6R
MD5:	8FDC58C7D4C59472615682D6DEA9D190
SHA1:	8E131FE09FD238493719B4FD92E6C833BF3596C1
SHA-256:	26A5BE637EE680B1EC11D1ADF2FD0972CC52078CBD200D9273F8BB826707C83B
SHA-512:	B05B9FD8FF3D627B562CBD2968466FB54ADBC2FA5591EBE803300A3C5EF7887BC1761D8013B47AAB0F5387265C8B7B15078A01ABB75D4C3180671780181EBE24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-VFQ39.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-VFQ39.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\is-6A565.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1183079
Entropy (8bit):	6.358030873431536
Encrypted:	false
SSDEEP:	24576:UYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5oNx9fl:vGUhni7iSFCQ6z
MD5:	AB7D17B24C62300DDE903ACEA8FB451E
SHA1:	86B4F5E4FB796F59D4C9B99FC40EE03F869174EC
SHA-256:	A226B5CBFD2181CA533FC751FBCB664005DA56C1B93ABB41D3E541117B3E6A9A
SHA-512:	D379C7A32E35EA3B409DE1547E26574A4B0093D492ED41CAEB73BC5B25BB23737CA37E4C8D072BF98C993A40A0DABC961CC9E81A5B806334699F1558119E3D9D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	InnoSetup Log Microsoft Edge WebView2 Runtime, version 0x418, 4039 bytes, 813848\37\user\376, C:\Users\user\AppData\Local\376\377\377\0
Category:	dropped
Size (bytes):	4039
Entropy (8bit):	3.8548008369987743
Encrypted:	false
SSDEEP:	96:PPUr1dblhcpvwvJu82tiKkCdfc1AGlEDA4MZAe2LDzLCHhJ:41dphcpvcJu1iQf7fDSmDCHj
MD5:	E3444EEB8383524AA9C9A50E773F5BEC
SHA1:	17295DD050064526F8B0BE29E69D8E892B499411
SHA-256:	F15D8A856E8E97E2A347DD6A018D2A50F6650DEECBCE124DBFC52FEE9B9CB355
SHA-512:	FDFAD4FCFEAAAC1AB9CCB998FD426F703BD0A8D260161C0B1C3134057797D4964AC15E5563692969F69116DF4F65A8706706730011E23639DDCDEA9B31B54109
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................Microsoft Edge WebView2 Runtime.................................................................................................Microsoft Edge WebView2 Runtime.............................................................................................................%................................................................................................................)...................s........8.1.3.8.4.8......j.o.n.e.s......C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l..................6.*.. ..............IFPS...............................................................................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.................!MAIN....-1..(...dll:shell32.dll.ShellExecuteW........................HASCMDLINEPARAM....26 @16..PARAMCOUNT.......COMPARETEXT.........PARAMSTR...........E.......INITIALIZESE

C:\Users\user\AppData\Local\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1183079
Entropy (8bit):	6.358030873431536
Encrypted:	false
SSDEEP:	24576:UYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5oNx9fl:vGUhni7iSFCQ6z
MD5:	AB7D17B24C62300DDE903ACEA8FB451E
SHA1:	86B4F5E4FB796F59D4C9B99FC40EE03F869174EC
SHA-256:	A226B5CBFD2181CA533FC751FBCB664005DA56C1B93ABB41D3E541117B3E6A9A
SHA-512:	D379C7A32E35EA3B409DE1547E26574A4B0093D492ED41CAEB73BC5B25BB23737CA37E4C8D072BF98C993A40A0DABC961CC9E81A5B806334699F1558119E3D9D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Roaming\NVIDIA app\724\131.0.2903.99.manifest (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	226
Entropy (8bit):	4.879827856514398
Encrypted:	false
SSDEEP:	6:KdhlRu9TbX+A8/5RFYpquUk5uUX0CdiYCvjA1G:KLuVA5cpN5H07vvWG
MD5:	540DEC862D2DA724038D74A036CB5A91
SHA1:	4BE947A12B2BB11455B1DF6F5D173523C1E3D4F4
SHA-256:	3204A19052305E09F1EC2E91D2381668756BD5777C45AF5F720068F7E404882D
SHA-512:	C597FC3FD14E64661215C78C3E391DA3DBF435784102B2BD224F486BCBC6AEE79F028736683B4B4596EF3C59F37BD0038161DB71081216C2A9B30E83988E4893
Malicious:	false
Preview:	<assembly.. xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <assemblyIdentity.. name='131.0.2903.99'.. version='131.0.2903.99'.. type='win32'/>.. <file name='msedge_elf.dll'/>..</assembly>..

C:\Users\user\AppData\Roaming\NVIDIA app\724\is-183JO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3338280
Entropy (8bit):	6.4960533185169735
Encrypted:	false
SSDEEP:	49152:Vn2/NI1JwFkNBl0ZzuoodNNetmnzbojD2VgE5Yee0tQ+57YwYAoioA25p:oFk3QlOVgqUbp
MD5:	71FDF2D301949413F8B14E0F12C2E0F5
SHA1:	C57E8EFF6BFC0BE6420E97CFD6DE895C937FD5B7
SHA-256:	1E7E2C05C6C634AA7F11C8C217BF9C21FBE336F128D744FBAF3FC91D643925A0
SHA-512:	752FE30B893A1E0A0FBD93FB91DCEEA2B88F5E1C067E8F780FBEDCF1FD4A11EC1317D65BBC3C11086926A2D37A49E5F519C40F7D65DBA335079DC2044DD53F58
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...R.Yg.........."......~'..0.......B.........@.............................04......3...`.........................................Qm-......m-.P.....2.x....@0..,....2.((....4..,..H1-.T.....................-.(....'.@........... v-......W-. ....................text....}'......~'................. ..`.rdata.......'.......'.............@..@.data........P.......6..............@....pdata...,...@0......2/.............@..@.gxfg..../...p1..0...`0.............@..@.retplne......1.......0..................tls....I.....1.......0.............@...CPADinfo8.....1.......0.............@...LZMADEC.......1.......0............. ..`_RDATA........1.......0.............@..@malloc_h......2.......0............. ..`.rsrc...x.....2.......0.............@..@.reloc...,....4.......2.............@..B................................................................................................

C:\Users\user\AppData\Roaming\NVIDIA app\724\is-A0K1V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	859869
Entropy (8bit):	6.876255920793919
Encrypted:	false
SSDEEP:	24576:AT44HVKh+ckwZ/DFtffUVoSjHJH1/e5MS:AdVKh+ckwZ/DF5fajHN1/e5MS
MD5:	DD247AC7C8775CF2C020F1E06D186B79
SHA1:	C9419A3F25DAFD281724EAE83787D68CD6AB8AA7
SHA-256:	59FE220B22C341F168D0726898C5065EAB294480DCC732B649C5F5CAB7A9DF7B
SHA-512:	9D5ECCF13C230E8754D28B0ED550D28183996F9D93064AA7FBEFC994A6B6F6C2B9EA41A8D499F2C34A654451B7E33AB87B91EADA4B7160D4142379F265738820
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Cmg....3.....&"...*.~..........0........................................@............`... ..............................................................P..P"......(&...0..............................`;..(.......................8............................text....\|.......~..................`..`.data...............................@....rdata.............................@..@.pdata..P"...P...$...>..............@..@.xdata...L.......N...b..............@..@.bss.....................................edata..............................@..@.idata..............................@....CRT....`...........................@....tls......... ......................@....reloc.......0......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\NVIDIA app\724\is-U86JT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	226
Entropy (8bit):	4.879827856514398
Encrypted:	false
SSDEEP:	6:KdhlRu9TbX+A8/5RFYpquUk5uUX0CdiYCvjA1G:KLuVA5cpN5H07vvWG
MD5:	540DEC862D2DA724038D74A036CB5A91
SHA1:	4BE947A12B2BB11455B1DF6F5D173523C1E3D4F4
SHA-256:	3204A19052305E09F1EC2E91D2381668756BD5777C45AF5F720068F7E404882D
SHA-512:	C597FC3FD14E64661215C78C3E391DA3DBF435784102B2BD224F486BCBC6AEE79F028736683B4B4596EF3C59F37BD0038161DB71081216C2A9B30E83988E4893
Malicious:	false
Preview:	<assembly.. xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <assemblyIdentity.. name='131.0.2903.99'.. version='131.0.2903.99'.. type='win32'/>.. <file name='msedge_elf.dll'/>..</assembly>..

C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	859869
Entropy (8bit):	6.876255920793919
Encrypted:	false
SSDEEP:	24576:AT44HVKh+ckwZ/DFtffUVoSjHJH1/e5MS:AdVKh+ckwZ/DF5fajHN1/e5MS
MD5:	DD247AC7C8775CF2C020F1E06D186B79
SHA1:	C9419A3F25DAFD281724EAE83787D68CD6AB8AA7
SHA-256:	59FE220B22C341F168D0726898C5065EAB294480DCC732B649C5F5CAB7A9DF7B
SHA-512:	9D5ECCF13C230E8754D28B0ED550D28183996F9D93064AA7FBEFC994A6B6F6C2B9EA41A8D499F2C34A654451B7E33AB87B91EADA4B7160D4142379F265738820
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Cmg....3.....&"...*.~..........0........................................@............`... ..............................................................P..P"......(&...0..............................`;..(.......................8............................text....\|.......~..................`..`.data...............................@....rdata.............................@..@.pdata..P"...P...$...>..............@..@.xdata...L.......N...b..............@..@.bss.....................................edata..............................@..@.idata..............................@....CRT....`...........................@....tls......... ......................@....reloc.......0......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3338280
Entropy (8bit):	6.4960533185169735
Encrypted:	false
SSDEEP:	49152:Vn2/NI1JwFkNBl0ZzuoodNNetmnzbojD2VgE5Yee0tQ+57YwYAoioA25p:oFk3QlOVgqUbp
MD5:	71FDF2D301949413F8B14E0F12C2E0F5
SHA1:	C57E8EFF6BFC0BE6420E97CFD6DE895C937FD5B7
SHA-256:	1E7E2C05C6C634AA7F11C8C217BF9C21FBE336F128D744FBAF3FC91D643925A0
SHA-512:	752FE30B893A1E0A0FBD93FB91DCEEA2B88F5E1C067E8F780FBEDCF1FD4A11EC1317D65BBC3C11086926A2D37A49E5F519C40F7D65DBA335079DC2044DD53F58
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...R.Yg.........."......~'..0.......B.........@.............................04......3...`.........................................Qm-......m-.P.....2.x....@0..,....2.((....4..,..H1-.T.....................-.(....'.@........... v-......W-. ....................text....}'......~'................. ..`.rdata.......'.......'.............@..@.data........P.......6..............@....pdata...,...@0......2/.............@..@.gxfg..../...p1..0...`0.............@..@.retplne......1.......0..................tls....I.....1.......0.............@...CPADinfo8.....1.......0.............@...LZMADEC.......1.......0............. ..`_RDATA........1.......0.............@..@malloc_h......2.......0............. ..`.rsrc...x.....2.......0.............@..@.reloc...,....4.......2.............@..B................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.965694801345935
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	4iogI3WCTh.exe
File size:	2'044'814 bytes
MD5:	f4e673616e807b25a98f0655c693d411
SHA1:	7d697956f37a0432d4952806739e4c39ace201a1
SHA256:	80e013ba13cf1238703dc670cb3defce7fbf9e3b09beedfdcb6d3197aec5552f
SHA512:	c7e329b4d0f1085da58568d1979b10486f33886f963005a618e977d0c27ee5ae4483d611406fa5a836985a49398704c66187c03652a936b26f8bbced2f1f56c4
SSDEEP:	49152:3WX/qQfkYzgrW/r1DNKHOkjSKVpTfCyMHGVa52a:mTfccDMRSKVZfCyi3
TLSH:	CC952312B7C34836E16018B8EC4BC4886D177D6D2DE164273DB9EB4F6D7C2C2687EA91
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b8868baba9aba2d8

Static PE Info

General

Entrypoint:	0x416478
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4FC4B854 [Tue May 29 11:51:48 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	483f0c4259a9148c34961abbda6146c1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004152B8h
call 00007F4B8C8BDFC1h
xor eax, eax
push ebp
push 00416B45h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00416B01h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0041AB48h]
call 00007F4B8C8CC86Bh
call 00007F4B8C8CC412h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F4B8C8C6094h
mov edx, dword ptr [ebp-14h]
mov eax, 0041D6E8h
call 00007F4B8C8BC5F7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0041D6E8h]
mov dl, 01h
mov eax, dword ptr [0040F080h]
call 00007F4B8C8C697Fh
mov dword ptr [0041D6ECh], eax
xor edx, edx
push ebp
push 00416AADh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F4B8C8CC8F3h
mov dword ptr [0041D6F4h], eax
mov eax, dword ptr [0041D6F4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F4B8C8CDC5Ah
mov eax, dword ptr [0041D6F4h]
mov edx, 00000028h
call 00007F4B8C8C6E48h
mov edx, dword ptr [0041D6F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e000	0xf9e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0xb230	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x20000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e350	0x24c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x143f8	0x14400	c9bb3afc1ceaaa31127ccfa204c657ef	False	0.5487316743827161	data	6.482216817915366	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x16000	0xbe8	0xc00	1ba5adf2e1058c0460dcc814ba86fb32	False	0.6246744791666666	data	6.005798728198158	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17000	0xd9c	0xe00	d5b22eff9e08edaa95f493c1a71158c0	False	0.2924107142857143	data	2.669288666959085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x18000	0x574c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1e000	0xf9e	0x1000	b47eaca4c149ee829de76a342b5560d5	False	0.35595703125	data	4.9677831942996935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1f000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x20000	0x18	0x200	3746f5876803f8f30db5bb2deb8772ae	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0xb230	0xb400	a8a3dde713ee44ed84d94490c3c52914	False	0.16378038194444444	data	3.9756020825062692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x213ec	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0x216d4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_ICON	0x217fc	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.18310234541577824
RT_STRING	0x226a4	0xc4	data			0.5969387755102041
RT_STRING	0x22768	0xcc	data			0.6225490196078431
RT_STRING	0x22834	0x174	data			0.5510752688172043
RT_STRING	0x229a8	0x39c	data			0.34523809523809523
RT_STRING	0x22d44	0x34c	data			0.4218009478672986
RT_STRING	0x23090	0x294	data			0.4106060606060606
RT_RCDATA	0x23324	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x2b60c	0x10	data			1.5
RT_RCDATA	0x2b61c	0x1a0	data			0.8149038461538461
RT_RCDATA	0x2b7bc	0x2c	data			1.1590909090909092
RT_GROUP_ICON	0x2b7e8	0x30	data	English	United States	0.9583333333333334
RT_VERSION	0x2b818	0x4b8	COM executable for DOS	English	United States	0.3228476821192053
RT_MANIFEST	0x2bcd0	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-01T16:22:25.381051+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49736	154.39.239.95	1445	TCP
2025-01-01T16:23:34.432562+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49737	154.39.239.95	1445	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 16:22:25.375720978 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:25.380531073 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:25.380621910 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:25.381051064 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:25.386620998 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.268737078 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.268997908 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.273871899 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.273890972 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.273933887 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.588936090 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.588948011 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.588959932 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.588969946 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.588979006 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.588989973 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.589000940 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.589004993 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.589013100 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.589024067 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.589030027 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.589035988 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.589065075 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.589075089 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.589159966 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.593858004 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.593868971 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.593879938 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.593916893 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.593949080 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861298084 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861320019 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861331940 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861342907 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861355066 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861366034 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861377954 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861377954 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861388922 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861402035 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861413002 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861413002 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861423969 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861424923 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861444950 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861462116 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861464977 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861476898 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861486912 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861490011 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861500978 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861511946 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861516953 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861524105 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861535072 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861546993 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861547947 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861558914 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861558914 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861572981 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861582994 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:26.861603975 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:26.861635923 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.043917894 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.043932915 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.043943882 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.043989897 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.044033051 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.044080019 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.044109106 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.044302940 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.044322014 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.044332981 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.044365883 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.044380903 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.044393063 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.044399023 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.044445992 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.044987917 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.044998884 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045011044 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045022011 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045033932 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.045034885 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045099974 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.045598984 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045644045 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.045679092 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045691013 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045701981 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045712948 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045722961 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.045727968 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.045762062 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.046572924 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.046583891 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.046595097 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.046611071 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.046622038 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.046622992 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.046633959 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.046662092 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.047481060 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.047492027 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.047504902 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.047538996 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.047552109 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.047558069 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.047564030 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.047574997 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.047631979 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.048281908 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.048326969 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.048373938 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.048389912 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.048402071 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.048413038 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.048424006 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.048439026 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.048472881 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.049194098 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.049205065 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.049216986 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.049225092 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.049253941 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.049283981 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.267688036 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267705917 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267716885 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267728090 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267752886 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.267793894 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.267822027 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267832041 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267882109 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.267913103 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267924070 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267935038 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.267968893 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.268136024 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268179893 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268192053 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268194914 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.268209934 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268222094 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268224955 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.268259048 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.268429041 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268474102 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268524885 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.268580914 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268630981 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268640995 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268651962 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268685102 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.268703938 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268712044 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.268716097 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268728018 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.268764019 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.269129992 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269143105 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269153118 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269182920 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.269207954 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.269289017 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269304037 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269315004 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269345045 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269351006 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.269362926 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269373894 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269386053 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269393921 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.269443989 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.269462109 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269474030 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269484997 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269496918 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.269515038 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.269541979 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.270287037 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270303965 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270314932 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270330906 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270334005 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.270344019 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270354033 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270363092 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.270365953 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270382881 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270389080 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.270395041 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270406008 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270410061 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.270418882 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.270440102 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.270464897 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.271137953 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271148920 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271159887 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271178007 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271189928 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271192074 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.271202087 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271218061 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.271225929 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271238089 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271245956 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.271250010 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271261930 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271274090 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.271282911 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.271302938 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.272175074 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272192955 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272202969 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272212982 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272227049 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272237062 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.272238016 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272250891 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272252083 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.272262096 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272274971 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272280931 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.272285938 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272299051 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272316933 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.272357941 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.272969007 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.272979975 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.273001909 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.273013115 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.273024082 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.273030043 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.273036957 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.273056030 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.273082018 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.354408979 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.354419947 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.354432106 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.354444981 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.354454994 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.354496002 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.354520082 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491235018 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491254091 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491266012 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491282940 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491295099 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491297960 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491307020 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491327047 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491339922 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491350889 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491364956 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491374969 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491393089 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491395950 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491440058 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491472006 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491482019 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491523027 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491535902 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491547108 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491559029 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491588116 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491589069 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491600990 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491614103 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491624117 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491628885 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491633892 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.491657019 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491687059 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.491851091 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492024899 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492037058 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492048979 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492064953 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492075920 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492082119 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492091894 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492104053 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492108107 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492117882 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492120981 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492137909 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492147923 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492149115 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492160082 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492171049 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492182016 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492192030 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492192984 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492206097 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492218018 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492218018 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492229939 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492238045 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492244005 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492253065 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492257118 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492273092 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492302895 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492783070 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492794037 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492805958 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492831945 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492835045 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492845058 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492857933 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492868900 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492880106 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.492886066 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492916107 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.492937088 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.493091106 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493158102 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493168116 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493180037 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493190050 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493215084 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.493231058 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.493297100 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493308067 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493318081 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493328094 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493338108 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493347883 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493359089 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493362904 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.493370056 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493381977 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.493410110 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.493437052 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496170998 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496354103 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496364117 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496381998 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496391058 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496395111 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496406078 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496417046 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496424913 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496428967 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496440887 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496452093 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496458054 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496464968 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496475935 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496488094 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496499062 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496505976 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496511936 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496522903 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496535063 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496828079 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496843100 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496881008 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496913910 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496925116 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496934891 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496944904 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.496958971 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.496987104 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.497116089 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497126102 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497138023 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497152090 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497164011 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497167110 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.497174025 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497185946 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497185946 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.497196913 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.497229099 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.497380018 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497390032 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497401953 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497411013 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497421980 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.497440100 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.497471094 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:27.578262091 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.578273058 CET	1445	49736	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:27.578320026 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:28.604742050 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:28.609658957 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:28.609769106 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:30.588661909 CET	49736	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:33.563939095 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:33.568908930 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:33.568922043 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:33.569013119 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:33.569063902 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:34.113107920 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:34.113351107 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:34.118232012 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:44.760441065 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:44.765347004 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:45.075850010 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:22:45.119762897 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:45.190085888 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:22:45.194876909 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:01.541727066 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:01.546561003 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:01.856856108 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:01.901010990 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:01.925146103 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:01.929941893 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:17.604309082 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:17.609057903 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:17.919558048 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:17.963542938 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:17.988104105 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:17.992858887 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:34.432562113 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:34.437347889 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:34.748145103 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:34.806049109 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:34.810925007 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:50.510545969 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:50.510588884 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:50.515520096 CET	1445	49737	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:50.515573025 CET	49737	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:52.448637009 CET	50005	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:52.453515053 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:52.453576088 CET	50005	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:58.691724062 CET	50005	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:58.696608067 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:58.696636915 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:58.696646929 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:58.696726084 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:59.242759943 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:23:59.243051052 CET	50005	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:23:59.247802973 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:24:09.182615042 CET	50005	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:24:09.187549114 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:24:09.501919031 CET	1445	50005	154.39.239.95	192.168.2.4
Jan 1, 2025 16:24:09.522770882 CET	50005	1445	192.168.2.4	154.39.239.95
Jan 1, 2025 16:24:09.527771950 CET	1445	50005	154.39.239.95	192.168.2.4

Target ID:	0
Start time:	10:21:53
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\4iogI3WCTh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4iogI3WCTh.exe"
Imagebase:	0x400000
File size:	2'044'814 bytes
MD5 hash:	F4E673616E807B25A98F0655C693D411
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:21:53
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-T7IAT.tmp\4iogI3WCTh.tmp" /SL5="$20434,1664838,141312,C:\Users\user\Desktop\4iogI3WCTh.exe"
Imagebase:	0x400000
File size:	1'160'704 bytes
MD5 hash:	8FDC58C7D4C59472615682D6DEA9D190
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:21:53
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\4iogI3WCTh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT
Imagebase:	0x400000
File size:	2'044'814 bytes
MD5 hash:	F4E673616E807B25A98F0655C693D411
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:21:53
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-ST0J4.tmp\4iogI3WCTh.tmp" /SL5="$20442,1664838,141312,C:\Users\user\Desktop\4iogI3WCTh.exe" /VERYSILENT
Imagebase:	0x400000
File size:	1'160'704 bytes
MD5 hash:	8FDC58C7D4C59472615682D6DEA9D190
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:21:54
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\\NVIDIA app\\724\\msedgewebview2.exe"
Imagebase:	0x7ff600d50000
File size:	3'338'280 bytes
MD5 hash:	71FDF2D301949413F8B14E0F12C2E0F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:21:54
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:21:54
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:22:01
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 2424, Parent PID: 2996

General

Target ID:	9
Start time:	10:22:01
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:22:04
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe"
Imagebase:	0x7ff600d50000
File size:	3'338'280 bytes
MD5 hash:	71FDF2D301949413F8B14E0F12C2E0F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:22:04
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7256, Parent PID: 7248

General

Target ID:	12
Start time:	10:22:04
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:22:19
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /FI "IMAGENAME eq regsvr32.exe"
Imagebase:	0x7ff66c980000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:22:19
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:22:20
Start date:	01/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"
Imagebase:	0x7ff6adac0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000012.00000002.3094660374.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000012.00000003.1931212895.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000012.00000002.3096785341.0000000002720000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	10:22:33
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /FI "IMAGENAME eq regsvr32.exe"
Imagebase:	0x7ff66c980000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:22:33
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:22:33
Start date:	01/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"
Imagebase:	0x7ff6adac0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:22:33
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7848, Parent PID: 7840

General

Target ID:	23
Start time:	10:22:33
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:22:58
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /FI "IMAGENAME eq regsvr32.exe"
Imagebase:	0x7ff66c980000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:22:58
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:22:58
Start date:	01/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"
Imagebase:	0x7ff6adac0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:22:59
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5100, Parent PID: 1448

General

Target ID:	28
Start time:	10:22:59
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:23:31
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /FI "IMAGENAME eq regsvr32.exe"
Imagebase:	0x7ff66c980000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:23:31
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:23:32
Start date:	01/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"regsvr32" /s /i:SYNC "C:\Users\user\AppData\Roaming\NVIDIA app\724\msedge_elf.dll"
Imagebase:	0x7ff6adac0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:23:32
Start date:	01/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\user\AppData\Roaming\NVIDIA app\724\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{226C52D4-F263-4D4A-8AE7-8E60E9B5A5F5}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4048, Parent PID: 1516

General

Target ID:	34
Start time:	10:23:32
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.2%
Total number of Nodes:	271
Total number of Limit Nodes:	31

Executed Functions

Function 00007FFDFF1B1D70 Relevance: 174.2, APIs: 86, Strings: 12, Instructions: 2678memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B2436
HeapFree.KERNEL32 ref: 00007FFDFF1B2454
HeapFree.KERNEL32 ref: 00007FFDFF1B2511

Strings

Encrypted files are not supportedInvalid local file headerInvalid Central Directory header, xrefs: 00007FFDFF1B3597
!, xrefs: 00007FFDFF1B35A6
Support for multi-disk files is not implemented, xrefs: 00007FFDFF1B43FC
/i:S, xrefs: 00007FFDFF1B2761
SYNC, xrefs: 00007FFDFF1B2767
/, xrefs: 00007FFDFF1B440B
Could not read enough bytesFromUtf8Errorbyteserrorinvalid seek to a negative or overflowing position, xrefs: 00007FFDFF1B5539, 00007FFDFF1B5557
Could not find central directory endInvalid digital signature header, xrefs: 00007FFDFF1B317D
ZQ, xrefs: 00007FFDFF1B7034
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FFDFF1B59EC
(, xrefs: 00007FFDFF1B25DA
called `Result::unwrap()` on an `Err` value, xrefs: 00007FFDFF1B4272, 00007FFDFF1B4351

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID: !$($/$/i:S$Could not find central directory endInvalid digital signature header$Could not read enough bytesFromUtf8Errorbyteserrorinvalid seek to a negative or overflowing position$Encrypted files are not supportedInvalid local file headerInvalid Central Directory header$SYNC$Support for multi-disk files is not implemented$ZQ$called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 3298025750-1660721834
Opcode ID: fbfe40eca320aa8c0a065b08ee0eec9281792f96c6d33ef7d80ceee36d9426fc
Instruction ID: 9b150b05a4ccfc3cb340ddfd5f009cb71a9318e0550ae670a484390f0d35a008
Opcode Fuzzy Hash: fbfe40eca320aa8c0a065b08ee0eec9281792f96c6d33ef7d80ceee36d9426fc
Instruction Fuzzy Hash: DD535862B0CBC280EB719B15A4647AAA3A0FB84784F444236DBAD97BDDDF7CD145CB40

Function 00007FFDFF1F8080 Relevance: 156.5, APIs: 83, Strings: 5, Instructions: 2510memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000003,?,?,00007FFDFF1FEC30,00000000,00000000,00000000,00000003,?,?,00007FFDFF1FFA41), ref: 00007FFDFF1F817C
HeapFree.KERNEL32(?,00000003,?,?,00007FFDFF1FEC30,00000000,00000000,00000000,00000003,?,?,00007FFDFF1FFA41), ref: 00007FFDFF1F8264
HeapFree.KERNEL32(?,00000003,?,?,00007FFDFF1FEC30,00000000,00000000,00000000,00000003,?,?,00007FFDFF1FFA41), ref: 00007FFDFF1F8382
HeapFree.KERNEL32(?,00000003,?,?,00007FFDFF1FEC30,00000000,00000000,00000000,00000003,?,?,00007FFDFF1FFA41), ref: 00007FFDFF1F83AC
GetEnvironmentStringsW.KERNEL32 ref: 00007FFDFF1F8453

Strings

\?\\, xrefs: 00007FFDFF1F909A
.exeprogram not found, xrefs: 00007FFDFF1F9214
assertion failed: self.height > 0, xrefs: 00007FFDFF1FB147
]?\\, xrefs: 00007FFDFF1F90A2
PATHlibrary\std\src\sys_common\process.rs, xrefs: 00007FFDFF1FA5EB

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$EnvironmentStrings
String ID: .exeprogram not found$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: self.height > 0
API String ID: 2767186067-2173948767
Opcode ID: 438d530565eb0e12457dbd3d83dd6ad7e9905329718b40961276f865af7bf96e
Instruction ID: a0245f55102d1041b4e3700003bd1392dfff067be3dbece459562974700c2350
Opcode Fuzzy Hash: 438d530565eb0e12457dbd3d83dd6ad7e9905329718b40961276f865af7bf96e
Instruction Fuzzy Hash: 6E435E62F09AC285EB709F259860BF923A1FB44798F444236DA7D9B7DDDF38A645C300

Function 00007FFDFF1FFA50 Relevance: 20.0, APIs: 13, Instructions: 457
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFDFF1FFAB0
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FFDFF1FFADC
HeapFree.KERNEL32 ref: 00007FFDFF1FFB87

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Process$CurrentFreeHeapPrng
String ID:
API String ID: 2687294623-0
Opcode ID: fceb44e27e5dd72fb5a5ad19f0c294b97442bf41cb646bf3afeacaad0d38f75c
Instruction ID: 7cccc6d561d06525f19e7ae06b088c08969d3bcde0456e28126a86fa225e37c2
Opcode Fuzzy Hash: fceb44e27e5dd72fb5a5ad19f0c294b97442bf41cb646bf3afeacaad0d38f75c
Instruction Fuzzy Hash: 86129F23F08A9189E7648B259860BBA27A0FB447A8F484336DE7E877DDDF78D445C340

Function 00007FFDFF1B6060 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FFDFF1B60B3

Strings

$, xrefs: 00007FFDFF1B6382
$, xrefs: 00007FFDFF1B636E

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FileModuleName
String ID: $$$
API String ID: 514040917-233714265
Opcode ID: ce73ce1ada085a5ca2ae938c063113766c90b9e5e731682de3bfba0677b67b52
Instruction ID: 339956c890906bb06932d5f68ea2d3fe6403c325703cfbdd2646ba333e67b152
Opcode Fuzzy Hash: ce73ce1ada085a5ca2ae938c063113766c90b9e5e731682de3bfba0677b67b52
Instruction Fuzzy Hash: F6021722A0CBC180E7B09B11E4647EAB3A5FB88744F544235DAED87BA9DF7CD549CB40

Function 00007FF600E1F800 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,?,00007FF600E1F6E6,?,?,00000518,00000000,00007FF600E1F597), ref: 00007FF600E1F8AD
GetProcAddress.KERNEL32(?,?,?,?,?,?,00007FF600E1F6E6,?,?,00000518,00000000,00007FF600E1F597), ref: 00007FF600E1F8C2
LoadLibraryW.KERNEL32(?,?,?,?,?,?,00007FF600E1F6E6,?,?,00000518,00000000,00007FF600E1F597), ref: 00007FF600E1F8E8
GetProcAddress.KERNEL32(?,?,?,?,?,?,00007FF600E1F6E6,?,?,00000518,00000000,00007FF600E1F597), ref: 00007FF600E1F8FD

Strings

bcryptprimitives.dll, xrefs: 00007FF600E1F8A6, 00007FF600E1F8E1
ProcessPrng, xrefs: 00007FF600E1F8B8, 00007FF600E1F8F3

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ProcessPrng$bcryptprimitives.dll
API String ID: 2574300362-2667675608
Opcode ID: 5a0c0f51a3f4aa7e9dbaeae2f82cae117ef1f02cd69cd5ea1cdda0f7bdd660f4
Instruction ID: 6f31d75e31e05cc7627d955b42bd3711a736c68830467bf2f17e8d5327df5038
Opcode Fuzzy Hash: 5a0c0f51a3f4aa7e9dbaeae2f82cae117ef1f02cd69cd5ea1cdda0f7bdd660f4
Instruction Fuzzy Hash: 16314D31F0AB06A1FB698F25E85427563E0AF98B90F784435CA8E97B64EE3CE5418304

Function 00007FF600D952B0 Relevance: 7.9, APIs: 5, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF600D95385
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF600D9543A
ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF601049800,?,?,?,00000000,?,00007FF600E1F2B3), ref: 00007FF600D95476

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: 224a45e544231f32f11fdf08f87741da0663b91ffaa8d1a9425e7b058fb14494
Instruction ID: fecde85f27f78dddb92e885ace71c747b69f52557c1891dc6586a229414ca94b
Opcode Fuzzy Hash: 224a45e544231f32f11fdf08f87741da0663b91ffaa8d1a9425e7b058fb14494
Instruction Fuzzy Hash: 13F1C072B08A4596EB55CB15E85437A37A0FB48BA4F604231DBAE877E8DF3CE545C310

Function 00007FFDFF1FE760 Relevance: 4.1, APIs: 3, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82598d90d550b72ee476d5cddae3e5e921dd7659936aa46976c6ac262945f66
Instruction ID: f1a09179eae9c51fbf856bcf81509ff29f413e3aab55b15a9af3e94403e81d01
Opcode Fuzzy Hash: c82598d90d550b72ee476d5cddae3e5e921dd7659936aa46976c6ac262945f66
Instruction Fuzzy Hash: 55E10063F18A8281EB658B259520B7F67A1FF91788F485731DE7E066E8DF7CE5818300

Function 00007FFDFF202788 Relevance: 15.1, APIs: 10, Instructions: 121
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FFDFF20279F
HeapFree.KERNEL32 ref: 00007FFDFF2027B9
CloseHandle.KERNEL32 ref: 00007FFDFF202867
CloseHandle.KERNEL32 ref: 00007FFDFF202903
WaitForSingleObject.KERNEL32 ref: 00007FFDFF202CCE
GetLastError.KERNEL32 ref: 00007FFDFF202CD7
HeapFree.KERNEL32 ref: 00007FFDFF202CF9
HeapFree.KERNEL32 ref: 00007FFDFF202D1C
CloseHandle.KERNEL32 ref: 00007FFDFF202D7C
CloseHandle.KERNEL32 ref: 00007FFDFF202D85

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseFreeHandleHeap$ErrorLastObjectSingleWait
String ID:
API String ID: 3984667017-0
Opcode ID: cfa682ff03c4f44f18bee66fc3c727f52537c13954e66ac81976801c894b316b
Instruction ID: 4a3e0437cda4f7f4fc14de4a540bb15fd5cfe0c74e7281dbffcc0530fba28dec
Opcode Fuzzy Hash: cfa682ff03c4f44f18bee66fc3c727f52537c13954e66ac81976801c894b316b
Instruction Fuzzy Hash: 5C515B23A08AC584E7609F62D8647E92760FB44788F484236EE6DCABDDDF789589C340

Function 00007FFDFF201E80 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FFDFF202028
memcpy.MSVCRT ref: 00007FFDFF20203B
memcpy.MSVCRT ref: 00007FFDFF202052
memcpy.MSVCRT ref: 00007FFDFF20206B
memcpy.MSVCRT ref: 00007FFDFF2020AC
memcpy.MSVCRT ref: 00007FFDFF2020C7

Strings

assertion failed: old_left_len + count <= CAPACITY, xrefs: 00007FFDFF202292
called `Result::unwrap()` on an `Err` value, xrefs: 00007FFDFF202E52, 00007FFDFF202E86, 00007FFDFF202EBA

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: old_left_len + count <= CAPACITY$called `Result::unwrap()` on an `Err` value
API String ID: 3510742995-3830370267
Opcode ID: e28cc99cdbe1d1161b80fb67a978a9abc618a5c0e5a2e42b35f9e95ab9161b0c
Instruction ID: 234c993e7d6d4ddc4886c3ab7f5b545315f96f9a3c72b20bb554fe37aa3b868c
Opcode Fuzzy Hash: e28cc99cdbe1d1161b80fb67a978a9abc618a5c0e5a2e42b35f9e95ab9161b0c
Instruction Fuzzy Hash: 94C11663A04B8582EB459F14E8017F96768FF58B98F499332DF6D93395DF38A285C300

Function 00007FFDFF1F2BA0 Relevance: 12.2, APIs: 8, Instructions: 177
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDFF1F2F10: HeapFree.KERNEL32(?,?,?,?,-8000000000000000,?,?,?,?,?,00007FFDFF1FD7C7), ref: 00007FFDFF1F3038

CreateFileW.KERNEL32 ref: 00007FFDFF1F2D28
GetLastError.KERNEL32 ref: 00007FFDFF1F2D44
SetFileInformationByHandle.KERNEL32 ref: 00007FFDFF1F2D6D
HeapFree.KERNEL32 ref: 00007FFDFF1F2D8A
GetLastError.KERNEL32 ref: 00007FFDFF1F2D99
HeapFree.KERNEL32 ref: 00007FFDFF1F2DC5
GetLastError.KERNEL32 ref: 00007FFDFF1F2DDE
CloseHandle.KERNEL32 ref: 00007FFDFF1F2DF0

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorFreeHeapLast$FileHandle$CloseCreateInformation
String ID:
API String ID: 2929975209-0
Opcode ID: 38fcc76711a0213deb93089215563ba373ce08b229646afb8c47c777b446e7be
Instruction ID: 4d18287f98bca43877d5c4fcb72652e2744c565cde5e24d881a2bafcaecb8980
Opcode Fuzzy Hash: 38fcc76711a0213deb93089215563ba373ce08b229646afb8c47c777b446e7be
Instruction Fuzzy Hash: 6861A163F086D646FB7086219170BB92791AF45788F184331DE7E87ACDDFBDA8A58310

Function 00007FFDFF2027D0 Relevance: 12.1, APIs: 8, Instructions: 105
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF202867
CloseHandle.KERNEL32 ref: 00007FFDFF202903
WaitForSingleObject.KERNEL32 ref: 00007FFDFF202CCE
GetLastError.KERNEL32 ref: 00007FFDFF202CD7
HeapFree.KERNEL32 ref: 00007FFDFF202CF9
HeapFree.KERNEL32 ref: 00007FFDFF202D1C
CloseHandle.KERNEL32 ref: 00007FFDFF202D7C
CloseHandle.KERNEL32 ref: 00007FFDFF202D85
GetLastError.KERNEL32 ref: 00007FFDFF202DDE

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$ErrorFreeHeapLast$ObjectSingleWait
String ID:
API String ID: 908592504-0
Opcode ID: 4298aa4110947bfe5c9ff9accb72ae427ee72d447fa7bcb020a8269d375f2e61
Instruction ID: e1b5349974fac94351bdf0d701c999070ad1347089377888d0461d8212526a8f
Opcode Fuzzy Hash: 4298aa4110947bfe5c9ff9accb72ae427ee72d447fa7bcb020a8269d375f2e61
Instruction Fuzzy Hash: 6B412823A08BC188E7719F61D8647E92760FB4479CF084236EE6D8AADDDF789589C350

Function 00007FFDFF2030A0 Relevance: 10.1, APIs: 8, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF203106
GetLastError.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF203171
CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF2031CA
CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF2031D3
HeapFree.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF203230
CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF203241
CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF20324A
HeapFree.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF20325C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$ErrorFreeHeapLast
String ID:
API String ID: 2056089037-0
Opcode ID: a7d48adf411b1f9489ff9b97180360af9167b3e19d8b93aaaca9e7b3bd2fe902
Instruction ID: 132ee58ff0e06c534b672086d2f36b185b3335ca7d5e60e1c7748a097c884c6a
Opcode Fuzzy Hash: a7d48adf411b1f9489ff9b97180360af9167b3e19d8b93aaaca9e7b3bd2fe902
Instruction Fuzzy Hash: 0F416523B08B4285EB24DB2295617BD67A1EB88784F484631DE7ED77DADF3CE9458300

Function 00007FF600EC782C Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF600EC783B
FlsSetValue.KERNEL32 ref: 00007FF600EC7871
FlsSetValue.KERNEL32 ref: 00007FF600EC789E
FlsSetValue.KERNEL32 ref: 00007FF600EC78AF
FlsSetValue.KERNEL32 ref: 00007FF600EC78C0
SetLastError.KERNEL32 ref: 00007FF600EC78DB

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: b56dea6cb73fc9b56703c4709b2027bc621aa76816c84145973931551c731a8d
Instruction ID: 2bae1e24b9ddebdc45ba8d4c619aa2afb7d4575a8344d76869460526f8fe36bf
Opcode Fuzzy Hash: b56dea6cb73fc9b56703c4709b2027bc621aa76816c84145973931551c731a8d
Instruction Fuzzy Hash: B1116021F0C256A1FA58A3319A5693D29429F447B0F744B34E9AEE77EEDE2DB4438700

Function 00007FFDFF1FA50D Relevance: 5.2, APIs: 4, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF1F9574
HeapFree.KERNEL32(00000000), ref: 00007FFDFF1F9750

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: a6d343e71d077978c8e156747e5163b3d87f03e85517c32c21585745529b7e21
Instruction ID: 6fa476140bd96fe3f203c137a0be3dcd2c2193b45444f0ddf16ca595a36807df
Opcode Fuzzy Hash: a6d343e71d077978c8e156747e5163b3d87f03e85517c32c21585745529b7e21
Instruction Fuzzy Hash: 2A713866E15AD684EB709F22DC60BFD23A1FB84B98F404236CA2D9B7DDDF3895418700

Function 00007FFDFF203270 Relevance: 3.1, APIs: 2, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FFDFF2032E8
GetLastError.KERNEL32 ref: 00007FFDFF20330B

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 4dcf40ea932a4df618902db9eb42e27f590e638ff9cb20d7303d3cb83be7cdde
Instruction ID: 87e1d5bf5e1e3f0ddf99dd183868adebf42303ca60e054fb8927f71ed6921719
Opcode Fuzzy Hash: 4dcf40ea932a4df618902db9eb42e27f590e638ff9cb20d7303d3cb83be7cdde
Instruction Fuzzy Hash: 72412C63B08B4189EB248B66D5A07BD27A1EB04B84F188635DE7DD77C9DF7CE8518340

Function 00007FF600ECC4D4 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__free_lconv_mon.LIBCMT ref: 00007FF600ECC531
__free_lconv_num.LIBCMT ref: 00007FF600ECC553

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: __free_lconv_mon__free_lconv_num
String ID:
API String ID: 2148069796-0
Opcode ID: 81b9c93780bff18e7441eb59178c2ad727a2e1b9be613c2960ee2683208b9e85
Instruction ID: 8508ed77ab76e2311eff3e05b3efbd22bc04e9da9b064eb3293736058cac6198
Opcode Fuzzy Hash: 81b9c93780bff18e7441eb59178c2ad727a2e1b9be613c2960ee2683208b9e85
Instruction Fuzzy Hash: 22413032F2A642A4EF549F21D5507BC2790AF84B48F784432DA4DA679EDF2DE883C350

Function 00007FFDFF1DA2A0 Relevance: 1.3, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000004,00007FFDFF1D8DF2), ref: 00007FFDFF1DA2D8

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 57b4c8917531aa89a4a40f83ae940fd55842c2f83d1ea938bbb383108463c6cd
Instruction ID: a87f2eda94482e2c19ab243adfc3d313ad928b7f4f3c72d608aa74518a7996e4
Opcode Fuzzy Hash: 57b4c8917531aa89a4a40f83ae940fd55842c2f83d1ea938bbb383108463c6cd
Instruction Fuzzy Hash: 0A114F22F09B4291EB258B12A560B7D63F1AB08394F584375DEBD867C9EF3DA581C200

Function 00007FFDFF1FEDF5 Relevance: 1.3, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDFF1FFA50: GetCurrentProcessId.KERNEL32 ref: 00007FFDFF1FFAB0
Part of subcall function 00007FFDFF1FFA50: ProcessPrng.BCRYPTPRIMITIVES ref: 00007FFDFF1FFADC
Part of subcall function 00007FFDFF1FFA50: HeapFree.KERNEL32 ref: 00007FFDFF1FFB87

CloseHandle.KERNEL32 ref: 00007FFDFF1FEF4F

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Process$CloseCurrentFreeHandleHeapPrng
String ID:
API String ID: 4199747799-0
Opcode ID: 4be62e6c556ec3346351a61870d323fa1739e9f9d1c35523c750760ad5fc9d98
Instruction ID: 2c87c9606dbf6dc953e0f8cdbecabb23414bf0a5b0325341088e7b9f4bddabe6
Opcode Fuzzy Hash: 4be62e6c556ec3346351a61870d323fa1739e9f9d1c35523c750760ad5fc9d98
Instruction Fuzzy Hash: 43F03A23B0568145E7619B25E9607AD63D49B80BA8F0C8631DE3E87BD9CF7CE4C6D300

Non-executed Functions

Function 00007FFDFF2036A0 Relevance: 83.8, APIs: 45, Strings: 2, Instructions: 1550memoryfileprocessCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFF2037B9
GetCurrentDirectoryW.KERNEL32 ref: 00007FFDFF2037C4
GetLastError.KERNEL32 ref: 00007FFDFF2037CF
GetLastError.KERNEL32 ref: 00007FFDFF2037F6
HeapFree.KERNEL32 ref: 00007FFDFF203876
memset.MSVCRT ref: 00007FFDFF20397E
RtlCaptureContext.NTDLL ref: 00007FFDFF203986
RtlLookupFunctionEntry.NTDLL ref: 00007FFDFF2039AA
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFDFF203B51
memset.MSVCRT ref: 00007FFDFF203B75
Module32FirstW.KERNEL32 ref: 00007FFDFF203B8A
Module32NextW.KERNEL32 ref: 00007FFDFF203BCA
UnmapViewOfFile.KERNEL32(?), ref: 00007FFDFF203D33
CloseHandle.KERNEL32(?), ref: 00007FFDFF203D3B
HeapFree.KERNEL32(?), ref: 00007FFDFF203D5A
UnmapViewOfFile.KERNEL32(?), ref: 00007FFDFF203DCF
CloseHandle.KERNEL32(?), ref: 00007FFDFF203DD7
CloseHandle.KERNEL32(?), ref: 00007FFDFF203EC3
HeapFree.KERNEL32(?), ref: 00007FFDFF203F4D
HeapFree.KERNEL32(?), ref: 00007FFDFF203F65
HeapFree.KERNEL32(?), ref: 00007FFDFF205584
GetLastError.KERNEL32 ref: 00007FFDFF2055A6

Strings

stack backtrace:, xrefs: 00007FFDFF2038F3
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 00007FFDFF2055EC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$ErrorLast$CloseHandle$FileModule32UnmapViewmemset$CaptureContextCreateCurrentDirectoryEntryFirstFunctionLookupNextSnapshotToolhelp32
String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
API String ID: 858481261-3192684347
Opcode ID: 09e5637573c4e064e0f652eb0a634184cf0c759bfa2e68a08de6e06b0b7d86df
Instruction ID: c6e51a58ab8f63ef8d1e802ada43323a854046b92b25c95d1f308f78648631cb
Opcode Fuzzy Hash: 09e5637573c4e064e0f652eb0a634184cf0c759bfa2e68a08de6e06b0b7d86df
Instruction Fuzzy Hash: E2033D62A04AC689EB708F25D8657FD33A1FB44788F484236CA6D9BBDDDF389645D300

Function 00007FFDFF1DB6F0 Relevance: 69.6, APIs: 42, Strings: 3, Instructions: 2092COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1EC8D0: memcmp.MSVCRT ref: 00007FFDFF1ECA57

memcpy.MSVCRT ref: 00007FFDFF1DBF0C
memcpy.MSVCRT ref: 00007FFDFF1DBF56

Strings

.debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo., xrefs: 00007FFDFF1DB72A, 00007FFDFF1DBAE9
.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwo, xrefs: 00007FFDFF1DED3D
assertion failed: end >= start && end <= len, xrefs: 00007FFDFF1DF0F5, 00007FFDFF1DF13D

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy$memcmp
String ID: .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.$.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwo$assertion failed: end >= start && end <= len
API String ID: 3384217055-3986548874
Opcode ID: 2f846fa1828be6d94f64d2428e07d67e384862b86ff2f41c5eacc9247d9dc5e4
Instruction ID: 9812a3f84a9a76fabef71dbdba1899424231082c42c3d5d436e63aa71634841e
Opcode Fuzzy Hash: 2f846fa1828be6d94f64d2428e07d67e384862b86ff2f41c5eacc9247d9dc5e4
Instruction Fuzzy Hash: 52335A22F09BC589EB718F25D8647ED33A1FB44788F445236CA6D4BB99DF39A291C340

Function 00007FFDFF1D35F0 Relevance: 52.9, APIs: 29, Strings: 1, Instructions: 373memorylibraryloaderCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FFDFF1D361B
LoadLibraryA.KERNEL32 ref: 00007FFDFF1D3762
GetProcAddress.KERNEL32 ref: 00007FFDFF1D3793
HeapFree.KERNEL32 ref: 00007FFDFF1D37B1
HeapFree.KERNEL32 ref: 00007FFDFF1D37CC
GetModuleHandleA.KERNEL32 ref: 00007FFDFF1D37F4
GetProcAddress.KERNEL32 ref: 00007FFDFF1D3825
HeapFree.KERNEL32 ref: 00007FFDFF1D3841
HeapFree.KERNEL32 ref: 00007FFDFF1D385C
LoadLibraryA.KERNEL32 ref: 00007FFDFF1D3884
GetProcAddress.KERNEL32 ref: 00007FFDFF1D38B5
HeapFree.KERNEL32 ref: 00007FFDFF1D38D1
HeapFree.KERNEL32 ref: 00007FFDFF1D38EC
LoadLibraryA.KERNEL32 ref: 00007FFDFF1D3914
GetProcAddress.KERNEL32 ref: 00007FFDFF1D3945
HeapFree.KERNEL32 ref: 00007FFDFF1D3961
HeapFree.KERNEL32 ref: 00007FFDFF1D397C
LoadLibraryA.KERNEL32 ref: 00007FFDFF1D39A4
GetProcAddress.KERNEL32 ref: 00007FFDFF1D39D5
HeapFree.KERNEL32 ref: 00007FFDFF1D39F1
HeapFree.KERNEL32 ref: 00007FFDFF1D3A0C
LoadLibraryA.KERNEL32 ref: 00007FFDFF1D3A34
GetProcAddress.KERNEL32 ref: 00007FFDFF1D3A65
HeapFree.KERNEL32 ref: 00007FFDFF1D3A81
HeapFree.KERNEL32 ref: 00007FFDFF1D3A9C
CreateEventW.KERNEL32 ref: 00007FFDFF1D3AF7
WaitForSingleObject.KERNEL32 ref: 00007FFDFF1D3B0C
HeapFree.KERNEL32 ref: 00007FFDFF1D3BD1
HeapFree.KERNEL32 ref: 00007FFDFF1D3C9B

Part of subcall function 00007FFDFF1C3150: TlsGetValue.KERNEL32 ref: 00007FFDFF1C316A
Part of subcall function 00007FFDFF1C3150: BCryptGenRandom.BCRYPT ref: 00007FFDFF1C319F
Part of subcall function 00007FFDFF1C3150: SystemFunction036.ADVAPI32 ref: 00007FFDFF1C31BA

Strings

cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FFDFF1D3B99

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$AddressProc$LibraryLoad$CreateEvent$CryptFunction036HandleModuleObjectRandomSingleSystemValueWait
String ID: cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 3168797044-1168434340
Opcode ID: 5254ad478ccc7177241345e557fcb222bbc8335646cd33d2d1f36cdd6ef6abc7
Instruction ID: 4bd907d4506240fb6b681ccbdb3b5d4627e36f8c37782c24e45038fe4df0061a
Opcode Fuzzy Hash: 5254ad478ccc7177241345e557fcb222bbc8335646cd33d2d1f36cdd6ef6abc7
Instruction Fuzzy Hash: 97F18F22F09A4640FB14EB66A425BBA5361EF85784F484332E97ED76EEDF7CE1458300

Function 00007FFDFF1FD6C0 Relevance: 51.7, APIs: 34, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a2399d51f1e29b51e7b954411ffbba37ccaecf0322d9fe853ab7c454f75477
Instruction ID: 7663b5955e62d60496adef034e484711ccef4d28b80113114c965049d2951200
Opcode Fuzzy Hash: 13a2399d51f1e29b51e7b954411ffbba37ccaecf0322d9fe853ab7c454f75477
Instruction Fuzzy Hash: F4629263B087C585EB259B259864BF96365FB44B88F484232DE3DDB7D9DF389285C300

Function 00007FFDFF1E34C0 Relevance: 46.2, APIs: 28, Strings: 2, Instructions: 1215COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF1E355A

Strings

@, xrefs: 00007FFDFF1E4F14
assertion failed: end >= start && end <= len, xrefs: 00007FFDFF1E544F

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy
String ID: @$assertion failed: end >= start && end <= len
API String ID: 3510742995-884486453
Opcode ID: 83b0d2c804a2d17cdd4d1568f02dadd859c430cf1c076f3a96b1d1d2e213e988
Instruction ID: 786aa64ac353d5ae0b79de23511a7fb5e4d549053d762f52aa7f55abfef477d6
Opcode Fuzzy Hash: 83b0d2c804a2d17cdd4d1568f02dadd859c430cf1c076f3a96b1d1d2e213e988
Instruction Fuzzy Hash: 42C28176F08AC285E7708F2198647F927A1FB54B88F444236CA7D9BBD9DF38A655C300

Function 00007FFDFF1CCC50 Relevance: 44.3, APIs: 24, Strings: 1, Instructions: 515memorylibrarynativeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFF1CCC7E
GetModuleHandleA.KERNEL32 ref: 00007FFDFF1CCD0B
LoadLibraryA.KERNEL32 ref: 00007FFDFF1CCD1B
GetProcAddress.KERNEL32 ref: 00007FFDFF1CCDBA
HeapFree.KERNEL32 ref: 00007FFDFF1CCDEB
HeapFree.KERNEL32 ref: 00007FFDFF1CCE04
GetModuleHandleA.KERNEL32 ref: 00007FFDFF1CCE90
GetProcAddress.KERNEL32 ref: 00007FFDFF1CCF26
HeapFree.KERNEL32 ref: 00007FFDFF1CCF57
HeapFree.KERNEL32 ref: 00007FFDFF1CCF70
AddVectoredExceptionHandler.KERNEL32 ref: 00007FFDFF1CCF81
NtQueryInformationProcess.NTDLL ref: 00007FFDFF1CCFBB

Part of subcall function 00007FFDFF1B89B0: memcpy.MSVCRT ref: 00007FFDFF1B89F0

NtQuerySystemInformation.NTDLL ref: 00007FFDFF1CD009
HeapFree.KERNEL32 ref: 00007FFDFF1CD363
HeapFree.KERNEL32 ref: 00007FFDFF1CD4D8

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FFDFF1CD3DB, 00007FFDFF1CD41D, 00007FFDFF1CD45C, 00007FFDFF1CD49B

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$AddressHandleInformationModuleProcQuery$ExceptionHandlerLibraryLoadProcessSystemVectoredmemcpymemset
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1664888229-2333694755
Opcode ID: 8172e6515329652ded644d9a0edfd0989f5716e5b8afd2ee42f4bd8873f6e240
Instruction ID: 993944a9bfd7e05b6f215574f003057790f5b50f5cca1f889b2d1500f33dfc97
Opcode Fuzzy Hash: 8172e6515329652ded644d9a0edfd0989f5716e5b8afd2ee42f4bd8873f6e240
Instruction Fuzzy Hash: 31427B22B0CBC681E7218B15E460BAAB7A1FB85794F444235EABD877D9EF3DE445C700

Function 00007FFDFF1DB640 Relevance: 35.7, APIs: 21, Strings: 2, Instructions: 1186COMMON

Download Yara Rule

Strings

.debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo., xrefs: 00007FFDFF1DB72A, 00007FFDFF1DBAE9
assertion failed: end >= start && end <= len, xrefs: 00007FFDFF1DF0F5

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.$assertion failed: end >= start && end <= len
API String ID: 0-3902390773
Opcode ID: 39d032b92a1a12b1332f768935ba21eddf85ef91a5f9e677f7b862e58e5345a2
Instruction ID: 9c5d4016625696dce4424643613c216b846f20c7f257ce473b5d767fb2a91edd
Opcode Fuzzy Hash: 39d032b92a1a12b1332f768935ba21eddf85ef91a5f9e677f7b862e58e5345a2
Instruction Fuzzy Hash: A1C24B66F09BC588EB709F21E9547ED23A5FB45788F444636CA6D8BB99DF3CA241C300

Function 00007FFDFF1FED39 Relevance: 33.6, APIs: 17, Strings: 2, Instructions: 353COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FFDFF1FED50
DuplicateHandle.KERNEL32 ref: 00007FFDFF1FED79
GetCurrentProcess.KERNEL32 ref: 00007FFDFF1FEEC0
DuplicateHandle.KERNEL32 ref: 00007FFDFF1FEEEA
GetLastError.KERNEL32 ref: 00007FFDFF1FEEF9
CloseHandle.KERNEL32 ref: 00007FFDFF1FEF2F

Strings

RUST_MIN_STACKlibrary\std\src\thread\mod.rsfailed to spawn thread, xrefs: 00007FFDFF1FEF91
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FFDFF1FF30D, 00007FFDFF1FF336

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Handle$CurrentDuplicateProcess$CloseErrorLast
String ID: RUST_MIN_STACKlibrary\std\src\thread\mod.rsfailed to spawn thread$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 120317985-1624771165
Opcode ID: a7a26373da3a9d2d51e43068dc015ad600d64288357960b00bdec085fbec96bd
Instruction ID: e37cf64fef75aedf87c40203b741ff1572f291e718f7c43b47a2de038290a53c
Opcode Fuzzy Hash: a7a26373da3a9d2d51e43068dc015ad600d64288357960b00bdec085fbec96bd
Instruction Fuzzy Hash: 55F14B22F0868285FB219B619420BBD2760FF85788F484736EA7E967DEDF7CA545C340

Function 00007FFDFF1ED4E0 Relevance: 23.2, APIs: 17, Instructions: 1948memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1EDDB3
HeapFree.KERNEL32 ref: 00007FFDFF1EDEFA
HeapFree.KERNEL32 ref: 00007FFDFF1EE368
HeapFree.KERNEL32 ref: 00007FFDFF1EE387
HeapFree.KERNEL32 ref: 00007FFDFF1EE3A6
HeapFree.KERNEL32 ref: 00007FFDFF1EE3C5

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1301e2872d8d33dc24c0c98feb857d5f6bebc45cb55f2481f8866833ccd60381
Instruction ID: b395b3e730e56fcfadc1cead6615dec1558de7a37dbebbf87e893d89a8032d62
Opcode Fuzzy Hash: 1301e2872d8d33dc24c0c98feb857d5f6bebc45cb55f2481f8866833ccd60381
Instruction Fuzzy Hash: 83239A63A08BC58AE7758F25D8647E933A4FB15798F444235DBAD4BBD9DF38A281C300

Function 00007FFDFF1F83D0 Relevance: 22.9, APIs: 15, Instructions: 419COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FFDFF1F8453
CloseHandle.KERNEL32 ref: 00007FFDFF1F9574

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseEnvironmentHandleStrings
String ID:
API String ID: 1140201626-0
Opcode ID: c030696cd6d434510976683d13ef0ed609537dd014d8e4ce769ad43e91dd36b4
Instruction ID: 7fb91d34d7c6cd4059ddb62095e504447e05c4220ac929d27fe24ea870a09aac
Opcode Fuzzy Hash: c030696cd6d434510976683d13ef0ed609537dd014d8e4ce769ad43e91dd36b4
Instruction Fuzzy Hash: 9C126C62F08AC289EB709F2598647FA23A4FB447A8F544336DA3D877D9DF38A545C304

Function 00007FFDFF1B3626 Relevance: 19.8, APIs: 12, Strings: 1, Instructions: 270memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF1B391F
memset.MSVCRT ref: 00007FFDFF1B3AC3
HeapFree.KERNEL32 ref: 00007FFDFF1B3C9C

Strings

assertion failed: filled <= self.buf.init/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\core\src\io\borrowed_buf.rs, xrefs: 00007FFDFF1B5510

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeapmemcpymemset
String ID: assertion failed: filled <= self.buf.init/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\core\src\io\borrowed_buf.rs
API String ID: 2272576838-4183801151
Opcode ID: 4f054f8e4e19e29106e1af65f47cb3223a67d80ee22871d64f350aa48d78b9dd
Instruction ID: 47025f6cbf730af9947328116518df1645b597a1517548001fbb7ba126fec7a2
Opcode Fuzzy Hash: 4f054f8e4e19e29106e1af65f47cb3223a67d80ee22871d64f350aa48d78b9dd
Instruction Fuzzy Hash: E6D16A23B0CBC181EB759B11E4647EAA3A1FB89784F444236DAAD966EDDF3CD044CB00

Function 00007FFDFF1FD870 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFF1FD978
GetSystemDirectoryW.KERNEL32 ref: 00007FFDFF1FD983
GetLastError.KERNEL32 ref: 00007FFDFF1FD98E
GetLastError.KERNEL32 ref: 00007FFDFF1FD9A2
GetLastError.KERNEL32 ref: 00007FFDFF1FDA04
HeapFree.KERNEL32 ref: 00007FFDFF1FDA2D
memcpy.MSVCRT ref: 00007FFDFF1FDA5F
HeapFree.KERNEL32 ref: 00007FFDFF1FDA7E

Strings

\cmd.exemaximum number of ProcThreadAttributes exceeded, xrefs: 00007FFDFF1FDAA6, 00007FFDFF1FDAEF

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorLast$FreeHeap$DirectorySystemmemcpy
String ID: \cmd.exemaximum number of ProcThreadAttributes exceeded
API String ID: 2652732990-1207947948
Opcode ID: e31841b91a3d51fdaf1265d39354bef1d39cff5940ec474fdca1294ce6f4f35f
Instruction ID: 1c3ba806bb2b1f8f4493dd73784849fb27e38d39d1d9c925f3ee92a86034b431
Opcode Fuzzy Hash: e31841b91a3d51fdaf1265d39354bef1d39cff5940ec474fdca1294ce6f4f35f
Instruction Fuzzy Hash: 20B1C323F08AC646E7759B219860BBA2394FB44B98F440335DA3E8B7DDEF7C92419340

Function 00007FFDFF1D19F0 Relevance: 17.4, APIs: 10, Strings: 1, Instructions: 941memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF1D1A8F
memcpy.MSVCRT ref: 00007FFDFF1D2356
memcpy.MSVCRT ref: 00007FFDFF1D2403
memcpy.MSVCRT ref: 00007FFDFF1D24D1
memcpy.MSVCRT ref: 00007FFDFF1D251D
memcpy.MSVCRT ref: 00007FFDFF1D2575
memcpy.MSVCRT ref: 00007FFDFF1D25D5
memcpy.MSVCRT ref: 00007FFDFF1D2C7D
HeapFree.KERNEL32 ref: 00007FFDFF1D2F62
HeapFree.KERNEL32 ref: 00007FFDFF1D3034

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FFDFF1D2F73, 00007FFDFF1D2FC7

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 4250714341-2333694755
Opcode ID: 77d6d7910d222a6fbb65514acdabdb5332d1765fe32c9b0aba826a4b2411445e
Instruction ID: 3b9b9e74b255792056f9ae16fed03f4bd3f990afdcf06e54422c6f5a464e09b8
Opcode Fuzzy Hash: 77d6d7910d222a6fbb65514acdabdb5332d1765fe32c9b0aba826a4b2411445e
Instruction Fuzzy Hash: F0C2C46360CAC085E3328728A0257EBBBA4FBD5358F444214DBE847ADADB7ED245CF51

Function 00007FFDFF1B5B3E Relevance: 16.4, APIs: 13, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5AB6
HeapFree.KERNEL32 ref: 00007FFDFF1B5B7A
HeapFree.KERNEL32 ref: 00007FFDFF1B5BD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5BEE
HeapFree.KERNEL32 ref: 00007FFDFF1B5C14
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: caa1644d56e6903e210761e739694b7f537ec90383b347763ba604b930fa642b
Instruction ID: 9376e8b829906eee368c08e431b05af79162acebd477383420f8ce4f290838f7
Opcode Fuzzy Hash: caa1644d56e6903e210761e739694b7f537ec90383b347763ba604b930fa642b
Instruction Fuzzy Hash: 8551CA22E0C58281F775E7169468BFA9391EF84B44F884236D67DC66EEDF7CE4858700

Function 00007FFDFF1B5A8D Relevance: 15.1, APIs: 12, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5AB6
HeapFree.KERNEL32 ref: 00007FFDFF1B5BD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5BEE
HeapFree.KERNEL32 ref: 00007FFDFF1B5C14
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 7c6bfc4ec4daf8bccd0858c64a18faaffa8ccce5faacefbc6a7cad9b7e6fc23c
Instruction ID: ab9d4aa001f569bb4b2442af6521ef15bad470be26eb338df1205345eeed1ec5
Opcode Fuzzy Hash: 7c6bfc4ec4daf8bccd0858c64a18faaffa8ccce5faacefbc6a7cad9b7e6fc23c
Instruction Fuzzy Hash: FD51FC22E0C58281E774E716D464BFA9391EF84B44F884236D67EC66EEDF7CE4858700

Function 00007FFDFF1B5B0B Relevance: 15.1, APIs: 12, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5AB6
HeapFree.KERNEL32 ref: 00007FFDFF1B5BD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5BEE
HeapFree.KERNEL32 ref: 00007FFDFF1B5C14
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 59897a74670c148dc2d60e1e09159064bf25d1b95b4df10c41992e997d9b2cb3
Instruction ID: d877c746e2c220981d0b359a91af12a8f1aede985c40467965d96b0440fdfbb2
Opcode Fuzzy Hash: 59897a74670c148dc2d60e1e09159064bf25d1b95b4df10c41992e997d9b2cb3
Instruction Fuzzy Hash: DB51EC22E0C58281F775E7169464BFA5391EF84B44F884236D67EC66EEDF7CE4858700

Function 00007FFDFF1D7AC0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 269windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFF1D7AFA
FormatMessageW.KERNEL32(?,?,?,?,?,?,00007FFDFF1D75DD), ref: 00007FFDFF1D7B5A
GetLastError.KERNEL32(?,?,?,?,?,?,00007FFDFF1D75DD), ref: 00007FFDFF1D7C50

Strings

NTDLL.DLL, xrefs: 00007FFDFF1D7B0C
assertion failed: self.is_char_boundary(new_len)/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\alloc\src\string.rs, xrefs: 00007FFDFF1D7EE7

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorFormatLastMessagememset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\alloc\src\string.rs
API String ID: 3213201652-1160814674
Opcode ID: 7d0419ad284309cd4374accb28fe6e6ae8a505fc58f0253efb77040429660bee
Instruction ID: 08c0385bacec9a21f8d5ef4bf72cc2bed18f4afae8fe1fbd81de9701315b7837
Opcode Fuzzy Hash: 7d0419ad284309cd4374accb28fe6e6ae8a505fc58f0253efb77040429660bee
Instruction Fuzzy Hash: 24C17C23F09B8284EB758F21D860BFC27A1AB44784F844235DA7D46BDDDF7CA6499300

Function 00007FFDFF1FF520 Relevance: 12.2, APIs: 8, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32 ref: 00007FFDFF1FF5E3
HeapFree.KERNEL32 ref: 00007FFDFF1FF8C2

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Heap$AllocFree
String ID:
API String ID: 1379380650-0
Opcode ID: 8da30b7bec8accfa36a7b946bbcd10b5db588d1f6b4e97918d0503b075d2ce2d
Instruction ID: dd23d6de2759ee31c3d9e031976dab3f59fd4777d681f713c1e43d2dd5d35423
Opcode Fuzzy Hash: 8da30b7bec8accfa36a7b946bbcd10b5db588d1f6b4e97918d0503b075d2ce2d
Instruction Fuzzy Hash: 4591B267F1869280EB149B269424BB953A1BF49BE4F584331DE3E877E9DF7CA042C300

Function 00007FFDFF1C35A0 Relevance: 10.6, APIs: 7, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(?,?,?,?,00000000,?,00007FFDFF1D364B), ref: 00007FFDFF1C35D0
SystemFunction036.ADVAPI32(?,?,?,?,00000000,?,00007FFDFF1D364B), ref: 00007FFDFF1C35E8
HeapFree.KERNEL32(?,?,?,?,00000000,?,00007FFDFF1D364B), ref: 00007FFDFF1C366F
TlsSetValue.KERNEL32 ref: 00007FFDFF1C3717
HeapFree.KERNEL32 ref: 00007FFDFF1C3733
HeapFree.KERNEL32 ref: 00007FFDFF1C3744
TlsSetValue.KERNEL32 ref: 00007FFDFF1C3760

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$Value$CryptFunction036RandomSystem
String ID:
API String ID: 323188907-0
Opcode ID: c8b5d4a8c75f3ea6cea0be794ee2b4811a84ecc7a2c5e7d1367716b9eb3fc738
Instruction ID: fa327beb36cb07808cfde47dafe0e9a293b15010a1217ec43740013c572bf12e
Opcode Fuzzy Hash: c8b5d4a8c75f3ea6cea0be794ee2b4811a84ecc7a2c5e7d1367716b9eb3fc738
Instruction Fuzzy Hash: 5D51C312F0C68142FB259B29A022BF953A2AF94744F484230EA7D937E9EF3CD5868700

Function 00007FFDFF1E3AFF Relevance: 10.2, APIs: 8, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E50CD
HeapFree.KERNEL32 ref: 00007FFDFF1E560C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 09a530fc936fe538a66fe1b6293619f73d5b2157e70e6bd90c254f78e998f4da
Instruction ID: 077bb08dee664ea86b0f0255f91212e1561ddf78acd9c2c6a108f1955475cdfc
Opcode Fuzzy Hash: 09a530fc936fe538a66fe1b6293619f73d5b2157e70e6bd90c254f78e998f4da
Instruction Fuzzy Hash: 9B817E27F0868284E7748B2188B4BFD23A1EB45B48F484236DA7D96ADDDF3CA555C340

Function 00007FF600EC99DC Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF600EC9A55
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF600EC9A6D
RtlVirtualUnwind.KERNEL32 ref: 00007FF600EC9AA8
IsDebuggerPresent.KERNEL32 ref: 00007FF600EC9AE1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF600EC9AEB
UnhandledExceptionFilter.KERNEL32 ref: 00007FF600EC9AF6

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ca7995b0427c74961f129d9e3359f77c41b9b354362c1dbd84a5901568778dac
Instruction ID: b953f1e86eb7e92f87be2a5b2eb50889a8cefe25d71197417c114b0d870fb9de
Opcode Fuzzy Hash: ca7995b0427c74961f129d9e3359f77c41b9b354362c1dbd84a5901568778dac
Instruction Fuzzy Hash: 7A318236608F8196DB60CF25E8446AE73A4FB88794F600536EA8D93B59DF3CD545CB00

Function 00007FFDFF1E3C84 Relevance: 9.0, APIs: 7, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E50CD

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f5132911b1968778408cf26baa82a8a921da3f2466c0fd5ecb262d6e9b40ef5b
Instruction ID: 9b04f7bbaf7f03c54d2c82adbae3b0162846e44208cba88b63826d0d87d1c64c
Opcode Fuzzy Hash: f5132911b1968778408cf26baa82a8a921da3f2466c0fd5ecb262d6e9b40ef5b
Instruction Fuzzy Hash: 1DC1C367F0869285F7258F2198A0BFA23A1FB54B98F445335CA7E5BBD8CF38A551C340

Function 00007FFDFF1E3050 Relevance: 9.0, APIs: 7, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF1E3115
memcpy.MSVCRT ref: 00007FFDFF1E317B
memcpy.MSVCRT ref: 00007FFDFF1E31D6
memcpy.MSVCRT ref: 00007FFDFF1E323A
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000621,?,000000FF,?), ref: 00007FFDFF1E346E
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000621,?,000000FF,?), ref: 00007FFDFF1E348A
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000621,?,000000FF,?), ref: 00007FFDFF1E34A8

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: 8dd02e92e88c40f19f032c7e363b032ad23560cc67eae052600dec9b49e44535
Instruction ID: 2a02a4f4daff15e9287822a1ccd8f37e2187ac55723bd5a7438622c270dc508a
Opcode Fuzzy Hash: 8dd02e92e88c40f19f032c7e363b032ad23560cc67eae052600dec9b49e44535
Instruction Fuzzy Hash: F8A19263B08B9195E748CB25A8507BD77A4FB08B88F448639DF7D97789DF38A4A5C300

Function 00007FFDFF1E3956 Relevance: 8.9, APIs: 7, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: fd63e856eb015ec5f51c62fc99575096974c0a34329b33ac0cb20281510a4d34
Instruction ID: 2aab7e74d112e3a624174618719577bd121e5f129f5335dd1921a6d73aceacc2
Opcode Fuzzy Hash: fd63e856eb015ec5f51c62fc99575096974c0a34329b33ac0cb20281510a4d34
Instruction Fuzzy Hash: D5813036F0878285E7758F21D8A4BF927A1FB44788F444236DA7D9BAC8DF38A655C340

Function 00007FFDFF1E36E7 Relevance: 8.9, APIs: 7, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b857b663233abc2a39a8ba098606bb2f3ce205983c38fa8aa67c63c92e1bdcfd
Instruction ID: 569907f85a94aa91b5bee67ee5294eef3740e2e409f33dc349e28361e84e6738
Opcode Fuzzy Hash: b857b663233abc2a39a8ba098606bb2f3ce205983c38fa8aa67c63c92e1bdcfd
Instruction Fuzzy Hash: 4A819227F086C285E7748F2198B4BF927A2EB44788F454236DA3D8BACDDF38A555D340

Function 00007FFDFF1E39AF Relevance: 8.9, APIs: 7, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 61e925f0bd4845e07c21514a5f9b7ee1f517024c2c21a7bcbae36c40c8faadb3
Instruction ID: aa18cdc5b1d3fab8328526f6f90c2c76894865f86857d99b91d8f9ca162a8939
Opcode Fuzzy Hash: 61e925f0bd4845e07c21514a5f9b7ee1f517024c2c21a7bcbae36c40c8faadb3
Instruction Fuzzy Hash: 14814036F0878285E7358F21D8A4BE927A1FB44788F444236DA7D9BAC8CF38A555C340

Function 00007FFDFF1E3A99 Relevance: 8.9, APIs: 7, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 44182e887e7d0efc228957ae0501d76aa4f7d58b228effaa487e1b8e7d8d6f09
Instruction ID: fa2409231e700d8286381b74ead68a5eb0993e8609952be9fc0a305057cdea85
Opcode Fuzzy Hash: 44182e887e7d0efc228957ae0501d76aa4f7d58b228effaa487e1b8e7d8d6f09
Instruction Fuzzy Hash: 90815E36F08A8285E775CF21D8A4BE927A1FB44748F444236DA7D9BBD8CF38A655C340

Function 00007FFDFF1E3D00 Relevance: 8.9, APIs: 7, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2094d9726481f2266feefc6f73223e4268ebd1d24990f1577a276635490febd3
Instruction ID: 4e883ba50ff147fadd0c55edb60e9c5ac1ff8b210e3c19bd0b73c2f6236ba15e
Opcode Fuzzy Hash: 2094d9726481f2266feefc6f73223e4268ebd1d24990f1577a276635490febd3
Instruction Fuzzy Hash: 40715F26F0868285E7758B21C8A4BF927A1FB45B88F444236DA7D9BADCCF38A5558340

Function 00007FFDFF1E3D8E Relevance: 8.9, APIs: 7, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749
memcpy.MSVCRT ref: 00007FFDFF1E493E
HeapFree.KERNEL32 ref: 00007FFDFF1E494F
HeapFree.KERNEL32 ref: 00007FFDFF1E50CD

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 495242ae50444dac973720d3591e73a16405e634a3a9191f095da54efb851e3b
Instruction ID: 3999ca5d69e74759511b00186a10096e26bb8d3b9695cf5e180164cb1bb441c3
Opcode Fuzzy Hash: 495242ae50444dac973720d3591e73a16405e634a3a9191f095da54efb851e3b
Instruction Fuzzy Hash: 03614136F08A8285E774CB21C8647E927A1FB45B88F444236DA7D9BBDCDF38A555C340

Function 00007FFDFF1CE6C0 Relevance: 6.7, APIs: 3, Strings: 1, Instructions: 732COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFF1CE850
memcpy.MSVCRT ref: 00007FFDFF1CEA8A

Strings

[]::{closureshim# as mut const ; dyn + unsafe extern ", xrefs: 00007FFDFF1CF161

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpymemset
String ID: []::{closureshim# as mut const ; dyn + unsafe extern "
API String ID: 1297977491-2319383918
Opcode ID: 3058a19b97277a4887a3c3b335366e21a18f31c2296a733d91f9bbf3818d986d
Instruction ID: 08ab9294233f26354b0f96cbdfb3b3b5201ea0ddf56ea3bb33e2f796d39d7b48
Opcode Fuzzy Hash: 3058a19b97277a4887a3c3b335366e21a18f31c2296a733d91f9bbf3818d986d
Instruction Fuzzy Hash: 9B525853B1E7E141EB168B3950645B97F52EB92BA0B0AC365DEBA237C9DB3CC205C710

Function 00007FFDFF1DF800 Relevance: 6.7, APIs: 3, Strings: 1, Instructions: 698COMMON

Download Yara Rule

Strings

assertion failed: end >= start && end <= len, xrefs: 00007FFDFF1E2680

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: assertion failed: end >= start && end <= len
API String ID: 0-206846142
Opcode ID: 52bae061de8d486421e5cdd105c45893e92115456fa6b35b77be34391d5e5c99
Instruction ID: f5aab7c9f19af5fd3e91d1707da24579d31ec03f3b99d365ae8f9ca4758be8a5
Opcode Fuzzy Hash: 52bae061de8d486421e5cdd105c45893e92115456fa6b35b77be34391d5e5c99
Instruction Fuzzy Hash: B8626B73F08AC586E7648F25D864BED27A0F708B84F548236DA6D57B88CF78E695C340

Function 00007FFDFF1FDD00 Relevance: 6.7, APIs: 3, Strings: 1, Instructions: 655memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1FE6AB
HeapFree.KERNEL32 ref: 00007FFDFF1FE74C

Strings

cmd.exe /e:ON /v:OFF /d /c ", xrefs: 00007FFDFF1FDD87

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID: cmd.exe /e:ON /v:OFF /d /c "
API String ID: 3298025750-533445247
Opcode ID: 540c56050219d6ae0ed16984cde3de223801cc26468ce916b5c854f92d5a89b9
Instruction ID: 758ecc05084032f8238f1fd7304ea536589894bc52aececb9dfa9dfa781c3578
Opcode Fuzzy Hash: 540c56050219d6ae0ed16984cde3de223801cc26468ce916b5c854f92d5a89b9
Instruction Fuzzy Hash: 1242F363F185A684FB258B65D820ABE2B61BB94798F444735CE3E22BDDDF3CA541D300

Function 00007FF600EA4214 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF600EA4240
GetCurrentThreadId.KERNEL32 ref: 00007FF600EA424E
GetCurrentProcessId.KERNEL32 ref: 00007FF600EA425A
QueryPerformanceCounter.KERNEL32 ref: 00007FF600EA426A

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e85c398f83cda05d48f02c07b33ae7a056136c201d5e620368e1909d556533f3
Instruction ID: de5ed3ad842cc59879f76efc7eefc37dc4418c118e198a0a5992dedba8bc42f6
Opcode Fuzzy Hash: e85c398f83cda05d48f02c07b33ae7a056136c201d5e620368e1909d556533f3
Instruction Fuzzy Hash: 3C112A26B14F018AEB00CF60E8552B833A4FB59758F541E31EAAE867A4DF7CD5558380

Function 00007FFDFF208260 Relevance: 4.1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

Strings

GenuineI, xrefs: 00007FFDFF20866A
HygonGen, xrefs: 00007FFDFF208637
Authenti, xrefs: 00007FFDFF208618

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: 553b47b91acfb713ec3f34dba4622d48770d4086a30021621cc9d0c063c31db3
Instruction ID: 2a7846f3279d3e1aff9b2b8b8dd4256c61f3eda67e189caeb203e3e28b1cb844
Opcode Fuzzy Hash: 553b47b91acfb713ec3f34dba4622d48770d4086a30021621cc9d0c063c31db3
Instruction Fuzzy Hash: 4B9146A3B2595102FB5C8595AC36BFA4982B3987C8F08A13DEE6FD7BC5DC7CC9118200

Function 00007FFDFF208280 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

GenuineI, xrefs: 00007FFDFF20866A
HygonGen, xrefs: 00007FFDFF208637
Authenti, xrefs: 00007FFDFF208618

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: 3cf1cd8363fab52de2c43edf8c9fc48a8d980115ddd4384e0326ab3b8f27850b
Instruction ID: cf11e8b37b230b4d62cfcf067573b1398043e50b3519fd078777fa4efeefea0f
Opcode Fuzzy Hash: 3cf1cd8363fab52de2c43edf8c9fc48a8d980115ddd4384e0326ab3b8f27850b
Instruction Fuzzy Hash: 3B915AA3B2595106FB5C85A5AC36BFA0992B3587C8F08A13DEE6FD7BC4DC7CC9118200

Function 00007FFDFF1C6CF0 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 417COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFF1C6D1D

Strings

punycode{-0, xrefs: 00007FFDFF1C7298

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memset
String ID: punycode{-0
API String ID: 2221118986-3751456247
Opcode ID: c5ed4f09c13a652098ff349d5c13cca4fae09cf5ef5f41673a26ee16a7983347
Instruction ID: 8f8d234ec287ed036c2d5c9a4d39979af9d6c757c462f8a4e4ab7d896f2269fa
Opcode Fuzzy Hash: c5ed4f09c13a652098ff349d5c13cca4fae09cf5ef5f41673a26ee16a7983347
Instruction Fuzzy Hash: D2F1D163F1868586EB658B65D464BF82793BB49B98F008232DE3D07BC8DF7DE5458300

Function 00007FFDFF1D8B90 Relevance: 2.7, APIs: 2, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF1D8C1B
HeapFree.KERNEL32(?,?,FFFFFFFF,00000000,00000000,FFFFFFFF,00000000,FFFFFFFF,?,?,00007FFDFF1F5015), ref: 00007FFDFF1D8E4C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeapmemcpy
String ID:
API String ID: 673829100-0
Opcode ID: 948636d1f188f2fe7ce2279cb59ec3b41c1c3eb05543006880b7322ce74c44b5
Instruction ID: 7ffa2b511c70b4043eac5315cf50c2cc5e9f82854c13ccb85ee9fc6204cae02e
Opcode Fuzzy Hash: 948636d1f188f2fe7ce2279cb59ec3b41c1c3eb05543006880b7322ce74c44b5
Instruction Fuzzy Hash: 2361FF53F09B9189FB108A6584617FE2B61EB147A8F048A35DE3E4B7CACF3C9184D354

Function 00007FFDFF1DAA90 Relevance: 2.1, Strings: 1, Instructions: 810COMMON

Download Yara Rule

Strings

.debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo., xrefs: 00007FFDFF1DBAE9

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.
API String ID: 0-210007371
Opcode ID: 9846ced626f50b3349dd3ae563d72c799e51d8242283a9c8810a824c5f302a78
Instruction ID: 3d8032ac572e89fe3dc41a4349342064b53cb2fbd411b96a6b35972f1ec4f651
Opcode Fuzzy Hash: 9846ced626f50b3349dd3ae563d72c799e51d8242283a9c8810a824c5f302a78
Instruction Fuzzy Hash: EC62CF62F08AD585EB21CF259514BFD2760FB15B98F458331CE7A276DAEF38A185C300

Function 00007FFDFF1E9FD0 Relevance: 2.0, Strings: 1, Instructions: 799COMMON

Download Yara Rule

Strings

assertion failed: offset != 0 && offset <= len, xrefs: 00007FFDFF1EB596

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: assertion failed: offset != 0 && offset <= len
API String ID: 0-3868694986
Opcode ID: 897817f8e4e227d16181da55621cfbacf12c0909c2f848d25216e07fdd527998
Instruction ID: fa9974b5a06d0305a38f1ec9a6e139683f6740ff6b8778f85f174a0efa47ecb3
Opcode Fuzzy Hash: 897817f8e4e227d16181da55621cfbacf12c0909c2f848d25216e07fdd527998
Instruction Fuzzy Hash: BB825873A08BC589D770CF25D854BE937A4F718B98F548226DA6D4BB98DF38E691C300

Function 00007FF600E14810 Relevance: 1.9, APIs: 1, Instructions: 358COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF600E14C63

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: 52404d676935fd51f2e6cd92444088826ad68504fdd2481b9765e1fc6d428024
Instruction ID: 1d0d23a3a324490c67ccd7c6ea01da8893a5658d4b08fe1bc1c4c7b6017a1621
Opcode Fuzzy Hash: 52404d676935fd51f2e6cd92444088826ad68504fdd2481b9765e1fc6d428024
Instruction Fuzzy Hash: 12E125B3B14B8652EB188B28D4517F823A1EB44B90F644631DE6E977E8DF3CE592D340

Function 00007FFDFF1F2490 Relevance: 1.7, Strings: 1, Instructions: 478COMMON

Download Yara Rule

Strings

assertion failed: offset != 0 && offset <= len, xrefs: 00007FFDFF1F2B19

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: assertion failed: offset != 0 && offset <= len
API String ID: 0-3868694986
Opcode ID: 2582dd782aa42888d8c20b2b0d8c375f1318bbd7082a1813ee6e15c984e30bfe
Instruction ID: 739f0979ccafaef25b3d076b09c01fc4a47e6244444ea1cd69be8cd924fa8cc9
Opcode Fuzzy Hash: 2582dd782aa42888d8c20b2b0d8c375f1318bbd7082a1813ee6e15c984e30bfe
Instruction Fuzzy Hash: 7E02E362F08AD582FB258B55D5259F86321AB65BC8F449731CF7E137D9EFACA281C300

Function 00007FFDFF1CF530 Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FFDFF1CF5F1

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 0-2333694755
Opcode ID: 9873a4fe1d6996a01699aea28591c59a8a23eb888f81d31cb769a44d9d398626
Instruction ID: 8be81f91242c4f39ded51d49ddf6ec3c2b212af2d9dbed6ce6894dbcac61c2b1
Opcode Fuzzy Hash: 9873a4fe1d6996a01699aea28591c59a8a23eb888f81d31cb769a44d9d398626
Instruction Fuzzy Hash: FBF10663E18F8552E7124B3890116BAB758BFEB784F41D327EEF532A84EF68D551C200

Function 00007FFDFF1BCAA0 Relevance: 1.6, APIs: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FFDFF1BCB12

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: bfca64ee5dd66cb40102bfd37af9eecec96e75ccafb59875afc1c03c10ce4ad7
Instruction ID: 943f7817e94f21d8e9e85394fb4d258a1a10158915727af940eb15ca86f81f13
Opcode Fuzzy Hash: bfca64ee5dd66cb40102bfd37af9eecec96e75ccafb59875afc1c03c10ce4ad7
Instruction Fuzzy Hash: 4CC1EF23F286A5C2FB55CA259824EBA6B55B715B90F808731DE3E47BC8DF3CE6519300

Function 00007FFDFF1BDD40 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs, xrefs: 00007FFDFF1BDD66, 00007FFDFF1BDFA1

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs
API String ID: 0-4235933832
Opcode ID: dafc0b0b2fa81a23a36a368731a6854d0ed45247f493ba2807bdc1613f2a39f3
Instruction ID: b1dcf429d55c276a594fc8670a7ea1f847d5406610d45dc6f35da23e9f7a4e24
Opcode Fuzzy Hash: dafc0b0b2fa81a23a36a368731a6854d0ed45247f493ba2807bdc1613f2a39f3
Instruction Fuzzy Hash: 1FD12573B1C69182EB288B19E010BA97B61EB95B94F905336DBBE53BD8DB3CD541C700

Function 00007FFDFF1D4EF0 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs, xrefs: 00007FFDFF1D4F39, 00007FFDFF1D5045, 00007FFDFF1D50E0

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs
API String ID: 0-4235933832
Opcode ID: 7b120234c183ec421d9c761d4ad554baac27753d8922162ea11eab789e31fe8f
Instruction ID: de2adfde9b55a8804f3adc9ce049a181a31c1b57fbad34dc75d28585704c4aa4
Opcode Fuzzy Hash: 7b120234c183ec421d9c761d4ad554baac27753d8922162ea11eab789e31fe8f
Instruction Fuzzy Hash: BEA12763F1879186E7208B28D010BBC2B70EB65BA4F805332DBBE57BD9DB2D9605C350

Function 00007FFDFF1C5C90 Relevance: 1.5, APIs: 1, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855c6a3017c68afa2fb5e017c893873fa85ac130e394efc422fbe9ffc4808bcd
Instruction ID: 3dc0bec38355340890ca19193b91719c759d3c8b17f0003a03240e0333900b23
Opcode Fuzzy Hash: 855c6a3017c68afa2fb5e017c893873fa85ac130e394efc422fbe9ffc4808bcd
Instruction Fuzzy Hash: BB81B463F18A9585FB598B60C424AF967A2BB04F94F954732DE7D03BC8CF78E586C201

Function 00007FFDFF1F4900 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FFDFF1F4ACF

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 2ae8c82d58e40611926e99e3b991d634f9eb78cd0a42da415c386cfafe3228bc
Instruction ID: 1fe8b7c32e8bff590818aea63f01a9e941e1dcd1325bab69aa8a83dbb471f83a
Opcode Fuzzy Hash: 2ae8c82d58e40611926e99e3b991d634f9eb78cd0a42da415c386cfafe3228bc
Instruction Fuzzy Hash: E3613493F186D149F3188A68C9B06BD2BE1A759354F048A39DABB177DECB3CD116C310

Function 00007FFDFF1BBD90 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FFDFF1BBE10, 00007FFDFF1BBF27

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 41fe9f70e1f881c9ff2dcb0a197f8a38f7cab797b2b7be2c4445955718cc02c6
Instruction ID: 0f515ff1cd75a34ac2167f75ef9af8c0d68c26c5194f88877e9ee226f254813c
Opcode Fuzzy Hash: 41fe9f70e1f881c9ff2dcb0a197f8a38f7cab797b2b7be2c4445955718cc02c6
Instruction Fuzzy Hash: AA512A13F29AE0DAE321C739841066C3F629B96748F48C1A5CBA84BFDECA6D9105D711

Function 00007FF600D5EF00 Relevance: 1.3, Instructions: 1269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1e13c95d6cd2d8f2921b9e83b013f5092bfbbb21e7cc2c2ef6f15e67356004
Instruction ID: 14f3182065c49de2a93186512f1b3b3912b0ef7478e5bc00e90811baaf8fecc3
Opcode Fuzzy Hash: cb1e13c95d6cd2d8f2921b9e83b013f5092bfbbb21e7cc2c2ef6f15e67356004
Instruction Fuzzy Hash: 33A2A4776286448F9358DF25A44405BBBA2F798248F869519FB83D3688EB7CEE01CF44

Function 00007FF600D520C0 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b6302aede2dd13ff882eb9c1be377701c721944b08f923b62188f15a2c4496
Instruction ID: 65cbcd93d882846703bb96a715466eae9591aa425655463deb6b314685dd9ea1
Opcode Fuzzy Hash: 44b6302aede2dd13ff882eb9c1be377701c721944b08f923b62188f15a2c4496
Instruction Fuzzy Hash: 2D324C770B46004BD31FCE2ED99158AB292F784AA2709F238FE57C7B54E67CEE158604

Function 00007FF600D57480 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61459ae49209b8aa77289af15049f597d175e6278f781adac225be77cbf64d55
Instruction ID: 0c52bceb1823adec7cd0d91558d994e46f2c70fe98c5e9a1fc769fadec35aeb6
Opcode Fuzzy Hash: 61459ae49209b8aa77289af15049f597d175e6278f781adac225be77cbf64d55
Instruction Fuzzy Hash: 713269B6F90A65A6DB048F16E94138D7B64F319BC9F998526DF8C83B54EB38E471C300

Function 00007FF600D540D0 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621dddc85820b6b9669c90c1ac098aea83f3a6e1c9f60fd3a8c13654824637f4
Instruction ID: 9c8db6dfbaab611f7fb7ef8f296d3a6f92b08b2798452e37c3364e5d0807847b
Opcode Fuzzy Hash: 621dddc85820b6b9669c90c1ac098aea83f3a6e1c9f60fd3a8c13654824637f4
Instruction Fuzzy Hash: F422A316D08FA962E6234739D5031B66710EFB7B88F10E707FED8B1592EF75A9C99200

Function 00007FF600D53860 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d8db660dafa7654a1594341d234b86c4b903bc484b0369b76a9fc2ccc5b30d
Instruction ID: 58ec9bc2b3b333e283f34ffd1ee01bf8e9ac60bde8c14845539be5bc599ef1b5
Opcode Fuzzy Hash: c0d8db660dafa7654a1594341d234b86c4b903bc484b0369b76a9fc2ccc5b30d
Instruction Fuzzy Hash: C722C822D0CFCA61E6234B39D0065B56720BFB7294B10D32BFFC971572EB66B681A711

Function 00007FF600D5CC80 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc7f1e8d38be1dce1e658158e93024426cecbeb35098d748da9d2820df1e0ca
Instruction ID: 31291abb577d8ccb11533cefdda8203a4c07d61eadd989bbdbe71ba33ee7c58b
Opcode Fuzzy Hash: bdc7f1e8d38be1dce1e658158e93024426cecbeb35098d748da9d2820df1e0ca
Instruction Fuzzy Hash: 3ED18D9BC28FD945F313633D54436A2E610AFFB5D9A20E303FDF475A52EB50B2956220

Function 00007FFDFF1C4D62 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7380352a85895adf8fab7e696124b6531631a79e70cbfd8537b4f909af3c6f
Instruction ID: e641ec7f39a950a3964d010eed4fa11eaf95dda1523f5c4e622228497aedd7a7
Opcode Fuzzy Hash: 2f7380352a85895adf8fab7e696124b6531631a79e70cbfd8537b4f909af3c6f
Instruction Fuzzy Hash: 76E18966E29FC556F323573860032B5E718AFFB2C9E40E31AFDD4B0D23EB6482529644

Function 00007FF600E1FDE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b03ffa947e19b5bdbebc1974038c104e1affe12c7df01e0c7fa0e18cd5219a8
Instruction ID: ae64361679b4363e6030730e2a9256823591e60839c87218c34554e5f3e4ff46
Opcode Fuzzy Hash: 4b03ffa947e19b5bdbebc1974038c104e1affe12c7df01e0c7fa0e18cd5219a8
Instruction Fuzzy Hash: 32B12652F04E854AE7578B39A805365A246EBE87D4F24C733DD8FA2BA5DF3CD8578100

Function 00007FF600D53260 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf0e0dfe6573bd52038698bb5992c6f245c2f2e0251e08476892236e289c43a
Instruction ID: 5ca2f3bdc914dc6ce4e7f913c579d51994c06c4bafa4644b5460f25bbf793962
Opcode Fuzzy Hash: daf0e0dfe6573bd52038698bb5992c6f245c2f2e0251e08476892236e289c43a
Instruction Fuzzy Hash: 31F15D16D1CFC593E6254B3996003BA6720FFB9348F11E715EFD922A66DF28F2E49210

Function 00007FFDFF1D9AF0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1dc13081ad5558e55ea4c603ee039ea872212a762f14636ae902722c0eedc8
Instruction ID: 9b9ea38b46c44b1c8380ad96c52f7329cb3bd00c88358c297e72c58fbdd0bb81
Opcode Fuzzy Hash: ea1dc13081ad5558e55ea4c603ee039ea872212a762f14636ae902722c0eedc8
Instruction Fuzzy Hash: A9B1FF23F0979645FB648F659660AFD6BB2AB41788F844232DA7D066DDDF2CA186C300

Function 00007FFDFF1B9A10 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51e10f5c83b60a1e670c582175ac48264940eadba18cf56fed112fa514e8ec7
Instruction ID: 220027fe1aacf12e8d6dcbb4847947433f94088a162a0bd04752d108dbd95d9c
Opcode Fuzzy Hash: a51e10f5c83b60a1e670c582175ac48264940eadba18cf56fed112fa514e8ec7
Instruction Fuzzy Hash: 58918B93F29BA642E72347396901FB597005F937E4E84D322FE7D31BE8D729A6438200

Function 00007FFDFF1ECEE0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55bedb8bff48838494dfd3dcb2e8a61b4416bba5e6cf71af93d87c01b1bc494
Instruction ID: e3c22edc7439e4d9ae2e73188a706e3c529552e3637b070e2a111c080dffa9ad
Opcode Fuzzy Hash: a55bedb8bff48838494dfd3dcb2e8a61b4416bba5e6cf71af93d87c01b1bc494
Instruction Fuzzy Hash: 28A10463F1879681F7208B249910BADBFA0F701B89F255222CE79277C4EBB5E952D340

Function 00007FFDFF1D1480 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945e785c8056ed0a905e30907c44b417fc330ac3cfabb06acc6c313a67cced6d
Instruction ID: cfb10edf787bfb14bdc32624c474d21e12f9c1edf2af3df32905339e55246978
Opcode Fuzzy Hash: 945e785c8056ed0a905e30907c44b417fc330ac3cfabb06acc6c313a67cced6d
Instruction Fuzzy Hash: 008102B3F006A187D6149F06B840A99AB64F795BE4F485325EFB917FE9DB38E5018B00

Function 00007FF600D5BFE0 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943d49a28179acb6b17e54598dc5f3c7297a0172a48014cdfa5047513f315c58
Instruction ID: 42858ce704e87d82e7337dbb5c1b4504bf1351e8323591d66745dc42e29d66d4
Opcode Fuzzy Hash: 943d49a28179acb6b17e54598dc5f3c7297a0172a48014cdfa5047513f315c58
Instruction Fuzzy Hash: A86107E6F50F9883DB548B9EA402B886760F719FC5F55511AEE2C67301EA3DE9A3C340

Function 00007FF600E4A32E Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf33cdc69c3299d472383f200f441af98b7fe15a7d2d0e9731f929016fc6b732
Instruction ID: aa39d43f46a004ae0d0f52f5945e408190e2ece373673d1c148930ec10ed9bd4
Opcode Fuzzy Hash: bf33cdc69c3299d472383f200f441af98b7fe15a7d2d0e9731f929016fc6b732
Instruction Fuzzy Hash: DD514862BA816272F6258D1185182BD5E51B714BE0F689435CD6FB37D8CEBCFC439306

Function 00007FF600D5C2A0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6523ba8e4505282c919c1d35e15f27044c6a44fab965eb172d8ea98f7d2704
Instruction ID: da7cff74ec7fdd3f23c44029e7e5cb4f6e3f0f44d058c844f84f206ffc1f1dbc
Opcode Fuzzy Hash: 0d6523ba8e4505282c919c1d35e15f27044c6a44fab965eb172d8ea98f7d2704
Instruction Fuzzy Hash: BA51BAF3B62B9485D7918FA9E444BC837A8F329F95F215115EB4C6B351DB328A62C301

Function 00007FF600D54DC0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6adafdb106660c0d321112be448ade1fbd3db098cd3a8aeba4c6045d9caf54
Instruction ID: ce0946072f44b6fcabb2d6275f7f165c60306e00a52ddb3bf64de7b37030062e
Opcode Fuzzy Hash: fa6adafdb106660c0d321112be448ade1fbd3db098cd3a8aeba4c6045d9caf54
Instruction Fuzzy Hash: 2E51C269C1DF5552F713273A5803265D600EFE3368F60D722EDF936BE8EB19B684A210

Function 00007FFDFF1D0010 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4330e56959ee462ed1205fda9ac7683176cd5f26063ffa8ef68a2c8a5f0f074
Instruction ID: bbcdfeaba6f303869daa57e48cb6fd07a7524944c91fc44f1a9e12cee9065b37
Opcode Fuzzy Hash: b4330e56959ee462ed1205fda9ac7683176cd5f26063ffa8ef68a2c8a5f0f074
Instruction Fuzzy Hash: 4841CF63F4476582FB54CB51A674E7D6765E790BD0F01A222CD2A23BC8CE29D996C380

Function 00007FF600D5C940 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4a65e5fc425792a793ac68988cba2243953124910f05dff7bce0a5145c7a1f
Instruction ID: 0170317dbb6d31d77014a7bc07e0f4fbd25c586ce79d6100a1036fe20b7352e5
Opcode Fuzzy Hash: fd4a65e5fc425792a793ac68988cba2243953124910f05dff7bce0a5145c7a1f
Instruction Fuzzy Hash: C641E5DAC29FB945E723A33A6D43286D9009EF7589550E307FCB439E65F701B4D13224

Function 00007FF600D5DE90 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f591b5af9a1ef7e941aac8fc2b0d6d4d4530c66ee7874c897e3acd264b08f5f5
Instruction ID: f2a19fb3f685d9e3f09aca433a685dfc8dc3ea505ca07501c78200f6c5e3079f
Opcode Fuzzy Hash: f591b5af9a1ef7e941aac8fc2b0d6d4d4530c66ee7874c897e3acd264b08f5f5
Instruction Fuzzy Hash: 9A4162A9D19F9A12FB136739680332392009FF3658E51D71BFDF439ED9D706B1006214

Function 00007FF600D553E0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68618b32ec539653f6afb2048c4418c23db15ed9a1a153799c11dc67db87b1ac
Instruction ID: 617d66eb562c02f008d5b6cea3c29dbaf07604a0f231146326ad6ef7ccede570
Opcode Fuzzy Hash: 68618b32ec539653f6afb2048c4418c23db15ed9a1a153799c11dc67db87b1ac
Instruction Fuzzy Hash: F441252AE2CFD761F30383392407632E2045FF7185A91EB2FFCE4B1962EB6553416218

Function 00007FF600D5DC68 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaa971847919f2726b5e6a0ac4f02ce63b2c962ad82b6cb0fc390d8f1c18703
Instruction ID: 915cabef30cfc65095b3990ed185d41fb34cf74b0cb12af9a95adfbf869fee5b
Opcode Fuzzy Hash: ccaa971847919f2726b5e6a0ac4f02ce63b2c962ad82b6cb0fc390d8f1c18703
Instruction Fuzzy Hash: 10412FA9D1EFA912EB13673A680332796109FF3648E42D71BFDB439EA9D706B5006214

Function 00007FFDFF1CFEA0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9993b2b2d933a5bfc7a2219cf6c256d202eb4f3db8034e8362e2e7bca22a43
Instruction ID: d30f3891446c094dc1ff7a90cedb1092b0d84fcd9b05a14e95529962a32dd353
Opcode Fuzzy Hash: eb9993b2b2d933a5bfc7a2219cf6c256d202eb4f3db8034e8362e2e7bca22a43
Instruction Fuzzy Hash: 0B31B5E6F08B8042FE40E7A8747737B9321A7853C0F40E236DE999A64ADF2ED1428644

Function 00007FF600D55670 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17be1081393184b343b8fa1a71279b3cb8314d435527c2839a7d2183fc68784
Instruction ID: 7e0572205aef93a9364a57010d27be6479321c09c95d5b000d5ab5739b48ec6c
Opcode Fuzzy Hash: e17be1081393184b343b8fa1a71279b3cb8314d435527c2839a7d2183fc68784
Instruction Fuzzy Hash: 9231282AC2DFD7A1F713873E6407525D614AFF3285A90E71FF9A835822FB519741A304

Function 00007FF600D55810 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f59619f2fc84a76977a484b6fbf48e2977ca4adec30f5e107804e2571b71ec7
Instruction ID: 2849c916de16e4722bdc47ac1a5828c5119798167068cfc2706935aa28c6ca30
Opcode Fuzzy Hash: 4f59619f2fc84a76977a484b6fbf48e2977ca4adec30f5e107804e2571b71ec7
Instruction Fuzzy Hash: 19316D19C1DF43A1F6036738A0222B99300AF91366FA0D332FD9DB66DEEF0C3541A961

Function 00007FF600D55280 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d721332e5020621eb378f129f93154b2c7573ae697d87e421f431961e9557234
Instruction ID: 8a70c4059bb8f577f2b7a35cb47b8b7280c8210beed025a9f2b3790727afe8ef
Opcode Fuzzy Hash: d721332e5020621eb378f129f93154b2c7573ae697d87e421f431961e9557234
Instruction Fuzzy Hash: 7121552AC2DFD761F713833E2507516C600AFF3285AA0E72FFDA834D62EB1157806218

Function 00007FF600D5CBB2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67873bb694e39b0da57e3b684ed25785b9ac1d435853c2fd3d9a8a96bf8bc1a6
Instruction ID: f39935334cf07e1555a60577868f0a27429845e72acee24f7d9026c04abcd13b
Opcode Fuzzy Hash: 67873bb694e39b0da57e3b684ed25785b9ac1d435853c2fd3d9a8a96bf8bc1a6
Instruction Fuzzy Hash: 3B0146EAC25FBA42E723A3396943282D910AEF3588120E307FDF834E15F301B5E07220

Function 00007FFDFF1F3A60 Relevance: 21.5, APIs: 10, Strings: 2, Instructions: 492memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1F2F10: HeapFree.KERNEL32(?,?,?,?,-8000000000000000,?,?,?,?,?,00007FFDFF1FD7C7), ref: 00007FFDFF1F3038

SetLastError.KERNEL32 ref: 00007FFDFF1F3B8A
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFF1F3B9C
GetLastError.KERNEL32 ref: 00007FFDFF1F3BA8
GetLastError.KERNEL32 ref: 00007FFDFF1F3BC1
HeapFree.KERNEL32 ref: 00007FFDFF1F3C52
HeapFree.KERNEL32 ref: 00007FFDFF1F3CEB

Strings

at :, xrefs: 00007FFDFF1F3E0C
<unknown>, xrefs: 00007FFDFF1F4080

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorFreeHeapLast$EnvironmentVariable
String ID: at :$<unknown>
API String ID: 3632352037-3657909574
Opcode ID: 04428a9d78c532e1f0cf110db2d458ed5a58efb03c349683df5bc48a5f3d9d9c
Instruction ID: ef522784541848859e8e0d546a0ee729225381c55b3fce6a6bbaec9df2f6cdf6
Opcode Fuzzy Hash: 04428a9d78c532e1f0cf110db2d458ed5a58efb03c349683df5bc48a5f3d9d9c
Instruction Fuzzy Hash: 0F423872A04B8189E721CF64E8647EC37A0FB4478CF544225DEAC9BB99DF79D689C340

Function 00007FFDFF20B920 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 143COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FFDFF20B9F5
abort.MSVCRT(?,?,00000058,00000000,00000000,00007FFDFF1D3E0B), ref: 00007FFDFF20B9FB
RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BB11

Strings

CCG!, xrefs: 00007FFDFF20B949
CCG", xrefs: 00007FFDFF20B982
CCG , xrefs: 00007FFDFF20BB76
CCG!, xrefs: 00007FFDFF20B9E8
CCG , xrefs: 00007FFDFF20B98E

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3297834124
Opcode ID: 5bc34f7d40157eba8501d59ce3945ad9d64287e2136d5953a0acd2ec2cd73646
Instruction ID: a0f521e5d8548aebb2f75295e680b3d8aaa9a0ed5030224cca77a8bcc0dded2b
Opcode Fuzzy Hash: 5bc34f7d40157eba8501d59ce3945ad9d64287e2136d5953a0acd2ec2cd73646
Instruction Fuzzy Hash: E651B123A18B8182E7608B15E454BAD7360F799B88F149336EE9E937A8DF3CD5C1C700

Function 00007FF600EC76B4 Relevance: 18.1, APIs: 12, Instructions: 112COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF600EC76C3
FlsGetValue.KERNEL32 ref: 00007FF600EC76D8
FlsSetValue.KERNEL32 ref: 00007FF600EC76F9
FlsSetValue.KERNEL32 ref: 00007FF600EC7726
FlsSetValue.KERNEL32 ref: 00007FF600EC7737
FlsSetValue.KERNEL32 ref: 00007FF600EC7748
SetLastError.KERNEL32 ref: 00007FF600EC7763
FlsGetValue.KERNEL32 ref: 00007FF600EC7799
FlsSetValue.KERNEL32 ref: 00007FF600EC77B8
FlsSetValue.KERNEL32 ref: 00007FF600EC77E0
FlsSetValue.KERNEL32 ref: 00007FF600EC77F1
FlsSetValue.KERNEL32 ref: 00007FF600EC7802

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 679ebdd6012efd4f2184cab96f22550e9729fe9a57b12a49abf0e9019d89b45b
Instruction ID: 910435965ec584f49e3cb3f4ab14641375e20b6b26a69ebb16e24f66b35b9d3d
Opcode Fuzzy Hash: 679ebdd6012efd4f2184cab96f22550e9729fe9a57b12a49abf0e9019d89b45b
Instruction Fuzzy Hash: 0341B020F0C24766FA58A3319A5297D25425F447B0F741B35EDBEE67DEDE2EB4038600

Function 00007FFDFF200910 Relevance: 16.7, APIs: 11, Instructions: 164fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDFF20094D
ReadFileEx.KERNEL32 ref: 00007FFDFF2009A8
SleepEx.KERNEL32 ref: 00007FFDFF2009CA
WriteFileEx.KERNEL32 ref: 00007FFDFF200A6C
SleepEx.KERNEL32 ref: 00007FFDFF200A8A
GetLastError.KERNEL32 ref: 00007FFDFF200B46
CloseHandle.KERNEL32 ref: 00007FFDFF200D2B
CloseHandle.KERNEL32 ref: 00007FFDFF200D33

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseFileHandleSleep$ErrorLastReadWritememset
String ID:
API String ID: 78123985-0
Opcode ID: d058cd0a179d3d6460f1a9839e8550a17ca57885168eb3e9a344e1bb7442838e
Instruction ID: 0640073abb9024965d30e722e91ce4fd53b0ac10646957428622638a63b8f10e
Opcode Fuzzy Hash: d058cd0a179d3d6460f1a9839e8550a17ca57885168eb3e9a344e1bb7442838e
Instruction Fuzzy Hash: 05615B23B096C285E731DB259861BF927A0EF44799F084235EE7DCBBDDCE7892859240

Function 00007FF600EC876C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF600EC88E8
GetProcAddress.KERNEL32 ref: 00007FF600EC88F4

Strings

MZx, xrefs: 00007FF600EC878B, 00007FF600EC8871, 00007FF600EC88D1
api-ms-, xrefs: 00007FF600EC8832
ext-ms-, xrefs: 00007FF600EC8845

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: 9012bdd7212366aca56ebc41b45c61d2762b06a06ef125b279c2271da8952638
Instruction ID: 9a3547dbea3d1765f4d3bcf60b9223f82d89c8deab8e13413f56391ef1964ce5
Opcode Fuzzy Hash: 9012bdd7212366aca56ebc41b45c61d2762b06a06ef125b279c2271da8952638
Instruction Fuzzy Hash: 57413522B09A0261FB19DB169A04A752B90BF44BE0FE84935DD1DE7B88EF3DE442C310

Function 00007FFDFF1FCC50 Relevance: 14.0, APIs: 8, Strings: 1, Instructions: 470COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF1FCD1C
memcpy.MSVCRT ref: 00007FFDFF1FD1EB
memcpy.MSVCRT ref: 00007FFDFF1FD25F
memcpy.MSVCRT ref: 00007FFDFF1FD290

Part of subcall function 00007FFDFF201A80: memcpy.MSVCRT ref: 00007FFDFF201B57
Part of subcall function 00007FFDFF201A80: memcpy.MSVCRT ref: 00007FFDFF201BB2
Part of subcall function 00007FFDFF201A80: memcpy.MSVCRT ref: 00007FFDFF201BDE
Part of subcall function 00007FFDFF201A80: memcpy.MSVCRT ref: 00007FFDFF201C0E
Part of subcall function 00007FFDFF201A80: memcpy.MSVCRT ref: 00007FFDFF201C38

Strings

assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FFDFF1FD5AB

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}
API String ID: 3510742995-2944714439
Opcode ID: 89f531cca56aa7116139f907f0da929c2f2cd043399ca1d2ec962858fae046c4
Instruction ID: c36ca5263cf8036e0413559aa63ac0c411c3e492645be335acb36e8cf01360f3
Opcode Fuzzy Hash: 89f531cca56aa7116139f907f0da929c2f2cd043399ca1d2ec962858fae046c4
Instruction Fuzzy Hash: 31329C32A04BC585E721CF24E8507E933A8FB58788F548326DEAD5BB99EF759295C300

Function 00007FFDFF1B5B9C Relevance: 13.8, APIs: 11, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1D1930: HeapFree.KERNEL32 ref: 00007FFDFF1D194B

HeapFree.KERNEL32 ref: 00007FFDFF1B5BD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5BEE
HeapFree.KERNEL32 ref: 00007FFDFF1B5C14
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 8561a6216a9ae4a2ec0d22806185ea6deb2f7180165c8590b54d4cece6da2468
Instruction ID: 0a0cae084323baf62e32b97706ee232cd1e65f633a65d5a77b8f58dc9405aa7d
Opcode Fuzzy Hash: 8561a6216a9ae4a2ec0d22806185ea6deb2f7180165c8590b54d4cece6da2468
Instruction Fuzzy Hash: CE41CA22E0C58281E775E716D464BFA9391EF84B84F884236E67DC66EEDF3CE4858740

Function 00007FFDFF1B5ACE Relevance: 13.8, APIs: 11, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5BD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5BEE
HeapFree.KERNEL32 ref: 00007FFDFF1B5C14
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 3c87eadd060c749213746bdf93b8bd6a02bbe638b6040960788d01f8d44c691e
Instruction ID: 00bcc727a0907e7ece687e2d3bbb9f21b4e41c4efa5ce5cebcd995f2c8dba0d9
Opcode Fuzzy Hash: 3c87eadd060c749213746bdf93b8bd6a02bbe638b6040960788d01f8d44c691e
Instruction Fuzzy Hash: 4341CA22E0C98281E774E716D464BFA5391EF84B84F884236E67DC66EEDF3DE4858700

Function 00007FFDFF1B5B1B Relevance: 13.8, APIs: 11, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5BD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5BEE
HeapFree.KERNEL32 ref: 00007FFDFF1B5C14
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 57e27cc4d0819dc5799461deb8f50d1f69b201bc8b2409ed42f05f1be8cba751
Instruction ID: acb8f048fa6429d51d61f567c6721e00b42baf704f1a9332b021aade9f3f8c99
Opcode Fuzzy Hash: 57e27cc4d0819dc5799461deb8f50d1f69b201bc8b2409ed42f05f1be8cba751
Instruction Fuzzy Hash: 1641BC22E0C58281E774E716D465BFA5391EF84784F884236D67DC66EEDF3CE4858740

Function 00007FFDFF1B5B23 Relevance: 12.6, APIs: 10, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5BEE
HeapFree.KERNEL32 ref: 00007FFDFF1B5C14
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 261a229b8e1394eda717e18d3c2c803599d58609ec2cc152b0a46f7ad4648e9c
Instruction ID: 154f66197a925fd93cf7d441e1ae60780541d75cf225f9f704c5a20e2628af91
Opcode Fuzzy Hash: 261a229b8e1394eda717e18d3c2c803599d58609ec2cc152b0a46f7ad4648e9c
Instruction Fuzzy Hash: 4441EC22F0C58281E724E716D464BFA5391EF84B84F884236E67EC66EEDF3DE4858700

Function 00007FFDFF201A80 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 219memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF201B57
memcpy.MSVCRT ref: 00007FFDFF201BB2
memcpy.MSVCRT ref: 00007FFDFF201BDE
memcpy.MSVCRT ref: 00007FFDFF201C0E
memcpy.MSVCRT ref: 00007FFDFF201C38
memcpy.MSVCRT ref: 00007FFDFF201D4A
HeapFree.KERNEL32 ref: 00007FFDFF201E1D

Strings

assertion failed: new_left_len <= CAPACITY, xrefs: 00007FFDFF201E41

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID: assertion failed: new_left_len <= CAPACITY
API String ID: 4250714341-3316943531
Opcode ID: 0815340ef1731f07483ec4c874e919c53205e22530a9fb0d17b850f78d7d7749
Instruction ID: 52187084fc6478bf8ae9eefdb500ddfc5d2e30843fa02f5ba0a4f9108b9bb355
Opcode Fuzzy Hash: 0815340ef1731f07483ec4c874e919c53205e22530a9fb0d17b850f78d7d7749
Instruction Fuzzy Hash: AFB17022A14B8492DB158F18E4507EA77B8FB58B88F499332DF5D937A5DF38E265C300

Function 00007FFDFF2016F0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF201774
memcpy.MSVCRT ref: 00007FFDFF201791
memcpy.MSVCRT ref: 00007FFDFF2017C9
memcpy.MSVCRT ref: 00007FFDFF2017E6
memcpy.MSVCRT ref: 00007FFDFF201919
memcpy.MSVCRT ref: 00007FFDFF201937

Strings

assertion failed: old_left_len >= count, xrefs: 00007FFDFF201A4A
assertion failed: old_right_len + count <= CAPACITY, xrefs: 00007FFDFF201A32

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: old_left_len >= count$assertion failed: old_right_len + count <= CAPACITY
API String ID: 3510742995-1889375005
Opcode ID: 5f28f55d4d53a3fb4c4159c48140d0e5593e219bc1ba93657ad7eb557a64445d
Instruction ID: 8842cae4ac226b42eafee060bb5072c1cfccbfb1fd2b1709e520d6942225970f
Opcode Fuzzy Hash: 5f28f55d4d53a3fb4c4159c48140d0e5593e219bc1ba93657ad7eb557a64445d
Instruction Fuzzy Hash: 75A11663E04B8582EB419F18E8117F96368FF54788F489322DF6D536A5EF39E286C300

Function 00007FFDFF1BF410 Relevance: 11.6, APIs: 9, Instructions: 316memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF1BF511
memcpy.MSVCRT ref: 00007FFDFF1BF524
HeapFree.KERNEL32 ref: 00007FFDFF1BF612
HeapFree.KERNEL32 ref: 00007FFDFF1BF623
memcpy.MSVCRT ref: 00007FFDFF1BF754
memcpy.MSVCRT ref: 00007FFDFF1BF767
memcpy.MSVCRT ref: 00007FFDFF1BF7E3
HeapFree.KERNEL32 ref: 00007FFDFF1BF939
HeapFree.KERNEL32 ref: 00007FFDFF1BF94A

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: f595f81670e5eafe5a398fea8c5e546e874d365134dae0907874cb4d3c3da873
Instruction ID: 7412ca9cadc72833afb07bb9431e7f900ce370a47974830df5805b5a56111784
Opcode Fuzzy Hash: f595f81670e5eafe5a398fea8c5e546e874d365134dae0907874cb4d3c3da873
Instruction Fuzzy Hash: 41F1B162A08BC495E7019F29E8117E963B4FF58B88F449235DF6C537A9EF38E295C300

Function 00007FFDFF1B5ADE Relevance: 11.3, APIs: 9, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5AF4
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 10b1a13ee8a33fcd3c8a22acce54fb6c156ea7d84399997b180ef384dd64cf6f
Instruction ID: 42eb55a6e6bfff4f145278d59accc1b517bedd116ae8db263ebd9c8e66076b97
Opcode Fuzzy Hash: 10b1a13ee8a33fcd3c8a22acce54fb6c156ea7d84399997b180ef384dd64cf6f
Instruction Fuzzy Hash: A731DB12F0C98281E724E716D475BBA5351EF84784F884236E67EC66EEDF3CE4458700

Function 00007FFDFF1B5B2E Relevance: 11.3, APIs: 9, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5C14
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 8dbbc4ac059df1bec0b843cea38818466f16e1ede087bad11e8082fa2c75cef3
Instruction ID: 56e7d52adbcfcabe932295e4e8bab6a93eb9e10dcc7d4bb820f707c48c1574bf
Opcode Fuzzy Hash: 8dbbc4ac059df1bec0b843cea38818466f16e1ede087bad11e8082fa2c75cef3
Instruction Fuzzy Hash: 8C31BB22F0C98281E764E716D465BFA5391EF84B84F884236E67EC66EEDF3CE4458700

Function 00007FFDFF1F4EB0 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFF1F4F99
GetModuleFileNameW.KERNEL32 ref: 00007FFDFF1F4FA6
GetLastError.KERNEL32 ref: 00007FFDFF1F4FB2
GetLastError.KERNEL32 ref: 00007FFDFF1F4FCB
HeapFree.KERNEL32 ref: 00007FFDFF1F504B
GetLastError.KERNEL32 ref: 00007FFDFF1F5065
HeapFree.KERNEL32 ref: 00007FFDFF1F50E6

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorLast$FreeHeap$FileModuleName
String ID:
API String ID: 526635459-0
Opcode ID: a0651dde3e88f96297784a8a7650e1338b07eb8bfa1f450acd1c6636bd51b719
Instruction ID: 2eb8ea3fead2b05dc4b83834d0f485f73b58e2308fafdc56cc06bcaf44321246
Opcode Fuzzy Hash: a0651dde3e88f96297784a8a7650e1338b07eb8bfa1f450acd1c6636bd51b719
Instruction Fuzzy Hash: FD518C23F087C189E7359A25E864BE92354BB05BA8F444235ED3D9B7DDDF7DA2818300

Function 00007FFDFF1DA530 Relevance: 10.6, APIs: 7, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3642c33017c4efd684ab942de05cbcc5d9702edbdc9b8b41c86c71921b5fd9
Instruction ID: e36dddbcbe6316d5651a4d6cd5df245808dfcc2ffe86c3470ebc5955ace74c3b
Opcode Fuzzy Hash: ee3642c33017c4efd684ab942de05cbcc5d9702edbdc9b8b41c86c71921b5fd9
Instruction Fuzzy Hash: 26516A23E08B8189E721DF65E465BAD27B0EB44798F148235EEAD46BCADF3C91858340

Function 00007FFDFF20BB90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FFDFF20BC22
RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BC5F
abort.MSVCRT ref: 00007FFDFF20BC65
RaiseException.KERNEL32 ref: 00007FFDFF20BCA2
abort.MSVCRT ref: 00007FFDFF20BCB7

Strings

CCG , xrefs: 00007FFDFF20BC9D

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: abort$CaptureContextExceptionRaiseUnwind
String ID: CCG
API String ID: 4122134289-1584390748
Opcode ID: 08dfc625460027e4dc3f1e91b091f1f0002f64ee4f4f23cf7402fbec38152bbb
Instruction ID: 7325011e4a8bdb14261db52d0ae148c75d7705bce61b4d99f29e312f275098b8
Opcode Fuzzy Hash: 08dfc625460027e4dc3f1e91b091f1f0002f64ee4f4f23cf7402fbec38152bbb
Instruction Fuzzy Hash: F031BF73A08BC586E7208F28E4403AA7771FBD9788F505322DA9C93768DF79C191CB00

Function 00007FFDFF20165D Relevance: 10.2, APIs: 8, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF201677
HeapFree.KERNEL32 ref: 00007FFDFF2016A0
HeapFree.KERNEL32 ref: 00007FFDFF2016D3
memcpy.MSVCRT ref: 00007FFDFF201774
memcpy.MSVCRT ref: 00007FFDFF201791
memcpy.MSVCRT ref: 00007FFDFF2017C9
memcpy.MSVCRT ref: 00007FFDFF2017E6
memcpy.MSVCRT ref: 00007FFDFF201919
memcpy.MSVCRT ref: 00007FFDFF201937

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: c55a4e5bb68020af28e249f56a40bbc2f62e591f6d169ff66686ff56121460bb
Instruction ID: e813ef22d492e1b223e8e155b3d4e31f43fa5969991416f073a6703d7de8eba3
Opcode Fuzzy Hash: c55a4e5bb68020af28e249f56a40bbc2f62e591f6d169ff66686ff56121460bb
Instruction Fuzzy Hash: 8A910523E08BC481EB119F28A8117F96365FF547C8F499322DE6D576A5DF39E286C300

Function 00007FFDFF20167E Relevance: 10.2, APIs: 8, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF2016A0
HeapFree.KERNEL32 ref: 00007FFDFF2016D3
memcpy.MSVCRT ref: 00007FFDFF201774
memcpy.MSVCRT ref: 00007FFDFF201791
memcpy.MSVCRT ref: 00007FFDFF2017C9
memcpy.MSVCRT ref: 00007FFDFF2017E6
memcpy.MSVCRT ref: 00007FFDFF201919
memcpy.MSVCRT ref: 00007FFDFF201937

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: 75eba5dee96d198cbf8f50639a0191d34156a513ce214b86d9ecda7407933842
Instruction ID: 9c02caf6c4a22965dba0527634f7ebcb69f43959ed7cbd26cf11ef16e31862c4
Opcode Fuzzy Hash: 75eba5dee96d198cbf8f50639a0191d34156a513ce214b86d9ecda7407933842
Instruction Fuzzy Hash: 7B81F523E04BC481EB119F28A9117F96365FF547C8F499322DE6D576A5DF39A286C300

Function 00007FFDFF1E2824 Relevance: 10.1, APIs: 8, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E287F
HeapFree.KERNEL32 ref: 00007FFDFF1E2896
HeapFree.KERNEL32 ref: 00007FFDFF1E28B5
HeapFree.KERNEL32 ref: 00007FFDFF1E28E2
HeapFree.KERNEL32 ref: 00007FFDFF1E28F9
HeapFree.KERNEL32 ref: 00007FFDFF1E2918
HeapFree.KERNEL32 ref: 00007FFDFF1E2945
memcpy.MSVCRT ref: 00007FFDFF1E2A2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: e15290c3a3c6b49585e86641f13fc43bc01caf9bc5813c4a0b938877b82554fd
Instruction ID: 3fdba14abeda94b62f71de8a44d88f1b9a4b88966515cc0e7eefc5763dc146b5
Opcode Fuzzy Hash: e15290c3a3c6b49585e86641f13fc43bc01caf9bc5813c4a0b938877b82554fd
Instruction Fuzzy Hash: 9A518862E08BC585F761DF2AD8617E82361FF98798F448232DE6D87799DF389195C300

Function 00007FFDFF1B5C81 Relevance: 10.1, APIs: 8, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5DE3
HeapFree.KERNEL32 ref: 00007FFDFF1B5ECD
HeapFree.KERNEL32 ref: 00007FFDFF1B5EEE
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 83515c7d39ee7eb7ed8ecc8af2090f4f3005d2330fa7cb51c9bf8bf13eb74f9a
Instruction ID: 9546cd61a23bc0ae2e1ac8f0dfd5a5a2364d0925628379a2b211e1751ab33563
Opcode Fuzzy Hash: 83515c7d39ee7eb7ed8ecc8af2090f4f3005d2330fa7cb51c9bf8bf13eb74f9a
Instruction Fuzzy Hash: 1231EA22F0C68181E724E71694647FA5391EF85B84F884236EA7DC66EEDF3CE485C740

Function 00007FFDFF1B5B97 Relevance: 10.1, APIs: 8, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1CE5D0: HeapFree.KERNEL32 ref: 00007FFDFF1CE673

Part of subcall function 00007FFDFF1B1A50: HeapFree.KERNEL32 ref: 00007FFDFF1B1A91
Part of subcall function 00007FFDFF1B1A50: HeapFree.KERNEL32 ref: 00007FFDFF1B1AA9

HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 3fd73ba2423a818efbc5733cb8091903cd5ff2fdcb34c9587334f1194e35a5fa
Instruction ID: 27dee84791bb83f156f071ae80f4ab3af10b8cac50c31e4b73bd3746993cdd6f
Opcode Fuzzy Hash: 3fd73ba2423a818efbc5733cb8091903cd5ff2fdcb34c9587334f1194e35a5fa
Instruction Fuzzy Hash: 4B31AA22F1C58281E725E716D465BBA5351EF84B84F884236E67EC66EEDF3CE4458700

Function 00007FFDFF1B5B8F Relevance: 10.1, APIs: 8, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1B1A50: HeapFree.KERNEL32 ref: 00007FFDFF1B1A91
Part of subcall function 00007FFDFF1B1A50: HeapFree.KERNEL32 ref: 00007FFDFF1B1AA9

HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: b87c8a249b356e605a869656e7c32de3ef77988de8c14335fe5ce27b6d0c8675
Instruction ID: 73cf534e64259f5a8e7b7f15b99828a4e6e7e6fe867ad05d33d6b1c9baca723a
Opcode Fuzzy Hash: b87c8a249b356e605a869656e7c32de3ef77988de8c14335fe5ce27b6d0c8675
Instruction Fuzzy Hash: 3531CC22F0C58281E724E716D465BBE5391EF84B84F884236E67EC66EEDF3CE4458600

Function 00007FFDFF1B5B36 Relevance: 10.1, APIs: 8, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 3b1b52626daede615cde2e829f5f9c8f3d07f3723f182ac1d4d0aa618008667d
Instruction ID: 9a241433a5cfb6151c5138e5890072334997d8508824d99f4a71948ac1186eea
Opcode Fuzzy Hash: 3b1b52626daede615cde2e829f5f9c8f3d07f3723f182ac1d4d0aa618008667d
Instruction Fuzzy Hash: CE31CB22F0C98281E724A7169464BBA5391EF84B84F484236E67EC66EEDF3CE4458600

Function 00007FFDFF200530 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF20054A
HeapFree.KERNEL32 ref: 00007FFDFF20062B
HeapFree.KERNEL32 ref: 00007FFDFF2006E8

Strings

main, xrefs: 00007FFDFF2005AD
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FFDFF20074E, 00007FFDFF2007E4

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID: cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$main
API String ID: 3298025750-3821718884
Opcode ID: bb67c991c9ffcd16aad204d31aed2df4e4bca4dadbca21e6275df8169d64fa26
Instruction ID: d6833b220ffb1551bfd1d8834ecd167c6afbc62cb053271c7da8fae78ecf2e2b
Opcode Fuzzy Hash: bb67c991c9ffcd16aad204d31aed2df4e4bca4dadbca21e6275df8169d64fa26
Instruction Fuzzy Hash: 19916823B09A4285FB10DB61A864BAD2761FB44748F894636EA3CC67DDDF3CE485C340

Function 00007FFDFF20126A Relevance: 9.1, APIs: 6, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF20128C
HeapFree.KERNEL32 ref: 00007FFDFF2012BF
SetLastError.KERNEL32 ref: 00007FFDFF2013CA
GetFullPathNameW.KERNEL32 ref: 00007FFDFF2013DF
GetLastError.KERNEL32 ref: 00007FFDFF2013EA
GetLastError.KERNEL32 ref: 00007FFDFF201403

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorLast$FreeHeap$FullNamePath
String ID:
API String ID: 554372815-0
Opcode ID: add5975aaafc1cf7c704bcaff5a89812681b38a32ed5c548fc2392545f1d6386
Instruction ID: d638afb906e009c75657ce096fb55e939e3da18a9ff69edaef0e05774d5ac317
Opcode Fuzzy Hash: add5975aaafc1cf7c704bcaff5a89812681b38a32ed5c548fc2392545f1d6386
Instruction Fuzzy Hash: CC417126B04BC289E7349F619864BE92795FB45B98F580235ED3DDBBD9CE7C92448300

Function 00007FFDFF205756 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136memoryfileCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF20576A
UnmapViewOfFile.KERNEL32 ref: 00007FFDFF205772
CloseHandle.KERNEL32 ref: 00007FFDFF20577A
HeapFree.KERNEL32 ref: 00007FFDFF2058C5

Strings

s [... omitted frame ...], xrefs: 00007FFDFF20594B

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseFileHandleUnmapView
String ID: s [... omitted frame ...]
API String ID: 238406573-3732609013
Opcode ID: d28fbf8e32a916bb5f5f9b548799d7f9454f25eeb76f5a2ebb97e068833c1f99
Instruction ID: cc53acc588faa276a899ac3c7ddce7026a815bcb32125d5aa0a758de23e86ce1
Opcode Fuzzy Hash: d28fbf8e32a916bb5f5f9b548799d7f9454f25eeb76f5a2ebb97e068833c1f99
Instruction Fuzzy Hash: ED516173B05B8589EB21CF25D4917AD37A0FB44B88F484236DA6E87B99DF38D594C340

Function 00007FFDFF2056F5 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134memoryfileCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF205714
UnmapViewOfFile.KERNEL32 ref: 00007FFDFF205728
CloseHandle.KERNEL32 ref: 00007FFDFF205730
HeapFree.KERNEL32 ref: 00007FFDFF2058C5

Strings

s [... omitted frame ...], xrefs: 00007FFDFF20594B

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseFileHandleUnmapView
String ID: s [... omitted frame ...]
API String ID: 238406573-3732609013
Opcode ID: 234675bfcce436fed44dfe154107cb3bacbaa412422a1148ee189f855ecd01d8
Instruction ID: 1d5f582f46b0c37fc76ed98338589047fba8ec1930fba5d6961fdbc5667e7922
Opcode Fuzzy Hash: 234675bfcce436fed44dfe154107cb3bacbaa412422a1148ee189f855ecd01d8
Instruction Fuzzy Hash: 4C516133B05B8589EB24CF25D4917AD37A0FB44B88F484236DA6E87B99DF38D094C340

Function 00007FFDFF1E3B9D Relevance: 8.9, APIs: 7, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749
memcpy.MSVCRT ref: 00007FFDFF1E493E
HeapFree.KERNEL32 ref: 00007FFDFF1E494F
HeapFree.KERNEL32 ref: 00007FFDFF1E50CD

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 489845e03afb98c4090425f8c6251e203cf8a037b3b8927327c1bd347c4ed4a9
Instruction ID: 76684177dd6e23ca328d1ff5ff4ce79c373273c93e3919f5c2e02e3d8de317aa
Opcode Fuzzy Hash: 489845e03afb98c4090425f8c6251e203cf8a037b3b8927327c1bd347c4ed4a9
Instruction Fuzzy Hash: 20612F36F08A8284E7708B21C8A4BED27A1FB45B48F444236DA7D9BADCDF39A555D340

Function 00007FFDFF1E282E Relevance: 8.9, APIs: 7, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E283D

Part of subcall function 00007FFDFF1E9E80: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFDFF1E284D), ref: 00007FFDFF1E9EC9
Part of subcall function 00007FFDFF1E9E80: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFDFF1E284D), ref: 00007FFDFF1E9EE1

Part of subcall function 00007FFDFF20BB90: RtlCaptureContext.NTDLL ref: 00007FFDFF20BC22
Part of subcall function 00007FFDFF20BB90: RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BC5F
Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BC65
Part of subcall function 00007FFDFF20BB90: RaiseException.KERNEL32 ref: 00007FFDFF20BCA2

Part of subcall function 00007FFDFF1E9DD0: HeapFree.KERNEL32 ref: 00007FFDFF1E9E29
Part of subcall function 00007FFDFF1E9DD0: HeapFree.KERNEL32 ref: 00007FFDFF1E9E41

HeapFree.KERNEL32 ref: 00007FFDFF1E28B5
HeapFree.KERNEL32 ref: 00007FFDFF1E28E2
HeapFree.KERNEL32 ref: 00007FFDFF1E28F9
HeapFree.KERNEL32 ref: 00007FFDFF1E2918
HeapFree.KERNEL32 ref: 00007FFDFF1E2945
memcpy.MSVCRT ref: 00007FFDFF1E2A2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CaptureContextExceptionRaiseUnwindabortmemcpy
String ID:
API String ID: 2542667021-0
Opcode ID: 5fc51d1ebdd88091b81caa2cd0b9062daedb01c5e3652c18e38a26a7469e139f
Instruction ID: ee0744fcb60847d85b1335d771b50c36d0161695a06a981e8d6760dd1568d27d
Opcode Fuzzy Hash: 5fc51d1ebdd88091b81caa2cd0b9062daedb01c5e3652c18e38a26a7469e139f
Instruction Fuzzy Hash: EE516562E08AC585E7219F2AD8617EC2360FF98788F448231DE6D87799DF389296C300

Function 00007FFDFF1E3B85 Relevance: 8.9, APIs: 7, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749
memcpy.MSVCRT ref: 00007FFDFF1E493E
HeapFree.KERNEL32 ref: 00007FFDFF1E494F
HeapFree.KERNEL32 ref: 00007FFDFF1E50CD

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 3ffb236f535855adf34124bfa4af6b624816a2f8cbb8fef7e87e2e33191baae1
Instruction ID: 04717d77400071adad7bc968dad6c2f3984cac7b01c7a98e6c586d2f9078df5d
Opcode Fuzzy Hash: 3ffb236f535855adf34124bfa4af6b624816a2f8cbb8fef7e87e2e33191baae1
Instruction Fuzzy Hash: 4A512E36F08A8284E7348B21C4A47FD27A1FB49B88F444236DA7D97ADDCF39A595C340

Function 00007FFDFF1E3B6D Relevance: 8.9, APIs: 7, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749
memcpy.MSVCRT ref: 00007FFDFF1E493E
HeapFree.KERNEL32 ref: 00007FFDFF1E494F
HeapFree.KERNEL32 ref: 00007FFDFF1E50CD

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: f8e9ff72d2b10f8e5550b4d9e62c789666abc753acc552a9996634e3e99383e5
Instruction ID: dbd010a6794e2ced693b59f971096d4ae4d2155f15019f1588bbdd10e36f567d
Opcode Fuzzy Hash: f8e9ff72d2b10f8e5550b4d9e62c789666abc753acc552a9996634e3e99383e5
Instruction Fuzzy Hash: BC512E36F08A8284E7348B21C4A47FD27A1FB49B88F444236DA7D97ADDDF39A595C340

Function 00007FFDFF1E3B55 Relevance: 8.9, APIs: 7, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E4749
memcpy.MSVCRT ref: 00007FFDFF1E493E
HeapFree.KERNEL32 ref: 00007FFDFF1E494F
HeapFree.KERNEL32 ref: 00007FFDFF1E50CD

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 83a0f0f4cb5db5319ffe598177c77cd9d728ab489563a82a6f72eeb3e851a94e
Instruction ID: 308cdc327ce102dcc7e7553992a7f199a6252ca8e6ff28a0a669a91058f75831
Opcode Fuzzy Hash: 83a0f0f4cb5db5319ffe598177c77cd9d728ab489563a82a6f72eeb3e851a94e
Instruction Fuzzy Hash: 31512F36F0868284E7348B21C4A47FD27A1FB45B48F444236DA7D97ADDCF39A555C340

Function 00007FFDFF1E382B Relevance: 8.9, APIs: 7, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32 ref: 00007FFDFF1E4486
HeapFree.KERNEL32 ref: 00007FFDFF1E4676
HeapFree.KERNEL32 ref: 00007FFDFF1E468F
HeapFree.KERNEL32 ref: 00007FFDFF1E46A8
HeapFree.KERNEL32 ref: 00007FFDFF1E46C7
HeapFree.KERNEL32 ref: 00007FFDFF1E46E6
HeapFree.KERNEL32 ref: 00007FFDFF1E472C
HeapFree.KERNEL32 ref: 00007FFDFF1E50CD
HeapFree.KERNEL32 ref: 00007FFDFF1E560C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID:
API String ID: 3901518246-0
Opcode ID: a28e2469a1086507f963d4a02e7423ec9da993cb7dcdf754f3cb40e64e8d99f0
Instruction ID: 71d7b6d5c5d0618744fab792a361c1363aa9dbc4f48134f78a99d79e68d5cb2c
Opcode Fuzzy Hash: a28e2469a1086507f963d4a02e7423ec9da993cb7dcdf754f3cb40e64e8d99f0
Instruction Fuzzy Hash: 2E512E36F08AC284E7708B21C4A47F927A1FB49748F484236DA7D9A6DDCF79A595C340

Function 00007FFDFF1E27F8 Relevance: 8.9, APIs: 7, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E2896
HeapFree.KERNEL32 ref: 00007FFDFF1E28B5
HeapFree.KERNEL32 ref: 00007FFDFF1E28E2
HeapFree.KERNEL32 ref: 00007FFDFF1E28F9
HeapFree.KERNEL32 ref: 00007FFDFF1E2918
HeapFree.KERNEL32 ref: 00007FFDFF1E2945
memcpy.MSVCRT ref: 00007FFDFF1E2A2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: c9ff0e854f76592ba2f966b1517ea8719470b024589185620eb48dfa989bddbd
Instruction ID: da6989203bce9c9df232e657ecfff2dfc7e9802202e7b00ef1790593307c5a4a
Opcode Fuzzy Hash: c9ff0e854f76592ba2f966b1517ea8719470b024589185620eb48dfa989bddbd
Instruction Fuzzy Hash: 11518623E08BC585F7219F2AD8617E82360FF98758F448232DE6D87799DF389295C300

Function 00007FFDFF1B3050 Relevance: 8.8, APIs: 7, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FFDFF1B31E1
SetFilePointerEx.KERNEL32 ref: 00007FFDFF1B3242
CloseHandle.KERNEL32 ref: 00007FFDFF1B32D6
HeapFree.KERNEL32 ref: 00007FFDFF1B32F7
HeapFree.KERNEL32 ref: 00007FFDFF1B3312
HeapFree.KERNEL32 ref: 00007FFDFF1B3333
HeapFree.KERNEL32 ref: 00007FFDFF1B3344
HeapFree.KERNEL32 ref: 00007FFDFF1B335D
HeapFree.KERNEL32 ref: 00007FFDFF1B339D
HeapFree.KERNEL32 ref: 00007FFDFF1B33C0
CloseHandle.KERNEL32 ref: 00007FFDFF1B3492
HeapFree.KERNEL32 ref: 00007FFDFF1B3D2F

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseFileHandlePointer
String ID:
API String ID: 1704820636-0
Opcode ID: 683f471ecae524daddba303215965c41c5eeb5eb68a1e05db357fd5047f55771
Instruction ID: 273d5b4030009f4d4789f2471e6bb212a77ac0b6316f44709fc7b27fe91fc758
Opcode Fuzzy Hash: 683f471ecae524daddba303215965c41c5eeb5eb68a1e05db357fd5047f55771
Instruction Fuzzy Hash: 94413D62F0CBC180E7249B16A4647EAA3A1EF85784F484236DBAD977EDDF3DE0458740

Function 00007FFDFF1B2FDA Relevance: 8.8, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FFDFF1B31E1
SetFilePointerEx.KERNEL32 ref: 00007FFDFF1B3242
CloseHandle.KERNEL32 ref: 00007FFDFF1B32D6
HeapFree.KERNEL32 ref: 00007FFDFF1B32F7
HeapFree.KERNEL32 ref: 00007FFDFF1B3312
HeapFree.KERNEL32 ref: 00007FFDFF1B3333
HeapFree.KERNEL32 ref: 00007FFDFF1B3344
HeapFree.KERNEL32 ref: 00007FFDFF1B335D
HeapFree.KERNEL32 ref: 00007FFDFF1B339D
HeapFree.KERNEL32 ref: 00007FFDFF1B33C0

Part of subcall function 00007FFDFF1D4700: WaitForSingleObject.KERNEL32 ref: 00007FFDFF1D4760

CloseHandle.KERNEL32 ref: 00007FFDFF1B3492

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseFileHandlePointer$ObjectSingleWait
String ID:
API String ID: 3998891674-0
Opcode ID: 1eff7c243977d48493124ba029a573040a936019609b2282d8b64a1a4220b9d6
Instruction ID: 547103a4e99d6515271f1d8b244bac8f3889b7f3a3e6bbef64b0e32667a5b782
Opcode Fuzzy Hash: 1eff7c243977d48493124ba029a573040a936019609b2282d8b64a1a4220b9d6
Instruction Fuzzy Hash: 38413D62F0CAC180E7349B12A4647EAA391EF85784F484236DBAD977EEDF7DE0458740

Function 00007FFDFF1B3011 Relevance: 8.8, APIs: 7, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FFDFF1B31E1
SetFilePointerEx.KERNEL32 ref: 00007FFDFF1B3242
CloseHandle.KERNEL32 ref: 00007FFDFF1B32D6
HeapFree.KERNEL32 ref: 00007FFDFF1B32F7
HeapFree.KERNEL32 ref: 00007FFDFF1B3312
HeapFree.KERNEL32 ref: 00007FFDFF1B3333
HeapFree.KERNEL32 ref: 00007FFDFF1B3344
HeapFree.KERNEL32 ref: 00007FFDFF1B335D
HeapFree.KERNEL32 ref: 00007FFDFF1B339D
HeapFree.KERNEL32 ref: 00007FFDFF1B33C0
CloseHandle.KERNEL32 ref: 00007FFDFF1B3492
HeapFree.KERNEL32 ref: 00007FFDFF1B3D2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5C4F
CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle$FilePointer
String ID:
API String ID: 3729840729-0
Opcode ID: 2f470c464f670b293869539d2a59d827c6f3b789b41c3703fc2447eef19ec4f5
Instruction ID: 91f09eb141b4516e06137f3e026e0bbbd663b289727a95a67f1fbdd6c286d852
Opcode Fuzzy Hash: 2f470c464f670b293869539d2a59d827c6f3b789b41c3703fc2447eef19ec4f5
Instruction Fuzzy Hash: EA413D62F0CAC180E7359B16A4647EAA391EF84784F484236DBAD977EDDF3DE0458740

Function 00007FFDFF1B1770 Relevance: 8.8, APIs: 7, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B178D
HeapFree.KERNEL32 ref: 00007FFDFF1B17BD
HeapFree.KERNEL32 ref: 00007FFDFF1B17D8
HeapFree.KERNEL32 ref: 00007FFDFF1B180E
CloseHandle.KERNEL32 ref: 00007FFDFF1B1824
CloseHandle.KERNEL32 ref: 00007FFDFF1B183A
CloseHandle.KERNEL32 ref: 00007FFDFF1B1853

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: dfa1284bc944867e7561965f19c9dcdca01bf570fcab73a2e81406f181e401f5
Instruction ID: c6edfb0143e725e25982eb68c480ad9e4db63c0b88d91efdb98124f9784dbf51
Opcode Fuzzy Hash: dfa1284bc944867e7561965f19c9dcdca01bf570fcab73a2e81406f181e401f5
Instruction Fuzzy Hash: A8314A23F1864282FB34972794A4BBD1352EB84748F594632DB7ED76E9CE2CF4818340

Function 00007FFDFF1B5C68 Relevance: 8.8, APIs: 7, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5CBE
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 90be09df39cd437478b2506726d66e5d011696e4b736ae54a69079537084e471
Instruction ID: 99b4b69a5f57c97120ee470ebb5a93356160f3d52f6a70d2fe7a639dc15fb945
Opcode Fuzzy Hash: 90be09df39cd437478b2506726d66e5d011696e4b736ae54a69079537084e471
Instruction Fuzzy Hash: EC31C822F0C98281E725EB12D465BFA5391EF85784F884236E67EC66EEDF3CE445C640

Function 00007FFDFF1B5C6C Relevance: 8.8, APIs: 7, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5CBE
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 731c998e6d922bfb57b6749f5f98103dff0bdd1ab0ac403100a52b877ab64ecb
Instruction ID: 99b4b69a5f57c97120ee470ebb5a93356160f3d52f6a70d2fe7a639dc15fb945
Opcode Fuzzy Hash: 731c998e6d922bfb57b6749f5f98103dff0bdd1ab0ac403100a52b877ab64ecb
Instruction Fuzzy Hash: EC31C822F0C98281E725EB12D465BFA5391EF85784F884236E67EC66EEDF3CE445C640

Function 00007FFDFF1B5C6A Relevance: 8.8, APIs: 7, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5CBE
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 9e0524eda01755049f13f3f504d9c8dd9d62d95135fec3dd851297a2ce3b672d
Instruction ID: 99b4b69a5f57c97120ee470ebb5a93356160f3d52f6a70d2fe7a639dc15fb945
Opcode Fuzzy Hash: 9e0524eda01755049f13f3f504d9c8dd9d62d95135fec3dd851297a2ce3b672d
Instruction Fuzzy Hash: EC31C822F0C98281E725EB12D465BFA5391EF85784F884236E67EC66EEDF3CE445C640

Function 00007FFDFF1B5C73 Relevance: 8.8, APIs: 7, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5CBE
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 5eff6a55d9828a513b4c970e1a21620796b69d969cad4c308f0db246b5496ea3
Instruction ID: 99b4b69a5f57c97120ee470ebb5a93356160f3d52f6a70d2fe7a639dc15fb945
Opcode Fuzzy Hash: 5eff6a55d9828a513b4c970e1a21620796b69d969cad4c308f0db246b5496ea3
Instruction Fuzzy Hash: EC31C822F0C98281E725EB12D465BFA5391EF85784F884236E67EC66EEDF3CE445C640

Function 00007FFDFF1B5D07 Relevance: 8.8, APIs: 7, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5ECD
HeapFree.KERNEL32 ref: 00007FFDFF1B5EEE
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 9b27e6b75524f38e42bfb0c88f277100b64cd8d0d774f256052e2f505c888584
Instruction ID: 5f7b7e2c8894345a0e4d1ef2af66880596ec03065fdaa990bc997afbdc1c2a00
Opcode Fuzzy Hash: 9b27e6b75524f38e42bfb0c88f277100b64cd8d0d774f256052e2f505c888584
Instruction Fuzzy Hash: 8431DA22F0C68181E724E71694657BA5391EF85B84F884236E67DC66EEDF3CE445C740

Function 00007FFDFF1B5D0C Relevance: 8.8, APIs: 7, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5ECD
HeapFree.KERNEL32 ref: 00007FFDFF1B5EEE
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 4eb8aa26603fa8ab5348b0d081e9fd9e682ab30f5a08b26c387968f8cc10d8f6
Instruction ID: dc0494190a89a0cf8dc40c044794f4d275d1a4a1defe584a58b1479d0799dd84
Opcode Fuzzy Hash: 4eb8aa26603fa8ab5348b0d081e9fd9e682ab30f5a08b26c387968f8cc10d8f6
Instruction Fuzzy Hash: 3631D822F0C68181E724E71694657BA9391EF85B84F884236E67DC66EEDF3CE485C740

Function 00007FFDFF1B5C56 Relevance: 8.8, APIs: 7, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF1B5C8E
HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 50d6b114c8c7573a04633daa721445bb2470851cdf7ef7d36e189d501671819e
Instruction ID: be0fbab6efdec0a263039c110dcf909c44021f8a0932a0f99782636ab2a69266
Opcode Fuzzy Hash: 50d6b114c8c7573a04633daa721445bb2470851cdf7ef7d36e189d501671819e
Instruction Fuzzy Hash: 8221CA22F0C58181E724A7169465BBA5791EF84B84F884236E67EC66EEDF3CE4458600

Function 00007FFDFF1F4E11 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39memorylibraryloaderCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1F4E2A
GetModuleHandleA.KERNEL32 ref: 00007FFDFF1F4E58
GetProcAddress.KERNEL32 ref: 00007FFDFF1F4E6C

Strings

kernel32, xrefs: 00007FFDFF1F4E51
GetTempPath2W, xrefs: 00007FFDFF1F4E62

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: AddressFreeHandleHeapModuleProc
String ID: GetTempPath2W$kernel32
API String ID: 2247350619-407914046
Opcode ID: b081a45a60ed80a7388da0ddb173ae443c57b4b72a7a5ef97f1b0dbc135a56c4
Instruction ID: 5822d29ba8188a569d8cf24520682fadc7d2676b9137a0541c2e2c7cb1ea35ec
Opcode Fuzzy Hash: b081a45a60ed80a7388da0ddb173ae443c57b4b72a7a5ef97f1b0dbc135a56c4
Instruction Fuzzy Hash: 4D015E52F0968685FB24D751A460BF82361AF88784F884636DD3EC3BDEDF3CA551D200

Function 00007FF600EB3208 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF600EB322D
GetProcAddress.KERNEL32 ref: 00007FF600EB3243
FreeLibrary.KERNEL32 ref: 00007FF600EB326A

Strings

CorExitProcess, xrefs: 00007FF600EB323C
mscoree.dll, xrefs: 00007FF600EB3224

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c69cba3254830e0d3a980ef48b8611d2ef689da3e86788930c60b852a344f9c
Instruction ID: 48e2e040730378fd034d2dbe8b10d9d9d6847882c44ac7ae346f09fb9a62978f
Opcode Fuzzy Hash: 4c69cba3254830e0d3a980ef48b8611d2ef689da3e86788930c60b852a344f9c
Instruction Fuzzy Hash: E0F0F661B0DB0291EB208B64E44533A6360FF48BA0FB00635CAAE866F8CF3CD544C300

Function 00007FFDFF1D47F0 Relevance: 7.6, APIs: 5, Instructions: 148COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFDFF1D487D
WriteConsoleW.KERNEL32 ref: 00007FFDFF1D48BC
WriteConsoleW.KERNEL32 ref: 00007FFDFF1D4923
GetLastError.KERNEL32 ref: 00007FFDFF1D492C
GetLastError.KERNEL32 ref: 00007FFDFF1D49BE

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: 64ca358332984b66bee882b73d39c0a3e8e0597bd67fc2b936da312716404949
Instruction ID: ee5481ab42a6440b6bb5fe900187e2a04b5903d9df902eb2872a29917f984dcb
Opcode Fuzzy Hash: 64ca358332984b66bee882b73d39c0a3e8e0597bd67fc2b936da312716404949
Instruction Fuzzy Hash: 9851BF63F0879245EB348B6198A4BFD6361EF44398F484335DABD87ADDDF2C96918340

Function 00007FFDFF1D6590 Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,00000000,?,?,00007FFDFF1D6571), ref: 00007FFDFF1D65F4
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FFDFF1D6659

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: AddressSingleValueWake
String ID:
API String ID: 741412973-0
Opcode ID: e224da9b11933408c96e3e1203a7cfe5e053282d44fe7d69c8e67e755a0f930d
Instruction ID: f63a7783890b7628d1a46548955b0fc599cee5abc5ed78c9cc7a29bf537eb4d1
Opcode Fuzzy Hash: e224da9b11933408c96e3e1203a7cfe5e053282d44fe7d69c8e67e755a0f930d
Instruction Fuzzy Hash: 0D418E23F0960685FB259B21D870BBD6371AF44794F584335DA7D866DDEF2CA8868700

Function 00007FFDFF1E2800 Relevance: 7.6, APIs: 6, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1E9140: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FFDFF1E0792), ref: 00007FFDFF1E9171

HeapFree.KERNEL32 ref: 00007FFDFF1E28B5
HeapFree.KERNEL32 ref: 00007FFDFF1E28E2
HeapFree.KERNEL32 ref: 00007FFDFF1E28F9
HeapFree.KERNEL32 ref: 00007FFDFF1E2918
HeapFree.KERNEL32 ref: 00007FFDFF1E2945
memcpy.MSVCRT ref: 00007FFDFF1E2A2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 018e24e97acf25053f4ff6b8b447ab253433e717b4b67bd3f77397b7b89c9cbd
Instruction ID: 740e38dcf1d0b2af12d910753b5e6d209870c387741393b99846573ed51683d7
Opcode Fuzzy Hash: 018e24e97acf25053f4ff6b8b447ab253433e717b4b67bd3f77397b7b89c9cbd
Instruction Fuzzy Hash: A7515463E08BC585F7619F2AD8617E823A0FF98758F449232DE6D87699DF389295C300

Function 00007FFDFF1E2818 Relevance: 7.6, APIs: 6, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E28B5
HeapFree.KERNEL32 ref: 00007FFDFF1E28E2
HeapFree.KERNEL32 ref: 00007FFDFF1E28F9
HeapFree.KERNEL32 ref: 00007FFDFF1E2918
HeapFree.KERNEL32 ref: 00007FFDFF1E2945
memcpy.MSVCRT ref: 00007FFDFF1E2A2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 615b6bc0470214188588a2d01fe18b6e00251015df3519477c1fd14d926b36d5
Instruction ID: 048f9863a11c56ad2af4dc65603211db1606beb09ffcd6206e7ab88390fcdfc3
Opcode Fuzzy Hash: 615b6bc0470214188588a2d01fe18b6e00251015df3519477c1fd14d926b36d5
Instruction Fuzzy Hash: 49515663E08BC585F7619F2A98617E823A0FF98758F449231DE6D87799DF389295C300

Function 00007FFDFF1E280E Relevance: 7.6, APIs: 6, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E28B5
HeapFree.KERNEL32 ref: 00007FFDFF1E28E2
HeapFree.KERNEL32 ref: 00007FFDFF1E28F9
HeapFree.KERNEL32 ref: 00007FFDFF1E2918
HeapFree.KERNEL32 ref: 00007FFDFF1E2945
memcpy.MSVCRT ref: 00007FFDFF1E2A2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 1b80cc4edbfc19ba362e0ae68058afa0b0959abf5f74af2f5b7f27f660db8034
Instruction ID: 048f9863a11c56ad2af4dc65603211db1606beb09ffcd6206e7ab88390fcdfc3
Opcode Fuzzy Hash: 1b80cc4edbfc19ba362e0ae68058afa0b0959abf5f74af2f5b7f27f660db8034
Instruction Fuzzy Hash: 49515663E08BC585F7619F2A98617E823A0FF98758F449231DE6D87799DF389295C300

Function 00007FFDFF1DF42E Relevance: 7.6, APIs: 6, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF53E
HeapFree.KERNEL32 ref: 00007FFDFF1DF553
HeapFree.KERNEL32 ref: 00007FFDFF1DF587
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cd39e22c407f865b54224c9ba4c1cda457d3b64844c9e2beba43f49b92b01f6b
Instruction ID: 193d91e53a94c513f18d4749783202a654458f625b620a8dd5faaeba7d335ac0
Opcode Fuzzy Hash: cd39e22c407f865b54224c9ba4c1cda457d3b64844c9e2beba43f49b92b01f6b
Instruction Fuzzy Hash: 08410B16F08A8588FB20DB65D8617FC2361EF84748F884236DA7D96BE9DF3CA641C740

Function 00007FFDFF1DF526 Relevance: 7.6, APIs: 6, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF53E
HeapFree.KERNEL32 ref: 00007FFDFF1DF553
HeapFree.KERNEL32 ref: 00007FFDFF1DF587
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4e8e63c802991ca37476f4a08790f10f3f712d771a486c672b0fada353905c5c
Instruction ID: 6b81d892d55d3f63df57d82f77ef44c5468217f3c21d2e9ad8b404191d4ae55f
Opcode Fuzzy Hash: 4e8e63c802991ca37476f4a08790f10f3f712d771a486c672b0fada353905c5c
Instruction Fuzzy Hash: B941FB16F08A8584FB24DB65D8617FC2361EF88748F884236D97D867E9DF3CA541C340

Function 00007FFDFF1DF4C5 Relevance: 7.6, APIs: 6, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF5A9
HeapFree.KERNEL32 ref: 00007FFDFF1DF5BA
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e421189457731f8469c786c6cc5690f8cb513ab31b929df96de85d38aedc7e5e
Instruction ID: 7ae11940d9e56b0523445221429358161bb2c80738d8f602c72385bb1abc7365
Opcode Fuzzy Hash: e421189457731f8469c786c6cc5690f8cb513ab31b929df96de85d38aedc7e5e
Instruction Fuzzy Hash: 2441FA16F09B8584FB24DB66D8617B82361EF88B44F884236DA7D977E9DF3C9541C300

Function 00007FFDFF1DF595 Relevance: 7.6, APIs: 6, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF5A9
HeapFree.KERNEL32 ref: 00007FFDFF1DF5BA
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 82f8239812ef13a5ab77ed4f4006f2a8862964b8ac7c2ee90b04806fae2f552d
Instruction ID: 2e425428e76b6e259baeb5caa09b3059cfe941fbd158d7c859f937408fc3cc6f
Opcode Fuzzy Hash: 82f8239812ef13a5ab77ed4f4006f2a8862964b8ac7c2ee90b04806fae2f552d
Instruction Fuzzy Hash: 1841F916F09B8584FB24DB66D8617B92361EF88B84F884236DA6D977E9DF3C9541C300

Function 00007FFDFF200E92 Relevance: 7.6, APIs: 5, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF200EB3
SetLastError.KERNEL32 ref: 00007FFDFF200FCA
GetFullPathNameW.KERNEL32 ref: 00007FFDFF200FDF
GetLastError.KERNEL32 ref: 00007FFDFF200FEA
GetLastError.KERNEL32 ref: 00007FFDFF201003

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorLast$FreeFullHeapNamePath
String ID:
API String ID: 526175943-0
Opcode ID: d2e7441096d1d4c443a168f80f84ad59918335a3ef1acd8e76c73ca9fe5aab4a
Instruction ID: 7bc310e88a8449770a4c31b594f6bd75ddcfb9b8351b88fb8bb2bd5d2ee9ca08
Opcode Fuzzy Hash: d2e7441096d1d4c443a168f80f84ad59918335a3ef1acd8e76c73ca9fe5aab4a
Instruction Fuzzy Hash: 32317E22B08BC14AF771DF219868BAD27A4FB45B98F580235DE7DD77CECE7892448201

Function 00007FFDFF1B5D66 Relevance: 7.6, APIs: 6, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5D7E

Part of subcall function 00007FFDFF1F5100: HeapFree.KERNEL32(?,?,?,?), ref: 00007FFDFF1F514C

Part of subcall function 00007FFDFF20BB90: RtlCaptureContext.NTDLL ref: 00007FFDFF20BC22
Part of subcall function 00007FFDFF20BB90: RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BC5F
Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BC65
Part of subcall function 00007FFDFF20BB90: RaiseException.KERNEL32 ref: 00007FFDFF20BCA2

CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CaptureCloseContextExceptionHandleRaiseUnwindabort
String ID:
API String ID: 245745995-0
Opcode ID: 96126d6c02fbbf8e782e58c2a3d80acb49b0ff1150806085a0b3a49e367393b1
Instruction ID: 01c8e830314fb3429f8656a95c439f5939d87cded16a14a0411606c6c22731ae
Opcode Fuzzy Hash: 96126d6c02fbbf8e782e58c2a3d80acb49b0ff1150806085a0b3a49e367393b1
Instruction Fuzzy Hash: 3831EC22F0C58181E724E71694757EA5391FF85B84F884236EA7DC66EEDF2CE4458640

Function 00007FFDFF1B5E35 Relevance: 7.6, APIs: 6, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5E49

Part of subcall function 00007FFDFF20BB90: RtlCaptureContext.NTDLL ref: 00007FFDFF20BC22
Part of subcall function 00007FFDFF20BB90: RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BC5F
Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BC65
Part of subcall function 00007FFDFF20BB90: RaiseException.KERNEL32 ref: 00007FFDFF20BCA2

CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CaptureCloseContextExceptionHandleRaiseUnwindabort
String ID:
API String ID: 245745995-0
Opcode ID: 9b2101f2c0b34afee534a08863a95abeab72c783c6af0a658a0effa2343cbafb
Instruction ID: 79cf013823ffe068f5709d4dc3503ea6b14a583d6e061d776bd7e88f901c9513
Opcode Fuzzy Hash: 9b2101f2c0b34afee534a08863a95abeab72c783c6af0a658a0effa2343cbafb
Instruction Fuzzy Hash: 72211812F0C58281EB24E7129475BBE5791EF85B84F880236EA7EC66EEDF3CE4458700

Function 00007FFDFF1B5C58 Relevance: 7.6, APIs: 6, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1B15B0: HeapFree.KERNEL32 ref: 00007FFDFF1B15DD

Part of subcall function 00007FFDFF1B1920: CloseHandle.KERNEL32 ref: 00007FFDFF1B192E
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B1971
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B1989
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B19A3

HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 6d8e65684b45a88600395803eb29ed45d2a3983aade4a925e5d91a5df0034843
Instruction ID: 051325a56ac97ca9c5644d0f4092265c6736cc2f83b3f7f673a9ca391e93563b
Opcode Fuzzy Hash: 6d8e65684b45a88600395803eb29ed45d2a3983aade4a925e5d91a5df0034843
Instruction Fuzzy Hash: E621CB22F0C58281E724EB1294657FE9391EF85784F884236E67EC66EEDF3CE4458600

Function 00007FFDFF1B5D2B Relevance: 7.6, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5EEE
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 959184bec4a91f8b15299a3477b17e7a467e69ac5ce00708e390efaf71274746
Instruction ID: 03503d7501dc178868a89969e86211b98947e1c7c8f4c417a9c6bb0d4ba444fd
Opcode Fuzzy Hash: 959184bec4a91f8b15299a3477b17e7a467e69ac5ce00708e390efaf71274746
Instruction Fuzzy Hash: B721EA22F0C58181E724E71694757BA9391EF85B84F884236E67EC66EEDF3CE445C740

Function 00007FFDFF1B5C75 Relevance: 7.6, APIs: 6, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1B1920: CloseHandle.KERNEL32 ref: 00007FFDFF1B192E
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B1971
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B1989
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B19A3

HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: d001ec50cc023509c53ac4d4128adba0a2bbf7c238277bdf7c154bdcc35d4d85
Instruction ID: c6044d8981150a88b5d97304b364cd7b196efe217e27fca1b9d8dda1b38304eb
Opcode Fuzzy Hash: d001ec50cc023509c53ac4d4128adba0a2bbf7c238277bdf7c154bdcc35d4d85
Instruction Fuzzy Hash: 7021C922F0C58281E725EB16D4657FA9391EF88784F884236E67EC66EEDF3CE445C600

Function 00007FFDFF1B5C7A Relevance: 7.6, APIs: 6, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1B1920: CloseHandle.KERNEL32 ref: 00007FFDFF1B192E
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B1971
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B1989
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B19A3

HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: d001ec50cc023509c53ac4d4128adba0a2bbf7c238277bdf7c154bdcc35d4d85
Instruction ID: c6044d8981150a88b5d97304b364cd7b196efe217e27fca1b9d8dda1b38304eb
Opcode Fuzzy Hash: d001ec50cc023509c53ac4d4128adba0a2bbf7c238277bdf7c154bdcc35d4d85
Instruction Fuzzy Hash: 7021C922F0C58281E725EB16D4657FA9391EF88784F884236E67EC66EEDF3CE445C600

Function 00007FFDFF1B5C6E Relevance: 7.6, APIs: 6, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1B1920: CloseHandle.KERNEL32 ref: 00007FFDFF1B192E
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B1971
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B1989
Part of subcall function 00007FFDFF1B1920: HeapFree.KERNEL32 ref: 00007FFDFF1B19A3

HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: d001ec50cc023509c53ac4d4128adba0a2bbf7c238277bdf7c154bdcc35d4d85
Instruction ID: c6044d8981150a88b5d97304b364cd7b196efe217e27fca1b9d8dda1b38304eb
Opcode Fuzzy Hash: d001ec50cc023509c53ac4d4128adba0a2bbf7c238277bdf7c154bdcc35d4d85
Instruction Fuzzy Hash: 7021C922F0C58281E725EB16D4657FA9391EF88784F884236E67EC66EEDF3CE445C600

Function 00007FFDFF1B5C7F Relevance: 7.6, APIs: 6, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 94dd05ed3e7cbc88eeb597d48c06e2e252d4658633ee448895aa461142424feb
Instruction ID: 86f9b80b426747142c98d2195d94abc14cd6fe9b93d6c6ca66cd710949d455b0
Opcode Fuzzy Hash: 94dd05ed3e7cbc88eeb597d48c06e2e252d4658633ee448895aa461142424feb
Instruction Fuzzy Hash: 5A21EC22F0C58181E725E71694747BA5391EF84B84F884236E67EC66EEDF3CE445C700

Function 00007FFDFF1B5C95 Relevance: 7.6, APIs: 6, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5CFD
CloseHandle.KERNEL32 ref: 00007FFDFF1B5F0E
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 914a0a6bef2835900175439e1b19609a14eef3506211583a17c443d105c37651
Instruction ID: 7ac4b0fef43c988c32cbb07db7b7a50e4eaf3339f2bd34a74f87b803c1314c57
Opcode Fuzzy Hash: 914a0a6bef2835900175439e1b19609a14eef3506211583a17c443d105c37651
Instruction Fuzzy Hash: D021EC22F0C58181E724E71694657BA5391EF84B84F884236E67EC66EEDF3CE445C700

Function 00007FFDFF1FED0D Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFDFF1FED0F
GetLastError.KERNEL32 ref: 00007FFDFF1FED27
GetCurrentProcess.KERNEL32 ref: 00007FFDFF1FEEC0
DuplicateHandle.KERNEL32 ref: 00007FFDFF1FEEEA
GetLastError.KERNEL32 ref: 00007FFDFF1FEEF9

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ErrorHandleLast$CurrentDuplicateProcess
String ID:
API String ID: 3697983210-0
Opcode ID: a2846c33b80589a9331e861803d4bb719fa938c2d183521538b211f41f45dd27
Instruction ID: 76aa467ce65d35b6f9fba20ef5ea476ce6ddc81a92e055992c9713bfab8686f4
Opcode Fuzzy Hash: a2846c33b80589a9331e861803d4bb719fa938c2d183521538b211f41f45dd27
Instruction Fuzzy Hash: 6A115163F1829145FB609A61B4257AE2791EB843A8F044331EE7E877CECFBCD0819340

Function 00007FFDFF1D6960 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1D6A71
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FFDFF1D6AC1
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FFDFF1D694A), ref: 00007FFDFF1D6B23

Strings

cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FFDFF1D6AE3

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$AddressSingleWake
String ID: cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 2995119335-1168434340
Opcode ID: 64aae8602360610d860c797d911c6c94a8d6c86d8d8a88f1b801de3dd4796441
Instruction ID: 7c1667c3061f54f61a6c6caa539d0c6ce8ec16fa5366ef87244a31882597532e
Opcode Fuzzy Hash: 64aae8602360610d860c797d911c6c94a8d6c86d8d8a88f1b801de3dd4796441
Instruction Fuzzy Hash: CD710C22F0CB4688F7119B60A871BBD2770AB5431CF885735D97CC66EAEF2CA589C311

Function 00007FFDFF2056EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1DA9C0: HeapFree.KERNEL32 ref: 00007FFDFF1DAA0C
Part of subcall function 00007FFDFF1DA9C0: HeapFree.KERNEL32 ref: 00007FFDFF1DAA25
Part of subcall function 00007FFDFF1DA9C0: UnmapViewOfFile.KERNEL32 ref: 00007FFDFF1DAA47
Part of subcall function 00007FFDFF1DA9C0: CloseHandle.KERNEL32 ref: 00007FFDFF1DAA4F

UnmapViewOfFile.KERNEL32 ref: 00007FFDFF205728
CloseHandle.KERNEL32 ref: 00007FFDFF205730
HeapFree.KERNEL32 ref: 00007FFDFF2058C5

Strings

s [... omitted frame ...], xrefs: 00007FFDFF20594B

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseFileHandleUnmapView
String ID: s [... omitted frame ...]
API String ID: 238406573-3732609013
Opcode ID: d0a656f1095f46913aafe9a0ec105c611fbe03b47028f47e86df0d274d496bb2
Instruction ID: d04ba4df181e705e49acf85ea0fe285a2aa8415b32fab70f80e6d218d07eb6a2
Opcode Fuzzy Hash: d0a656f1095f46913aafe9a0ec105c611fbe03b47028f47e86df0d274d496bb2
Instruction Fuzzy Hash: B8516F33A05B8589EB20CF25D4917AD37A0FB48B88F484236DA6E87B99DF38D094C340

Function 00007FFDFF1DF7A6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20filememoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF7BC
UnmapViewOfFile.KERNEL32 ref: 00007FFDFF1DF7CF
CloseHandle.KERNEL32 ref: 00007FFDFF1DF7D7

Strings

assertion failed: end >= start && end <= len, xrefs: 00007FFDFF1E2680, 00007FFDFF1E269D

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseFileFreeHandleHeapUnmapView
String ID: assertion failed: end >= start && end <= len
API String ID: 2029649301-206846142
Opcode ID: cc07d0baf98cc2c21bfab83bb81f6587acc31c4e6d9239d8fc6b82601fbd105b
Instruction ID: 98e8fca222986aef913dd1830fc0788d6ff22852e9fbc5a3b4066e1c80aa0f3d
Opcode Fuzzy Hash: cc07d0baf98cc2c21bfab83bb81f6587acc31c4e6d9239d8fc6b82601fbd105b
Instruction Fuzzy Hash: 10F01526F0868242E728AB2294747FD5720EF85B80F484232DE7EC77EBCE2CA0418200

Function 00007FFDFF1D8010 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 396COMMON

Download Yara Rule

Strings

{size limit reached}`fmt::Error` from `SizeLimitedFmtAdapter` was discarded, xrefs: 00007FFDFF1D8458
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs, xrefs: 00007FFDFF1D804A
<unknown>, xrefs: 00007FFDFF1D856E

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs$<unknown>${size limit reached}`fmt::Error` from `SizeLimitedFmtAdapter` was discarded
API String ID: 0-1737120873
Opcode ID: 139fbd7fd0065e9446f04bb1c7d6771a4feb4527c133a6b113dbc105a9ff76d0
Instruction ID: 6c830ccd3787091433a94ac68a5c896b4ca01a31dca04dcf122d630f396d1bd2
Opcode Fuzzy Hash: 139fbd7fd0065e9446f04bb1c7d6771a4feb4527c133a6b113dbc105a9ff76d0
Instruction Fuzzy Hash: 08F18663F08B9289EB208B21E860BED2760FB55BA8F444236DE6D47BD9DF38D145C340

Function 00007FFDFF1DF4F0 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF51F
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2be3e3c36506147d5380a14d6b86b91e398f8fb32940a3fe3899d9cc2e9d81f1
Instruction ID: 99fdf99f09d20570cfdb7095f09678aa174bf8fa31a4529fa0b7b3fc920ad140
Opcode Fuzzy Hash: 2be3e3c36506147d5380a14d6b86b91e398f8fb32940a3fe3899d9cc2e9d81f1
Instruction Fuzzy Hash: 05410D16F09B8584FB249B25D8647FC2361EF94B48F884236C97D867D9DF7C9645C700

Function 00007FFDFF1DF35D Relevance: 6.3, APIs: 5, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF553
HeapFree.KERNEL32 ref: 00007FFDFF1DF587
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 14ca36cfc3f5f768d3efff822d12e70a49b249a37526e1ddfe6aed361d7acb69
Instruction ID: c5b64c3151ac699c301ec4c5802a373dcd61cb4f2979bf33780b2302dbb0fcd7
Opcode Fuzzy Hash: 14ca36cfc3f5f768d3efff822d12e70a49b249a37526e1ddfe6aed361d7acb69
Instruction Fuzzy Hash: 24410C16F09B8584FB249B65D8617FC2361EF84748F884236CA7D867E9DF7CA641C340

Function 00007FFDFF1E2826 Relevance: 6.3, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E28E2
HeapFree.KERNEL32 ref: 00007FFDFF1E28F9
HeapFree.KERNEL32 ref: 00007FFDFF1E2918
HeapFree.KERNEL32 ref: 00007FFDFF1E2945
memcpy.MSVCRT ref: 00007FFDFF1E2A2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 14b18590f53ecf8803b5db270a917b17736928481ca0a51a87bbfcec2dee7029
Instruction ID: e030a638a6ceb302f494fa217c0c59724986a0896d7e6bd90289caf4a86ba115
Opcode Fuzzy Hash: 14b18590f53ecf8803b5db270a917b17736928481ca0a51a87bbfcec2dee7029
Instruction Fuzzy Hash: A8417463E08BC585E7219F2AD8517E823B0FB98798F449222DFAC87795EF349295C300

Function 00007FFDFF1DF37D Relevance: 6.3, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF5BA
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 76840de9d188bfec8944c4b56978a3b0a9c47d0891725c63c35cb23727952999
Instruction ID: 241ab2718d27e8d94ba10daea49a3ef4bad2ceaf8720922c6d9973353c0e8d29
Opcode Fuzzy Hash: 76840de9d188bfec8944c4b56978a3b0a9c47d0891725c63c35cb23727952999
Instruction Fuzzy Hash: 77410C16F09B8584FB249B66D8617FD2361EB88B48F884236CA6D877E9DF3C9651C300

Function 00007FFDFF1F7520 Relevance: 6.3, APIs: 5, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,?,00007FFDFF207729), ref: 00007FFDFF1F7539
TlsGetValue.KERNEL32(00000000,?,?,?,00007FFDFF207729), ref: 00007FFDFF1F755B
TlsGetValue.KERNEL32(00000000,?,?,?,00007FFDFF207729), ref: 00007FFDFF1F75AC
TlsSetValue.KERNEL32(00000000,?,?,?,00007FFDFF207729), ref: 00007FFDFF1F75C7
HeapFree.KERNEL32(00000000,?,?,?,00007FFDFF207729), ref: 00007FFDFF1F75F5

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 5eba0e87723cc33a9d57a20c5ca8c8ea6536750146c3255c0c928d0beb7e84b5
Instruction ID: e0888955ba2dbf202d89c56c23b96f9913e7342336b12ba5a132901c1678549a
Opcode Fuzzy Hash: 5eba0e87723cc33a9d57a20c5ca8c8ea6536750146c3255c0c928d0beb7e84b5
Instruction Fuzzy Hash: 8131AF26F0968341FB296B219870FBD2351AF44750F484635CD3EC27E9EF2CE84A9200

Function 00007FFDFF1D1810 Relevance: 6.3, APIs: 5, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFDFF1D1828
TlsGetValue.KERNEL32 ref: 00007FFDFF1D184A
TlsGetValue.KERNEL32 ref: 00007FFDFF1D18B3
TlsSetValue.KERNEL32 ref: 00007FFDFF1D18CE
HeapFree.KERNEL32 ref: 00007FFDFF1D18E4

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 26942761a0965110d81714b1389a9b5f6261cccf0107593a6df524b88d149246
Instruction ID: 2f3b3a5946d4361b1cb9ca5c32f104b0d46aba55e83aed5cb68d9685409f046a
Opcode Fuzzy Hash: 26942761a0965110d81714b1389a9b5f6261cccf0107593a6df524b88d149246
Instruction Fuzzy Hash: 80318122F0C68341FB64AB229431ABD63A1AF98344F484334ED7ED27EEDF2DA5419200

Function 00007FFDFF1D6BF0 Relevance: 6.3, APIs: 5, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,00007FFDFF1D69AC,?,?,?,?,?,?,?,?,?,?,00007FFDFF1D694A), ref: 00007FFDFF1D6C09
TlsGetValue.KERNEL32(?,?,?,?,00007FFDFF1D69AC,?,?,?,?,?,?,?,?,?,?,00007FFDFF1D694A), ref: 00007FFDFF1D6C2B
TlsGetValue.KERNEL32(?,?,?,?,00007FFDFF1D69AC,?,?,?,?,?,?,?,?,?,?,00007FFDFF1D694A), ref: 00007FFDFF1D6C74
TlsSetValue.KERNEL32(?,?,?,?,00007FFDFF1D69AC,?,?,?,?,?,?,?,?,?,?,00007FFDFF1D694A), ref: 00007FFDFF1D6C8F
HeapFree.KERNEL32(?,?,?,?,00007FFDFF1D69AC,?,?,?,?,?,?,?,?,?,?,00007FFDFF1D694A), ref: 00007FFDFF1D6CA5

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 748ec38de08cf74347156b979be811061d1f0e9ce42157d1a6afbf02d28d7dc0
Instruction ID: ac3cad008785449c828cb0e479d449fb8dbb82bf5052310bb431bd90babc67c2
Opcode Fuzzy Hash: 748ec38de08cf74347156b979be811061d1f0e9ce42157d1a6afbf02d28d7dc0
Instruction Fuzzy Hash: 31215C22F0D24645FB686B219870ABD2361EF44790F884638DD7EC77EEDE2CE9459200

Function 00007FFDFF1D6640 Relevance: 6.3, APIs: 5, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FFDFF1D6659
TlsGetValue.KERNEL32(00000000,?,?,?,00007FFDFF207546), ref: 00007FFDFF1D667B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FFDFF1D66CC
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FFDFF1D66E7
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00007FFDFF1D6715

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 647371fa815f160e084380a3322170dba1639890cc026436209bcda58d68c0b0
Instruction ID: f222cd035862dbc3b442cb8edb0ad3bacd3f9f55e3c9a15dd523a5c030fcc2c0
Opcode Fuzzy Hash: 647371fa815f160e084380a3322170dba1639890cc026436209bcda58d68c0b0
Instruction Fuzzy Hash: AD218127F0974641FB696B229871BBD23A1EF48784F484639C93DC37E9DF2CE8418200

Function 00007FFDFF1B5F45 Relevance: 6.3, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5F5E
HeapFree.KERNEL32 ref: 00007FFDFF1B5FD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8f2e022b5a13b178997417444c556ffc790e6e4c1c02ec9b1f1ec5ba35d00e55
Instruction ID: 4107df6adc13ec3c6c19752e3a02f713d5d4607c477c4c8ae1a0dd5531eff79c
Opcode Fuzzy Hash: 8f2e022b5a13b178997417444c556ffc790e6e4c1c02ec9b1f1ec5ba35d00e55
Instruction Fuzzy Hash: 7521CC22F0C68181E724EB16E4757EA6391EF95784F880236EA7DC66EEDF2CE445C740

Function 00007FFDFF1B5D30 Relevance: 6.3, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5D4F
HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5dcb8b1b1b055337957f60ec3d89fa83330e4122e760f0e77dc5f47e5136adb2
Instruction ID: caa4c90b3333bd30f4441ff5c2ae3903eeb0b576e96e3c290fc844cd768b33bf
Opcode Fuzzy Hash: 5dcb8b1b1b055337957f60ec3d89fa83330e4122e760f0e77dc5f47e5136adb2
Instruction Fuzzy Hash: B621C922E0C58281E724E71294657AA5391EF84B84F894236EA7EC66EE9F3CE445C740

Function 00007FFDFF202EE4 Relevance: 6.3, APIs: 5, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF202F3B
HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: f075cbb6e37bf0b4f8a528bf882ea4d362e89f41f0dbbfeac2edd3197c0d22f0
Instruction ID: d2c5fd206c6c81b983673af4208669b6584fd97cfc91f82ef12a1c3a37b37602
Opcode Fuzzy Hash: f075cbb6e37bf0b4f8a528bf882ea4d362e89f41f0dbbfeac2edd3197c0d22f0
Instruction Fuzzy Hash: 2801AC12F0C68284EB34EB218875BFD1761EF85788F484632E53ECA6EE8F6CA5458341

Function 00007FFDFF202EF5 Relevance: 6.3, APIs: 5, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF202F3B
HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 523487da440fef8eff58d454bffd27798c91b43593e3f0a030bdd4b2f116fe82
Instruction ID: a445ac0160de6c27c290e319c2566d24dab2f809e59248fc330aa409f8771506
Opcode Fuzzy Hash: 523487da440fef8eff58d454bffd27798c91b43593e3f0a030bdd4b2f116fe82
Instruction Fuzzy Hash: 51019A12F0868284EB34EB218875BFD1761EF85784F884632E53ECA6EECF6CA5458341

Function 00007FFDFF202F0B Relevance: 6.3, APIs: 5, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF202F3B
HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: bd85eee10e6b2b5acff7177fd9023e8838213d09a081b573d04e12af7397c435
Instruction ID: 1e7b3516b8de3ad23c1de677134ec1e8fb84ae23e83653df96d77f555f35801b
Opcode Fuzzy Hash: bd85eee10e6b2b5acff7177fd9023e8838213d09a081b573d04e12af7397c435
Instruction Fuzzy Hash: BBF0BB12F0868284EB34EB218875BFD1751EF85788F484632E53ECA6EE8F6CA5858341

Function 00007FFDFF202F18 Relevance: 6.3, APIs: 5, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF202F3B
HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 03a047a88813e1780a580047c99208fa107029d63280c70ddd0ed40ba63df692
Instruction ID: d8f66b172528295ae26d198247dafc00ed3c85b0f3340b07759797c2d1bc6758
Opcode Fuzzy Hash: 03a047a88813e1780a580047c99208fa107029d63280c70ddd0ed40ba63df692
Instruction Fuzzy Hash: 63F0CD12F0868244EB34EB218875BFC1761EF85784F884632E53ECA6EECF6CA585C341

Function 00007FFDFF202F30 Relevance: 6.3, APIs: 5, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF202F3B
HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 3d311f52a470369b030e31f32c5d74bd1b63e64cf6a834aaf081ac354adfeaba
Instruction ID: f06639e3f8f6026456766b793613b5d369856654c9237025f60e61e63689c232
Opcode Fuzzy Hash: 3d311f52a470369b030e31f32c5d74bd1b63e64cf6a834aaf081ac354adfeaba
Instruction Fuzzy Hash: ADF0BB12F0868244EB34EB218875BFD1751EF85784F484632E53ECA6EE8F6CA5858341

Function 00007FFDFF1B1010 Relevance: 6.1, APIs: 4, Instructions: 107sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFDFF1B1055
_amsg_exit.MSVCRT ref: 00007FFDFF1B1083

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 7a6858b4a111024a6cc5377d0223c21af8fa8804fcf8e0753f5f945e2038adf5
Instruction ID: e82574c2b0791977c51a316931e9bbc7725b648bfdb7040cc322989417b7bec0
Opcode Fuzzy Hash: 7a6858b4a111024a6cc5377d0223c21af8fa8804fcf8e0753f5f945e2038adf5
Instruction Fuzzy Hash: 15414832F0D64685F7219B66E8A0B7923A2AF44788F594235DE3CE73D8DF2DE8419340

Function 00007FFDFF1DA9C0 Relevance: 6.1, APIs: 4, Instructions: 67memoryfileCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DAA0C
HeapFree.KERNEL32 ref: 00007FFDFF1DAA25
UnmapViewOfFile.KERNEL32 ref: 00007FFDFF1DAA47
CloseHandle.KERNEL32 ref: 00007FFDFF1DAA4F

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseFileHandleUnmapView
String ID:
API String ID: 238406573-0
Opcode ID: 6e9d08601aada3ebda142bf5451b6c79b2a3b1d46f3cf5d7e8f41b57147b1daa
Instruction ID: ec66b4218cc638e0a6dcf9321b9fac381672a0ee909ac89abd497cb889f11e14
Opcode Fuzzy Hash: 6e9d08601aada3ebda142bf5451b6c79b2a3b1d46f3cf5d7e8f41b57147b1daa
Instruction Fuzzy Hash: B0212F13F0964191E729DA169564BBD6760EB48794F4D4372DE7D862DADF3CE4C38300

Function 00007FFDFF202FC0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,?,?,?), ref: 00007FFDFF202FE8
GetLastError.KERNEL32(?,?,?,?), ref: 00007FFDFF203041
CloseHandle.KERNEL32(?,?,?,?), ref: 00007FFDFF203082
CloseHandle.KERNEL32(?,?,?,?), ref: 00007FFDFF20308A

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$CreateErrorEventLast
String ID:
API String ID: 3743700123-0
Opcode ID: 09aafb2f2a13753dac2855e7ee686a30df7e55715b2e5e4ad83259d5d6819a2e
Instruction ID: d55540a99065c5f68596268ef2bd0beacb5630cbe6e405a40862dcae530ded85
Opcode Fuzzy Hash: 09aafb2f2a13753dac2855e7ee686a30df7e55715b2e5e4ad83259d5d6819a2e
Instruction Fuzzy Hash: 0B116023B0974146F7299B22A5617792650EB88790F184234DE7DC7BDAEF3CA5E28300

Function 00007FFDFF1F79B5 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1F7A49

Strings

mluf, xrefs: 00007FFDFF1F7A21
RUST_BACKTRACElibrary\std\src\env.rs, xrefs: 00007FFDFF1F79B5
lluf, xrefs: 00007FFDFF1F7A2A

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID: RUST_BACKTRACElibrary\std\src\env.rs$lluf$mluf
API String ID: 3298025750-2275200021
Opcode ID: 99de367703d15cd714de64103d7c739dd0f4992637ccbe406c41fe0e699d4e92
Instruction ID: cfdd89d01d048897c7e1869f6180f723447558b2bafcc2e326eb4a9dff1251df
Opcode Fuzzy Hash: 99de367703d15cd714de64103d7c739dd0f4992637ccbe406c41fe0e699d4e92
Instruction Fuzzy Hash: AF01002BF0D28385FB14CB7584B0BB827119B40748F490636C93E977D8DF6DA2898311

Function 00007FFDFF1FB612 Relevance: 6.0, APIs: 4, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1FB626
HeapFree.KERNEL32 ref: 00007FFDFF1FB663
FreeEnvironmentStringsW.KERNEL32 ref: 00007FFDFF1FB6C7
CloseHandle.KERNEL32 ref: 00007FFDFF1FB75C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: Free$Heap$CloseEnvironmentHandleStrings
String ID:
API String ID: 2554599491-0
Opcode ID: 9640f53210c7b52cd9f8d9e54cffecb3ac057683ed2e7fda180f5fc9af32cfe1
Instruction ID: cf04741377c5807d12f560e664395a6cc3d77097c2ad57fe026bf8e29871bf03
Opcode Fuzzy Hash: 9640f53210c7b52cd9f8d9e54cffecb3ac057683ed2e7fda180f5fc9af32cfe1
Instruction Fuzzy Hash: 7AF0FB16F0CAC784EB34EB128875ABE1351EF84B94F484231D93ECA6FEDF28A5418601

Function 00007FF600E16650 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FF600E166B8
QueryPerformanceCounter.KERNEL32 ref: 00007FF600E166C8

Strings

@, xrefs: 00007FF600E16697

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID: @
API String ID: 774501991-2766056989
Opcode ID: e099399b4bba6a206bd73a69b740a9bbcdb50347600655b0d4b5bd40480757c9
Instruction ID: 0c2911e5826d38cef950ee8f66542a2d9d0e4130c3bf39dd542222983313d4f3
Opcode Fuzzy Hash: e099399b4bba6a206bd73a69b740a9bbcdb50347600655b0d4b5bd40480757c9
Instruction Fuzzy Hash: F741A471608B46A5EB14DB12E814BAAB7A5FB89BC0F618131EE8ED7758DF3CE445C700

Function 00007FFDFF1C0840 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FFDFF20BB7B

Strings

CCG , xrefs: 00007FFDFF20BB76
TSUR, xrefs: 00007FFDFF1C086E

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: ExceptionRaise
String ID: CCG $TSUR
API String ID: 3997070919-2088351922
Opcode ID: ce616d5934e710458d62c4a5e38894ff4846d75723d4c3057a09a05fa28419c4
Instruction ID: 1f695a3a632e05b88b49aab4ef6e433b7b1ca9f4723604d6ebc0082dc72930b9
Opcode Fuzzy Hash: ce616d5934e710458d62c4a5e38894ff4846d75723d4c3057a09a05fa28419c4
Instruction Fuzzy Hash: 8821C323F18A8686E714AB5198207B82760FBD9B40F559335EE7D837D5EF2CD1958700

Function 00007FF600EA439C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(00007FF600EA355F,?,?,?,?,00007FF600EA0CDF), ref: 00007FF600EA43EC
RaiseException.KERNEL32(00007FF600EA355F,?,?,?,?,00007FF600EA0CDF), ref: 00007FF600EA442D

Strings

csm, xrefs: 00007FF600EA441A

Memory Dump Source

Source File: 00000004.00000002.3096409227.00007FF600D51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF600D50000, based on PE: true

Associated: 00000004.00000002.3096365307.00007FF600D50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FC9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FD3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3096881320.00007FF600FE3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097148530.00007FF601035000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097240650.00007FF601036000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097274982.00007FF601037000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601044000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097363246.00007FF601049000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097489667.00007FF601054000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097568999.00007FF60106D000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097632343.00007FF60106F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097701660.00007FF601070000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3097759273.00007FF601071000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff600d50000_msedgewebview2.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0f6f5aab5b9c0bcbb602c08630281df54c19691ace711ec3f4508fe3375f2d53
Instruction ID: 2ed48859d176712d8df8daf6cfeea654debfe16116f0532b733ac987d0a26658
Opcode Fuzzy Hash: 0f6f5aab5b9c0bcbb602c08630281df54c19691ace711ec3f4508fe3375f2d53
Instruction Fuzzy Hash: 2A115B32608B4182EB218B15F40026977E4FB8CB94F694231DBCD47B98DF7CD961CB00

Function 00007FFDFF1D03E0 Relevance: 5.2, APIs: 4, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,00007FFDFF1D033B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFF1D04EC
HeapFree.KERNEL32(?,?,?,00007FFDFF1D033B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFF1D05D4
HeapFree.KERNEL32(?,?,?,00007FFDFF1D033B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFF1D069F
HeapFree.KERNEL32(?,?,?,00007FFDFF1D033B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFF1D071C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d3da0ccef5b28666f5925e49e8291ba41b0b372db1ee40d32c972a4e5e7034d4
Instruction ID: c2f010e5d3537dbf074708e1003ba7469dec51be5eaaa93733dfd99960bd14b6
Opcode Fuzzy Hash: d3da0ccef5b28666f5925e49e8291ba41b0b372db1ee40d32c972a4e5e7034d4
Instruction Fuzzy Hash: A0716BA3F09B8581EB559B129460BBD67A0BFA5BE0F484336DE3D573D9DF38A5808300

Function 00007FFDFF1E6900 Relevance: 5.2, APIs: 4, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,00007FFDFF1E6896), ref: 00007FFDFF1E69FC
HeapFree.KERNEL32(?,?,?,?,00007FFDFF1E6896), ref: 00007FFDFF1E6AE4
HeapFree.KERNEL32(?,?,?,?,00007FFDFF1E6896), ref: 00007FFDFF1E6C02
HeapFree.KERNEL32(?,?,?,?,00007FFDFF1E6896), ref: 00007FFDFF1E6C2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c56f213a2c46c99bad4175adfeaf617cf962afcb7cad8e3978e7a63cd4d1ef28
Instruction ID: 6bea9f999c5c9d84612ceb03793f939fd52e94eaf0f09f17b6a74b1edcfcec27
Opcode Fuzzy Hash: c56f213a2c46c99bad4175adfeaf617cf962afcb7cad8e3978e7a63cd4d1ef28
Instruction Fuzzy Hash: 35716CA3F19B4581EB549B069860BB967A0FB55BE4F888332DE3D473D9DF38A591C300

Function 00007FFDFF1E63B0 Relevance: 5.2, APIs: 4, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,00007FFDFF1DA935,?,00007FFDFF1E6336), ref: 00007FFDFF1E64AC
HeapFree.KERNEL32(?,?,00007FFDFF1DA935,?,00007FFDFF1E6336), ref: 00007FFDFF1E6594
HeapFree.KERNEL32(?,?,00007FFDFF1DA935,?,00007FFDFF1E6336), ref: 00007FFDFF1E66B2
HeapFree.KERNEL32(?,?,00007FFDFF1DA935,?,00007FFDFF1E6336), ref: 00007FFDFF1E66DC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 64f3e2e7e1d29491e44c2c2d5edef822e9774029c70c08a2961a66ba1e57c605
Instruction ID: ec7bad7cfbb42a7d67db2fce279e23482fd4059c52a975349eb29f947547cd84
Opcode Fuzzy Hash: 64f3e2e7e1d29491e44c2c2d5edef822e9774029c70c08a2961a66ba1e57c605
Instruction Fuzzy Hash: 93716EA3F19B4581DB549B02D460BF96791BB59BE4F888331DA3D473D9DF38E4948300

Function 00007FFDFF2024E0 Relevance: 5.2, APIs: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDFF2025E4
memcpy.MSVCRT ref: 00007FFDFF2025FD
memcpy.MSVCRT ref: 00007FFDFF202681
HeapFree.KERNEL32 ref: 00007FFDFF2027B9

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: 7408da389cc62de15cdbf28d03c6a1c343b2220792d7d54e617a01770f75db06
Instruction ID: a50f5be6ac1992987dedd0fb052003818aec0c7fdc49384a9fd088f3ec7289b1
Opcode Fuzzy Hash: 7408da389cc62de15cdbf28d03c6a1c343b2220792d7d54e617a01770f75db06
Instruction Fuzzy Hash: E371D322B04BD582E7019F24E8157F963A4FF54788F485236EF6D936A9EF38E295C300

Function 00007FFDFF1EFBE3 Relevance: 5.1, APIs: 4, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1EFC42
HeapFree.KERNEL32 ref: 00007FFDFF1EFC61

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 158bcffbfadd7facc714b648e70e716548a84815923cc62af2668e7051903eb0
Instruction ID: eb0105f3511bb94837d87cae91764a8e1fcf6b94a09eb432bc65890f0f7b0c0b
Opcode Fuzzy Hash: 158bcffbfadd7facc714b648e70e716548a84815923cc62af2668e7051903eb0
Instruction Fuzzy Hash: 22411B23F08A8589FB649B62D860BF927A1EB94788F444236DA3D876DDCF3CA545C300

Function 00007FFDFF1DF444 Relevance: 5.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF47F
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4f9ffcdbe65ced747dbbbabc06d50595e3e4280e7050ab5aa28799dea5bf2aca
Instruction ID: abd87a0e6e006f05fae859796acf99ed402f0418bf02698581bd70d1ef5a55d3
Opcode Fuzzy Hash: 4f9ffcdbe65ced747dbbbabc06d50595e3e4280e7050ab5aa28799dea5bf2aca
Instruction Fuzzy Hash: 5A411D16F09B8584FB209B25D8607FC23A1EB98B48F884236CA7D877D9DF3CA645C300

Function 00007FFDFF1DF271 Relevance: 5.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF587
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0b1e4a3cd404bea86f781876e3da708f4f624fbfb3550a49b62d53791c1919dc
Instruction ID: b12ae5850f5570bb5aea5117f0b9161f7ea4b1093a0352bd0d2a4895d766f120
Opcode Fuzzy Hash: 0b1e4a3cd404bea86f781876e3da708f4f624fbfb3550a49b62d53791c1919dc
Instruction Fuzzy Hash: 81410A17F09B8584FB249B65D861BFC2361EB84744F844236DA7D86BE9DF7CA641C300

Function 00007FFDFF1DD690 Relevance: 5.1, APIs: 4, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9e0cd9e9151a0fd929f3df473d0dde1175908c3a452089df11cb28012acafeb0
Instruction ID: be789bf812d85b22a2c9edf4b195041632015e6bdcb892fdcbe143d05996fe8e
Opcode Fuzzy Hash: 9e0cd9e9151a0fd929f3df473d0dde1175908c3a452089df11cb28012acafeb0
Instruction Fuzzy Hash: D5411C22E08B8585EBB49F25C8607ED37A0EB45B58F444636CA3D8B6DCDF3CE5429741

Function 00007FFDFF1DF27F Relevance: 5.1, APIs: 4, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1E5630: HeapFree.KERNEL32(?,?,?,?,00007FFDFF1DA935,?,?,00007FFDFF1EC385,?,?,?,00007FFDFF1DF75C,?,?,?,?), ref: 00007FFDFF1E567C
Part of subcall function 00007FFDFF1E5630: HeapFree.KERNEL32(?,?,?,?,00007FFDFF1DA935,?,?,00007FFDFF1EC385,?,?,?,00007FFDFF1DF75C,?,?,?,?), ref: 00007FFDFF1E568F
Part of subcall function 00007FFDFF1E5630: HeapFree.KERNEL32(?,?,?,?,00007FFDFF1DA935,?,?,00007FFDFF1EC385,?,?,?,00007FFDFF1DF75C,?,?,?,?), ref: 00007FFDFF1E56CC

HeapFree.KERNEL32 ref: 00007FFDFF1DF587
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6398b163fbff243dacce19293a57bdff1145a7ac6c975c3fe937d01e056e963f
Instruction ID: aa9f4363e7d29aa3fd22c59d62ff226163d301ac7b99cd53e9cfa503ab5218f0
Opcode Fuzzy Hash: 6398b163fbff243dacce19293a57bdff1145a7ac6c975c3fe937d01e056e963f
Instruction Fuzzy Hash: 3D410B17F09B8588FB249B65D8617FC2361EB84744F844236CA7D86BE9DF7CA655C300

Function 00007FFDFF1DF278 Relevance: 5.1, APIs: 4, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF587
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c2024bbb9709f1814c1c9a77e9f6afd4a8796ce2635cbde07b84155f171ea8db
Instruction ID: 0f0a4afdff5e343ec8122190c4318505cf2d8cef956e848f4523cfc3223dd7e5
Opcode Fuzzy Hash: c2024bbb9709f1814c1c9a77e9f6afd4a8796ce2635cbde07b84155f171ea8db
Instruction Fuzzy Hash: DA410A17F09B8584FB249B65D861BFC2361EB88744F884236CA7D86BE9DF7CA641C300

Function 00007FFDFF1DF25D Relevance: 5.1, APIs: 4, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF587
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 067785e98ca60c08406f54bde3466dfe3a64ca6d71eafa823704a090f7fda234
Instruction ID: ad5934dece2a903bc6789c468954e83cf67325feacb2f38b02cb60a7ad325ec0
Opcode Fuzzy Hash: 067785e98ca60c08406f54bde3466dfe3a64ca6d71eafa823704a090f7fda234
Instruction Fuzzy Hash: 7241FB17F09B8584FB249B65D8617FC2361EB94748F884236CA7D86BE9DF7CA645C300

Function 00007FFDFF1DF37B Relevance: 5.1, APIs: 4, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF587
HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 03d2e09cb5ad5f42da9ba985daa5ece4e775708236b991982a193b578a920ee6
Instruction ID: 1583d9adadc376120ae49670575d2f5954336596a26d8504b501b5e0b555c8fb
Opcode Fuzzy Hash: 03d2e09cb5ad5f42da9ba985daa5ece4e775708236b991982a193b578a920ee6
Instruction Fuzzy Hash: 7841EB17F09B8584FB249B65D8617FC2361EB84B44F884236CA7D86BE9DF7CA651C700

Function 00007FFDFF1E2810 Relevance: 5.1, APIs: 4, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1E28F9
HeapFree.KERNEL32 ref: 00007FFDFF1E2918
HeapFree.KERNEL32 ref: 00007FFDFF1E2945
memcpy.MSVCRT ref: 00007FFDFF1E2A2C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 67ee343ecabcf816c14570db30fd487d7031c2c42f4856d3ceac0912aaa11ec8
Instruction ID: 9ea07c620acd5e1047d53a4370658beb5c020a4383ec93a04a6d6a0f737b5c3b
Opcode Fuzzy Hash: 67ee343ecabcf816c14570db30fd487d7031c2c42f4856d3ceac0912aaa11ec8
Instruction Fuzzy Hash: 82418363A08BC495E7629F29D8517E823B0FB98798F149222DFAC47795EF34D2D6C300

Function 00007FFDFF1DF3DA Relevance: 5.1, APIs: 4, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF407
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a60d2ed675696a77582077a6b025a48e86fd7e984e53490c33931313f0ba4539
Instruction ID: 38698e90df1ae6224c64827c9d16971f4814a51c7226fd5dc6acd9164aa34b46
Opcode Fuzzy Hash: a60d2ed675696a77582077a6b025a48e86fd7e984e53490c33931313f0ba4539
Instruction Fuzzy Hash: 7441FF26F08B8584EB64DB65D8617FC2365EB84B48F484236DA7D877E9DF3C9645C300

Function 00007FFDFF1DF4CF Relevance: 5.1, APIs: 4, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c3f6f91f2cfefc38d1dd9f41bea9a625a110087332fcf3cbba6f9faf75973dca
Instruction ID: 3c0998a30e9234fe9ff10d6f499b61dce21c36630c9eab39291b5cffb272e94f
Opcode Fuzzy Hash: c3f6f91f2cfefc38d1dd9f41bea9a625a110087332fcf3cbba6f9faf75973dca
Instruction Fuzzy Hash: F0410C2AF09B8584FB249B65D8617FC2361EB88B44F884236CA6D977E9DF7C9651C300

Function 00007FFDFF1DF3BD Relevance: 5.1, APIs: 4, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DF5D9
HeapFree.KERNEL32 ref: 00007FFDFF1DF616
HeapFree.KERNEL32 ref: 00007FFDFF1DF64A
HeapFree.KERNEL32 ref: 00007FFDFF1DF662

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 05dfb6c6206b45a8594ffc8712356b135e58ccc07ede374e2e282b4b2303c70c
Instruction ID: 1714372ffb56c66d9c95b40f4eeeac8b7482ae5898d202779d1b15006fee2612
Opcode Fuzzy Hash: 05dfb6c6206b45a8594ffc8712356b135e58ccc07ede374e2e282b4b2303c70c
Instruction Fuzzy Hash: E641F82AF09B8584FB249B65D8617FC2361EB88B44F884236CA6D977E9DF7C9651C300

Function 00007FFDFF1DD7B8 Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF
memcpy.MSVCRT ref: 00007FFDFF1DDF83
HeapFree.KERNEL32 ref: 00007FFDFF1DDF94

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 203dfa3da7f380c43157f7a49de0f6000d9bcbe515633572d8ecfb1985b28732
Instruction ID: 5dd84da11e7f2ed281d74750e2d9abb9a859addcf416ad78762ebe6330bee49a
Opcode Fuzzy Hash: 203dfa3da7f380c43157f7a49de0f6000d9bcbe515633572d8ecfb1985b28732
Instruction Fuzzy Hash: F3319063F086C685EB759B2A8864BFC27A1EB85798F448332D93D466DDDF3C9442D340

Function 00007FFDFF1DD729 Relevance: 5.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF
memcpy.MSVCRT ref: 00007FFDFF1DDF83
HeapFree.KERNEL32 ref: 00007FFDFF1DDF94

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 40f6f7db8463019ad53cc951d77d748c244ca87c8fed7663def7dff9cf4ccf73
Instruction ID: 4a2b7a08e9f08643cd8fc7c51b93a7a7cc86b2c71e6b5ecb557a1f7c380f7429
Opcode Fuzzy Hash: 40f6f7db8463019ad53cc951d77d748c244ca87c8fed7663def7dff9cf4ccf73
Instruction Fuzzy Hash: 1F317063F08A8685EB749B268864BFC2761EB45788F448632D93D876DDDF3CE446D340

Function 00007FFDFF1DD2C6 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c4afbb92dbedabcc1b83b4d9ce57f9e39efc2a60305a8a67e045839e0f8192d8
Instruction ID: 548cadb5f0875bfcd53b08398d8b1918fda46b2435e114cf8205777e881eac9a
Opcode Fuzzy Hash: c4afbb92dbedabcc1b83b4d9ce57f9e39efc2a60305a8a67e045839e0f8192d8
Instruction Fuzzy Hash: BC318F23F0878685EBB49B268864BFC27A1EB44748F544632D93D866D8DF3DA486D300

Function 00007FFDFF1DD712 Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF
memcpy.MSVCRT ref: 00007FFDFF1DDF83
HeapFree.KERNEL32 ref: 00007FFDFF1DDF94

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 5557bbdf9161e23a7454bac459f8b31d38cf2f445c8708a97a76ae444007d92b
Instruction ID: a9d3fe49bd2a9b3b26216b8d56e73ce3231a1f853ead9e557f1e2bf935c0b9fa
Opcode Fuzzy Hash: 5557bbdf9161e23a7454bac459f8b31d38cf2f445c8708a97a76ae444007d92b
Instruction Fuzzy Hash: 8B212F62F08A4685EB749B268464BFD2361EF45758F444732D93D866DCDF3CA486D340

Function 00007FFDFF1DD6E8 Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF
memcpy.MSVCRT ref: 00007FFDFF1DDF83
HeapFree.KERNEL32 ref: 00007FFDFF1DDF94

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: a8c13b65cea9d356ea16b8514db902aa4dcba5185f55f5f24989ed4d58ca6426
Instruction ID: 2f0aded1c58e506bb89e01ee6fff78f5ff74405e3d1b961fc7da0e59581bd72a
Opcode Fuzzy Hash: a8c13b65cea9d356ea16b8514db902aa4dcba5185f55f5f24989ed4d58ca6426
Instruction Fuzzy Hash: 83215163F08A8684EB659B268874BFD2361EF45748F848632D93D866DDDF3CE446D340

Function 00007FFDFF1DD6FC Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF
memcpy.MSVCRT ref: 00007FFDFF1DDF83
HeapFree.KERNEL32 ref: 00007FFDFF1DDF94

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 07c3f79239ddffe42480303ab468d0793f2cb290f724fc6465e7ba09de79d166
Instruction ID: cfa7d3f5bca22b2645aa7a791f1062efde4c5748dc8b12689237c51aa0970545
Opcode Fuzzy Hash: 07c3f79239ddffe42480303ab468d0793f2cb290f724fc6465e7ba09de79d166
Instruction Fuzzy Hash: FE213062F08A4685EB749B268874BFD2361EF45758F444732D93D866DCDF3CE4469340

Function 00007FFDFF1DD851 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF
memcpy.MSVCRT ref: 00007FFDFF1DDF83
HeapFree.KERNEL32 ref: 00007FFDFF1DDF94

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 4abee7d5d64f7d3a415186a1935c1990f1fc296d168f87e70dc8bc6e15aed684
Instruction ID: 94628131a8eb5bd8d9fd3808ddc6a2a264da27b250adcee437f34ede8b6f4039
Opcode Fuzzy Hash: 4abee7d5d64f7d3a415186a1935c1990f1fc296d168f87e70dc8bc6e15aed684
Instruction Fuzzy Hash: D4215123F0868685EB749B268474BFC2361EB45768F444732D93E866DCDF3CE4869340

Function 00007FFDFF1DD6E0 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2e61da2eb2248dc83792848431cd5ac26fcf5439949884c105f8ef1e77e62fd7
Instruction ID: 79278eb6c930783372ddf52d09fc39ad01b9afe24aff5cdb472cf2b1f4076326
Opcode Fuzzy Hash: 2e61da2eb2248dc83792848431cd5ac26fcf5439949884c105f8ef1e77e62fd7
Instruction Fuzzy Hash: EB211022F08A8685EB649B268874BFD2361EF45748F944632D93D866DDDF3CE446D340

Function 00007FFDFF1DCFAC Relevance: 5.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6228adb6785208c8780ed4afb107c2628e135c0ea8acf4d1a3f0e252b296a178
Instruction ID: 14c9807fb6e54fcf69a6f2a2127f08d1e6f943e2df0f4ebaba3516d154cda5eb
Opcode Fuzzy Hash: 6228adb6785208c8780ed4afb107c2628e135c0ea8acf4d1a3f0e252b296a178
Instruction Fuzzy Hash: 92212E22F08B8684EBB49F268874BFC23A1EB45748F544632D93D866DDDF3DA486D340

Function 00007FFDFF1DD283 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cdaf69e7d2ef374fe4f6d13058f57039585728060fcc19a93959682507387012
Instruction ID: 50f09a6c708bf4dde6381531f2dd35c9c4c2617c3db9899d04b037e5c9fc8d50
Opcode Fuzzy Hash: cdaf69e7d2ef374fe4f6d13058f57039585728060fcc19a93959682507387012
Instruction Fuzzy Hash: 91212123F08B8685EB749F26C864BFD23A1EB45748F444632D93D866DDDF3DA4869340

Function 00007FFDFF1DD799 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1DDD8A
HeapFree.KERNEL32 ref: 00007FFDFF1DDDA3
HeapFree.KERNEL32 ref: 00007FFDFF1DDDBC
HeapFree.KERNEL32 ref: 00007FFDFF1DDDDF

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4be58199294a5fc3a0047ffa0208aa800a139b1e4565b298b80a31e54962b60d
Instruction ID: ec9112b0e25e5157c7d86e4f90039e07486cefde7a2ab1fa0586d9041f801240
Opcode Fuzzy Hash: 4be58199294a5fc3a0047ffa0208aa800a139b1e4565b298b80a31e54962b60d
Instruction Fuzzy Hash: C4215E22F0868684EB759B268874BFD2761EB85758F484332D93D866DDDF3CA486D340

Function 00007FFDFF1B5F79 Relevance: 5.0, APIs: 4, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1B19E0: HeapFree.KERNEL32 ref: 00007FFDFF1B1A1D

Part of subcall function 00007FFDFF20BB90: RtlCaptureContext.NTDLL ref: 00007FFDFF20BC22
Part of subcall function 00007FFDFF20BB90: RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BC5F
Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BC65
Part of subcall function 00007FFDFF20BB90: RaiseException.KERNEL32 ref: 00007FFDFF20BCA2

HeapFree.KERNEL32 ref: 00007FFDFF1B5FD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CaptureContextExceptionRaiseUnwindabort
String ID:
API String ID: 390735245-0
Opcode ID: 974bb72df1af5c06c83b5b03a4570bd83dccb0df6c2662da9c167491d22d3cb2
Instruction ID: 8d7cb98ec6d0c47f607af022ac32d7958af54e98271bc0c6f014aa5a7927e415
Opcode Fuzzy Hash: 974bb72df1af5c06c83b5b03a4570bd83dccb0df6c2662da9c167491d22d3cb2
Instruction Fuzzy Hash: 8F21A822B0C68181E724EB16E4657EA6391EF85784F880236EA7DC66EEDF2CE445C740

Function 00007FFDFF1B5DED Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF1F5100: HeapFree.KERNEL32(?,?,?,?), ref: 00007FFDFF1F514C

Part of subcall function 00007FFDFF20BB90: RtlCaptureContext.NTDLL ref: 00007FFDFF20BC22
Part of subcall function 00007FFDFF20BB90: RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BC5F
Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BC65
Part of subcall function 00007FFDFF20BB90: RaiseException.KERNEL32 ref: 00007FFDFF20BCA2

HeapFree.KERNEL32 ref: 00007FFDFF1B5F2F
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CaptureContextExceptionRaiseUnwindabort
String ID:
API String ID: 390735245-0
Opcode ID: 937b8beb80115c3275c675492ddf9a4748e13ef6cf30560cd51afa8d36bbbd60
Instruction ID: 7e1adec405c7a7e662a80eaa4b3e6b6afcfadf1aa97e0cfeb4bcaae0be213635
Opcode Fuzzy Hash: 937b8beb80115c3275c675492ddf9a4748e13ef6cf30560cd51afa8d36bbbd60
Instruction Fuzzy Hash: 3011C922F0C58181E725E712D4757AAA791EF85B84F880236EA7EC66EEDF3CE445C740

Function 00007FFDFF1B5F65 Relevance: 5.0, APIs: 4, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF1B5FD2
HeapFree.KERNEL32 ref: 00007FFDFF1B5FF6
HeapFree.KERNEL32 ref: 00007FFDFF1B6009
HeapFree.KERNEL32 ref: 00007FFDFF1B602C

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b92d28ae7846d3ae64757a80e9f499f1e1f864708ca56736c3f4856fbdc78461
Instruction ID: 429c8702c79bf805f7f87c391584ee58b87c9cee74ff59d5a8bfe124c04c9c66
Opcode Fuzzy Hash: b92d28ae7846d3ae64757a80e9f499f1e1f864708ca56736c3f4856fbdc78461
Instruction Fuzzy Hash: 8C11EF22B0C68181E724E716E4657EA6391EFC9784F884236DA7DC66EDDF3CD445C740

Function 00007FFDFF1B1920 Relevance: 5.0, APIs: 4, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF1B192E
HeapFree.KERNEL32 ref: 00007FFDFF1B1971
HeapFree.KERNEL32 ref: 00007FFDFF1B1989
HeapFree.KERNEL32 ref: 00007FFDFF1B19A3

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 47beff361a7016510e6482b0399fa7114c6e678aca699df9604a878c8033f4fa
Instruction ID: c79e73c68c8e5f70a08628781464cc4df8e1039790e9a4e30d828dea248d7488
Opcode Fuzzy Hash: 47beff361a7016510e6482b0399fa7114c6e678aca699df9604a878c8033f4fa
Instruction Fuzzy Hash: BD011B27F0868381FB249B279574BBD1351AB88788F594232DB7DA63D9DF3CE4968300

Function 00007FFDFF202EDD Relevance: 5.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF2031CA
Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF2031D3

Part of subcall function 00007FFDFF2030A0: HeapFree.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF203230
Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF203241
Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF20324A
Part of subcall function 00007FFDFF2030A0: HeapFree.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF20325C

HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 5d323919b5580d38be7eed752043bd3eaf73db904c3a2a8baf6ce1d2a95ff6d0
Instruction ID: 75e6823a4fc51184fbbb710968ff53eeefda571e781482849ce2ffea5ce5a516
Opcode Fuzzy Hash: 5d323919b5580d38be7eed752043bd3eaf73db904c3a2a8baf6ce1d2a95ff6d0
Instruction Fuzzy Hash: 7A01EC12B0858244EB24EB31C875BFC1761EF85788F880232E53EC66EE8F2CE585C341

Function 00007FFDFF202F42 Relevance: 5.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF2031CA
Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF2031D3

Part of subcall function 00007FFDFF2030A0: HeapFree.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF203230
Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF203241
Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF20324A
Part of subcall function 00007FFDFF2030A0: HeapFree.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF20325C

HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: feda7e8ed015115c4593f38fe453994b2521cd6536051c130e2349f6982a6fda
Instruction ID: 75e6823a4fc51184fbbb710968ff53eeefda571e781482849ce2ffea5ce5a516
Opcode Fuzzy Hash: feda7e8ed015115c4593f38fe453994b2521cd6536051c130e2349f6982a6fda
Instruction Fuzzy Hash: 7A01EC12B0858244EB24EB31C875BFC1761EF85788F880232E53EC66EE8F2CE585C341

Function 00007FFDFF202F1A Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF2031CA
Part of subcall function 00007FFDFF2030A0: CloseHandle.KERNEL32(?,?,00000000,-8000000000000000,?,00000003,?,?,00007FFDFF202F50), ref: 00007FFDFF2031D3

HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 0ed71ea0263eb08d1fab25b516dcf43d65ab0e26a2db2f59876ce61ce2ba9b63
Instruction ID: 8d0f2c51834cd4a485c122b432e99fbddfa98f43291fd4130766c8a257fc4021
Opcode Fuzzy Hash: 0ed71ea0263eb08d1fab25b516dcf43d65ab0e26a2db2f59876ce61ce2ba9b63
Instruction Fuzzy Hash: C0F0CD12B0868244E774EB218875BFC1761EF85788F884632E53EC66EE8F2CE585C341

Function 00007FFDFF202F1F Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 80717a6d2849b242457c18e5807101e40b1cebb3273e8d5bcd1ff437358af1c4
Instruction ID: 04f2ee848952496d7830b82d7b6ad508471ba1c36872a8d71708c529c9a5bb7d
Opcode Fuzzy Hash: 80717a6d2849b242457c18e5807101e40b1cebb3273e8d5bcd1ff437358af1c4
Instruction Fuzzy Hash: 6FF0CD12F0868284EB34EB218875BFD1761EF85788F484232E53ECA6EE8F6CE545C341

Function 00007FFDFF202EDF Relevance: 5.0, APIs: 4, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFDFF202F73
HeapFree.KERNEL32 ref: 00007FFDFF202F92
CloseHandle.KERNEL32 ref: 00007FFDFF202FA3
CloseHandle.KERNEL32 ref: 00007FFDFF202FAC

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 6ded60c8fdec2acbce477e07da216e7172d79279870f0136a2d51ac420f81b80
Instruction ID: 9c853304ea42bca074e5f3740aed55b8d83913e636f03b456e06d5aca8e361ac
Opcode Fuzzy Hash: 6ded60c8fdec2acbce477e07da216e7172d79279870f0136a2d51ac420f81b80
Instruction Fuzzy Hash: 48F09C16B0868244EB34EB218875BFD1761EF85788F484636E53ECA6EE8F6CA585C341

Function 00007FFDFF1FF4D1 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF1FF4DC
CloseHandle.KERNEL32 ref: 00007FFDFF1FF4E4
CloseHandle.KERNEL32 ref: 00007FFDFF1FF50A

Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BCB7

CloseHandle.KERNEL32 ref: 00007FFDFF1FF4ED

Part of subcall function 00007FFDFF20BB90: RtlCaptureContext.NTDLL ref: 00007FFDFF20BC22
Part of subcall function 00007FFDFF20BB90: RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BC5F
Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BC65
Part of subcall function 00007FFDFF20BB90: RaiseException.KERNEL32 ref: 00007FFDFF20BCA2

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$abort$CaptureContextExceptionRaiseUnwind
String ID:
API String ID: 2803952147-0
Opcode ID: d1af9469663f994219c1971fafe49392163632d6e4bd47c20482c2d77ad918fc
Instruction ID: caac82b35320e9cb63a8b2fbf99dce106fdce3e8eb4a8816efeab713f28d0e8c
Opcode Fuzzy Hash: d1af9469663f994219c1971fafe49392163632d6e4bd47c20482c2d77ad918fc
Instruction Fuzzy Hash: FEE07D12F0844649EB24FA6554717BC1B60BF85B81F481670ED3FC67EFCE2CA4458600

Function 00007FFDFF1FF3CE Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFDFF1FF4DC
CloseHandle.KERNEL32 ref: 00007FFDFF1FF4E4
CloseHandle.KERNEL32 ref: 00007FFDFF1FF50A

Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BCB7

CloseHandle.KERNEL32 ref: 00007FFDFF1FF4ED

Part of subcall function 00007FFDFF20BB90: RtlCaptureContext.NTDLL ref: 00007FFDFF20BC22
Part of subcall function 00007FFDFF20BB90: RtlUnwindEx.KERNEL32 ref: 00007FFDFF20BC5F
Part of subcall function 00007FFDFF20BB90: abort.MSVCRT ref: 00007FFDFF20BC65
Part of subcall function 00007FFDFF20BB90: RaiseException.KERNEL32 ref: 00007FFDFF20BCA2

Memory Dump Source

Source File: 00000004.00000002.3097882960.00007FFDFF1B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDFF1B0000, based on PE: true

Associated: 00000004.00000002.3097840370.00007FFDFF1B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098009317.00007FFDFF229000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098055942.00007FFDFF22A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098131403.00007FFDFF25E000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098204184.00007FFDFF25F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098267761.00007FFDFF260000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.3098338289.00007FFDFF263000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffdff1b0000_msedgewebview2.jbxd

Similarity

API ID: CloseHandle$abort$CaptureContextExceptionRaiseUnwind
String ID:
API String ID: 2803952147-0
Opcode ID: 2d1aee6d0d740ef199ad7ee89a18e86b782de8e99af04dcfe51f29699afc9d70
Instruction ID: 8ab0af404ae7d60d608df9747d4730b8457ba0cdb677827ea1b898d8495ccade
Opcode Fuzzy Hash: 2d1aee6d0d740ef199ad7ee89a18e86b782de8e99af04dcfe51f29699afc9d70
Instruction Fuzzy Hash: 73E07D12F0844645EB24FA6554717BC1B60BF85B81F5816B0ED3FC67EFCE2CA0458600

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4iogI3WCTh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GhostRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\9MCd.zip

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15atcwyf.z10.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1edmsvzq.kbv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3eapmcwe.fjj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kghojya.ym3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4edpade3.r1r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5kk0bmp5.cne.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bztiphio.jr5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eoxnsdtj.rbu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fmmpaidy.vlz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga1bcddm.ejo.psm1

Windows Analysis Report
4iogI3WCTh.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre