Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Analysis ID: 1510261
MD5: 45a5a443c01abd7618efef4827241312
SHA1: 5390d36a371f0598b86301961d5fdb329e368e7a
SHA256: d7f98b8af8a3bfe9d93ce31558a62e4d5d0cd425bc30bbc0d517901e5b82bf46
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Contains functionality to automate explorer (e.g. start an application)
Query firmware table information (likely to detect VMs)
Sigma detected: Explorer NOUACCHECK Flag
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (foreground window change detection)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses taskkill to terminate processes
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe (PID: 2300 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe" MD5: 45A5A443C01ABD7618EFEF4827241312)
    • taskkill.exe (PID: 2848 cmdline: "C:\Windows\system32\taskkill.exe" /f /im explorer.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1408 cmdline: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4076 cmdline: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • regsvr32.exe (PID: 4940 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • regsvr32.exe (PID: 5048 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • explorer.exe (PID: 1828 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 2980 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 2980, ProcessName: explorer.exe
Timestamp                       | SID     | Severity | Classtype               | Source IP   | Source Port | Destination IP | Destination Port | Protocol
2024-09-12T18:31:25.080721+0200 | 2803274 | 2        | Potentially Bad Traffic | 192.168.2.5 | 49711       | 140.82.121.3   | 443              | TCP

Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE4FE80 CreateFileW,GetLastError,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext,CloseHandle,10_2_00007FF8BEE4FE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145293156.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb source: explorer.exe, 0000000B.00000003.2234944578.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2332407476.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.2167375925.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2174577379.00000000023D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2178744483.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2176793588.00000000023D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb source: explorer.exe, 0000000B.00000003.2198671395.0000000002ED7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2192876585.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235994933.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2192876585.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2193206748.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235994933.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2204325725.0000000002F33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2381212820.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ExplorerPatcher.amd64.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host_stub.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145109319.000001BF13BA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145084872.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdbOGP source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145293156.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdby source: explorer.exe, 0000000B.00000003.2192876585.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_dwm.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144537598.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144601951.000001BF13BA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartUI.pdb source: explorer.exe, 0000000A.00000003.2166635686.00000000027EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2175731585.00000000023D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pcshell.pdb source: explorer.exe, 0000000B.00000003.2235994933.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2204325725.0000000002F33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2381212820.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: {"function" : "getkfmupsellstate", "args" : {}}.pdb source: explorer.exe, 0000000B.00000003.2377129178.000000000AF04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdbb source: explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb! source: explorer.exe, 0000000B.00000003.2192876585.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235994933.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb{ source: explorer.exe, 0000000B.00000003.2377129178.000000000AF04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\Win32\ExplorerPatcher.IA-32.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2143630593.000001BF13BB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2143599851.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.2165080505.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000000.2108533057.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb source: explorer.exe, 0000000B.00000003.2377129178.000000000AF04000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2383069605.0000000008B96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_gui.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144908523.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdbO source: explorer.exe, 0000000B.00000003.2235994933.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2204325725.0000000002F33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2381212820.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartUI.pdbH source: explorer.exe, 0000000A.00000003.2166635686.00000000027EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2175731585.00000000023D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdbUGP source: explorer.exe, 0000000A.00000003.2167375925.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2174577379.00000000023D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2178744483.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2176793588.00000000023D4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE2DB90 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,RegDeleteKeyValueW,RegDeleteKeyValueW,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,10_2_00007FF8BEE2DB90
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE45CF0 RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetSystemDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,RegDeleteValueW,RegCloseKey,10_2_00007FF8BEE45CF0
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE1CE30 CreateFileA,CreateFileMappingW,CloseHandle,MapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,PathRemoveFileSpecA,UnmapViewOfFile,CloseHandle,CloseHandle,FindFirstFileA,FindClose,DeleteFileA,UnmapViewOfFile,CloseHandle,CloseHandle,10_2_00007FF8BEE1CE30
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE73B58 FindFirstFileExW,10_2_00007FF8BEE73B58
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE1D920 GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,10_2_00007FF8BEE1D920
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE1DAC0 SHGetFolderPathW,FindFirstFileW,FindClose,10_2_00007FF8BEE1DAC0
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE452A0 RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryA,RegCloseKey,RegSetValueExW,RegSetValueExA,RegSetValueExW,RegCloseKey,10_2_00007FF8BEE452A0

Networking

Source: C:\Windows\explorer.exe | Network Connect: 140.82.121.3 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.108.133 443
Source: Joe Sandbox View | IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View | IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View | IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View | ASN Name: FASTLYUS FASTLYUS
Source: Joe Sandbox View | ASN Name: GITHUBUS GITHUBUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 140.82.121.3:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE50750 InternetOpenA,InternetOpenUrlA,InternetReadFile,SHGetFolderPathW,CreateDirectoryW,GetLastError,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,DeleteFileW,InternetCloseHandle,InternetCloseHandle,10_2_00007FF8BEE50750
Source: global traffic | HTTP traffic detected:
  GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1
  User-Agent: ExplorerPatcher
  Host: github.com
Source: global traffic | HTTP traffic detected:
  GET /valinet/ExplorerPatcher/releases/download/22621.3880.66.5_5094108/ep_setup.exe HTTP/1.1
  User-Agent: ExplorerPatcher
  Host: github.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /github-production-release-asset-2e65be/394318710/d0ea7754-53d3-4f5a-b870-915f924fbb56?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240912%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240912T163119Z&X-Amz-Expires=300&X-Amz-Signature=ccbd5355f6cdf8d7af2b5fc3c342d46db9d98756c5381b9b25100712ee9e2190&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=394318710&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream HTTP/1.1
  User-Agent: ExplorerPatcher
  Connection: Keep-Alive
  Host: objects.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: api.msn.com
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
Source: explorer.exe, 0000000B.00000003.2235545227.00000000089C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000B.00000003.2235545227.00000000089C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000B.00000003.2235545227.00000000089C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000B.00000003.2235545227.00000000089C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000B.00000003.2381500814.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2319396261.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2311117328.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2377129178.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2317412632.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2378964916.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2388978276.000000000AE96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 0000000B.00000003.2381500814.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2319396261.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2311117328.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2377129178.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2317412632.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2378964916.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2388978276.000000000AE96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft.co
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000000.2108533057.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1
Source: explorer.exe, 0000000B.00000003.2246946920.0000000008B81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2237543521.0000000008B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2294706642.0000000008B81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2383069605.0000000008B96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235377127.0000000008B81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000003.2167375925.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2174577379.00000000023D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2178744483.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2176793588.00000000023D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02xFeedsCNhttps://
Source: explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000B.00000003.2221710068.0000000008A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235545227.00000000089C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comO
Source: explorer.exe, 0000000B.00000003.2235377127.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235817392.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | String found in binary or memory: https://github.com/valinet
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | String found in binary or memory: https://github.com/valinet)
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher#donate
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/blob/master/CHANGELOG.md
Source: explorer.exe | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions
Source: explorer.exe | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions/1102
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions/1679
Source: explorer.exe | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/issues
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/issueshttps://github.com/valinet/ExplorerPatcher/discussi
Source: explorer.exe | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases
Source: explorer.exe, 0000000B.00000003.2246884263.0000000008C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/download/22621.3880.66.5_5094108/ep_setup.exe
Source: explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/download/22621.3880.66.5_5094108/ep_setup.exen
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest
Source: explorer.exe, 0000000B.00000003.2235377127.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259790641.0000000008C40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2247710864.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235968422.0000000008C52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235545227.00000000089C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235377127.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235817392.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2247687864.0000000008C40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2247710864.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2383069605.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2294706642.0000000008B81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2383069605.0000000008B96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235817392.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2237636676.0000000008C3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235771046.0000000008C3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2294706642.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235276763.0000000008C52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe
Source: explorer.exe, 0000000B.00000003.2247710864.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235377127.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2294706642.0000000008B81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2383069605.0000000008B96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235817392.0000000008BB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe04w
Source: explorer.exe, 0000000B.00000003.2235377127.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2237636676.0000000008C3D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235771046.0000000008C3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exeQ
Source: explorer.exe, 0000000B.00000003.2235377127.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235817392.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2247710864.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2383069605.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2294706642.0000000008BF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exeut
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/About-advanced-settings
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Configure-updates
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/ExplorerPatcher
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Frequently-asked-questions
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Settings-management
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Simple-Window-Switcher
Source: explorer.exe, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp, explorer.exe, 0000000A.00000002.2174380843.0000000000B9B000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174887643.0000000002D7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174887643.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2188541557.000000000273D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Symbols
Source: explorer.exe, 0000000B.00000003.2188541557.0000000002740000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Symbols=
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/SymbolsMicrosoft.Windows.Explorer
Source: explorer.exe, 0000000A.00000002.2174887643.0000000002D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Symbolss
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Using-ExplorerPatcher-as-shell-extension
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Weather
Source: explorer.exe, 0000000A.00000003.2166635686.00000000027EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2175731585.00000000023D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://msn.comError
Source: explorer.exe, 0000000B.00000003.2383069605.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2294706642.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://objects.githubusercontent.com/
Source: explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259633111.000000000ADA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/d0ea7754-53d3
Source: explorer.exe, 0000000B.00000003.2247710864.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235377127.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2221330728.0000000008BBA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235817392.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000B.00000003.2234944578.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2237333080.0000000002E18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.com
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.png
Source: explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard39.blob.core.windows.net/)a
Source: explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard39.blob.core.windows.net/1a
Source: explorer.exe, 0000000B.00000003.2235994933.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2304015552.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2332407476.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard39.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/39B7A82995
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144908523.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | String found in binary or memory: https://www.valinet.ro
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | String found in binary or memory: https://www.valinet.ro)
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE31870 GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW | 10_2_00007FF8BEE31870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Windows\explorer.exeCode function: String function: 00007FF8BEE342F0 appears 70 times
Source: C:\Windows\explorer.exeCode function: String function: 00007FF8BEE1D290 appears 78 times
Source: C:\Windows\explorer.exeCode function: String function: 00007FF8BEE68004 appears 42 times
Source: C:\Windows\explorer.exeCode function: String function: 00007FF8BEE111B0 appears 172 times
Source: C:\Windows\explorer.exeCode function: String function: 00007FF8BEE67E1C appears 61 times
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ep_setup.exe.0.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ep_gui.dll.0.drStatic PE information: Resource name: RT_STRING type: COM executable for DOS
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ep_gui.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2143630593.000001BF13BB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ExplorerPatcher.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2143994460.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ExplorerPatcher.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ExplorerPatcher.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145395795.000001BF13BB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename WebView2Loader.dll~/ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144537598.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ep_dwm.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144908523.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144601951.000001BF13BA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ep_dwm.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2143599851.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ExplorerPatcher.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145293156.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename WebView2Loader.dll~/ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
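The "OriginalFilename X vs Y" lines above record a simple check: the sandbox scans the sample's memory dumps for the VS_VERSION_INFO key OriginalFilename and compares each value with the name the sample runs under. Every mismatch (ep_gui.dll, ExplorerPatcher.dll, WebView2Loader.dll, ep_dwm.exe, ep_weather_host.exe) is version information belonging to some other executable that the sample carries inside it, which is consistent with the embedded Zip resource and the PE files it drops. The following stdlib-only Python is an added example of that scan, not Joe Sandbox code; the byte blob standing in for a memory dump, the SAMPLE_NAME constant and the function names are constructed here for illustration.

```python
from typing import List

# UTF-16LE key exactly as it is stored in a VS_VERSION_INFO StringTable entry:
# "OriginalFilename" followed by a NUL WCHAR.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _u16(s: str) -> bytes:
    """UTF-16LE string plus NUL terminator, the encoding used inside version info."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a memory dump (not data from the report's .sdmp files):
# three version-info fragments with different OriginalFilename values, separated by
# junk bytes, alignment padding and an unrelated key that must be ignored.
SAMPLE_NAME = "SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe"
SAMPLE_BLOB = (
    b"\x00" * 16
    + _u16("OriginalFilename") + b"\x00\x00" + _u16("ep_gui.dll")  # padded value
    + b"\xde\xad"
    + _u16("InternalName") + _u16("ExplorerPatcher")                # other key
    + _u16("OriginalFilename") + _u16("ExplorerPatcher.dll")
    + b"\x00" * 8
    + _u16("OriginalFilename") + _u16(SAMPLE_NAME)                  # sample's own entry
)


def extract_original_filenames(blob: bytes) -> List[str]:
    """Every OriginalFilename value found in the blob, in order of appearance."""
    names: List[str] = []
    pos = 0
    while True:
        idx = blob.find(_KEY, pos)
        if idx < 0:
            return names
        cur = idx + len(_KEY)
        # Skip NUL WCHARs used to align the value to a DWORD boundary.
        while cur + 1 < len(blob) and blob[cur:cur + 2] == b"\x00\x00":
            cur += 2
        # Read UTF-16LE code units up to the terminating NUL WCHAR.
        end = cur
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        try:
            value = blob[cur:end].decode("utf-16-le")
        except UnicodeDecodeError:
            value = ""
        if value and value.isprintable():
            names.append(value)
        pos = end


def mismatched_original_filenames(blob: bytes, on_disk_name: str) -> List[str]:
    """OriginalFilename values that differ from the name the file runs under.

    This is the comparison behind the report's "OriginalFilename X vs Y" lines: a
    mismatch means the image carries version info of some other executable,
    typically a PE embedded in a resource or about to be dropped.
    """
    seen: List[str] = []
    for name in extract_original_filenames(blob):
        if name.lower() != on_disk_name.lower() and name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for name in mismatched_original_filenames(SAMPLE_BLOB, SAMPLE_NAME):
        print(f"OriginalFilename {name} vs {SAMPLE_NAME}")
```

The scan stops at the NUL terminator, so it does not pick up the stray trailing characters ("@", "~/") that appear on the report's values. Run against a real dump the same function finds the values whether they come from the sample's own resource section or from a payload it has already unpacked into memory, which is exactly why a mismatch is worth listing.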
Source: classification engine | Classification label: mal60.evad.winEXE@17/20@3/2
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE53030 VirtualAlloc,GetLastError,FormatMessageA
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE1DCF0 GetWindowsDirectoryW,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,TerminateProcess,CloseHandle,Process32NextW,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE2A830 CoCreateInstance,CoCreateInstance
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE30D10 LoadLibraryW,GetModuleHandleW,LoadLibraryW,LoadLibraryW,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,GetCurrentProcess,K32GetModuleInformation,FindResourceW,LoadResource,LockResource,SizeofResource,LoadLibraryW,GetModuleHandleW,CreateEventW,CreateThread,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibraryAndExitThread,FreeLibraryAndExitThread,FreeLibraryAndExitThread,FreeLibraryAndExitThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ExplorerPatcher
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4552:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: explorer.exe | String found in binary or memory: Could not modify already-installed funchook handle.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
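The process-creation lines above form one chain worth detecting on its own, independent of any file signature: a user-land executable force-kills explorer.exe with taskkill, bounces a service with sc.exe, silently registers DLLs from Program Files with regsvr32 /s, and then starts a new explorer.exe, after which a second explorer.exe appears with the /NoUACCheck switch (the flag the public Sigma rule "Explorer NOUACCHECK Flag" looks for, because processes launched from such a shell instance run without UAC checks). The following Python is an added example of detection logic over process-creation records, not part of the report or of Joe Sandbox; the ProcEvent shape mirrors the Sysmon Event ID 1 fields ProcessId, ParentProcessId, Image and CommandLine, and the PIDs and the trailing notepad.exe record are constructed here to exercise the rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record. Assumed shape for this example, modelled on the
    ProcessId / ParentProcessId / Image / CommandLine fields of Sysmon Event ID 1."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's process-creation lines. PIDs are
# invented; the last record is benign noise to show the rules ignore it.
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe"
EVENTS = [
    ProcEvent(100, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(101, 100, r"C:\Windows\System32\taskkill.exe",
              r'"C:\Windows\system32\taskkill.exe" /f /im explorer.exe'),
    ProcEvent(102, 100, r"C:\Windows\System32\sc.exe",
              r'"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB'),
    ProcEvent(103, 100, r"C:\Windows\System32\sc.exe",
              r'"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB'),
    ProcEvent(104, 100, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"'),
    ProcEvent(105, 100, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"'),
    ProcEvent(106, 100, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(107, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe /NoUACCheck"),
    ProcEvent(108, 106, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_nouaccheck(events: List[ProcEvent]) -> List[ProcEvent]:
    """explorer.exe launched with the /NoUACCheck switch, matched case-insensitively."""
    return [e for e in events
            if basename(e.image) == "explorer.exe" and "/nouaccheck" in e.cmdline.lower()]


def detect_shell_patching_chain(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """One parent that (1) force-kills explorer.exe, (2) silently registers DLLs with
    regsvr32 /s and (3) starts a fresh explorer.exe. Together the three steps mean the
    shell is being replaced or patched, not merely restarted."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings: List[Dict[str, object]] = []
    for ppid, kids in children.items():
        killed = any(basename(k.image) == "taskkill.exe"
                     and re.search(r"/im\s+explorer\.exe", k.cmdline, re.I) for k in kids)
        registered: List[str] = []
        for k in kids:
            if basename(k.image) != "regsvr32.exe":
                continue
            if not re.search(r"(^|\s)/s(\s|$)", k.cmdline, re.I):
                continue
            m = re.search(r'"([^"]+\.dll)"', k.cmdline, re.I)
            registered.append(m.group(1) if m else k.cmdline)
        respawned = any(basename(k.image) == "explorer.exe" for k in kids)
        if killed and registered and respawned:
            parent = by_pid.get(ppid)
            findings.append({
                "parent_pid": ppid,
                "parent_image": parent.image if parent else "<unknown>",
                "registered_dlls": registered,
            })
    return findings


if __name__ == "__main__":
    for e in detect_nouaccheck(EVENTS):
        print(f"explorer.exe /NoUACCheck: pid={e.pid} ppid={e.ppid}")
    for hit in detect_shell_patching_chain(EVENTS):
        print(f"shell patching chain from {hit['parent_image']} (pid {hit['parent_pid']}): "
              f"registered {hit['registered_dlls']}")
```

The chain rule keys on the parent rather than on time order, because the report itself lists the children of one parent without timestamps. A hit is a triage lead, not a verdict: the module names in this report (ExplorerPatcher.dll, ep_dwm.exe, ep_weather_host.dll) are those of a shell-customisation installer, and such installers produce the same kill/register/restart sequence, so the analyst still has to look at what the registered DLLs are and who signed them.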
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: webview2loader.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: version.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: version.dll
Source: C:\Windows\explorer.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\explorer.exe | Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.fileexplorer.dll
Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe | Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe | Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe | Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe | Section loaded: cdp.dll
Source: C:\Windows\explorer.exe | Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe | Section loaded: twinui.dll
Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe | Section loaded: pdh.dll
Source: C:\Windows\explorer.exe | Section loaded: stobject.dll
Source: C:\Windows\explorer.exe | Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: devobj.dll
Source: C:\Windows\explorer.exe | Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe | Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe | Section loaded: peopleband.dll
Source: C:\Windows\explorer.exe | Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe | Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe | Section loaded: msxml6.dll
Source: C:\Windows\explorer.exe | Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe | Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: version.dll
Source: C:\Windows\explorer.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\explorer.exe | Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.fileexplorer.dll
Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe | Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe | Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe | Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe | Section loaded: cdp.dll
Source: C:\Windows\explorer.exe | Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe | Section loaded: twinui.dll
Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe | Section loaded: pdh.dll
Source: C:\Windows\explorer.exe | Section loaded: stobject.dll
Source: C:\Windows\explorer.exe | Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: devobj.dll
Source: C:\Windows\explorer.exe | Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe | Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe | Section loaded: peopleband.dll
Source: C:\Windows\explorer.exe | Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe | Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe | Section loaded: msxml6.dll
Source: C:\Windows\explorer.exe | Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe | Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe | Section loaded: slc.dll
Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe | Section loaded: idstore.dll
Source: C:\Windows\explorer.exe | Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe | Section loaded: samcli.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
Source: C:\Windows\explorer.exe | Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe | Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe | Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe | Section loaded: appextension.dll
Source: C:\Windows\explorer.exe | Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe | Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe | Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe | Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe | Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe | Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe | Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe | Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe | Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe | Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe | Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe | Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
Source: C:\Windows\explorer.exe | Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe | Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe | Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe | Section loaded: npsm.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe | Section loaded: mscms.dll
Source: C:\Windows\explorer.exe | Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe | Section loaded: tdh.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe | Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe | Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.system.launcher.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe | Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe | Section loaded: schannel.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe | Section loaded: icu.dll
Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe | Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe | Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe | Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exeSection loaded: dictationmanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptngc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cflapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: daxexec.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: container.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: capabilityaccessmanagerclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: batmeter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: inputswitch.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.shell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: prnfldr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: workfoldersshell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: syncreg.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: actioncenter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wevtapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wscinterop.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wscapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: werconcpl.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: hcproviders.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: audioses.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: networkuxbroker.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ethernetmediamanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dusmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpnclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpdshserviceobj.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: portabledevicetypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: portabledeviceapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cscobj.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wlanapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncsi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: srchadmin.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.search.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: synccenter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: imapi2.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: fhcfg.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: efsutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ieproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.system.userprofile.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cloudexperiencehostbroker.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: credui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dui70.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wdscore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe | Section loaded: settingsync.dll
Source: C:\Windows\explorer.exe | Section loaded: settingsynccore.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.xaml.dll
Source: C:\Windows\explorer.exe | Section loaded: windowsinternal.composableshell.desktophosting.dll
Source: C:\Windows\explorer.exe | Section loaded: uiamanager.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Properties (ExplorerPatcher).lnk.0.dr | LNK file: ..\..\..\..\..\..\Windows\System32\rundll32.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static file information: File size 10525696 > 1048576
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x9d1a00
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145293156.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb source: explorer.exe, 0000000B.00000003.2234944578.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2332407476.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.2167375925.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2174577379.00000000023D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2178744483.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2176793588.00000000023D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb source: explorer.exe, 0000000B.00000003.2198671395.0000000002ED7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2192876585.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235994933.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2192876585.0000000002F48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2193206748.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235994933.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2204325725.0000000002F33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2381212820.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ExplorerPatcher.amd64.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host_stub.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145109319.000001BF13BA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145084872.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdbOGP source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2145293156.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdby source: explorer.exe, 0000000B.00000003.2192876585.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_dwm.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144537598.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144601951.000001BF13BA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartUI.pdb source: explorer.exe, 0000000A.00000003.2166635686.00000000027EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2175731585.00000000023D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pcshell.pdb source: explorer.exe, 0000000B.00000003.2235994933.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2204325725.0000000002F33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2381212820.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: {"function" : "getkfmupsellstate", "args" : {}}.pdb source: explorer.exe, 0000000B.00000003.2377129178.000000000AF04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdbb source: explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb! source: explorer.exe, 0000000B.00000003.2192876585.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235994933.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb{ source: explorer.exe, 0000000B.00000003.2377129178.000000000AF04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\Win32\ExplorerPatcher.IA-32.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2143630593.000001BF13BB2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2143599851.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.2165080505.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000000.2108533057.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb source: explorer.exe, 0000000B.00000003.2377129178.000000000AF04000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2383069605.0000000008B96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_gui.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144908523.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdbO source: explorer.exe, 0000000B.00000003.2235994933.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2288267379.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2252874097.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2204325725.0000000002F33000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2320144168.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2381212820.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2234944578.0000000002F37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartUI.pdbH source: explorer.exe, 0000000A.00000003.2166635686.00000000027EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2175731585.00000000023D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdbUGP source: explorer.exe, 0000000A.00000003.2167375925.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2174577379.00000000023D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2178744483.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2176793588.00000000023D4000.00000004.00000020.00020000.00000000.sdmp
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\explorer.exe | Code function: 10_2_00007FF8BEE2DB90 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,RegDeleteKeyValueW,RegDeleteKeyValueW,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,10_2_00007FF8BEE2DB90
Source: ep_weather_host_stub.dll.0.dr | Static PE information: section name: .orpc
Source: WebView2Loader.dll.0.dr | Static PE information: section name: .gxfg
Source: WebView2Loader.dll.0.dr | Static PE information: section name: .retplne
Source: WebView2Loader.dll.0.dr | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\explorer.exe Code function: GetForegroundWindow,GetClassNameW,Sleep,GetForegroundWindow,GetClassNameW,GetForegroundWindow,GetClassNameW,Sleep,GetForegroundWindow,GetClassNameW,RegDeleteTreeW,Sleep, 10_2_00007FF8BEE1DEA0
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 653
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 633
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE17B50 GetSystemTimeAsFileTime followed by cmp: cmp r15, 02h and CTI: jne 00007FF8BEE18362h
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE2DB90 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,RegDeleteKeyValueW,RegDeleteKeyValueW,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE45CF0 RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetSystemDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,RegDeleteValueW,RegCloseKey
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE1CE30 CreateFileA,CreateFileMappingW,CloseHandle,MapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,PathRemoveFileSpecA,UnmapViewOfFile,CloseHandle,CloseHandle,FindFirstFileA,FindClose,DeleteFileA,UnmapViewOfFile,CloseHandle,CloseHandle
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE73B58 FindFirstFileExW
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE1D920 GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE1DAC0 SHGetFolderPathW,FindFirstFileW,FindClose
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE452A0 RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryA,RegCloseKey,RegSetValueExW,RegSetValueExA,RegSetValueExW,RegCloseKey
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE52FA0 GetSystemInfo,VirtualAlloc
Source: explorer.exe, 0000000B.00000003.2317412632.000000000AE96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 0000000B.00000003.2304015552.0000000002F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}5
Source: explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000003.2192742798.00000000088D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2198157372.00000000088D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW24%SystemRoot%\system32\mswsock.dll0B33D0DB0C2}
Source: explorer.exe, 0000000B.00000003.2381212820.0000000002E18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 0000000B.00000003.2377129178.000000000AF04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000^
Source: explorer.exe, 0000000B.00000003.2221558741.0000000008921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2202258071.000000000892C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2204359487.000000000891E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2200453807.000000000892C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000B.00000003.2294706642.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000e
Source: explorer.exe, 0000000B.00000003.2304015552.0000000002F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 0000000B.00000003.2304015552.0000000002F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}H
Source: explorer.exe, 0000000B.00000003.2221558741.00000000089AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: explorer.exe, 0000000B.00000003.2301615292.000000000AE96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:Yr
Source: explorer.exe, 0000000B.00000003.2381212820.0000000002E18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963M
Source: explorer.exe, 0000000B.00000003.2378964916.000000000AF04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000003.2198671395.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE33F20 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE2DB90 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,RegDeleteKeyValueW,RegDeleteKeyValueW,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE3AFA0 GetProcessHeap,HeapFree
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE510D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE51DC0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE6BC98 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\explorer.exe Network Connect: 140.82.121.3 443
Source: C:\Windows\explorer.exe Network Connect: 185.199.108.133 443
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE23DA0 FindWindowExW,FindWindowExW,FindWindowExW,SendMessageW
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE23880 GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,FindWindowExW,FindWindowExW,FindWindowW,FindWindowExW,FindWindowExW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,SetCursorPos,FindWindowW,PostMessageW,PostMessageW,FindWindowExW,FindWindowW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,FindWindowExW,PostMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SendMessageCallbackW,PostMessageW
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE1F4C0 FindWindowW,SendMessageTimeoutW
Source: C:\Windows\explorer.exe Code function: GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW, \explorer.exe 10_2_00007FF8BEE31870
Source: C:\Windows\explorer.exe Code function: Sleep,GetWindowsDirectoryW,CreateProcessW,FreeConsole,GetCurrentProcessId,OpenProcess,TerminateProcess, \explorer.exe 10_2_00007FF8BEE4FCC0
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE305A0 SetProcessDpiAwarenessContext,GetModuleFileNameW,GetCurrentDirectoryW,GetModuleHandleW,ShellExecuteExW,GetLastError,LoadStringW,LoadStringW,MessageBoxW,GetModuleFileNameW,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,PathRemoveExtensionW,PathRemoveExtensionW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE1E860 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,GetLengthSid,CopySid,DeriveAppContainerSidFromAppContainerName,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,CreateMutexW,FreeSid
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE1D7C0 AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Progman: %d
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Progman hook: %d
Source: explorer.exe Binary or memory string: Shell_TrayWnd
Source: explorer.exe Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000003.2167375925.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2174577379.00000000023D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2178744483.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IsAutoHideEnabledShell_TrayWndUIA_WindowVisibilityOverriddenCortanaExperienceManager_OnViewPropertiesChangingq
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp Binary or memory string: eptmpw+Unknown exceptionbad array new lengthSoftware\ExplorerPatcherLanguageen-USvector too long\Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2143599851.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exe\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dllep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerPatcher\ImmersiveContextMenuArray[ROD]: Level %d Position %d/%d Status %d
Source: explorer.exe Binary or memory string: Progman: %d
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.2165080505.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000000.2108533057.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: runasExplorerPatcherntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exeopenep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerFrame.dll (ExplorerPatcher).lnk\shell32.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcherUninstallStringDisplayNameVALINET Solutions SRLPublisherNoModifyNoRepair\ExplorerPatcher.amd64.dll%d.%d.%d.%dDisplayVersionVersionMajorVersionMinorDisplayIcon\ExplorerPatcher\cleanup_.tmp.preven-USmuipriep_taskbar.0.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\*.../extractIsWow64Process2kernel32.dllx64ARM64/uninstall/uninstall_silentep_uninstall.exe/update_silentUndockingDisabledSOFTWARE\Microsoft\Windows\CurrentVersion\Shell\Update\PackagesGlobal\ep_setup_D17F1E1A-5919-4427-8F89-A1A8503CA3EB/f /im explorer.exeGlobal\ep_dwm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}Software\ExplorerPatcherOpenPropertiesAtNextStartep_setup.exeSOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32\ExplorerPatcher\ExplorerPatcher.amd64.dll"\regsvr32.exeExplorerPatcher.IA-32.dllExplorerPatcher.IA-32.dllExplorerPatcher.amd64.dllExplorerPatcher.amd64.dllep_gui.dllep_gui.dllep_dwm.exeep_dwm.exeep_weather_host.dllep_weather_host.dllep_weather_host_stub.dllep_weather_host_stub.dllWebView2Loader.dllWebView2Loader.dllar-SAbg-BGca-EScs-CZda-DKde-DEel-GRen-GBes-ESes-MXet-EEeu-ESfi-FIfr-CAfr-FRgl-EShe-ILhr-HRhu-HUid-IDit-ITja-JPko-KRlt-LTlv-LVnb-NOnl-NLpl-PLpt-BRpt-PTro-ROru-RUsk-SKsl-SIsr-Latn-RSsv-SEth-THtr-TRuk-UAvi-VNzh-CNzh-TWprisStartUIWindows.UI.ShellCommon.pripnidui/Windows.UI.ShellCommon/pnidui.dllpnidui/pnidui.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{C2796011-81BA-4148-8FCA-C6643245113F}AutoStartdxgi.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewywincorlib.dllep_startmenu.dllwincorlib_orig.dll\wincorlib.dll\wincorlib_orig.dllStartUI_.dllStartUI/StartUI.dllAppResolverLegacy.dllStartTileDataLegacy.dll\en-USStartTileDataLegacy.dll.mui\pris2Windows.UI.ShellCommon.en-US.pri\SystemApps\ShellExperienceHost_cw5n1h2txyewy\rundll32.exe "\ExplorerPatcher\ep_gui.dll",ZZGUI\ExplorerPatcher\ep_setup.exe" /uninstallstart ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBdelete ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB\ExplorerPatcher\ep_weather_host.dll"\ExplorerPatcher\ep_weather_host_stub.dll"SOFTWARE\Policies\Microsoft\Windows\ExplorerSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\cleanupSOFTWARE\Microsoft\Windows\CurrentVersion\RunOncecmd /c rmdir /s /q ""ExplorerPatcherCleanupIsUpdatePendingrbr+bwb1.3.1.1-motley unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll@
Source: explorer.exe Binary or memory string: Progman hook: %d
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Microsoft-Symbol-Server/10.0.10036.206msdl.microsoft.comabcdefghijklmnopqrstuvwxyzProgmanProxy Desktop\explorer.exeopenInputSwitch.dllxx??x??xxx????xxD8t
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Shlwapi.dllSHRegGetValueFromHKCUHKLMShell_TrayWndntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRMicrosoft.Windows.ShellManagedWindowAsNormalWindowShell_SecondaryTrayWndvalinet.ExplorerPatcher.ShellManagedWindowExplorerFrame.dllDesktopSHELLDLL_DefViewWorkerWComctl32.dllLoadIconWithScaleDownwin32u.dllNtUserBuildHwndListuser32.dllHungWindowFromGhostWindowGhostWindowFromHungWindowSetWindowCompositionAttributeCreateWindowInBandGetWindowBandSetWindowBandIsTopLevelWindowInternalGetWindowTextInternalGetWindowIconuxtheme.dllshcore.dll
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE79AF0 cpuid
Source: C:\Windows\explorer.exe Code function: RegCreateKeyExW,RegQueryValueExW,GetLocaleInfoW,GetLocaleInfoW,SetThreadPreferredUILanguages,RegCloseKey, 10_2_00007FF8BEE350C0
Source: C:\Windows\explorer.exe Code function: CoCreateInstance,IUnknown_QueryService,FindWindowW,GetPropW,GetThreadUILanguage,GetLocaleInfoW, 10_2_00007FF8BEE49620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe Code function: 0_2_00007FF7F56D8E2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE50A50 SHParseDisplayName,SHBindToParent,CreatePopupMenu,TrackPopupMenuEx,RegQueryValueW,RegGetValueW,GetMenuItemInfoW,RegQueryValueW,RegGetValueW,GetMenuItemInfoW,InsertMenuItemW,InsertMenuItemW,InsertMenuItemW,GetMenuItemInfoW,DestroyMenu,CoTaskMemFree
Source: C:\Windows\explorer.exe Code function: 10_2_00007FF8BEE2A710 SHBindToObject
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Native API (1); Command and Scripting Interpreter (2); Service Execution (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Windows Service (2); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Windows Service (2); Process Injection (122); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Masquerading (23); Virtualization/Sandbox Evasion (11); Process Injection (122); Regsvr32 (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (11); File and Directory Discovery (2); System Information Discovery (35); Security Software Discovery (141); Virtualization/Sandbox Evasion (11); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Input Capture (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1510261
Sample: SecuriteInfo.com.Trojan.Win...
Startdate: 12/09/2024
Architecture: WINDOWS
Score: 60
DNS/IP Info: objects.githubusercontent.com; github.com; api.msn.com
Signature: Sigma detected: Explorer NOUACCHECK Flag
  • SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe (9, 15) started
    Dropped: C:\Windows\dxgi.dll, PE32+; C:\Windows\SystemApps\...\dxgi.dll, PE32+; C:\Program Files\...\ep_weather_host_stub.dll, PE32+; 7 other files (none is malicious)
    Started: explorer.exe (2, 1); taskkill.exe (1); sc.exe (1); 3 other processes
    explorer.exe: Contains functionality to automate explorer (e.g. start an application)
    taskkill.exe started conhost.exe; sc.exe started conhost.exe; the 3 other processes started conhost.exe
  • explorer.exe (125, 133) started
    DNS/IP Info: github.com 140.82.121.3, 443, 49711, 49712 GITHUBUS United States; objects.githubusercontent.com 185.199.108.133, 443, 49718 FASTLYUS Netherlands
    Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\WebView2Loader.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_dwm.exe | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_gui.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_setup.exe | 5% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_weather_host.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll | 3% | ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.valinet.ro) | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png | 0% | Avira URL Cloud | safe
https://github.com/valinet | 0% | Avira URL Cloud | safe
https://api.msn.com/v1/News/Feed/Windows?%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02xFeedsCNhttps:// | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png | 0% | Avira URL Cloud | safe
https://powerpoint.office.com | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png | 0% | Avira URL Cloud | safe
http://schemas.micr | 0% | Avira URL Cloud | safe
https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/d0ea7754-53d3 | 0% | Avira URL Cloud | safe
https://outlook.com | 0% | Avira URL Cloud | safe
https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1 | 0% | Avira URL Cloud | safe
https://github.com/ | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png | 0% | Avira URL Cloud | safe
https://www.valinet.ro | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png | 0% | Avira URL Cloud | safe
https://objects.githubusercontent.com/ | 0% | Avira URL Cloud | safe
https://github.com/valinet) | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png | 0% | Avira URL Cloud | safe
http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png | 0% | Avira URL Cloud | safe
https://api.msn.com/ | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.png | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.png | 0% | Avira URL Cloud | safe
https://msn.comError | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.png | 0% | Avira URL Cloud | safe
http://schemas.microsoft.co | 0% | Avira URL Cloud | safe
https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.png | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.3 | true | true | | unknown
objects.githubusercontent.com | 185.199.108.133 | true | true | | unknown
api.msn.com | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.valinet.ro) | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/valinet | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/v1/News/Feed/Windows?%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02xFeedsCNhttps:// | explorer.exe, 0000000A.00000003.2167375925.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2174577379.00000000023D5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2178744483.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2176793588.00000000023D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.com | explorer.exe, 0000000B.00000003.2234944578.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2246571830.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2237333080.0000000002E18000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.micr | explorer.exe, 0000000B.00000003.2381500814.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2319396261.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2311117328.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2377129178.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2317412632.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2378964916.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2388978276.000000000AE96000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 0000000B.00000003.2247710864.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235377127.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2221330728.0000000008BBA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235817392.0000000008BB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1 | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2146053134.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144908523.000001BF13B8D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/d0ea7754-53d3 | explorer.exe, 0000000B.00000003.2259820542.00000000089CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2259633111.000000000ADA7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/ | explorer.exe, 0000000B.00000003.2235377127.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235817392.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.valinet.ro | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/valinet) | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144271915.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2174585427.0000000002880000.00000002.00000001.00040000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
https://objects.githubusercontent.com/ | explorer.exe, 0000000B.00000003.2383069605.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2294706642.0000000008BF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.winimage.com/zLibDll | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000000.2108533057.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/ | explorer.exe, 0000000B.00000003.2246946920.0000000008B81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2237543521.0000000008B85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2294706642.0000000008B81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2383069605.0000000008B96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2235377127.0000000008B81000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.2144774735.000001BF162C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.microsoft.co | explorer.exe, 0000000B.00000003.2381500814.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2319396261.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2311117328.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2377129178.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2317412632.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2378964916.000000000AE96000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2388978276.000000000AE96000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://msn.comError | explorer.exe, 0000000A.00000003.2166635686.00000000027EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2175731585.00000000023D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.199.108.133 | objects.githubusercontent.com | Netherlands | | 54113 | FASTLYUS | true
140.82.121.3 | github.com | United States | | 36459 | GITHUBUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1510261
Start date and time: 2024-09-12 18:30:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Detection: MAL
Classification: mal60.evad.winEXE@17/20@3/2
        EGA Information:
        • Successful, ratio: 50%
        HCA Information:
        • Successful, ratio: 70%
        • Number of executed functions: 47
        • Number of non-executed functions: 214
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, UserOOBEBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe, StartMenuExperienceHost.exe, mobsync.exe, SearchApp.exe
        • Excluded IPs from analysis (whitelisted): 204.79.197.219, 20.150.79.68, 20.150.38.228, 20.150.70.36, 204.79.197.203
        • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, blob.sat09prdstrz08a.trafficmanager.net, slscr.update.microsoft.com, msdl-microsoft-com.a-0016.a-msedge.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, vsblobprodscussu5shard6.blob.core.windows.net, msdl.microsoft.com, fe3cr.delivery.mp.microsoft.com, vsblobprodscussu5shard39.blob.core.windows.net, ocsp.digicert.com, a-0016.a-msedge.net, login.live.com, blob.sat09prdstrz08a.store.core.windows.net, r.bing.com, msdl.microsoft.akadns.net, api-msn-com.a-0003.a-msedge.net
• Execution Graph export aborted for target SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, PID 2300 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtEnumerateValueKey calls found.
        • Report size getting too big, too many NtOpenKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
        • VT rate limit hit for: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Time | Type | Description
12:31:16 | API Interceptor | 969x Sleep call for process: explorer.exe modified
18:31:17 | Task Scheduler | Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.199.108.133 | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
 | https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
 | M 1votFC.eml | Get hash | malicious | Unknown | Browse |
 | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bce%C2%ADsme%C2%ADdia%E2%80%8B.%C2%ADv%C2%ADn/.dev/tfbft0yf/ZGlhbmUuY3JhaWdAZ3JhY2VoZWFsdGhtaS5vcmc==$%E3%80%82 | Get hash | malicious | Tycoon2FA | Browse |
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com////amp/s/jbmagneticos.com.br/.dev/VGCU2YC1/c211bGxpbmdzQHRtaGNjLmNvbQ== | Get hash | malicious | HTMLPhisher | Browse |
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/cth.vn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
 | http://xcelenergy.zonaclimber.com/json/activeBC/justin.l.billeter@xcelenergy.com | Get hash | malicious | HTMLPhisher | Browse |
 | https://e4x.heraybay.com/ze6t/#Dben.rigor@eclipsebank.com | Get hash | malicious | HTMLPhisher | Browse |
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enpihd7s&scene=bio_url&target=google.com.////amp/s/skycom.com.sg/.access/47279/YmFja2VybWFuQHN1cGVybnVzLmNvbQ0=$%E3%80%82 | Get hash | malicious | HTMLPhisher | Browse |
140.82.121.3 | 6glRBXzk6i.exe | Get hash | malicious | RedLine | Browse | github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
 | firefox.lnk | Get hash | malicious | CobaltStrike | Browse | github.com/john-xor/temp/blob/main/index.html?raw=true
 | 0XzeMRyE1e.exe | Get hash | malicious | Amadey, Vidar | Browse | github.com/neiqops/ajajaj/raw/main/file_22613.exe
 | MzRn1YNrbz.exe | Get hash | malicious | Vidar | Browse | github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
 | RfORrHIRNe.doc | Get hash | malicious | Unknown | Browse | github.com/ssbb36/stv/raw/main/5.mp3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
github.com | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.4
 | https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe | Get hash | malicious | Unknown | Browse | 140.82.121.3
 | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.4
 | https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.4
 | M 1votFC.eml | Get hash | malicious | Unknown | Browse | 140.82.121.4
 | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%74%72%61%6E%63%61%73%2E%63%6C/.dev/0958DTU/LWVpUSQT/YXNobGV5QG9tbmlzdXJlLmNvbQ==$%E3%80%82 | Get hash | malicious | HTMLPhisher | Browse | 140.82.121.3
 | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bce%C2%ADsme%C2%ADdia%E2%80%8B.%C2%ADv%C2%ADn/.dev/tfbft0yf/ZGlhbmUuY3JhaWdAZ3JhY2VoZWFsdGhtaS5vcmc==$%E3%80%82 | Get hash | malicious | Tycoon2FA | Browse | 140.82.121.4
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/b5EVLXJp/dGVyZXNhLmhhcnBlckBzb3V0aHNpZGUuY29t=$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.3
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.3
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/cth.vn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.4
objects.githubusercontent.com | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 185.199.110.133
 | https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe | Get hash | malicious | Unknown | Browse | 185.199.110.133
 | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 185.199.109.133
 | https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 185.199.109.133
 | M 1votFC.eml | Get hash | malicious | Unknown | Browse | 185.199.108.133
 | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%74%72%61%6E%63%61%73%2E%63%6C/.dev/0958DTU/LWVpUSQT/YXNobGV5QG9tbmlzdXJlLmNvbQ==$%E3%80%82 | Get hash | malicious | HTMLPhisher | Browse | 185.199.109.133
 | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bce%C2%ADsme%C2%ADdia%E2%80%8B.%C2%ADv%C2%ADn/.dev/tfbft0yf/ZGlhbmUuY3JhaWdAZ3JhY2VoZWFsdGhtaS5vcmc==$%E3%80%82 | Get hash | malicious | Tycoon2FA | Browse | 185.199.108.133
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/b5EVLXJp/dGVyZXNhLmhhcnBlckBzb3V0aHNpZGUuY29t=$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 185.199.109.133
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 185.199.110.133
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/cth.vn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 185.199.109.133
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
GITHUBUS | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.4
 | https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe | Get hash | malicious | Unknown | Browse | 140.82.121.3
 | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.4
 | https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.4
 | M 1votFC.eml | Get hash | malicious | Unknown | Browse | 140.82.121.4
 | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%74%72%61%6E%63%61%73%2E%63%6C/.dev/0958DTU/LWVpUSQT/YXNobGV5QG9tbmlzdXJlLmNvbQ==$%E3%80%82 | Get hash | malicious | HTMLPhisher | Browse | 140.82.121.3
 | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bce%C2%ADsme%C2%ADdia%E2%80%8B.%C2%ADv%C2%ADn/.dev/tfbft0yf/ZGlhbmUuY3JhaWdAZ3JhY2VoZWFsdGhtaS5vcmc==$%E3%80%82 | Get hash | malicious | Tycoon2FA | Browse | 140.82.121.4
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/b5EVLXJp/dGVyZXNhLmhhcnBlckBzb3V0aHNpZGUuY29t=$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.3
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.3
 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/cth.vn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 140.82.121.4
FASTLYUS | https://nmgovdot-my.sharepoint.com/:f:/g/personal/brian_filip_nmgov_co/EopUqBu8fqpOvw_R7W8qXnEBWw032PoWoE-pjka6mBLMVw?e=G3klTx | Get hash | malicious | HtmlDropper | Browse | 151.101.66.137
 | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse | 151.101.2.137
 | https://sesworld.com.au:443/it/mount/ | Get hash | malicious | Unknown | Browse | 151.101.194.137
 | https://oakvillemdcsignin.softr.app/ | Get hash | malicious | Unknown | Browse | 151.101.65.229
 | https://gdzrdzrgysetgragfvasrtgfsarjk.bukuyass.com/XTutbHeMDeSMGoeITGUIniHvuWseZB&4ARJKwSLsix&135229/372/menwhssrzn.home.php?sq=1726-248&lk=267587-14&page=048 | Get hash | malicious | Phisher | Browse |
                            https://gdzrdzrgysetgragfvasrtgfsarjk.bukuyass.com/XTutbHeMDeSMGoeITGUIniHvuWseZB&4ARJKwSLsix&135229/372/menwhssrzn.home.php?sq=1726-248&lk=267587-14&page=048Get hashmaliciousPhisherBrowse
                            • 151.101.129.44
                            https://bit.ly/4dU5cz3#CIgedJLuqmncgJYdTfeyaCNmWsrQtR&4sWlQeNzELg&135070/182/fldptionns.home.php?sq=1726-248&lk=267585-14&page=362Get hashmaliciousPhisherBrowse
                            • 151.101.65.44
                            http://tplshare.com/iVX5CrQGet hashmaliciousUnknownBrowse
                            • 199.232.192.134
                            https://url.uk.m.mimecastprotect.com/s/mPYbC6R8kf47GAUxtNC5T-0g?domain=tplshare.comGet hashmaliciousHTMLPhisherBrowse
                            • 151.101.66.137
                            https://www.dropbox.com/scl/fo/dypnewy032frqiop6d7gh/AGQRgoJcNqKPbhsYQheP8nM?rlkey=t6ozmhhbporfamqnz8ddx2in0&st=r8w1wv0v&dl=0Get hashmaliciousUnknownBrowse
                            • 151.101.2.137
                            https://www.dropbox.com/scl/fo/dypnewy032frqiop6d7gh/AGQRgoJcNqKPbhsYQheP8nM?rlkey=t6ozmhhbporfamqnz8ddx2in0&st=r8w1wv0v&dl=0Get hashmaliciousUnknownBrowse
                            • 151.101.194.137
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc
                            • 185.199.108.133
                            • 140.82.121.3
                            file.dll | malicious | Matanbuchus
                            • 185.199.108.133
                            • 140.82.121.3
                            file.dll | malicious | Matanbuchus
                            • 185.199.108.133
                            • 140.82.121.3
                            file.dll | malicious | Matanbuchus
                            • 185.199.108.133
                            • 140.82.121.3
                            SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe | malicious | AgentTesla, GuLoader
                            • 185.199.108.133
                            • 140.82.121.3
                            rfq_last_quater_product_purchase_order_import_list_12_06_2024_000000120924.bat | malicious | GuLoader, Remcos
                            • 185.199.108.133
                            • 140.82.121.3
                            KeB00e9poi.msi | malicious | Unknown
                            • 185.199.108.133
                            • 140.82.121.3
                            4TLr2kKeuX.exe | malicious | Unknown
                            • 185.199.108.133
                            • 140.82.121.3
                            X6jV3f2RXz.msi | malicious | Unknown
                            • 185.199.108.133
                            • 140.82.121.3
                            p0DLT5dJg2.msi | malicious | Unknown
                            • 185.199.108.133
                            • 140.82.121.3
                            No context
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):156160
                            Entropy (8bit):6.375266888011147
                            Encrypted:false
                            SSDEEP:3072:0lIcmRRbHdf9AwLCwsOOU5/1uR9AsRAiwaCG27eMwtN:0lB2wwLCwsq5/URuaw4rN
                            MD5:5D1F22A4A8CB76C337FEC809463092E1
                            SHA1:B4F216C118FBF93C0B2FC9CFCD1D7BC981A2572F
                            SHA-256:6AFD7333E956C125C9D4D3E6F88C2ED27CC41E0AA9A4E0656BA17B87C655A306
                            SHA-512:B5FB3CFA44955DDA982AEF231C93F5F6D64CAE85325C616A54270B6E4E434CC3E3805AB8B5CD291310B3FE99137EFD5782D34EC3A0997A752FC4F2E75FF8304A
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2..2..2...J..2...J...2...J..2....2....2....2...J..2..2..>2.....2.....2...;.2..2S.2.....2..Rich.2..................PE..L..._..f...........!...).z...........J....................................................@.............................x...h........P...0..............................p........................... ...@...............H............................text....x.......z.................. ..`.rdata...............~..............@..@.data........0......................@....rsrc....0...P...2..................@..@.reloc...............L..............@..B........................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):716800
                            Entropy (8bit):6.219577157189828
                            Encrypted:false
                            SSDEEP:12288:3patAdcuir6DuAstdFwBgHaaRRZbv4XqTC6Ri3JRFrt6rd6F1tuuuuuuYGpK7bA+:Zat2cuir6K7tdFJlbv2qTD0bFrBFbuuD
                            MD5:57999FF1631929462DE24BA18F61AE1C
                            SHA1:2AAAE073E752D32C6FD08DAC578C040924FE4B59
                            SHA-256:B21C0ED7224784B642647A8EFAD45C634BF88646638823215818B25143FEE86E
                            SHA-512:0AD42CBE76CA39353FBFBDD95411DF7ED830C960ACF5D1B943ECC424972FB326B2C69CCE680EFD9003D9650D0E791120A91AC8F2BE1AF09404F3D1EC6C4553E7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Reputation:low
                            Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........y...............`.......`.......................`4.......Z..............................`.......`................................X.......0.............Rich....................PE..d......f.........." ...).....N......|........................................P............`......................................... V..H...hZ...........0.......I...........@.......|..p...............................@...............p............................text.............................. ..`.rdata..............................@..@.data...H...........................@....pdata...I.......J...f..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):165336
                            Entropy (8bit):6.238659206665009
                            Encrypted:false
                            SSDEEP:3072:7evoTTlTRTyiuPThTNTKm81SbbMYSPLNsknZiZ2HZ5AaliiT88FEtJ57dXSvlCW:HTlTRTyiuPThTNTKmFQdhsknZiMHfEti
                            MD5:C5F0C46E91F354C58ECEC864614157D7
                            SHA1:CB6F85C0B716B4FC3810DEB3EB9053BEB07E803C
                            SHA-256:465A7DDFB3A0DA4C3965DAF2AD6AC7548513F42329B58AEBC337311C10EA0A6F
                            SHA-512:287756078AA08130907BD8601B957E9E006CEF9F5C6765DF25CFAA64DDD0FFF7D92FFA11F10A00A4028687F3220EFDA8C64008DBCF205BEDAE5DA296E3896E91
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....sgf.........." .....\..........@F....................................................`A........................................Y...0.......(............P.......^...'..............T...................P...(....q..@...........h...........`....................text...][.......\.................. ..`.rdata..|....p.......`..............@..@.data...D....0......................@....pdata.......P......."..............@..@.gxfg...p....p.......8..............@..@.retplne.............J...................tls.................L..............@..._RDATA...............N..............@..@.rsrc................P..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):118272
                            Entropy (8bit):5.883056677379098
                            Encrypted:false
                            SSDEEP:3072:ZmxpiUI+RrEAqTZLO1bLBbbmRYOalQIO:Z+iD+TqTZyhvlQ
                            MD5:85FFBD19F247F682DF7CB348429BF563
                            SHA1:A3534A2C41B46EF253ABE52D4F00F98EEDE00020
                            SHA-256:770379D1A2DFF974D3A0D1D282B2BFD69E1C25CC2BB161C4DFB9B208330FBCB3
                            SHA-512:DD78C6D09CA5831D9E5E5146AF6F5537142EE4B5DFCC40AB34271B81FACBA1C1F285EAB84FCBB8180460408FF888588BAEB3DA95D385A167EF0828B37367E1B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.Lk..Lk..Lk......Ik.......k......Fk..\...Ek..\...\k..\...dk......Gk..Lk..4k......Mk......Mk..Lk..Mk......Mk..RichLk..........PE..d...r..f.........."....).............'.........@..........................................`....................................................x...............................h...0...p...............................@...............`............................text...`........................... ..`.rdata..Z...........................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):721408
                            Entropy (8bit):5.53410489167774
                            Encrypted:false
                            SSDEEP:6144:czq5NAtIjhy7rsdQiwH94aG0b3Ssy23643TWlIksV+G:qqPA2jhyPdpt
                            MD5:C83153FFC63411AAF525CAA6C50C1FFC
                            SHA1:76EE60BBEE697882FE5390D0F50A9F521F281BDA
                            SHA-256:422D9784435C893B810DC8D02B8EAA713A030ECDDE0C29AE5A588C889CE6A7DF
                            SHA-512:363F259AA9FF47FE9D8F65A308EB3732581ECB703B827A773DD2C9AAA61BD90F89BFD1F8B1A1C5CAA86F213799FC4487053182425676ABAAA3A301453C4E8A0D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{|..{|..{|..0...}|..0....|..r.=.y|..k...r|..k...k|..k...X|..0...t|..0...z|..0...f|..{|.._}..3...s|..3...z|..3.Q.z|..{|9.j|..3...z|..Rich{|..........PE..d......f.........." ...).....P......x........................................`............`.................................................<...,....P.......0...............P.........p...............................@............................................text... ........................... ..`.rdata..,...........................@..@.data...0#..........................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):10525696
                            Entropy (8bit):7.989219365061286
                            Encrypted:false
                            SSDEEP:196608:aZN5gB3uI0Bn+2N8cL0yiao2ItCC2bO+WxNtTYneFC5YbMvr5GM6BZ2r34:QzgN4Bz7ieTCIKNtUniYYAvE
                            MD5:45A5A443C01ABD7618EFEF4827241312
                            SHA1:5390D36A371F0598B86301961D5FDB329E368E7A
                            SHA-256:D7F98B8AF8A3BFE9D93CE31558A62E4D5D0CD425BC30BBC0D517901E5B82BF46
                            SHA-512:0DF6330A020CE3B52320F087F56023DB069B56D4579B43A9827B8158BE430585B88FB43D98004EAE4E7A05F85086F5762DA17F51AF95FDB302669AE1C581F734
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 5%
                            Preview:MZ......................@...............................................!..L.!22622.3880.66.6.57999ff163192946S mode....$........^uOY?..Y?..Y?...G..\?...G...?......_?..I...P?..I...I?..I...q?...G..V?...G..X?...G..L?..Y?...?......]?......X?..Y?..H?......X?..RichY?..................PE..d......f.........."....).P...\................@.........................................`..................................................K..........p...........................p(..p...........................0'..@............`...............................text...0O.......P.................. ..`.rdata.. ....`.......T..............@..@.data...T....`.......R..............@....pdata...............^..............@..@.rsrc...p............z..............@..@.reloc..............................@..B........................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:false
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):244224
                            Entropy (8bit):5.982282823910593
                            Encrypted:false
                            SSDEEP:3072:AjW86bHWeRLwF/ov4P3dUXqu/FYu9L33+C+TS9eEXB9aosuWoU6P:AEbHWK0gv4GXZ/rpjWoh
                            MD5:F2920695EA15CC80E479D79F536437F1
                            SHA1:3B65E31BD40D371303FB8C82A712BC8E3CBDD451
                            SHA-256:350535396C011ED00753F6CD2D30FA1D38FD0F48077B1F9D461CB3DF1B1CF39D
                            SHA-512:16FBF89D7B14F1FE6F1A2BF80838BBB28B9DB9D79255EB194A0952097D63B29438B5D95B2E64B49293828E1932BF73F47780E90F06502EB32A9386E9A23DE407
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.6vb.X%b.X%b.X%).[$g.X%).]$..X%ry[$k.X%ry\$m.X%ry]$B.X%).\$l.X%).Y$v.X%b.X%a.X%b.Y%..X%*xP$a.X%*xX$c.X%*x.%c.X%b..%c.X%*xZ$c.X%Richb.X%........PE..d...y..f.........." ...).............e....................................................`..........................................~......,.......................................@^..p............................]..@...............@............................text...0........................... ..`.rdata.............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):111616
                            Entropy (8bit):5.926324663614139
                            Encrypted:false
                            SSDEEP:1536:/w+B6bvTxS8Si7ixJSHQ8YmpqvA9uf+UfKzwzsW7dJ9dlPbUremU:I3TxMpxJuQ8bpwouf+f07hJcemU
                            MD5:AB6AA536FCAE0D915FC6856F66FF693C
                            SHA1:9B20EB39735C80A2EC5974F477CDDDF72796D0FA
                            SHA-256:0578867D07DF70F0080E5EB864F77C7356745347B1D9CDDD568F68E10FA8AA50
                            SHA-512:E9BC6F57120F484C8E64A86F623E6B029E32F14BA49B70146AD6C16A84740C12A954F78B564F5619F55908AF200CA2FAC21E9E5DC35B6219A0FE7A6590B66524
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 3%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l.z.(...(...(...c...-...c.......c..."...8...!...8...&...8.......c.../...(...]...`...+...`...)...`..)...`...)...Rich(...........................PE..d...t..f.........." ...)............p.....................................................`.................................................X...P...............................x.......p...........................P...@...............8............................text... ........................... ..`.orpc...,........................... ..`.rdata.............................@..@.data...h...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..x...........................@..B........................................................................................................................................................................................
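The per-file fields in the dropped-file records above (Size, Entropy (8bit), MD5/SHA1/SHA-256/SHA-512, the file(1)-style File Type string and the dotted Preview) can be recomputed from a copy of each file to check a report against what you actually hold. The Python below is an added example written for this page, not Joe Sandbox code. It reconstructs the 26-byte Zone.Identifier stream from its Preview "[ZoneTransfer]....ZoneId=0", where the four dots are assumed to be two CRLF pairs (that assumption yields exactly 26 bytes and the listed entropy 3.95006375643621, which is the check; the MD5 in the record is not asserted here), and it builds minimal PE headers purely as constructed test input for the type-string function, which covers only the PE32/PE32+, DLL/EXE, console/GUI and Intel 80386/x86-64 distinctions that occur in these records. The "L" and "d" visible right after "PE.." in the previews are the low byte of the COFF Machine field, 0x014C and 0x8664 respectively.

```python
"""Recompute the fields a sandbox 'Dropped Files' record lists for one file:
size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512, a file(1)-style PE
type string and the dotted Preview. Added example, not Joe Sandbox code."""
import hashlib
import math
import struct
from collections import Counter

# The 26-byte Zone.Identifier stream, reconstructed from the report's preview
# "[ZoneTransfer]....ZoneId=0". The four dots are ASSUMED to be two CRLF pairs;
# that assumption gives exactly 26 bytes and the listed entropy.
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\n\r\nZoneId=0"

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def shannon_entropy(data: bytes) -> float:
    """'Entropy (8bit)': bits per byte over the byte histogram (maximum 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def preview(data: bytes, limit: int = 64) -> str:
    """Render bytes as the Preview column does: printable ASCII kept,
    every other byte shown as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])


def pe_type(data: bytes) -> str:
    """file(1)-style type string such as 'PE32+ executable (DLL) (console)
    x86-64, for MS Windows', derived from the DOS header, the COFF header and
    the optional header's Magic and Subsystem fields."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    fmt = OPTIONAL_MAGIC.get(struct.unpack_from("<H", data, opt)[0])
    if fmt is None or opt_size < 70:
        raise ValueError("unsupported optional header")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    dll = "(DLL) " if chars & IMAGE_FILE_DLL else ""
    return (f"{fmt} executable {dll}({SUBSYSTEMS.get(subsystem, 'unknown')}) "
            f"{MACHINES.get(machine, hex(machine))}, for MS Windows")


def file_record(data: bytes) -> dict:
    """Hash, size, entropy and preview fields of one dropped-file record
    (hex digests upper-cased the way the report prints them)."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "preview": preview(data),
    }


def build_pe_stub(machine: int, magic: int, characteristics: int, subsystem: int) -> bytes:
    """Constructed minimal PE header with no sections: test input for pe_type()
    only, not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header directly after the DOS header
    opt = bytearray(240)                        # PE32+ optional header size
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    rec = file_record(ZONE_IDENTIFIER)
    print(rec["size"], rec["entropy"], rec["md5"], rec["preview"])
    for stub in (build_pe_stub(0x014C, 0x10B, IMAGE_FILE_DLL | 0x102, 3),
                 build_pe_stub(0x8664, 0x20B, IMAGE_FILE_DLL | 0x22, 3),
                 build_pe_stub(0x8664, 0x20B, 0x22, 2)):
        print(pe_type(stub), "|", preview(stub, 72)[64:])
```

To check a real dropped file, read it with `open(path, "rb").read()` and pass the bytes to `file_record()` and `pe_type()`; a hash or entropy that differs from the record means you are not looking at the same bytes the sandbox captured.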
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=39, Archive, ctime=Thu Sep 8 02:06:01 2022, mtime=Thu Sep 12 15:31:11 2024, atime=Thu Sep 8 02:06:01 2022, length=71680, window=hide
                            Category:modified
                            Size (bytes):1960
                            Entropy (8bit):3.2987134080978855
                            Encrypted:false
                            SSDEEP:24:80dnWsqSUlTyAoeiUHh+/Clo+sd/UW+fwT4o02QnzJ6f6Fqygm:86tUlt5iAlo7d/9fMoeoicyg
                            MD5:AE38E966FFCF7909E0509B3BA238A489
                            SHA1:A42F0C6DA9A13142BBBE13D338750DB6BC96A57F
                            SHA-256:A90CD3AF9EB56238A66E3B2FB36727FF8B1862DDC3DC1051CEC5026C8DD6C8A7
                            SHA-512:2628444B13A9671494625D50C0221C6F5F3DD40D57F00B846501B59C9A319E6B3CB00D1E88DAF8FDEFB4DC6A43289A2558F3846BC089CA28237B8D3490ECD3C2
                            Malicious:false
                            Preview:L..................F.@.. .....S./......-1.....S./.......'...................E....P.O. .:i.....+00.../C:\...................V.1.....DW!r..Windows.@......OwH,Y.....3........................W.i.n.d.o.w.s.....Z.1.....,Y...System32..B......OwH,Y............................w..S.y.s.t.e.m.3.2.....f.2.....(U.. .rundll32.exe..J......(U..,Y..........................b...r.u.n.d.l.l.3.2...e.x.e.......O...............-.......N.............Vl.....C:\Windows\System32\rundll32.exe....E.x.p.l.o.r.e.r.P.a.t.c.h.e.r./.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.3.".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.E.x.p.l.o.r.e.r.P.a.t.c.h.e.r.\.e.p._.g.u.i...d.l.l.".,.Z.Z.G.U.I...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\system32\shell32.dll.............................................................................................................................................
                            Process:C:\Windows\explorer.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):109000
                            Entropy (8bit):3.996240578535048
                            Encrypted:false
                            SSDEEP:768:alVCkDGeopQ1jk0ybncysAEN3Lxwm0jDfttPoelMPR1vPItSJ5bmLSypQg03pcf6:tk1oxncysAQHuxfhMi/GfnpAiFeKXWY
                            MD5:C04464A08F8E460A469442A3A4C6EAA9
                            SHA1:DE92FF8AD38DCEE3E26BDC11588F4383B3CD3479
                            SHA-256:59C84C1748C38191052691A0E2DF32128B4E0D849D7DE8C039D56DEE8CE4A161
                            SHA-512:9BCBE1FF514A18E9E951BCDE8F3B49CC8C1C23B4D37A0902A1BB60226CA57B5D288D25BC160CDB8356F80B01C25F84ECE5780F8D8A11E07C27B358C13FF0E807
                            Malicious:false
                            Preview:....h... ......x.......P...........x...Y......^...(...............X...W.......e.n.-.C.H.;.e.n.-.G.B...............H..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................
                            Process:C:\Windows\explorer.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):104712
                            Entropy (8bit):4.0227245661996065
                            Encrypted:false
                            SSDEEP:768:9Pl1+kKGURcstjk0WB5CWDB6NMLnBLjJ8AUPZ45yR1v9VKrQnmzypI3vI4Gs5haG:9OkwRS5CWDBN9haitG4n90Ff4KZyVG96
                            MD5:BD04D9EF9CCC005C9501B4569D639F81
                            SHA1:691AAB90A268EC6355C9D12FAD48F43D3F020FAA
                            SHA-256:A2AF8A0626CF0C169AD0D3A57F5C5A27B20BB6A463D27EB1D241152897065EBF
                            SHA-512:CF4A9F92CCDEFE24C0838366DD44DA3618C9DA7764F21FD3DA93BB13FB663484D6854A3CC9234A5B4FD9B64C072B5F790EE469F5F9C41C093C5F50012F905ADB
                            Malicious:false
                            Preview:....h... ..............P..............Y...0...^...h...................W.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................
                            Process:C:\Windows\explorer.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):109000
                            Entropy (8bit):3.997031879927255
                            Encrypted:false
                            SSDEEP:768:clVIkBGeopQ1jk0ybncysAEN3Lxwm0jDfttPoelMPR1vPItSJ5bmLSypQg03pcfK:RkPoxncysAQHuxfhMi/GfnpWiFeKXUY
                            MD5:692608673A5557C444E35E612670A105
                            SHA1:7692626337CBA3D8F8CD4565D2F2367FE65F7C14
                            SHA-256:CF21D81106F4DB5594D2D6FF85C16196216A69FE68F4C411A59B57EC4AA73B69
                            SHA-512:022410D6A0D9BDF890C1F19169878F5CACF6F6674D29815E064D1A806D9F5EA4D6F9B0763981D6850390D03C91AA588B219ADDEE5FFD81223841199BDEF06AD8
                            Malicious:false
                            Preview:....h... ......x.......P...........x...Y......^...(...............X...W.......e.n.-.C.H.;.e.n.-.G.B...............H..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................
                            Process:C:\Windows\explorer.exe
                            File Type:MSVC program database ver 7.00, 4096*9067 bytes
                            Category:dropped
                            Size (bytes):37138432
                            Entropy (8bit):5.6992441330393016
                            Encrypted:false
                            SSDEEP:196608:QU+lpXOVPmAUg3kCksUni4PqhapsuG/qMNP9T4frVOlnzToSgGoCgsqwq06kUQ4E:TVQu
                            MD5:6EC8937793ABCA33686E941850AC379C
                            SHA1:C33459B6BBAB2E5D0051557E0AA6E35266145CA1
                            SHA-256:05E269FF0DD07EBF0B82857327B060CD5AF27870B88219C9257510E0AF312B52
                            SHA-512:6FF4CBBA814245A5E3269191BB63E7A82DC40D7D7F862C17F6651F28CDB640023143057CAB4E54DCA20C77C5C515EA0EAC05883CE50CD4F1FB84F2DFB2B7CF51
                            Malicious:false
                            Process:C:\Windows\explorer.exe
                            File Type:MSVC program database ver 7.00, 1024*18363 bytes
                            Category:dropped
                            Size (bytes):18803712
                            Entropy (8bit):5.737102497890461
                            Encrypted:false
                            SSDEEP:49152:oOA4SzAnbR+FIRUS+XHaGMXy9jI7S7Ok4bYBBhUoNWSBjj3hIrHfwP6cYR+9JXZR:7Al/MgnOAGBJF+ZYautg
                            MD5:C84AE6411BAC88E3A562ECC3F5F80A1B
                            SHA1:22C2554E1143DF454DC48D055EB6F470603DBFB7
                            SHA-256:766ADFB1144334B173FB47BA0CEFD7358F6B9D14FA656A92842849207A290A36
                            SHA-512:7706D7BC50BF175267CF48CADA9C37132AED1F7FBC6E6C156A73391124C2E8E86E4D24348603655853A14195FE8DDD426A82CA773C49F15F076D302ADEE30737
                            Malicious:false
                            Process:C:\Windows\explorer.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):746
                            Entropy (8bit):5.114709545056856
                            Encrypted:false
                            SSDEEP:12:YWgc2TMM+FBuH+gM+FBKVwEHVctmXwH+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/T8:Yzc2TeuHnK2SVwHt0drc6hE14
                            MD5:2736C0056996F53C05451AD555995ECE
                            SHA1:C9E9E797C1DAEE4138DE775CD434F0C50E2D3DD6
                            SHA-256:50EB0F78E4A9617CEA7D9EF801B4FA33530D00AA14059FF959FE5F63983E63D3
                            SHA-512:B2C8781101BF48E07170B78B4ECD9CA9B0FD732165F47E72540E238147FA05660CBA3730176FDF1668EE8BDBA6171F4E71F738E45B84D3F4C10D5FB78976C8AD
                            Malicious:false
                            Preview:{"serviceContext":{"serviceActivityId":"66e3175a-b7ea-4478-a075-b60acbb051ec","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"66e3175a-b7ea-4478-a075-b60acbb051ec|2024-09-12T16:31:22.7740720Z|fabric_msn|ESU|News_84"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):716800
                            Entropy (8bit):6.219577157189828
                            Encrypted:false
                            SSDEEP:12288:3patAdcuir6DuAstdFwBgHaaRRZbv4XqTC6Ri3JRFrt6rd6F1tuuuuuuYGpK7bA+:Zat2cuir6K7tdFJlbv2qTD0bFrBFbuuD
                            MD5:57999FF1631929462DE24BA18F61AE1C
                            SHA1:2AAAE073E752D32C6FD08DAC578C040924FE4B59
                            SHA-256:B21C0ED7224784B642647A8EFAD45C634BF88646638823215818B25143FEE86E
                            SHA-512:0AD42CBE76CA39353FBFBDD95411DF7ED830C960ACF5D1B943ECC424972FB326B2C69CCE680EFD9003D9650D0E791120A91AC8F2BE1AF09404F3D1EC6C4553E7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........y...............`.......`.......................`4.......Z..............................`.......`................................X.......0.............Rich....................PE..d......f.........." ...).....N......|........................................P............`......................................... V..H...hZ...........0.......I...........@.......|..p...............................@...............p............................text.............................. ..`.rdata..............................@..@.data...H...........................@....pdata...I.......J...f..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):716800
                            Entropy (8bit):6.219649477306373
                            Encrypted:false
                            SSDEEP:12288:PpatAdcuir6DuAstdFwBgHaaRRZbv4XqTC6Ri3JRFrt6rd6F1tuuuuuuYGpK7bA+:Bat2cuir6K7tdFJlbv2qTD0bFrBFbuuD
                            MD5:A3F150CEC06C4434460EF680417AF1AC
                            SHA1:A32958417D97509BE368CC48BAB8D9A1C8A9050D
                            SHA-256:F0D8FA3DB3127ABCDED89ABBF13F8D3C0071169618A0340570AA9B389034F176
                            SHA-512:B7354B772DBC6C137D35ACA2E9094E013D05A624A1A71F4B169EDFB07E4212369EF9FD78F23D996EC2C2B3A1E4A4FD158B5E60E347A9CCBA35E07CBA97E64C80
                            Malicious:false
                            Preview:MZ......................@...................................0...........!..L.!22622.3880.66.6.57999ff163192946S mode....$........y...............`.......`.......................`4.......Z..............................`.......`................................X.......0.............Rich....................PE..d......f.........." ...).....N......|........................................P............`......................................... V..H...hZ...........0.......I...........@.......|..p...............................@...............p............................text.............................. ..`.rdata..............................@..@.data...H...........................@....pdata...I.......J...f..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                            Entropy (8bit):7.989219365061286
                            TrID:
                            • Win64 Executable GUI (202006/5) 92.65%
                            • Win64 Executable (generic) (12005/4) 5.51%
                            • Generic Win/DOS Executable (2004/3) 0.92%
                            • DOS Executable Generic (2002/1) 0.92%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File size:10'525'696 bytes
                            MD5:45a5a443c01abd7618efef4827241312
                            SHA1:5390d36a371f0598b86301961d5fdb329e368e7a
                            SHA256:d7f98b8af8a3bfe9d93ce31558a62e4d5d0cd425bc30bbc0d517901e5b82bf46
                            SHA512:0df6330a020ce3b52320f087f56023db069b56d4579b43a9827b8158be430585b88fb43d98004eae4e7a05f85086f5762da17f51af95fdb302669ae1c581f734
                            SSDEEP:196608:aZN5gB3uI0Bn+2N8cL0yiao2ItCC2bO+WxNtTYneFC5YbMvr5GM6BZ2r34:QzgN4Bz7ieTCIKNtUniYYAvE
                            TLSH:5AB63328B7E109CAF577D338C4B7584B52D97D0A1A30C87E9B60059E4D23BE1DA3877A
                            File Content Preview:MZ......................@...............................................!..L.!22622.3880.66.6.57999ff163192946S mode....$........^uOY?..Y?..Y?...G..\?...G...?......_?..I...P?..I...I?..I...q?...G..V?...G..X?...G..L?..Y?...?......]?......X?..Y?..H?......X?.
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x140008bd8
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66E2DBAB [Thu Sep 12 12:16:43 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:f1499aa854493f33c80eb31e0ab8ae92
                            Instruction
                            dec eax
                            sub esp, 28h
                            call 00007F3730B79C30h
                            dec eax
                            add esp, 28h
                            jmp 00007F3730B7985Fh
                            int3
                            int3
                            dec eax
                            sub esp, 28h
                            call 00007F3730B7A2C8h
                            test eax, eax
                            je 00007F3730B79A03h
                            dec eax
                            mov eax, dword ptr [00000030h]
                            dec eax
                            mov ecx, dword ptr [eax+08h]
                            jmp 00007F3730B799E7h
                            dec eax
                            cmp ecx, eax
                            je 00007F3730B799F6h
                            xor eax, eax
                            dec eax
                            cmpxchg dword ptr [0002E460h], ecx
                            jne 00007F3730B799D0h
                            xor al, al
                            dec eax
                            add esp, 28h
                            ret
                            mov al, 01h
                            jmp 00007F3730B799D9h
                            int3
                            int3
                            int3
                            dec eax
                            sub esp, 28h
                            test ecx, ecx
                            jne 00007F3730B799E9h
                            mov byte ptr [0002E449h], 00000001h
                            call 00007F3730B79FB5h
                            call 00007F3730B7D640h
                            test al, al
                            jne 00007F3730B799E6h
                            xor al, al
                            jmp 00007F3730B799F6h
                            call 00007F3730B88E1Fh
                            test al, al
                            jne 00007F3730B799EBh
                            xor ecx, ecx
                            call 00007F3730B7D650h
                            jmp 00007F3730B799CCh
                            mov al, 01h
                            dec eax
                            add esp, 28h
                            ret
                            int3
                            int3
                            inc eax
                            push ebx
                            dec eax
                            sub esp, 20h
                            cmp byte ptr [0002E410h], 00000000h
                            mov ebx, ecx
                            jne 00007F3730B79A49h
                            cmp ecx, 01h
                            jnbe 00007F3730B79A4Ch
                            call 00007F3730B7A23Eh
                            test eax, eax
                            je 00007F3730B79A0Ah
                            test ebx, ebx
                            jne 00007F3730B79A06h
                            dec eax
                            lea ecx, dword ptr [0002E3FAh]
                            call 00007F3730B88C3Eh
                            test eax, eax
                            jne 00007F3730B799F2h
                            dec eax
                            lea ecx, dword ptr [0002E402h]
                            call 00007F3730B79A2Eh
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34bfc | 0xb4 | .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x9d1870 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x38000 | 0x1aac | .pdata
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0c000 | 0x6a4 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x32870 | 0x70 | .rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32730 | 0x140 | .rdata
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x26000 | 0x508 | .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x24f30 | 0x25000 | 173e7f97391bc8314dd470c483309938 | False | 0.5402040223817568 | data | 6.4691102710132915 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata | 0x26000 | 0xfd20 | 0xfe00 | 9e2d4b48d9fe068301a1f9d10650bbc7 | False | 0.48297551673228345 | data | 5.364699069479192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data | 0x36000 | 0x1f54 | 0xc00 | 70729d2ec4f7f720830ce88e7a8defb2 | False | 0.138671875 | data | 1.9570761316523926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .pdata | 0x38000 | 0x1aac | 0x1c00 | f7c2ea792d907b5dce52bcd41206cef3 | False | 0.4693080357142857 | PEX Binary Archive | 5.278111274874002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .rsrc | 0x3a000 | 0x9d1870 | 0x9d1a00 | 608280b907541a797dcf705572785f4e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xa0c000 | 0x6a4 | 0x800 | ed65753989fd21fecc4c316e3fbbc451 | False | 0.51025390625 | data | 5.001370553375213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_STRING | 0xa0b238 | 0x13e | data | Chinese | Taiwan | 0.7327044025157232
                            RT_STRING | 0xa03d18 | 0x2ae | data | German | Germany | 0.43731778425655976
                            RT_STRING | 0xa03498 | 0x2a2 | data | English | United States | 0.4169139465875371
                            RT_STRING | 0xa04788 | 0x2b8 | data | French | France | 0.43103448275862066
                            RT_STRING | 0xa05118 | 0x280 | data | Hungarian | Hungary | 0.46875
                            RT_STRING | 0xa06318 | 0x1b2 | data | Japanese | Japan | 0.6428571428571429
                            RT_STRING | 0xa06870 | 0x170 | data | Korean | North Korea | 0.7010869565217391
                            RT_STRING | 0xa06870 | 0x170 | data | Korean | South Korea | 0.7010869565217391
                            RT_STRING | 0xa07660 | 0x294 | data | Dutch | Netherlands | 0.4393939393939394
                            RT_STRING | 0xa07f98 | 0x2ac | data | Polish | Poland | 0.4473684210526316
                            RT_STRING | 0xa08920 | 0x294 | data | Romanian | Romania | 0.4348484848484849
                            RT_STRING | 0xa092b0 | 0x2ac | data | Russian | Russia | 0.4780701754385965
                            RT_STRING | 0xa09b90 | 0x2c4 | data | Turkish | Turkey | 0.4477401129943503
                            RT_STRING | 0xa05a40 | 0x292 | data | Indonesian | Indonesia | 0.4133738601823708
                            RT_STRING | 0xa0a558 | 0x2d4 | data | Ukrainian | Ukrain | 0.47790055248618785
                            RT_STRING | 0xa06d50 | 0x2c8 | data | Lithuanian | Lithuania | 0.45365168539325845
                            RT_STRING | 0xa0aea8 | 0x132 | data | Chinese | China | 0.7320261437908496
                            RT_STRING | 0xa0b378 | 0x272 | data | Chinese | Taiwan | 0.6597444089456869
                            RT_STRING | 0xa03fc8 | 0x7bc | data | German | Germany | 0.33636363636363636
                            RT_STRING | 0xa03740 | 0x5d4 | data | English | United States | 0.36126005361930297
                            RT_STRING | 0xa04a40 | 0x6d2 | data | French | France | 0.35051546391752575
                            RT_STRING | 0xa05398 | 0x6a2 | data | Hungarian | Hungary | 0.37809187279151946
                            RT_STRING | 0xa064d0 | 0x39c | data | Japanese | Japan | 0.5703463203463204
                            RT_STRING | 0xa069e0 | 0x36c | data | Korean | North Korea | 0.5753424657534246
                            RT_STRING | 0xa069e0 | 0x36c | data | Korean | South Korea | 0.5753424657534246
                            RT_STRING | 0xa078f8 | 0x69a | data | Dutch | Netherlands | 0.3502958579881657
                            RT_STRING | 0xa08248 | 0x6d2 | data | Polish | Poland | 0.3722794959908362
                            RT_STRING | 0xa08bb8 | 0x6f8 | data | Romanian | Romania | 0.34697309417040356
                            RT_STRING | 0xa09560 | 0x62e | data | Russian | Russia | 0.3950695322376738
                            RT_STRING | 0xa09e58 | 0x700 | data | Turkish | Turkey | 0.34933035714285715
                            RT_STRING | 0xa05cd8 | 0x63c | data | Indonesian | Indonesia | 0.3533834586466165
                            RT_STRING | 0xa0a830 | 0x678 | data | Ukrainian | Ukrain | 0.39492753623188404
                            RT_STRING | 0xa07018 | 0x648 | data | Lithuanian | Lithuania | 0.36691542288557216
                            RT_STRING | 0xa0afe0 | 0x258 | data | Chinese | China | 0.66
                            RT_RCDATA | 0x3a7b0 | 0x9c8ce4 | Zip archive data, at least v2.0 to extract, compression method=deflate | English | United States | 0.9992465972900391
                            RT_VERSION | 0x3a430 | 0x380 | data | English | United States | 0.43526785714285715
                            RT_MANIFEST | 0xa0b5f0 | 0x27e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5517241379310345
                            DLL | Import
                            KERNEL32.dll | TerminateProcess, RemoveDirectoryW, GetModuleFileNameW, FindClose, K32GetProcessImageFileNameW, GetUserPreferredUILanguages, OpenProcess, MultiByteToWideChar, CreateThread, K32EnumProcesses, GetCurrentDirectoryW, GetProcAddress, GetCurrentProcessId, GetModuleHandleW, FreeLibrary, CopyFileW, CreateSymbolicLinkW, lstrcmpW, MoveFileW, GetProcessTimes, LoadLibraryExW, WriteConsoleW, SetEndOfFile, WriteFile, HeapSize, FlushFileBuffers, GetProcessHeap, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, ReadConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FindNextFileW, SetLastError, FindFirstFileW, GetExitCodeProcess, MapViewOfFile, CreateFileMappingW, LocalFree, GetWindowsDirectoryW, FindResourceW, LoadResource, CloseHandle, DeleteFileW, LockResource, GetLastError, Sleep, CreateEventW, FreeResource, UnmapViewOfFile, GetSystemDirectoryW, CreateFileW, LocalAlloc, WaitForSingleObject, GetCurrentProcess, GetFileSizeEx, SizeofResource, ReadFile, HeapReAlloc, CreateDirectoryW, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetFileType, HeapFree, HeapAlloc, GetStdHandle, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, RaiseException, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwindEx, GetStartupInfoW, IsDebuggerPresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
                            USER32.dll | ExitWindowsEx, GetWindowThreadProcessId, SetProcessDpiAwarenessContext, SendMessageTimeoutW, MessageBoxW, SendMessageW, LoadStringW, FindWindowW
                            ADVAPI32.dll | RevertToSelf, EqualSid, RegDeleteKeyW, AllocateAndInitializeSid, RegDeleteKeyValueW, RegCreateKeyExW, CreateProcessWithTokenW, ImpersonateLoggedOnUser, RegDeleteTreeW, RegSetValueExW, FreeSid, CheckTokenMembership, DuplicateTokenEx, RegOpenKeyW, RegQueryValueExW, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, OpenProcessToken, RegOpenKeyExW, RegGetValueW
                            SHELL32.dll | SHGetFolderPathW, ShellExecuteW, SHFileOperationW, CommandLineToArgvW, ShellExecuteExW
                            ole32.dll | CoInitialize, CoUninitialize, CoCreateInstance
                            RstrtMgr.DLL | RmRegisterResources, RmGetList, RmStartSession, RmShutdown
                            VERSION.dll | VerQueryValueW
                            SHLWAPI.dll | PathRemoveExtensionW, PathRemoveFileSpecW, PathStripPathW, PathFileExistsW
                            Language of compilation system | Country where language is spoken
                            Chinese | Taiwan
                            German | Germany
                            English | United States
                            French | France
                            Hungarian | Hungary
                            Japanese | Japan
                            Korean | North Korea
                            Korean | South Korea
                            Dutch | Netherlands
                            Polish | Poland
                            Romanian | Romania
                            Russian | Russia
                            Turkish | Turkey
                            Indonesian | Indonesia
                            Ukrainian | Ukrain
                            Lithuanian | Lithuania
                            Chinese | China
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2024-09-12T18:31:25.080721+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49711 | 140.82.121.3 | 443 | TCP
                            Sep 12, 2024 18:31:27.687612057 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.687690020 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.826867104 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.826939106 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827013969 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827205896 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827253103 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827253103 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827284098 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827349901 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827363968 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827438116 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827450991 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827512026 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827523947 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827569962 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827584028 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827636003 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827660084 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827683926 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827730894 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827763081 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.827792883 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.827847004 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.828190088 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.828248024 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.833906889 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.833988905 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.911892891 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.911952019 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.911979914 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912017107 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.912024021 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912055969 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.912061930 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912072897 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912092924 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.912151098 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.912250996 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912301064 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.912307978 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912343025 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.912343979 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912352085 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912374973 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.912400961 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.912947893 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.912995100 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.913047075 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.913116932 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.913155079 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.913165092 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.913202047 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.913829088 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.913866043 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.913876057 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.913913012 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.913918018 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.913954973 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.913960934 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.914022923 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.914668083 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.914716005 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.914724112 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.914762020 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.914768934 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.914815903 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.914853096 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.914859056 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.914891958 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.915494919 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.915540934 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.958498001 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.958549976 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.958583117 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.958643913 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.958650112 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.958884001 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.998409986 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998477936 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998492002 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.998522043 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998539925 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.998549938 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.998553991 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998589039 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998622894 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.998630047 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998668909 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998689890 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.998694897 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998714924 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.998739958 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:27.998744965 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:27.998775959 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.000415087 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.000422955 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.000456095 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.000509977 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.000529051 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.000555038 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.000576019 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.002119064 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.002136946 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.002197981 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.002207994 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.002242088 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.045892954 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.045913935 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.045989037 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.046020985 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.046041965 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.046066046 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.086139917 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.086163998 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.086308956 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.086350918 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.086913109 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.086935997 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.086976051 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.086983919 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.087007999 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.087054968 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.087922096 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.087938070 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.087994099 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.088001013 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.088022947 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.088044882 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.089096069 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.089112997 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.089186907 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.089196920 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.089792967 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.089811087 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.089857101 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.089864969 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.089888096 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.089907885 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.132361889 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.132384062 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.132550001 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.132579088 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.132944107 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.132962942 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.133013010 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.133028984 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.133081913 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.133081913 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.172548056 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.172573090 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.172738075 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.172775030 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.172815084 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.172837973 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.172871113 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.172878027 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.172910929 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.172929049 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.173546076 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.173577070 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.173604965 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.173609018 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.173631907 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.173645020 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.174180984 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.174197912 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.174226999 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.174231052 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.174257040 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.174276114 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.177122116 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.177144051 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.177208900 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.177217960 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.177423000 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.177443981 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.177479029 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.177484035 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.177499056 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.177529097 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.219300032 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.219330072 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.219466925 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.219499111 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.219717979 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.259141922 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259205103 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259332895 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.259332895 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.259371996 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259454966 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259512901 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.259520054 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259546995 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259598970 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.259604931 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259639025 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.259704113 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259723902 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259773970 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.259780884 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259912968 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259931087 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259957075 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.259963036 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.259984970 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.260006905 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.260308981 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.260329008 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.260370016 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.260376930 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.260711908 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.260729074 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.260760069 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.260767937 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.260788918 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.260812998 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.261106968 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.261127949 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.261169910 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.261177063 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.261244059 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.310622931 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.310678959 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.310755014 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.310790062 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.310811996 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.311469078 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.345999956 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.346050024 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.346087933 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.346124887 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.346144915 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.346159935 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.346355915 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.346398115 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.346419096 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.346426964 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.346450090 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.346467972 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.346719980 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.346772909 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.346777916 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.346834898 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.551414013 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.551493883 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:28.759433031 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:28.759608984 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.179404020 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.179558039 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.219444990 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.219455957 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219465971 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219535112 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.219541073 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219551086 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219610929 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.219616890 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219631910 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219641924 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219728947 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.219749928 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219769955 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219789982 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219795942 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219883919 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.219892979 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219937086 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.219944000 CEST44349718185.199.108.133192.168.2.5
                            Sep 12, 2024 18:31:29.219990969 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.220015049 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.220196962 CEST49718443192.168.2.5185.199.108.133
                            Sep 12, 2024 18:31:29.220395088 CEST49718443192.168.2.5185.199.108.133
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 12, 2024 18:31:22.091531992 CEST | 53244 | 53 | 192.168.2.5 | 1.1.1.1 |
| Sep 12, 2024 18:31:24.167186022 CEST | 56437 | 53 | 192.168.2.5 | 1.1.1.1 |
| Sep 12, 2024 18:31:24.176265955 CEST | 53 | 56437 | 1.1.1.1 | 192.168.2.5 |
| Sep 12, 2024 18:31:27.044583082 CEST | 59283 | 53 | 192.168.2.5 | 1.1.1.1 |
| Sep 12, 2024 18:31:27.051902056 CEST | 53 | 59283 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 12, 2024 18:31:22.091531992 CEST | 192.168.2.5 | 1.1.1.1 | 0xf6e5 | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false |
| Sep 12, 2024 18:31:24.167186022 CEST | 192.168.2.5 | 1.1.1.1 | 0xaac1 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false |
| Sep 12, 2024 18:31:27.044583082 CEST | 192.168.2.5 | 1.1.1.1 | 0xcb28 | Standard query (0) | objects.githubusercontent.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 12, 2024 18:31:22.098771095 CEST | 1.1.1.1 | 192.168.2.5 | 0xf6e5 | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Sep 12, 2024 18:31:24.176265955 CEST | 1.1.1.1 | 192.168.2.5 | 0xaac1 | No error (0) | github.com | | 140.82.121.3 | A (IP address) | IN (0x0001) | false |
| Sep 12, 2024 18:31:27.051902056 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb28 | No error (0) | objects.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false |
| Sep 12, 2024 18:31:27.051902056 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb28 | No error (0) | objects.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false |
| Sep 12, 2024 18:31:27.051902056 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb28 | No error (0) | objects.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false |
| Sep 12, 2024 18:31:27.051902056 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb28 | No error (0) | objects.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false |
                            • github.com
                            • objects.githubusercontent.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49711 | 140.82.121.3 | 443 | 2980 | C:\Windows\explorer.exe |
Timestamp | Bytes transferred | Direction | Data
2024-09-12 16:31:24 UTC | 126 | OUT | GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1
                            User-Agent: ExplorerPatcher
                            Host: github.com
2024-09-12 16:31:25 UTC | 547 | IN | HTTP/1.1 302 Found
                            Server: GitHub.com
                            Date: Thu, 12 Sep 2024 16:31:18 GMT
                            Content-Type: text/html; charset=utf-8
                            Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                            Location: https://github.com/valinet/ExplorerPatcher/releases/download/22621.3880.66.5_5094108/ep_setup.exe
                            Cache-Control: no-cache
                            Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                            X-Frame-Options: deny
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 0
                            Referrer-Policy: no-referrer-when-downgrade
                            Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
                            Data Ascii: Set-Cookie: _gh_sess=v%2BGCz%2BDg8hxFhaO3ujm3GIAVyDZYrBcH0kcmEcWLb%2Byohj%2BW1njH0IkWbUUGN%2BcIPp7yP%2F2cLL4JZcFsYxvjTNvhk5gAFvlFPLTyAsE3G9BU2zFQqL3nkMhO8lgO3JtBW4ezGW2n7oPJgBtEmQnvBi%2BBPLb6W6CWe6oAdAGH5WJX%2FuPpSQFBX%2B5GpfZHq7C46KQYkXxEeeATyO74LXN%2Fhb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49712 | 140.82.121.3 | 443 | 2980 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-12 16:31:26 UTC | 167 | OUT | GET /valinet/ExplorerPatcher/releases/download/22621.3880.66.5_5094108/ep_setup.exe HTTP/1.1
                            User-Agent: ExplorerPatcher
                            Host: github.com
                            Connection: Keep-Alive
2024-09-12 16:31:26 UTC | 997 | IN | HTTP/1.1 302 Found
                            Server: GitHub.com
                            Date: Thu, 12 Sep 2024 16:31:19 GMT
                            Content-Type: text/html; charset=utf-8
                            Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                            Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/d0ea7754-53d3-4f5a-b870-915f924fbb56?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240912%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240912T163119Z&X-Amz-Expires=300&X-Amz-Signature=ccbd5355f6cdf8d7af2b5fc3c342d46db9d98756c5381b9b25100712ee9e2190&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=394318710&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream
                            Cache-Control: no-cache
                            Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                            X-Frame-Options: deny
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 0
                            Referrer-Policy: no-referrer-when-downgrade
                            Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49718 | 185.199.108.133 | 443 | 2980 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-12 16:31:27 UTC | 617 | OUT | GET /github-production-release-asset-2e65be/394318710/d0ea7754-53d3-4f5a-b870-915f924fbb56?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240912%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240912T163119Z&X-Amz-Expires=300&X-Amz-Signature=ccbd5355f6cdf8d7af2b5fc3c342d46db9d98756c5381b9b25100712ee9e2190&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=394318710&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream HTTP/1.1
                            User-Agent: ExplorerPatcher
                            Connection: Keep-Alive
                            Host: objects.githubusercontent.com
2024-09-12 16:31:27 UTC | 800 | IN | HTTP/1.1 200 OK
                            Connection: close
                            Content-Length: 10525184
                            Content-Type: application/octet-stream
                            Last-Modified: Tue, 03 Sep 2024 02:49:02 GMT
                            ETag: "0x8DCCBC2F824451F"
                            Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                            x-ms-request-id: 3218f093-301e-0031-6aab-fd0046000000
                            x-ms-version: 2020-10-02
                            x-ms-creation-time: Tue, 03 Sep 2024 02:49:02 GMT
                            x-ms-lease-status: unlocked
                            x-ms-lease-state: available
                            x-ms-blob-type: BlockBlob
                            Content-Disposition: attachment; filename=ep_setup.exe
                            x-ms-server-encrypted: true
                            Via: 1.1 varnish, 1.1 varnish
                            Fastly-Restarts: 1
                            Accept-Ranges: bytes
                            Date: Thu, 12 Sep 2024 16:31:27 GMT
                            Age: 5257
                            X-Served-By: cache-iad-kcgs7200179-IAD, cache-ewr-kewr1740048-EWR
                            X-Cache: HIT, HIT
                            X-Cache-Hits: 4648, 1
                            X-Timer: S1726158688.737418,VS0,VE1


                            Target ID:0
                            Start time:12:31:10
                            Start date:12/09/2024
                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe"
                            Imagebase:0x7ff7f56d0000
                            File size:10'525'696 bytes
                            MD5 hash:45A5A443C01ABD7618EFEF4827241312
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:12:31:11
                            Start date:12/09/2024
                            Path:C:\Windows\System32\taskkill.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\taskkill.exe" /f /im explorer.exe
                            Imagebase:0x7ff76cb00000
                            File size:101'376 bytes
                            MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:3
                            Start time:12:31:11
                            Start date:12/09/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:12:31:12
                            Start date:12/09/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
                            Imagebase:0x7ff7c9860000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:5
                            Start time:12:31:12
                            Start date:12/09/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:12:31:14
                            Start date:12/09/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
                            Imagebase:0x7ff7c9860000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:7
                            Start time:12:31:14
                            Start date:12/09/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:12:31:14
                            Start date:12/09/2024
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
                            Imagebase:0x7ff796d00000
                            File size:25'088 bytes
                            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:12:31:15
                            Start date:12/09/2024
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
                            Imagebase:0x7ff796d00000
                            File size:25'088 bytes
                            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:12:31:16
                            Start date:12/09/2024
                            Path:C:\Windows\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\explorer.exe"
                            Imagebase:0x7ff674740000
                            File size:5'141'208 bytes
                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:12:31:17
                            Start date:12/09/2024
                            Path:C:\Windows\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\explorer.exe /NoUACCheck
                            Imagebase:0x7ff674740000
                            File size:5'141'208 bytes
                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2165056193.00007FF7F56D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F56D0000, based on PE: true
• Associated: 00000000.00000002.2165040970.00007FF7F56D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165080505.00007FF7F56F6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165098986.00007FF7F5706000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165115545.00007FF7F5708000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7f56d0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 2933794660-0
                              • Opcode ID: d490c774242d86a4b319619409adf73b8d724b4892db60fa64681951350df607
                              • Instruction ID: 1b90974ba470c9610a11e7a2623eceff44e5d25190d1a404476a5dcb1d7db51c
                              • Opcode Fuzzy Hash: d490c774242d86a4b319619409adf73b8d724b4892db60fa64681951350df607
                              • Instruction Fuzzy Hash: 39112E22B14F018AEB00EF60E8552B973A4F719F58F841E31DA7D867A4EF78D1548390
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
• Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value$Create$CloseQuery$InvalidateNotifyRect$CacheChangeFindFlushMessageOpenSendWindow
• String ID: AllocConsole$AltTabSettings$ArchiveMenu$Attributes$CONOUT$$CenterMenus$ClassicThemeMitigations$ClockFlyoutOnWinC$DisableAeroSnapQuadrants$DisableImmersiveContextMenu$DisableOfficeHotkeys$DisableWinFHotkey$DoNotRedirectDateAndTimeToSettingsApp$DoNotRedirectNotificationIconsToSettingsApp$DoNotRedirectProgramsAndFeaturesToSettingsApp$DoNotRedirectSystemToSettingsApp$DwmExtendFrameIntoClientArea$EnableSymbolDownload$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$FileExplorerCommandUI$FlyoutMenus$HideControlCenterButton$HideExplorerSearchBar$HideIconAndTitleInExplorer$HookStartMenu$IMEStyle$IsUpdatePending$LegacyFileTransferDialog$MMOldTaskbarAl$MMTaskbarGlomLevel$Memcheck$MicaEffectOnTitlebar$MigratedFromOldSettings$MonitorOverride$NoMenuAccelerator$NoPropertiesInContextMenu$OldTaskbar$OldTaskbarAl$OpenAtLogon$OpenPropertiesAtNextStart$OrbStyle$PinnedItemsActAsQuickLaunch$PropertiesInWinX$RemoveExtraGapAroundPinnedItems$ReplaceNetwork$SOFTWARE\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InProcServer32$SOFTWARE\Microsoft\TabletTip\1.7$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$ShrinkExplorerAddressBar$SkinIcons$SkinMenus$SnapAssistSettings$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}\ShellFolder$Software\ExplorerPatcher$Software\ExplorerPatcher\sws$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$SpotlightDesktopMenuMask$SpotlightDisableIcon$SpotlightUpdateSchedule$StartDocked$TaskbarAutohideOnDoubleClick$TaskbarGlomLevel$ToolbarSeparators$TraySettings$UndeadStartCorner$UpdatePolicy$UseClassicDriveGrouping$WeatherContentUpdateMode$WeatherContentsMode$WeatherDevMode$WeatherFixedSize$WeatherIconPack$WeatherLanguage$WeatherLocation$WeatherLocationType$WeatherTemperatureUnit$WeatherTheme$WeatherToLeft$WeatherViewMode$WeatherWindowCornerPreference$WeatherZoomFactor$dwmapi.dll$en-US$uxtheme.dll
                              • API String ID: 1717770317-297309502
                              • Opcode ID: b0859b562d8a8e0df9ef140f90f2bffe2cf6c8f6902dfc79aa0bfecfd605e6c3
                              • Instruction ID: 59216b94026a2e52ee0e97dee7b14fbc15e7edb627736acf5d60bf99e848e46f
                              • Opcode Fuzzy Hash: b0859b562d8a8e0df9ef140f90f2bffe2cf6c8f6902dfc79aa0bfecfd605e6c3
                              • Instruction Fuzzy Hash: CE030B76A19B528EEB208F68E880AAD37B5FB49398F405135DB4D13B68DFBCD105CB14
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressProc$Library$Create$Load$Thread$Module$Virtual$Protect$Handle$Free$Event$CurrentInformationProcess$DirectoryExitValue$CloseDeleteFileFindPathQuery$CommandCreate_CriticalDataEntryEnumErrorExistsFirstFolderImageInitializeL32_LastMutexOpenSectionWindows_invalid_parameter_noinfo
                              • String ID: API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL$API-MS-WIN-NTUSER-RECTANGLE-L1-1-0.DLL$API-MS-WIN-SHCORE-REGISTRY-L1-1-0.DLL$Attempting to download symbol data; for now, the program may have limited functionality.$CascadeWindows$CloseThemeData$CoCreateInstance$CreateWindowExW$CreateWindowInBand$DeleteMenu$DllGetClassObject$DrawThemeBackground$DrawThemeTextEx$DwmUpdateThumbnailProperties$EP Service Window thread$Failed to install hooks. rv = %d$GetClientRect$GetSystemMetrics$GetThemeMargins$GetThemeMetric$GetWindowBand$Global\EP_Weather_Killswitch_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$ITrayUIHost = %llX$Initialized taskbar centering module.$InputSwitch.dll$Installed hooks.$IsOS$LoadLibraryExW$LoadMenuW$Loaded symbols$MMTaskbarGlomLevel$MulDiv$NtUserFindWindowEx$Open Start on monitor thread$OpenThemeDataForDpi$PeopleBand.dll$QISearch$RegCreateKeyExW$RegGetValueW$RegOpenKeyExW$RegSetValueExW$RegisterHotKey$RoGetActivationFactory$Running on Windows %d, OS Build %d.%d.%d.%d.$SHCORE.dll$SHELL32_CanDisplayWin8CopyDialog$SHGetValueW$SHLWAPI.dll$SLGetWindowsInformationDWORD$SOFTWARE\Microsoft\TabletTip\1.7$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$SendMessageW$SetRect$SetWindowBand$SetWindowCompositionAttribute$Setup bthprops functions done$Setup combase functions done$Setup explorer functions done$Setup inputswitch functions done$Setup peopleband functions done$Setup shell32 functions done$Setup stobject functions done$Setup twinui functions done$Setup user32 functions done$Setup uxtheme functions done$Setup windows.storage functions done$ShellExecuteExW$ShellExecuteW$Software\ExplorerPatcher$Software\ExplorerPatcher\sws$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$StartTileData.dll$TaskbarGlomLevel$TileWindows$TrackPopupMenu$TrackPopupMenuEx$USER32.DLL$USER32.dll$[Extra] Finished running entry point.$[Extra] Found library: %p.$[Extra] LoadLibraryW failed with 0x%x.$[Extra] Running entry point...$[IME] Context menu patch status: %d$[TB] Unsupported build$\ExplorerPatcher$\ep_extra.dll$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-largeinteger-l1-1-0.dll$api-ms-win-core-libraryloader-l1-2-0.dll$api-ms-win-core-registry-l1-1-0.dll$api-ms-win-core-shlwapi-obsolete-l1-1-0.dll$api-ms-win-core-winrt-l1-1-0.dll$api-ms-win-ntuser-sysparams-l1-1-0.dll$api-ms-win-shcore-sysinfo-l1-1-0.dll$bthprops.cpl$combase.dll$dwmapi.dll$ep_extra_EntryPoint$explorer.exe!TrayUI_CreateInstance() = %llX$ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll$ext-ms-win-security-slc-l1-1-0.dll$ext-ms-win-shell-exports-internal-l1-1-0.dll$pnidui.dll$shcore.dll$shell32.dll$shell32.dll$slc.dll$stobject.dll$twinui.dll$user32.dll$user32.dll$uxtheme.dll$uxtheme.dll$win32u.dll$windows.storage.dll$windowsudk.shellcommon.dll$xx??x??xxx????xx$xxx????xxx????x????xx$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 4277971903-1527841907
                              • Opcode ID: 561687ea2e422f9f9f42a53dd6bffec6658d988fac81d2d924c6c3c80d658436
                              • Instruction ID: 9390b77d3532311801147a333f1227fa7b67d0c27b29474d6bb808bc3a73890d
                              • Opcode Fuzzy Hash: 561687ea2e422f9f9f42a53dd6bffec6658d988fac81d2d924c6c3c80d658436
                              • Instruction Fuzzy Hash: E7032371A09A4799EB50DFA8E8902F923A1FF857C4F804136DB0E066A5DFBDE589C341

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value$Query$Close$CreateDirectory$DeleteWindows$Tree$Find$AddressFileFirstHandleModuleOpenProcSystem_invalid_parameter_noinfo
                              • String ID: !$CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc$CLauncherTipContextMenu::GetMenuItemsAsync$CLauncherTipContextMenu::ShowLauncherTipContextMenu$CLauncherTipContextMenu::_ExecuteCommand$CLauncherTipContextMenu::_ExecuteShutdownCommand$CMultitaskingViewManager::_CreateDCompMTVHost$CMultitaskingViewManager::_CreateXamlMTVHost$CTaskBand_CreateInstance$HandleFirstTimeLegacy$Hash$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu$ImmersiveTray::AttachWindowToTray$ImmersiveTray::RaiseWindow$OSBuild$SetColorPreferenceForLogonUI$Software\ExplorerPatcher$Software\ExplorerPatcher\explorer$Software\ExplorerPatcher\twinui.pcshell$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartDocked$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::StartSizingFrame::StartSizingFrame$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$TrayUI::_UpdatePearlSize$Version$[Symbols] Symbols for "%s" are not available.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll$\explorer.exe$\twinui.pcshell.dll$explorer$twinui.pcshell
                              • API String ID: 3716114926-1751072635
                              • Opcode ID: 7956ac15a74029a0eaab39bcb175e0c9f08ee52c61f66d83115e7b2160469f4a
                              • Instruction ID: 47c587ed0cd8f1a17d8e4e6f71ec36a469e976fd58e91563b6e8cda83eedfa04
                              • Opcode Fuzzy Hash: 7956ac15a74029a0eaab39bcb175e0c9f08ee52c61f66d83115e7b2160469f4a
                              • Instruction Fuzzy Hash: C3622272608A839AEB20CB58F4946AA77A5FB847D8F401136D78D47E68DFBCD159CB00

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressProc$DirectoryValue$LibraryLoad$AsyncHandleModuleOpenProcessStateSystemWindows$CloseCreateFindNamePathQueryThreadWindow$CurrentFileFullImageMetricsStrip_invalid_parameter_noinfo
                              • String ID: ApplyCompatResolutionQuirking$CompatString$CompatValue$Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$CrashCounter$CreateDXGIFactory$CreateDXGIFactory1$CreateDXGIFactory2$DXGID3D10CreateDevice$DXGID3D10CreateLayeredDevice$DXGID3D10GetLayeredDeviceSize$DXGID3D10RegisterLayers$DXGIDeclareAdapterRemovalSupport$DXGIDumpJournal$DXGIGetDebugInterface1$DXGIReportAdapterConfiguration$GetProductInfo$LaunchCflScenario$LaunchUserOOBE$PIXBeginCapture$PIXEndCapture$PIXGetCaptureState$Progman$Proxy Desktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CFL\ExperienceManagerData$SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE$SetAppCompatStringPointer$Software\ExplorerPatcher$UpdateHMDEmulationStatus$Windows.UI.QuickActions.dll$Windows.UI.Xaml.dll$\SearchIndexer.exe$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe$\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe$\dxgi.dll$\explorer.exe$api-ms-win-core-sysinfo-l1-2-0.dll$dxgi.dll
                              • API String ID: 425412005-3433049922
                              • Opcode ID: 88c2c6aaff04b593eb52fcd9162841361041791d9db1d1db946c8d4002ca0a51
                              • Instruction ID: afb3c67d8e1aa965ce393815879fbeb45fa4c4ce0f79fadef05e2fe49da7193e
                              • Opcode Fuzzy Hash: 88c2c6aaff04b593eb52fcd9162841361041791d9db1d1db946c8d4002ca0a51
                              • Instruction Fuzzy Hash: 1C324B75A09A439DEB10DB68E8902B923A1FF857C4F800136DB4D466A8EFBDE549C740

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Load$String$Value$CreateQuery$CloseFolderInfoLibraryLocalePath$AddressDirectoryFreeHandleLanguagesModuleOpenPreferredProcSleepThread_invalid_parameter_noinfo
                              • String ID: %d.%d.%d.%d$<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$@$Software\ExplorerPatcher$SymbolsLastNotifiedOSBuild$[Symbols] Attempting to download symbols for OS version %s.$[Symbols] Downloading to "%s".$[Symbols] Finished "Download symbols" thread.$[Symbols] Finished gathering symbol data.$[Symbols] Started "Download symbols" thread.$\ExplorerPatcher$\ExplorerPatcher\ep_gui.dll$https://github.com/valinet/ExplorerPatcher/wiki/Symbols$long$short
                              • API String ID: 3080592855-3895060210
                              • Opcode ID: db88c42cd2bff578304e446f47b52434223540bcc67150ca6e7fcab444a0de7b
                              • Instruction ID: 2f5c53b3c387241efe5d1009f43db8b8fd229a90562c3dd02a89ae42bae6117c
                              • Opcode Fuzzy Hash: db88c42cd2bff578304e446f47b52434223540bcc67150ca6e7fcab444a0de7b
                              • Instruction Fuzzy Hash: 9D026236A18A839DE760DF64E8506EE33B4FB44388F805136DA4D47A99EFBCD649C740

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1266 7ff8bee4f250-7ff8bee4f297 RoInitialize 1267 7ff8bee4f3ac-7ff8bee4f3c3 FindWindowExW 1266->1267 1268 7ff8bee4f29d-7ff8bee4f2bd WindowsCreateStringReference 1266->1268 1271 7ff8bee4f3e9-7ff8bee4f404 Sleep call 7ff8bee111b0 1267->1271 1272 7ff8bee4f3c5-7ff8bee4f3e7 Sleep FindWindowExW 1267->1272 1269 7ff8bee4f6ff-7ff8bee4f706 call 7ff8bee3c060 1268->1269 1270 7ff8bee4f2c3-7ff8bee4f2e0 RoGetActivationFactory 1268->1270 1277 7ff8bee4f707-7ff8bee4f70e call 7ff8bee3c060 1269->1277 1270->1267 1274 7ff8bee4f2e6-7ff8bee4f30a WindowsCreateStringReference 1270->1274 1283 7ff8bee4f44a-7ff8bee4f450 1271->1283 1284 7ff8bee4f406-7ff8bee4f431 WindowsCreateStringReference 1271->1284 1272->1271 1272->1272 1274->1277 1278 7ff8bee4f310-7ff8bee4f32e RoGetActivationFactory 1274->1278 1295 7ff8bee4f70f-7ff8bee4f716 call 7ff8bee3c060 1277->1295 1281 7ff8bee4f398-7ff8bee4f39f 1278->1281 1282 7ff8bee4f330-7ff8bee4f344 1278->1282 1281->1267 1287 7ff8bee4f3a1-7ff8bee4f3ab 1281->1287 1301 7ff8bee4f384-7ff8bee4f38b 1282->1301 1302 7ff8bee4f346-7ff8bee4f371 WindowsCreateStringReference 1282->1302 1285 7ff8bee4f491-7ff8bee4f4de CreateEventW * 3 1283->1285 1286 7ff8bee4f452-7ff8bee4f472 WindowsCreateStringReference 1283->1286 1289 7ff8bee4f717-7ff8bee4f724 call 7ff8bee3c060 1284->1289 1290 7ff8bee4f437-7ff8bee4f446 1284->1290 1293 7ff8bee4f4e4-7ff8bee4f4e9 1285->1293 1294 7ff8bee4f690-7ff8bee4f697 1285->1294 1291 7ff8bee4f478-7ff8bee4f48d RoGetActivationFactory 1286->1291 1292 7ff8bee4f6f7-7ff8bee4f6fe call 7ff8bee3c060 1286->1292 1287->1267 1313 7ff8bee4f726-7ff8bee4f72a SwitchToThread 1289->1313 1314 7ff8bee4f731 1289->1314 1290->1283 1291->1285 1292->1269 1293->1294 1298 7ff8bee4f4ef-7ff8bee4f4f2 1293->1298 1306 7ff8bee4f699-7ff8bee4f6a3 1294->1306 1307 7ff8bee4f6a4-7ff8bee4f6ab 1294->1307 1295->1289 1298->1294 1310 7ff8bee4f4f8-7ff8bee4f51a call 7ff8bee51370 1298->1310 1301->1281 1315 7ff8bee4f38d-7ff8bee4f397 1301->1315 1302->1295 1312 
7ff8bee4f377-7ff8bee4f37b 1302->1312 1306->1307 1308 7ff8bee4f6ad-7ff8bee4f6b7 1307->1308 1309 7ff8bee4f6b8-7ff8bee4f6bf 1307->1309 1308->1309 1319 7ff8bee4f6cc-7ff8bee4f6f6 call 7ff8bee510b0 1309->1319 1320 7ff8bee4f6c1-7ff8bee4f6cb 1309->1320 1326 7ff8bee4f51c-7ff8bee4f541 1310->1326 1327 7ff8bee4f56d-7ff8bee4f574 1310->1327 1325 7ff8bee4f380 1312->1325 1313->1314 1315->1281 1320->1319 1325->1301 1330 7ff8bee4f54a-7ff8bee4f56a 1326->1330 1331 7ff8bee4f543-7ff8bee4f549 1326->1331 1332 7ff8bee4f57a-7ff8bee4f5d3 call 7ff8bee4e520 RegCreateKeyExW 1327->1332 1333 7ff8bee4f616-7ff8bee4f61f 1327->1333 1330->1327 1331->1330 1342 7ff8bee4f5d5-7ff8bee4f610 RegSetValueExW RegCloseKey 1332->1342 1343 7ff8bee4f612 1332->1343 1334 7ff8bee4f640-7ff8bee4f65a WaitForMultipleObjects 1333->1334 1335 7ff8bee4f621 1333->1335 1339 7ff8bee4f65c-7ff8bee4f65f 1334->1339 1340 7ff8bee4f682-7ff8bee4f68e 1334->1340 1338 7ff8bee4f624-7ff8bee4f63e call 7ff8bee4e830 1335->1338 1338->1334 1345 7ff8bee4f674-7ff8bee4f680 1339->1345 1346 7ff8bee4f661-7ff8bee4f664 1339->1346 1340->1338 1342->1333 1343->1333 1345->1338 1346->1334 1348 7ff8bee4f666-7ff8bee4f672 1346->1348 1348->1338
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Create$ReferenceStringWindows$ActivationEventFactory$FindSleepWindow$CloseInitializeMultipleObjectsValueWait
                              • String ID: EP_Ev_CheckForUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$IsUpdatePending$Microsoft.Windows.Explorer$Shell_TrayWnd$Software\ExplorerPatcher$Windows.UI.Notifications.ToastNotification$Windows.UI.Notifications.ToastNotificationManager$[Updates] Starting daemon.$ep_updates
                              • API String ID: 515347756-3464217809
                              • Opcode ID: c18357ae3e18e56df48e9b90b3782d440a669a27c2374db1899b79d48f0226c5
                              • Instruction ID: e48f8cb4f519e02b6c134b26d03442f86ebeec12928504c0cd7e46aa51d5e856
                              • Opcode Fuzzy Hash: c18357ae3e18e56df48e9b90b3782d440a669a27c2374db1899b79d48f0226c5
                              • Instruction Fuzzy Hash: 0EE14632B09B429AEB10DF69E8506AD33B1FB49B88F405536DB0D57AA8DFBDE515C300

                              Control-flow Graph

                              control_flow_graph 1470 7ff8bee28800-7ff8bee28839 1471 7ff8bee2883b-7ff8bee2883e 1470->1471 1472 7ff8bee28844-7ff8bee28889 RegCreateKeyExW 1470->1472 1471->1472 1475 7ff8bee2897a-7ff8bee2897d 1471->1475 1473 7ff8bee2888f-7ff8bee288c4 RegQueryValueExW 1472->1473 1474 7ff8bee28971 1472->1474 1476 7ff8bee288d1-7ff8bee2890d RegQueryValueExW 1473->1476 1477 7ff8bee288c6-7ff8bee288cc call 7ff8bee28700 1473->1477 1478 7ff8bee28975-7ff8bee28978 1474->1478 1479 7ff8bee28983-7ff8bee289c8 RegCreateKeyExW 1475->1479 1480 7ff8bee28a24-7ff8bee28a5d SendNotifyMessageW FindWindowExW 1475->1480 1484 7ff8bee2891b-7ff8bee28957 RegQueryValueExW 1476->1484 1485 7ff8bee2890f-7ff8bee28915 1476->1485 1477->1476 1478->1475 1478->1479 1486 7ff8bee289ca-7ff8bee28a02 RegQueryValueExW 1479->1486 1487 7ff8bee28a17 1479->1487 1482 7ff8bee28a5f-7ff8bee28a77 FindWindowExW 1480->1482 1483 7ff8bee28ad0-7ff8bee28aeb FindWindowExW 1480->1483 1482->1483 1489 7ff8bee28a79 1482->1489 1492 7ff8bee28aed-7ff8bee28af4 1483->1492 1493 7ff8bee28af6-7ff8bee28b01 1483->1493 1490 7ff8bee28959-7ff8bee2895f 1484->1490 1491 7ff8bee28965-7ff8bee2896f RegCloseKey 1484->1491 1485->1484 1488 7ff8bee28a1b-7ff8bee28a1e 1486->1488 1494 7ff8bee28a04-7ff8bee28a15 call 7ff8bee28700 1486->1494 1487->1488 1488->1480 1495 7ff8bee28b08-7ff8bee28b29 call 7ff8bee510b0 1488->1495 1496 7ff8bee28a80-7ff8bee28a94 FindWindowExW 1489->1496 1490->1491 1491->1478 1492->1496 1493->1495 1497 7ff8bee28b03 call 7ff8bee1e230 1493->1497 1494->1488 1496->1483 1500 7ff8bee28a96-7ff8bee28aa7 GetWindowLongPtrW 1496->1500 1497->1495 1500->1483 1504 7ff8bee28aa9-7ff8bee28aca InvalidateRect 1500->1504 1504->1483
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$FindQueryValue$Create$CloseInvalidateLongMessageNotifyRectSend
                              • String ID: ClockButton$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$SearchboxTaskbarMode$Shell_SecondaryTrayWnd$Shell_TrayWnd$ShowTaskViewButton$TaskbarDa$TaskbarSmallIcons$TrayClockWClass$TrayNotifyWnd$TraySettings
                              • API String ID: 3959271719-3714636963
                              • Opcode ID: 4ab373a0b3cc1fd82646b3130a35559c248819b11f2c73222ac6e96f04d1f03e
                              • Instruction ID: eb5b296b46bce54fd18c0907faf974b397d8e9445b2a5a31d42eeae884545eb6
                              • Opcode Fuzzy Hash: 4ab373a0b3cc1fd82646b3130a35559c248819b11f2c73222ac6e96f04d1f03e
                              • Instruction Fuzzy Hash: 5F918A72A09B428EEB60CF68E8906AD77A0FB49798F444535DB4D13B98DFBCE104C710

                              Control-flow Graph

                              control_flow_graph 1506 7ff8bee4fe80-7ff8bee4ff08 CreateFileW 1507 7ff8bee4ff0a-7ff8bee4ff10 GetLastError 1506->1507 1508 7ff8bee4ff15-7ff8bee4ff30 GetFileSizeEx 1506->1508 1509 7ff8bee5007a-7ff8bee50093 call 7ff8bee510b0 1507->1509 1510 7ff8bee4ff4a-7ff8bee4ff5f call 7ff8bee67ea8 1508->1510 1511 7ff8bee4ff32-7ff8bee4ff45 GetLastError CloseHandle 1508->1511 1517 7ff8bee4ff74-7ff8bee4ff93 CryptAcquireContextW 1510->1517 1518 7ff8bee4ff61-7ff8bee4ff6f CloseHandle 1510->1518 1512 7ff8bee50072 1511->1512 1512->1509 1520 7ff8bee4ff95-7ff8bee4ff9d GetLastError 1517->1520 1521 7ff8bee4ffa2-7ff8bee4ffc2 CryptCreateHash 1517->1521 1519 7ff8bee5006a 1518->1519 1519->1512 1522 7ff8bee5005f-7ff8bee50062 CloseHandle 1520->1522 1523 7ff8bee4ffc4-7ff8bee4ffe1 GetLastError CloseHandle CryptReleaseContext 1521->1523 1524 7ff8bee4ffe6-7ff8bee50001 ReadFile 1521->1524 1525 7ff8bee50068 1522->1525 1523->1525 1526 7ff8bee50041-7ff8bee50059 GetLastError CryptReleaseContext CryptDestroyHash 1524->1526 1527 7ff8bee50003-7ff8bee5000e 1524->1527 1525->1519 1526->1522 1528 7ff8bee50094-7ff8bee500b5 CryptGetHashParam 1527->1528 1529 7ff8bee50014-7ff8bee50022 CryptHashData 1527->1529 1531 7ff8bee500ff-7ff8bee50105 GetLastError 1528->1531 1532 7ff8bee500b7-7ff8bee500bd 1528->1532 1529->1526 1530 7ff8bee50024-7ff8bee5003f ReadFile 1529->1530 1530->1526 1530->1527 1533 7ff8bee50108-7ff8bee5012a CryptDestroyHash CryptReleaseContext CloseHandle call 7ff8bee67e94 1531->1533 1532->1533 1534 7ff8bee500bf 1532->1534 1538 7ff8bee5012f-7ff8bee50132 1533->1538 1536 7ff8bee500c0-7ff8bee500fb call 7ff8bee1c640 1534->1536 1540 7ff8bee500fd 1536->1540 1538->1519 1540->1533
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CryptErrorLast$CloseFileHandleHash$ContextCreateDestroyParamReleaseSize
                              • String ID: %c%c
                              • API String ID: 1362656601-3228636524
                              • Opcode ID: 55f61f22b1cfa79a35e07c728d9ce9c7de5a9daabe5a9ab501b041ea079c1ec8
                              • Instruction ID: d0cac3d69af3e74e4ca5687c349129fb1274d6ab15918cad5b237730f848cf2c
                              • Opcode Fuzzy Hash: 55f61f22b1cfa79a35e07c728d9ce9c7de5a9daabe5a9ab501b041ea079c1ec8
                              • Instruction Fuzzy Hash: 5A718E22B19A828EE7108F79E8907BD27A1FF49BD8F004535EF4E16A58DFBCE5459700

                              Control-flow Graph

                              APIs
                              Strings
                              • EP_Service_Window_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FF8BEE1E55D
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Message$Register$CriticalHandleModuleSectionWindow$ClassCloseCreateCursorDestroyDispatchEnterEventInvalidateLeaveLoadObjectOpenRectStockTimerTranslate
                              • String ID: EP_Service_Window_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                              • API String ID: 124686274-1881722731
                              • Opcode ID: b57f66ebaee192715d19923a7331629b467761d4b72bedacc28b2662b6677ca9
                              • Instruction ID: 4e97261112ebd16eabcaaf082bc4a2c81e2514498aef3f424496da1f5ffc297c
                              • Opcode Fuzzy Hash: b57f66ebaee192715d19923a7331629b467761d4b72bedacc28b2662b6677ca9
                              • Instruction Fuzzy Hash: AE51FC31A09B828AFB608B69F89477A77A4FF857C0F504035DB8E42AA4DFBDE445C701

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Message$Window$CreateDispatchEventHookObjectProcessShellSingleSleepThreadTranslateWaitWindows
                              • String ID: Ended "Open Start on current monitor" thread.$Failed to start "Open Start on current monitor" thread.$Progman hook: %d$Progman: %d$ShellDesktopSwitchEvent$Started "Open Start on current monitor" thread.
                              • API String ID: 2718461970-1416847937
                              • Opcode ID: 18bf67a80918c840e866fcac94c4f4813b1a4977c1fff13bfa3f28c22d21dea2
                              • Instruction ID: d37d8656ab6a21916b9abd20c6ca5aa177c0c09e8dc4972035810b4aede0cf97
                              • Opcode Fuzzy Hash: 18bf67a80918c840e866fcac94c4f4813b1a4977c1fff13bfa3f28c22d21dea2
                              • Instruction Fuzzy Hash: 43316025E1DA428AFB50DB29F86527A63A0FFD97C4F805235EB4E42664EFBCE5448700

                              Control-flow Graph

                              control_flow_graph 1757 7ff8bee26900-7ff8bee26920 1758 7ff8bee26922-7ff8bee2692e call 7ff8bee12890 1757->1758 1759 7ff8bee26934-7ff8bee2693e 1757->1759 1758->1759 1761 7ff8bee26940-7ff8bee2694c WaitForSingleObject 1759->1761 1762 7ff8bee26952-7ff8bee26959 1759->1762 1761->1762 1764 7ff8bee2695b-7ff8bee26967 WaitForSingleObject 1762->1764 1765 7ff8bee2696d-7ff8bee26978 SleepEx 1762->1765 1764->1765 1766 7ff8bee26980-7ff8bee26997 FindWindowExW 1765->1766 1767 7ff8bee26999 1766->1767 1768 7ff8bee269d0-7ff8bee269e9 Sleep call 7ff8bee26350 1766->1768 1770 7ff8bee269a0-7ff8bee269ce call 7ff8bee111b0 Sleep FindWindowExW 1767->1770 1774 7ff8bee26b3a-7ff8bee26b4c WaitForSingleObject 1768->1774 1775 7ff8bee269ef-7ff8bee26a06 call 7ff8bee67eb0 1768->1775 1770->1768 1774->1766 1778 7ff8bee26a0c-7ff8bee26a2e call 7ff8bee26350 call 7ff8bee19aa0 call 7ff8bee114c0 1775->1778 1779 7ff8bee26b56-7ff8bee26b6f call 7ff8bee510b0 1775->1779 1788 7ff8bee26b51 call 7ff8bee67e94 1778->1788 1789 7ff8bee26a34-7ff8bee26a88 call 7ff8bee14910 MsgWaitForMultipleObjectsEx 1778->1789 1788->1779 1793 7ff8bee26a8e 1789->1793 1794 7ff8bee26b21-7ff8bee26b35 call 7ff8bee196f0 call 7ff8bee67e94 1789->1794 1796 7ff8bee26a90-7ff8bee26a93 1793->1796 1794->1766 1798 7ff8bee26aaa-7ff8bee26aad 1796->1798 1799 7ff8bee26a95-7ff8bee26aa6 call 7ff8bee26350 1796->1799 1802 7ff8bee26abb-7ff8bee26abe 1798->1802 1803 7ff8bee26aaf-7ff8bee26ab9 call 7ff8bee14910 1798->1803 1799->1794 1808 7ff8bee26aa8 1799->1808 1802->1794 1807 7ff8bee26ac0-7ff8bee26add PeekMessageW 1802->1807 1811 7ff8bee26af5-7ff8bee26b1b MsgWaitForMultipleObjectsEx 1803->1811 1810 7ff8bee26adf-7ff8bee26aef TranslateMessage DispatchMessageW 1807->1810 1807->1811 1808->1811 1810->1811 1811->1794 1811->1796
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Wait$MessageObjectSingleSleep$FindMultipleObjectsWindow$AddressDispatchHandleModuleOpenPeekProcQueryTranslateValue
                              • String ID: Shell_TrayWnd$[sws] Waiting for taskbar...
                              • API String ID: 3550486598-3608668894
                              • Opcode ID: 57ef6079be94384d59322cd3f65a3ec6f8af3f743da513ca34b37038eed0cc18
                              • Instruction ID: e630b9ae72f533c0985d86767dc050639de42fa5849a3f6fb7bae0f757f48f30
                              • Opcode Fuzzy Hash: 57ef6079be94384d59322cd3f65a3ec6f8af3f743da513ca34b37038eed0cc18
                              • Instruction Fuzzy Hash: BC517931A1DA838AFB60AF28E89437A27A1EF85BD4F404235D75E466E4DFBDE445C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: InfoLocale$CloseCreateLanguagesPreferredQueryThreadValue
                              • String ID: Language$Software\ExplorerPatcher
                              • API String ID: 3850668847-1772575399
                              • Opcode ID: ea0f2633b2db62804292e248124bc3add90470c825c55f2f621eeaab03a689b2
                              • Instruction ID: f0d380c3b01cc743f7e4d37aed659af3f6a16a99dc5b956905403c112e4364e7
                              • Opcode Fuzzy Hash: ea0f2633b2db62804292e248124bc3add90470c825c55f2f621eeaab03a689b2
                              • Instruction Fuzzy Hash: A4516E62A18BC186E7218F68E4543AD7760F7D9B44F41A325DB8C13B56EF78E1D8C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AllocErrorFormatLastMessageVirtual
                              • String ID: commit page %p (base=%p(used=%d), idx=%llu, size=%llu)$Failed to commit page %p (base=%p(used=%d), idx=%llu, size=%llu, error=%lu(%s))$Unknown Error
                              • API String ID: 1689221563-3447313879
                              • Opcode ID: 59323bae295cc87d067fa3d69b427ca384efa90ba0425ecc8e87ce7c99d47a62
                              • Instruction ID: ec9f1e4229d87d47090ae6a1cdbc7b232cfd7cd055f3921d7142ff381e944331
                              • Opcode Fuzzy Hash: 59323bae295cc87d067fa3d69b427ca384efa90ba0425ecc8e87ce7c99d47a62
                              • Instruction Fuzzy Hash: 50517071A09B968AEB60CB2AF89076667A4FB49BC5F400135DF8C47B58DFBCE546C700
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AllocateCheckErrorFreeInitializeLastMembershipToken
                              • String ID:
                              • API String ID: 3835361876-0
                              • Opcode ID: 9b719a42994329497dcb58755b7362de631d7cd6d6f1faceb73e96b81b9f4dc6
                              • Instruction ID: 2390c97ae4a0e06e6832fd64d7276bfa5a9c7be73fa5c787d97d7993c19bbfbb
                              • Opcode Fuzzy Hash: 9b719a42994329497dcb58755b7362de631d7cd6d6f1faceb73e96b81b9f4dc6
                              • Instruction Fuzzy Hash: B811B472A087818AE7508F6AF49035AFAE5FFD4780F10512AE78983A69DFBCD4458F40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CreateInstance$AddressHandleModuleOpenProcQueryValue
                              • String ID: Taskbar10.cpp
                              • API String ID: 1469795854-890630466
                              • Opcode ID: df370a4c7a5dd7268f0eb4ce98fc46467527f5121e2d07c21181c0f23ce58fb0
                              • Instruction ID: b10f189c04c82a392a6aa1478ee3e429568583460eeaa940b7c8a6747ae14954
                              • Opcode Fuzzy Hash: df370a4c7a5dd7268f0eb4ce98fc46467527f5121e2d07c21181c0f23ce58fb0
                              • Instruction Fuzzy Hash: 30510275A09B4289EA509F6DE59437933A0BF44BC4F409036DB5E437A4DFBCE8858701
                              APIs
                              • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF8BEE52099), ref: 00007FF8BEE52FB5
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: InfoSystem
                              • String ID:
                              • API String ID: 31276548-0
                              • Opcode ID: 2c7f24313fb382f4fdd3077e00c0e51945971d3bd079279820afc05c3462abc3
                              • Instruction ID: 801c6115885999a80a81a67e9049cfa6a550d437749f65eae5018743bd2c42f6
                              • Opcode Fuzzy Hash: 2c7f24313fb382f4fdd3077e00c0e51945971d3bd079279820afc05c3462abc3
                              • Instruction Fuzzy Hash: C3F0F8B5B1ED428AEB548B49FC9062567B1EB5ABC5F004135DB4D82764DE6DE1808700

                              Control-flow Graph

                              control_flow_graph 919 7ff8bee2c1f0-7ff8bee2c224 LoadLibraryW 920 7ff8bee2c23d-7ff8bee2c25f LoadLibraryW 919->920 921 7ff8bee2c226-7ff8bee2c236 GetProcAddress 919->921 922 7ff8bee2c397-7ff8bee2c3a7 LoadLibraryW 920->922 923 7ff8bee2c265-7ff8bee2c270 920->923 921->920 924 7ff8bee2c3a9-7ff8bee2c3b7 GetProcAddress 922->924 925 7ff8bee2c3be-7ff8bee2c3d1 LoadLibraryExW 922->925 926 7ff8bee2c27e 923->926 927 7ff8bee2c272-7ff8bee2c27c 923->927 924->925 928 7ff8bee2c5bf-7ff8bee2c5da LoadLibraryExW 925->928 929 7ff8bee2c3d7-7ff8bee2c3f7 call 7ff8bee1d290 925->929 930 7ff8bee2c283 926->930 927->930 932 7ff8bee2c670-7ff8bee2c6cf RegGetValueW call 7ff8bee1d920 928->932 933 7ff8bee2c5e0-7ff8bee2c618 call 7ff8bee1d460 * 2 928->933 941 7ff8bee2c3f9-7ff8bee2c438 GetCurrentProcess K32GetModuleInformation call 7ff8bee1d890 929->941 942 7ff8bee2c45f-7ff8bee2c49a call 7ff8bee1d290 * 2 929->942 934 7ff8bee2c289 930->934 935 7ff8bee2c285-7ff8bee2c287 930->935 945 7ff8bee2c6d1 932->945 946 7ff8bee2c6d7-7ff8bee2c6de 932->946 933->932 963 7ff8bee2c61a-7ff8bee2c66b call 7ff8bee1d290 * 2 933->963 936 7ff8bee2c28e-7ff8bee2c2b8 call 7ff8bee1d290 934->936 935->936 953 7ff8bee2c2ba-7ff8bee2c301 GetCurrentProcess K32GetModuleInformation call 7ff8bee1d890 936->953 954 7ff8bee2c320-7ff8bee2c338 call 7ff8bee1d290 936->954 955 7ff8bee2c43d-7ff8bee2c440 941->955 979 7ff8bee2c49c-7ff8bee2c4ed call 7ff8bee1d290 * 2 942->979 980 7ff8bee2c4f2-7ff8bee2c550 call 7ff8bee1d290 * 2 GetCurrentProcess K32GetModuleInformation 942->980 945->946 951 7ff8bee2c6e4-7ff8bee2c710 GetModuleHandleW GetProcAddress 946->951 952 7ff8bee2c775-7ff8bee2c78c call 7ff8bee510b0 946->952 958 7ff8bee2c732-7ff8bee2c739 call 7ff8bee111b0 951->958 959 7ff8bee2c712-7ff8bee2c730 call 7ff8bee52760 951->959 953->954 975 7ff8bee2c303-7ff8bee2c31b call 7ff8bee52760 953->975 971 7ff8bee2c33d-7ff8bee2c33f 954->971 955->942 961 7ff8bee2c442-7ff8bee2c45a call 7ff8bee52760 955->961 976 7ff8bee2c73e-7ff8bee2c740 958->976 959->958 959->976 961->942 963->932 971->922 977 7ff8bee2c341-7ff8bee2c392 call 7ff8bee1d290 * 2 971->977 975->954 976->952 984 7ff8bee2c742-7ff8bee2c749 call 7ff8bee1f230 976->984 977->922 979->980 997 7ff8bee2c5a2-7ff8bee2c5ba call 7ff8bee1d290 980->997 998 7ff8bee2c552-7ff8bee2c561 980->998 984->952 996 7ff8bee2c74b-7ff8bee2c770 LoadLibraryW call 7ff8bee1d290 984->996 996->952 997->928 1001 7ff8bee2c56f-7ff8bee2c576 998->1001 1002 7ff8bee2c563-7ff8bee2c56d 998->1002 1004 7ff8bee2c578-7ff8bee2c58a call 7ff8bee12890 1001->1004 1005 7ff8bee2c590-7ff8bee2c596 1001->1005 1002->1001 1003 7ff8bee2c598-7ff8bee2c59d call 7ff8bee2bc00 1002->1003 1003->997 1004->1005 1005->997 1005->1003
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Library$Load$Module$AddressCurrentFreeInformationProcProcessVirtual$HandleProtect$DataDirectoryEntryImageQueryValue
                              • String ID: API-MS-WIN-CORE-STRING-L1-1-0.DLL$CoCreateInstance$CompareStringOrdinal$CreateWindowExW$ExplorerFrame.dll$Failed to hook RtlQueryFeatureConfiguration(). rv = %d$GetSystemMetricsForDpi$LoadLibraryExW$RtlQueryFeatureConfiguration$SHRegGetValueFromHKCUHKLM$SetWindowLongPtrW$Shlwapi.dll$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Start_ShowClassicMode$SystemParametersInfoW$TrackPopupMenu$Windows.UI.FileExplorer.dll$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-libraryloader-l1-2-0.dll$combase.dll$ntdll.dll$shcore.dll$shcore.dll$shell32.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 404060323-2645642614
                              • Opcode ID: ce5ff56efb26852bf13776ef3bf0b7fc33ae2dd4a0aa4cba935d9fd63c312870
                              • Instruction ID: e4fce595fcced90f43348f982cb9bf630b5daf496bf52da0011a96b13034da5a
                              • Opcode Fuzzy Hash: ce5ff56efb26852bf13776ef3bf0b7fc33ae2dd4a0aa4cba935d9fd63c312870
                              • Instruction Fuzzy Hash: 12F1F361A09A4B9DFB40DF6CE8906F923A0BF497C5F844136DA0D462A5EFFCE589C341

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$CurrentInformationLibraryLoadModuleProcess$CreateDirectoryFileSystem
                              • String ID: API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL$Failed to hook CLauncherTipContextMenu::ShowLauncherTipContextMenu(). rv = %d$Failed to hook CMultitaskingViewManager::_CreateXamlMTVHost(). rv = %d$Failed to hook PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor(). rv = %d$PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor() = %llX$RegGetValueW$Setup twinui.pcshell functions done$Windows.Internal.HardwareConfirmator.dll$[AC] Patched!$[AC] blockBegin = %llX$[AC] blockEnd = %llX$[AC] rcMonitorAssignment = %llX$[CC] Patched!$[CC] blockBegin = %llX$[CC] blockEnd = %llX$[CC] rcMonitorAssignment = %llX$[CC] rcWorkAssignment = %llX$[TV] Patched!$[TV] firstCallCall = %llX$[TV] firstCallPrep = %llX$twinui.pcshell.dll$x?xxx?xx?x????xxxx$x?xxxx?xx?x????xxxx$xxx?xxx?x???xxx$xxx?xxxxx?x$xxxx?xxxx?xxxxxxx?xxx$xxxx?xxxxx?x
                              • API String ID: 823495189-2224694150
                              • Opcode ID: 140e55937894aa280f122c5a5f5b0c6c3e0876ff0e009991bc6cba66966b06aa
                              • Instruction ID: 9854dd666347eb55713a4305d1fad53c941c7a09a86f3f4ca5eb5b9d36f9ff98
                              • Opcode Fuzzy Hash: 140e55937894aa280f122c5a5f5b0c6c3e0876ff0e009991bc6cba66966b06aa
                              • Instruction Fuzzy Hash: 82223621A09A478DEB10DB69E8882BD73B1BF447D4F804136DB0D47AA5EFBCE949C700

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: File$CreateDirectoryReadSizeSystem_invalid_parameter_noinfo
                              • String ID: CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc() = %lX$CLauncherTipContextMenu::GetMenuItemsAsync() = %lX$CLauncherTipContextMenu::ShowLauncherTipContextMenu() = %lX$CLauncherTipContextMenu::_ExecuteCommand() = %lX$CLauncherTipContextMenu::_ExecuteShutdownCommand() = %lX$CMultitaskingViewManager::_CreateDCompMTVHost() = %lX$CMultitaskingViewManager::_CreateXamlMTVHost() = %lX$Failed to open twinui.pcshell.dll$Failed to read twinui.pcshell.dll$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu() = %lX$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu() = %lX$\twinui.pcshell.dll$xx?x????xx?xx?xxxx????x$xx?x????xxxxxxx????xxxx????x$xx?x????xxxxxxx????xxxx?xxx$xxx?????x?x??x??x?xxxxxxxx$xxx????xxxxxxxxx????xxxxxxx????xxxxxxx????xxxxxxx????xxxx$xxxx??x??x?xxxxxx????x$xxxx?xxxx?xxxxxxxxxxxxxxx$xxxxx????x????xxx$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 1602095072-3745368841
                              • Opcode ID: f84e96306b30a0f295d584e1bb5d815ec3794e38e58154dc3a94890206953a3d
                              • Instruction ID: cf8c8a0b0368dc78fbf811d7279fbb7b4735f8f639586fb8d75b760d80a01cd5
                              • Opcode Fuzzy Hash: f84e96306b30a0f295d584e1bb5d815ec3794e38e58154dc3a94890206953a3d
                              • Instruction Fuzzy Hash: 36F15A72A085438AEB64DB69D8502BD33B1AF80BE4F454232DB6D836E5DFBCE945C740

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Virtual$ErrorFormatLastMessage$AllocQuery$Free
                              • String ID: change hint address from %p to %p$ commit memory %p for read-write (hint=%p, size=%llu)$ process map: %08llx-%08llx %s$ reserve memory %p (hint=%p, size=%llu)$Failed to commit memory %p for read-write (hint=%p, size=%llu, error=%lu(%s))$Failed to execute VirtualQuery (addr=%p, error=%lu(%s))$Failed to reserve memory %p (hint=%p, size=%llu, errro=%lu(%s))$Unknown Error$free$used
                              • API String ID: 2999834170-966645287
                              • Opcode ID: ac436147e9372ba52faa06f986f0cedc3b6d744b3a35cd07e7307206f472d4b0
                              • Instruction ID: a7742dfada0c37cfaa066d88d51e9fb9fd8b413440e9006cf418d9be583c1ec6
                              • Opcode Fuzzy Hash: ac436147e9372ba52faa06f986f0cedc3b6d744b3a35cd07e7307206f472d4b0
                              • Instruction Fuzzy Hash: B6A17071B1DB868AEB608B1AE45037967E0FB49BC4F440135EB8D47BA4EFBCE1458B00

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: #410ClassNameWindow$AncestorCreateCurrentFindHookThreadWindows
                              • String ID: CabinetWClass$ClockButton$NotifyIconOverflowWindow$ReBarWindow32$Shell_SecondaryTrayWnd$Shell_TrayWnd$SysListView32$SysTreeView32$TrayClockWClass$TrayNotifyWnd$TrayShowDesktopButtonWClass
                              • API String ID: 2746137922-373551488
                              • Opcode ID: e27cfe17aae0ae7c93bef44b9aaa07cf2fe1a1013142067cdfbd1078846d3aa7
                              • Instruction ID: 8e34099b564dc8f7795b155eda2854a06aa66b2384b199020a73da4930e4c36b
                              • Opcode Fuzzy Hash: e27cfe17aae0ae7c93bef44b9aaa07cf2fe1a1013142067cdfbd1078846d3aa7
                              • Instruction Fuzzy Hash: 65E18562A08A4689FBA49F0DE45057D73A1FB94FD0F844132DF4E52698EFBCE895C305

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$MessageProcRegister
                              • String ID: Refreshed Spotlight$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl$TaskbarCreated$Windows.UI.Core.CoreWindow$d
                              • API String ID: 136062168-2101710627
                              • Opcode ID: 3b09d4f9d53760f7fe3767ce1d9f3c804247ff1e6b53c71246f0daace642527b
                              • Instruction ID: 26b218c9cb8442a73674a1178851260468eb7b47a8683428fb2d6fce9d6de28f
                              • Opcode Fuzzy Hash: 3b09d4f9d53760f7fe3767ce1d9f3c804247ff1e6b53c71246f0daace642527b
                              • Instruction Fuzzy Hash: 80416361E0C6428DFBA09B6DE8946BA6690BF557E4F840131FB4E026E5DFECE4C4C712
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: StringWindows$CreateDeleteInitializeReference$ActivateInstance
                              • String ID: %s:%d:: QueryInterface = %d$%s:%d:: RoActivateInstance = %d$String2IXMLDocument$Windows.Data.Xml.Dom.XmlDocument
                              • API String ID: 2286360050-3498695339
                              • Opcode ID: 29bb18efdd665beadc699538b6af495fe490c6f4a0d1ec4f190c8520a347695b
                              • Instruction ID: e3686d9e2a3e3e1175b54c36d1726c7059a83ff2411130245fff550d45ed0682
                              • Opcode Fuzzy Hash: 29bb18efdd665beadc699538b6af495fe490c6f4a0d1ec4f190c8520a347695b
                              • Instruction Fuzzy Hash: 02410E76B08A4686EB109F69E49026A67B1FF88BD9F404132EF4E43B64DFBCD549C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value$lstrcmp$AddressHandleModuleOpenProcQuery
                              • String ID: MMTaskbarGlomLevel$ShowCortanaButton$Software\ExplorerPatcher$TaskbarDa$TaskbarGlomLevel
                              • API String ID: 2197982753-1130954207
                              • Opcode ID: 5fc2345eeb559a7a51ed9741c2e5903653179be25ee697d7bc4c4906fda69bd8
                              • Instruction ID: be13ce5ec4cca5be4a4b9d2ebff018743f6e7fbac1955fe0c12571a777c69c94
                              • Opcode Fuzzy Hash: 5fc2345eeb559a7a51ed9741c2e5903653179be25ee697d7bc4c4906fda69bd8
                              • Instruction Fuzzy Hash: 96413F71A18B82C9EB508F2AF88466AB7A5FB44BD4F444135DB8D43B68DFBCD445CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CreateInitializeReferenceStringWindows
                              • String ID: Microsoft.Windows.Explorer$Windows.UI.Notifications.ToastNotification$Windows.UI.Notifications.ToastNotificationManager
                              • API String ID: 3973075819-205246331
                              • Opcode ID: bad3cb61ad32a0b5546914f8a6ca0e8b2114f70bdd3b9801e6c1c526c0c049c0
                              • Instruction ID: b33a11bf4ab37c2627328f96afe366bfb4ed0ba817b8a674a510ca2cf8fce9b9
                              • Opcode Fuzzy Hash: bad3cb61ad32a0b5546914f8a6ca0e8b2114f70bdd3b9801e6c1c526c0c049c0
                              • Instruction Fuzzy Hash: 5051C966B05A568AEB10DBA9D4A43AD27B1FB48BC8F400432DF0E63B58DFB9D509C351
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: LibraryModule$CurrentDataDirectoryEntryFreeHandleImageInformationLoadProcess
                              • String ID: RegGetValueW$Setup sndvolsso functions done$TrackPopupMenuEx$api-ms-win-core-registry-l1-1-0.dll$sndvolsso.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 2511907732-965438320
                              • Opcode ID: d55d94c0579eabded5e0c3831d6f3bd1030193f69442e971412faabfb3a5b2e3
                              • Instruction ID: 9fcfff5a7ea992733e248201b43cd30a1038c01a09468f85368146f2a24937f1
                              • Opcode Fuzzy Hash: d55d94c0579eabded5e0c3831d6f3bd1030193f69442e971412faabfb3a5b2e3
                              • Instruction Fuzzy Hash: FA214F61A19A4B98EA50DF69F8510FA2361BF897C0F844132EB4E037A6DEFCF145C742
                              APIs
                                • Part of subcall function 00007FF8BEE1D290: GetModuleHandleExW.KERNEL32 ref: 00007FF8BEE1D2C6
                                • Part of subcall function 00007FF8BEE1D290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FF8BEE1D2F9
                                • Part of subcall function 00007FF8BEE1D290: FreeLibrary.KERNEL32 ref: 00007FF8BEE1D32F
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FF8BEE230C8), ref: 00007FF8BEE2DB03
                              • K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,00007FF8BEE230C8), ref: 00007FF8BEE2DB1A
                                • Part of subcall function 00007FF8BEE1D290: FreeLibrary.KERNEL32 ref: 00007FF8BEE1D3B9
                                • Part of subcall function 00007FF8BEE1D290: VirtualQuery.KERNEL32 ref: 00007FF8BEE1D3F8
                                • Part of subcall function 00007FF8BEE1D290: VirtualProtect.KERNEL32 ref: 00007FF8BEE1D413
                                • Part of subcall function 00007FF8BEE1D290: VirtualProtect.KERNEL32 ref: 00007FF8BEE1D43B
                                • Part of subcall function 00007FF8BEE1D290: FreeLibrary.KERNEL32 ref: 00007FF8BEE1D446
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLibraryVirtual$ModuleProtect$CurrentDataDirectoryEntryHandleImageInformationProcessQuery
                              • String ID: CoCreateInstance$RegGetValueW$Setup pnidui functions done$TrackPopupMenu$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-registry-l1-1-0.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 430087472-2450567920
                              • Opcode ID: e9e4abc3c9c468b89c24930d4d63e9cd5367572069bf472c9ec42d5176aea36f
                              • Instruction ID: df15b476bd18a709c2785af1172ecf5fca57057cea1477e669c758023780be82
                              • Opcode Fuzzy Hash: e9e4abc3c9c468b89c24930d4d63e9cd5367572069bf472c9ec42d5176aea36f
                              • Instruction Fuzzy Hash: 5F211B61A0DA4799EA50DF69F8500F92360BF447C4F844133EB0E16766DEFCE589C781
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value
                              • String ID: CrashCounter$CrashCounterDisabled$CrashCounterThreshold$CrashThresholdTime$Software\ExplorerPatcher
                              • API String ID: 3702945584-694238707
                              • Opcode ID: b5187abff7cff12360a2aadd25fd6aa9536eda466c1bd5ed562ffc37d15f0430
                              • Instruction ID: 6e98982e43afc93ac512c50c0210ca6235eef16a14cbeabe9b20bc77e99ac0cc
                              • Opcode Fuzzy Hash: b5187abff7cff12360a2aadd25fd6aa9536eda466c1bd5ed562ffc37d15f0430
                              • Instruction Fuzzy Hash: D6416DB2508B40CAE720CF58F4402997BB4FB857A4F904226EB9C07798DFBED145CB44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: failed to get page$ failed to make trampoline$Could not allocate memory near address %p$Could not modify already-installed funchook handle.
                              • API String ID: 0-2189554615
                              • Opcode ID: 8698435a8b958e4643bd2e633bbc31b9c9ec2b6ca923fe9917008f672881973e
                              • Instruction ID: a0585607d309958ea103abb791639521827845aeee2119c8eced18e626bf2bc7
                              • Opcode Fuzzy Hash: 8698435a8b958e4643bd2e633bbc31b9c9ec2b6ca923fe9917008f672881973e
                              • Instruction Fuzzy Hash: F1715262A19B868ADB60DF29E4402AA73B0FB49BC4F445036EF8E47759EF7CE545C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressHandleModuleOpenProcQueryValue
                              • String ID: RtlGetVersion$UBR$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                              • API String ID: 3749297518-2374052841
                              • Opcode ID: 138d03d2620e87957fa60c226b165fc95dbeabef36849e6ed6bd8574009bb8fd
                              • Instruction ID: c0011d48d8e20e2164cbe1d2834c9fee664e278b7ac775e12e0ba1e1ac587dc7
                              • Opcode Fuzzy Hash: 138d03d2620e87957fa60c226b165fc95dbeabef36849e6ed6bd8574009bb8fd
                              • Instruction Fuzzy Hash: 39219371A19A428AEB50DB18E89127A73E0FF887C0F841136EB5D47795EF7CD144CB00
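                              The entries above repeat one fixed layout per function (API ID, String ID, the opcode and instruction identifiers, and the memory dump the function was carved from). What an analyst actually wants from a listing like this is the set of values to pivot on: registry paths, DLL names, and API names that sit next to DLL names in the same function, which is the usual shape of run-time import resolution through LoadLibrary and GetProcAddress. The following Python parser is an added example and is not part of this report or of Joe Sandbox; the entry boundary rule (a new entry opens at an "APIs" or "Strings" heading once the previous entry has its Instruction Fuzzy Hash) and the export heuristic are assumptions made here, and the sample input is constructed from three of the entries above with most "Associated:" and snapshot lines dropped.

```python
"""Parse Joe Sandbox per-function 'Similarity' entries (the layout used in this
report) into records and pull out the strings an analyst pivots on.
Added example: not part of the report or of Joe Sandbox."""
import re
from dataclasses import dataclass, field


@dataclass
class FunctionEntry:
    source_file: str = ""                            # .sdmp the function was carved from
    module_base: str = ""                            # "Offset:" of that dump
    api_calls: list = field(default_factory=list)    # call sites / string xrefs listed under "APIs"/"Strings"
    api_groups: list = field(default_factory=list)   # "$"-separated groups of the API ID
    strings: list = field(default_factory=list)      # "$"-separated String ID entries
    ids: dict = field(default_factory=dict)          # Opcode ID, Instruction ID, fuzzy hashes


_ID_KEYS = ("API String ID", "Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
_SOURCE_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+)")


def parse_entries(text: str) -> list:
    """One FunctionEntry per function. An 'APIs' or 'Strings' heading opens a new
    entry once the previous one has reached its Instruction Fuzzy Hash line (assumed rule)."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("APIs", "Strings") and (cur is None or "Instruction Fuzzy Hash" in cur.ids):
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                                 # other section headings are skipped
        body = line.lstrip("•").strip()
        key, _, value = body.partition(":")
        value = value.strip()
        if key in _ID_KEYS:
            cur.ids[key] = value
        elif key == "API ID":
            cur.api_groups = [g.strip() for g in value.split("$") if g.strip()]
        elif key == "String ID":
            cur.strings = [s.strip() for s in value.split("$") if s.strip()]
        elif key == "Source File":
            m = _SOURCE_RE.search(body)
            if m:
                cur.source_file, cur.module_base = m.group(1), m.group(2)
        elif " ref: " in body or ", xrefs: " in body:
            cur.api_calls.append(body)               # "Associated:" lines fall through and are ignored
    return entries


_REG_RE = re.compile(r"^(?:\\Registry\\Machine\\)?SOFTWARE\\", re.I)
_DLL_RE = re.compile(r"^[\w.\-]+\.dll$", re.I)
_EXPORT_RE = re.compile(r"^[A-Z][A-Za-z0-9]{3,}$")   # RegGetValueW, RtlGetVersion, ...


def pivot_strings(entries: list) -> dict:
    """Registry paths, DLL names, and API-looking names that share a function with a
    DLL name (the usual shape of LoadLibrary/GetProcAddress resolution; a heuristic)."""
    out = {"registry": set(), "dlls": set(), "resolved_exports": set()}
    for e in entries:
        dlls = {s for s in e.strings if _DLL_RE.match(s)}
        out["dlls"] |= dlls
        for s in e.strings:
            if _REG_RE.match(s):
                out["registry"].add(s)
            elif dlls and _EXPORT_RE.match(s):
                out["resolved_exports"].add(s)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample: three entries in the report's layout, values copied from the
# listing, with most "Associated:" and snapshot lines dropped for brevity.
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
Similarity
• API ID: Value$lstrcmp$AddressHandleModuleOpenProcQuery
• String ID: MMTaskbarGlomLevel$ShowCortanaButton$Software\ExplorerPatcher$TaskbarDa$TaskbarGlomLevel
• Instruction Fuzzy Hash: 96413F71A18B82C9EB508F2AF88466AB7A5FB44BD4F444135DB8D43B68DFBCD445CB04
APIs
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FF8BEE230C8), ref: 00007FF8BEE2DB03
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
Similarity
• API ID: FreeLibraryVirtual$ModuleProtect$CurrentDataDirectoryEntryHandleImageInformationProcessQuery
• String ID: CoCreateInstance$RegGetValueW$Setup pnidui functions done$TrackPopupMenu$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-registry-l1-1-0.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
• Instruction Fuzzy Hash: 5F211B61A0DA4799EA50DF69F8500F92360BF447C4F844133EB0E16766DEFCE589C781
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
Similarity
• API ID: AddressHandleModuleOpenProcQueryValue
• String ID: RtlGetVersion$UBR$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion$ntdll.dll
• Instruction Fuzzy Hash: 39219371A19A428AEB50DB18E89127A73E0FF887C0F841136EB5D47795EF7CD144CB00
"""
```

Run it over the full listing copied from this page rather than the sample to get every registry path and DLL name the dumped module references; `resolved_exports` is only a lead, since a string that looks like an export name still has to be confirmed against the call site that consumes it.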
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLast$FormatMessageProtectVirtual
                              • String ID: unprotect memory %p (size=%llu) <- %p (size=%llu)$Failed to unprotect memory %p (size=%llu) <- %p (size=%llu, error=%lu(%s))$Unknown Error
                              • API String ID: 2888148163-2742179861
                              • Opcode ID: 77621f6088311bb16b2a1a1736ac767bba04458eefaa33bc65850d377d01560e
                              • Instruction ID: 1d542642f36f8b4266d670a84a021499fe8f3b69a8834d4a8c70504470e00a04
                              • Opcode Fuzzy Hash: 77621f6088311bb16b2a1a1736ac767bba04458eefaa33bc65850d377d01560e
                              • Instruction Fuzzy Hash: 4741A062A09B8689EB248F19F89037977A0FB49BC4F044136EB8D57798DF7CE455C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLast$FormatMessageProtectVirtual
                              • String ID: protect memory %p (size=%llu)$Failed to protect memory %p (size=%llu, error=%lu(%s))$Unknown Error
                              • API String ID: 2888148163-2522531280
                              • Opcode ID: c5c763f95a8c7ad05ca221d15951da865442d1dedde559e9e1de8ae9c109cd39
                              • Instruction ID: a17a282ce31fa31558457d4505e7e65a41361710c8d1f2bca89390c025824ca3
                              • Opcode Fuzzy Hash: c5c763f95a8c7ad05ca221d15951da865442d1dedde559e9e1de8ae9c109cd39
                              • Instruction Fuzzy Hash: 39314F6160CAC68AEB608B19E4503BAB7A0FB49BC8F044136DB8D57B99DFBCE445C740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLast$FormatMessageProtectVirtual
                              • String ID: protect page %p (size=%llu, prot=read,exec)$Failed to protect page %p (size=%llu, prot=read,exec, error=%lu(%s))$Unknown Error
                              • API String ID: 2888148163-3855186111
                              • Opcode ID: 06213efa1661eafe047554ef56b97f22fd05762a321bc7c6cdb9fcd96fde09df
                              • Instruction ID: 7eb5eb5da11f1118b8a460a05b4b04a05d789661a7ff595057a041e23d949aee
                              • Opcode Fuzzy Hash: 06213efa1661eafe047554ef56b97f22fd05762a321bc7c6cdb9fcd96fde09df
                              • Instruction Fuzzy Hash: 01319360A0CA868AFB608B59F8503BA67E0FB48BC4F440136DB8D57B99DFBCE544C700
                              APIs
                              Strings
                              • Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify, xrefs: 00007FF8BEE2AC48
                              • Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB, xrefs: 00007FF8BEE2AC7F
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$Openlstrcmpilstrcpy
                              • String ID: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB$Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
                              • API String ID: 3588037206-2075971939
                              • Opcode ID: e99585d31a0eb10509ab71d1ff8db9e99c385f03bc4c8402c0fab63be74c322f
                              • Instruction ID: bb7dff48fa6747ea0cce7308e42daa1f585a6e95ac7ec68cbdf1a39ee91c213f
                              • Opcode Fuzzy Hash: e99585d31a0eb10509ab71d1ff8db9e99c385f03bc4c8402c0fab63be74c322f
                              • Instruction Fuzzy Hash: E2117061719B428AE7508F1ABC50A7A6761BB8AFD0F445035EE0E47B18DE7CE446C700
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                              • String ID:
                              • API String ID: 190073905-0
                              • Opcode ID: db39cd3f2f16f5343a8e4e09a2e3fed93350a9b5ce6b027fd328810dc9bbf990
                              • Instruction ID: 8be5c8ade655b895781a0a272d9fb4ca835574dd0aece9599a1de6cc64e61468
                              • Opcode Fuzzy Hash: db39cd3f2f16f5343a8e4e09a2e3fed93350a9b5ce6b027fd328810dc9bbf990
                              • Instruction Fuzzy Hash: 0581A0A1E0CA4B8EFA60AB6DA4A12B966D0AF457C0F144435FB0D47797DEFCF9458301
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLibraryVirtual$Protect$DataDirectoryEntryHandleImageModuleQuery_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3041990818-0
                              • Opcode ID: 682e78e4db77ee8b47885a981a1b213cddc3e3f46b588dca37eddaf2f5718b7c
                              • Instruction ID: 73b41f1a733ef29fdda8c59fd870e5fe81443528741b881eccdb65f9d694889f
                              • Opcode Fuzzy Hash: 682e78e4db77ee8b47885a981a1b213cddc3e3f46b588dca37eddaf2f5718b7c
                              • Instruction Fuzzy Hash: F8515272B1D6428AEB909F2AE59037F63A0FB85BC5F445035EB4E87798DE7CE4848701
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CloseCreateWait$ChangeEventHandleMultipleNotifyObjectObjectsSingleValue
                              • String ID:
                              • API String ID: 3111792343-0
                              • Opcode ID: e950b941e2b3aeec993550c333e84e614fc6404132692e977b1ab77bf58c0bb6
                              • Instruction ID: d9ed4c82a3044965a5a0b35fce854d0646139ffed4ade9242cc2938a855f2d38
                              • Opcode Fuzzy Hash: e950b941e2b3aeec993550c333e84e614fc6404132692e977b1ab77bf58c0bb6
                              • Instruction Fuzzy Hash: C661C032715A418AEB15CB69E49477967A1FB84BC4F088235CF5E477A8DF7DE882C700
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLibraryProtectVirtual$HandleModule_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 172810297-0
                              • Opcode ID: ce3db9a925f55ecbca5daaa1c5a6bf37ef528cf5e4f8c2f8d563e78c92f4414f
                              • Instruction ID: 53c4eccb140bad0836316d26d7ba8b6813d6020c9bff3f486cb2bf1dcc61704e
                              • Opcode Fuzzy Hash: ce3db9a925f55ecbca5daaa1c5a6bf37ef528cf5e4f8c2f8d563e78c92f4414f
                              • Instruction Fuzzy Hash: 25415E62B08A418AEB64CF19E49073A67A1FF89BD9F044035EF8D47B58DE7CE480CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: NtUserFindWindowEx$win32u.dll
                              • API String ID: 1646373207-2703420062
                              • Opcode ID: e4bd7934b399dbc79271bff89f1285f6fc833ff83cee651dc7fb117a3296fabf
                              • Instruction ID: adcc9a781b02b1356204afeb40e78c8dc68d57c5acc172fabffc372c08ac61ac
                              • Opcode Fuzzy Hash: e4bd7934b399dbc79271bff89f1285f6fc833ff83cee651dc7fb117a3296fabf
                              • Instruction Fuzzy Hash: 6E01AD25A08B4589E600CF1AF88042AB7A0FB85BD0F500535DF8D47768DEBCE4428B40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: SleepValue
                              • String ID: CrashCounter$Software\ExplorerPatcher
                              • API String ID: 1540188156-2892006628
                              • Opcode ID: 8932f61db9e237cb56b2e6419a0636596f1e2fb8941f83692bf55bde4ec60dd6
                              • Instruction ID: 9cd5e24844fe0fec85717ba301c7e566dce543db9df7cc122de0e8b09b4868cb
                              • Opcode Fuzzy Hash: 8932f61db9e237cb56b2e6419a0636596f1e2fb8941f83692bf55bde4ec60dd6
                              • Instruction Fuzzy Hash: 01F082B5A29B8189EB50DB14F49035A37A0FF887E4F801235E74E06768DF7CD145CB00
                              APIs
                              • GetCurrentProcess.KERNEL32(?,00007FF8BEE5224B,?,?,00000000,00007FF8BEE21EA7), ref: 00007FF8BEE52355
                              • FlushInstructionCache.KERNEL32(?,00007FF8BEE5224B,?,?,00000000,00007FF8BEE21EA7), ref: 00007FF8BEE52364
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CacheCurrentFlushInstructionProcess
                              • String ID: Patched Instructions:
                              • API String ID: 2564211676-4020029282
                              • Opcode ID: ed4c4f6c62a2f8c717e28cde53f487d8b1a712bfc88bbde7716ad91db4ce9ee1
                              • Instruction ID: dfed38d51b1ae28ee21983f0983c6c6d991bb7b55ac54966e1f6f6d427660cac
                              • Opcode Fuzzy Hash: ed4c4f6c62a2f8c717e28cde53f487d8b1a712bfc88bbde7716ad91db4ce9ee1
                              • Instruction Fuzzy Hash: D6415EA2A18A8689EB60DB29E4413BA77E4FB48BC4F405031DF4D57B59EFBCE405C744
                              APIs
                              Strings
                              • Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}, xrefs: 00007FF8BEE50A0F
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CloseOpen
                              • String ID: Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}
                              • API String ID: 47109696-1447196730
                              • Opcode ID: 63e2e3eee6d020e2cd3f80c23a1dc357a0f66dbddb58984caf15a9489333853d
                              • Instruction ID: b26ef0f23742240f82feb7effc4b6f1c4d4d5eb206a1a19084f1d76c7b28bbbb
                              • Opcode Fuzzy Hash: 63e2e3eee6d020e2cd3f80c23a1dc357a0f66dbddb58984caf15a9489333853d
                              • Instruction Fuzzy Hash: 87F05B71729B4586EB504B29F8D156673A4FF447D4F802135FA4E46758EF6CD0558700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value
                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$XamlSounds
                              • API String ID: 3702945584-1822384862
                              • Opcode ID: 97a367034ec62005128dc975c952e63d6e4a6bcd7d34eb2bbcb373900e4ece20
                              • Instruction ID: c4dca3edee946dcb82c75e18904a64c1919758dac597efe67833b1334b65a43e
                              • Opcode Fuzzy Hash: 97a367034ec62005128dc975c952e63d6e4a6bcd7d34eb2bbcb373900e4ece20
                              • Instruction Fuzzy Hash: CAF06272618B4186EB108F18F48019A77B4FB89784FD0123AE78C07B98EF7DD554CB00
                              APIs
                              • RtlFreeHeap.NTDLL(?,?,834800000B7CE800,00007FF8BEE7764A,?,?,?,00007FF8BEE77687,?,?,00000000,00007FF8BEE75669,?,?,00007FF8BEE6D14A,00007FF8BEE7559B), ref: 00007FF8BEE6DE02
                              • GetLastError.KERNEL32(?,?,834800000B7CE800,00007FF8BEE7764A,?,?,?,00007FF8BEE77687,?,?,00000000,00007FF8BEE75669,?,?,00007FF8BEE6D14A,00007FF8BEE7559B), ref: 00007FF8BEE6DE0C
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 485612231-0
                              • Opcode ID: a6678511dc5ac773f7913335461e1c2c7be48ef586cd0cba9a917b621943f4cf
                              • Instruction ID: 4392f04f9fbe06cfc3dff60108ec902815be1239905467e5bfcbe639647a08df
                              • Opcode Fuzzy Hash: a6678511dc5ac773f7913335461e1c2c7be48ef586cd0cba9a917b621943f4cf
                              • Instruction Fuzzy Hash: 04E0C250F1A6428EFF287FFA68840752260EFA87C1F404034CB0D47361DFACB8554200
                              APIs
                              • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8BEE5157C
                                • Part of subcall function 00007FF8BEE5AB58: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF8BEE5AB60
                                • Part of subcall function 00007FF8BEE5AB58: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF8BEE5AB65
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                              • String ID:
                              • API String ID: 1208906642-0
                              • Opcode ID: 9ff4ce4781127c8bc802118fd2a34e64d87eed5673847b4679c47d8435940bb9
                              • Instruction ID: a7500f9759f2355ac1d62cce856ab8c3ea62eff3f29f6cc29f86ad680aa9b8ea
                              • Opcode Fuzzy Hash: 9ff4ce4781127c8bc802118fd2a34e64d87eed5673847b4679c47d8435940bb9
                              • Instruction Fuzzy Hash: A5E0ECD4D0DE4B5DFEA83A6D25622B913C01F2A3C4F5001B5FB0F021C3AEED705A9162
                              APIs
                              • HeapAlloc.KERNEL32(?,?,00000000,00007FF8BEE7046A,?,?,00004B6BF894E032,00007FF8BEE6C0D9,?,?,?,?,00007FF8BEE706D2,?,?,00000000), ref: 00007FF8BEE6DDC9
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AllocHeap
                              • String ID:
                              • API String ID: 4292702814-0
                              • Opcode ID: e578c43444c32e6720132160586d7cc94147cb681874c574235c8713629e0420
                              • Instruction ID: 91ef33e1914bd0a910e6e7a40af14d491c601a399b5c86cc0abdae37646e6e2a
                              • Opcode Fuzzy Hash: e578c43444c32e6720132160586d7cc94147cb681874c574235c8713629e0420
                              • Instruction Fuzzy Hash: B5F06D40B0960B8DFE987E6A99503B962806F59BC0F8C5131CF0E863D6EFDCF4809250
                              APIs
                              • HeapAlloc.KERNEL32(?,?,?,00007FF8BEE706B9,?,?,00000000,00007FF8BEE750A7,?,?,?,00007FF8BEE6CE73,?,?,?,00007FF8BEE6CD69), ref: 00007FF8BEE6E66E
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AllocHeap
                              • String ID:
                              • API String ID: 4292702814-0
                              • Opcode ID: 32244fcb8596d69c427d8a13f20aa17588a93e41e7ee2a9feca6fe38006fab21
                              • Instruction ID: 9b48eb903abfa897e92c609a5f39577d809c036793a1289ed557fed7cb84bb4a
                              • Opcode Fuzzy Hash: 32244fcb8596d69c427d8a13f20aa17588a93e41e7ee2a9feca6fe38006fab21
                              • Instruction Fuzzy Hash: 7FF08C00F0D6068DFF542EA9698027966819F847E4F080234DF2F863E5DEECF6818520
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$Timer$KillSystemTime$#339FileInfoMessageParametersStateThreadVisible$ForegroundLongPostPropRedrawShow$#328#329#334ActiveAsyncCompareCreateCurrentDesktopDestroyEnumEventHungLastOrdinalPopupProcQuitSendStringTaskWindows
                              • String ID: &$ImmersiveColorSet$Microsoft.Windows.ShellManagedWindowAsNormalWindow$\rundll32.exe$valinet.ExplorerPatcher.ShellManagedWindow
                              • API String ID: 1047848470-551150430
                              • Opcode ID: 5ea5d6b7ec779afa1acab4212b65c5d61fb9129dcb8deb0b8248f5ca86f2707b
                              • Instruction ID: de289680f65498aad2a5be674a2b1980634899d42cb148da90094a38db7679a7
                              • Opcode Fuzzy Hash: 5ea5d6b7ec779afa1acab4212b65c5d61fb9129dcb8deb0b8248f5ca86f2707b
                              • Instruction Fuzzy Hash: A1E29F71A096468AEBA88F29D58437A77A1FB49BC0F044235DB1E47790DFBCE8D1C742
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$Rect$Client$Find$Message$Send$Invalidate$ClassVisibleWord$Move$ParentPropRegister$Monitor$FromInfoLongNotifyRemove
                              • String ID: !@$EPTBLEN$MSTaskListWClass$MSTaskSwWClass$PeopleBand$ReBarWindow32$Start$TrayButton$TrayDummySearchControl$TraySettings
                              • API String ID: 2509908205-217918233
                              • Opcode ID: df11b95f88c1c0d937a37726a203e0aab8b3c820706bcc3d3b8b3aecafb5995a
                              • Instruction ID: 88b6b37a35f2737f217b08485c2e24aaa24cb82b679e37214ddb6c208ade2736
                              • Opcode Fuzzy Hash: df11b95f88c1c0d937a37726a203e0aab8b3c820706bcc3d3b8b3aecafb5995a
                              • Instruction Fuzzy Hash: D5826C36A096428EE710CF39E8846A97BA1FB89BC8F444235DF4967B58DFBCE5448740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: PerformanceQuery$Window$CounterFrequency$CountTick$RectTimeVisible$#339EnumFileSystem$AttributeBufferedEventForegroundMessagePaintProcessShowTimerWindows$#328#329#338#386BeginCallbackClassCloseCursorDirectoryDisplayErrorFromHandleHungInvalidateLastModuleMonitorMonitorsNameOpenPointPropertiesRegisterReleaseSendThreadThumbnailUpdateWord_invalid_parameter_noinfo
                              • String ID: WorkerW$[sws] WindowSwitcher::Show %x [[ %lld + %lld + %lld + %lld = %lld ]]$\rundll32.exe
                              • API String ID: 3472475047-3998000322
                              • Opcode ID: e327f96872e015b853de3b058e537f335c508d4a14a0122e6e260d717f3477a2
                              • Instruction ID: 72852d239b64509507c6df5b9469f4bf1413fe57b9efdee8637185af6bbd64fe
                              • Opcode Fuzzy Hash: e327f96872e015b853de3b058e537f335c508d4a14a0122e6e260d717f3477a2
                              • Instruction Fuzzy Hash: 7A726E32A09B428AE790DF69E48426E77A0FB89BC4F140235DB4D577A8DFBCE585C701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: QueryValue$CreateStringWindows$InternetOpen$BufferCloseDeleteEvent_invalid_parameter_noinfo
                              • String ID: /download/$/update_silent$CheckElevationEnabled$ConsentPromptBehaviorAdmin$ExplorerPatcher$ExplorerPatcher$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$FilterAdministratorToken$S-1-5-$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$Software\ExplorerPatcher$UpdateAllowDowngrades$UpdatePreferStaging$UpdateTimeout$UpdateURL$UpdateURLStaging$UpdateUseLocal$Windows.Data.Json.JsonArray$[Updates] Checking against hash "%s"$[Updates] Download path is "%s".$[Updates] Downloaded finished.$[Updates] Failed. Read %d bytes.$[Updates] Hash of remote file is "%s" (%s).$[Updates] In order to install this update for the product "ExplorerPatcher", please allow the request.$[Updates] Local version obtained from hash is %d.%d.%d.%d.$[Updates] Prerelease update URL: "%s"$[Updates] Release notes URL: "%s"$[Updates] Update URL: %s$[Updates] Update failed because the following error has occured: %d.$[Updates] Update failed because the request was denied.$[Updates] Update successful, File Explorer will probably restart momentarily.$\ExplorerPatcher$\ExplorerPatcher\ep_gui.dll$\Update for ExplorerPatcher from $\WindowsPowerShell\v1.0\powershell.exe$assets$browser_download_url$ep_setup.exe$html_url$https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$https://github.com/valinet/ExplorerPatcher/releases/latest$iex (irm 'https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1')$invalid$kernel32.dll$name$open$runas$updates.cpp$valid
                              • API String ID: 1866200-3143775457
                              • Opcode ID: 040291f58ba558a885b2c0bcf4542b59f3c709bf8426a0f927b8f1bcb1741c4a
                              • Instruction ID: 0b35d7a5ef7144b92745c868f407fb47b2a36b81ba6e431265911e76970abeeb
                              • Opcode Fuzzy Hash: 040291f58ba558a885b2c0bcf4542b59f3c709bf8426a0f927b8f1bcb1741c4a
                              • Instruction Fuzzy Hash: 38910C72A08A529EF7608FA8E8446EE77B0FB44398F501236DB4D57A68DF7CD549CB00
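The record above is the most useful one for triage: its strings name an updater that reads UAC policy values under Policies\System, launches powershell.exe with an `iex (irm '...')` download cradle, and uses the `runas` ShellExecute verb. The following Python is an added example, not part of the report and not Joe Sandbox or ExplorerPatcher code. It parses the `String ID:` lines in the `$`-joined form used throughout these records, buckets each string (URL, registry path, UAC policy value name, file name, PowerShell download cradle, `runas`), and cross-checks that the `Source File:` line and the IDA snapshot name refer to the same PID and module base. The sample input is a trimmed copy of strings from the records on this page; the bucket names, regular expressions and the UAC value list are my own.

```python
"""Pull triage indicators out of Joe Sandbox function-record text.

Added example; it is not Joe Sandbox or ExplorerPatcher code. It parses
the "String ID:" and "Source File:" lines in the form shown in the report
and buckets the recovered strings by indicator type.
"""
import re

# Input copied (trimmed) from the report's records for process 0000000A and
# the module mapped at 0x7FF8BEE10000; the snapshot name ties it to explorer.
SOURCE_LINE = (
    "Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020."
    "00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true"
)
SNAPSHOT_NAME = "hcaresult_10_2_7ff8bee10000_explorer.jbxd"
STRING_ID_LINES = [
    "String ID: /download/$/update_silent$ConsentPromptBehaviorAdmin$ExplorerPatcher$"
    "FilterAdministratorToken$S-1-5-$"
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$Software\\ExplorerPatcher$"
    "\\ExplorerPatcher\\ep_gui.dll$\\WindowsPowerShell\\v1.0\\powershell.exe$"
    "https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$"
    "iex (irm 'https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1')$"
    "kernel32.dll$open$runas$updates.cpp",
    "String ID: &$ImmersiveColorSet$\\rundll32.exe$valinet.ExplorerPatcher.ShellManagedWindow",
    "String ID: ClockButton$Shell_TrayWnd$TrayClockWClass$TrayNotifyWnd",
]

# UAC policy values under HKLM\...\Policies\System (my own list);
# ConsentPromptBehaviorAdmin=0 means "elevate without prompting".
UAC_VALUES = {"ConsentPromptBehaviorAdmin", "FilterAdministratorToken",
              "EnableLUA", "PromptOnSecureDesktop"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
CRADLE_RE = re.compile(r"(?i)\b(iex|invoke-expression)\b.*"
                       r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b")
REG_RE = re.compile(r"(?i)^(hk[a-z_]*\\|software\\)")
FILE_RE = re.compile(r"(?i)^[^\s'\"<>]*\.(dll|exe|ps1|sys)$")


def split_string_ids(line):
    """Split a 'String ID:' line on the '$' Joe Sandbox uses as separator.
    Caveat: a string that itself contains '$' is split too; the report does
    not escape it, so '$' inside a recovered string cannot be told apart."""
    _, _, body = line.partition("String ID:")
    return [tok for tok in body.strip().split("$") if tok]


def classify(token):
    """Return the indicator bucket for one recovered string."""
    if CRADLE_RE.search(token):
        return "powershell_cradle"
    if URL_RE.fullmatch(token):
        return "url"
    if REG_RE.match(token):
        return "registry_path"
    if token in UAC_VALUES:
        return "uac_policy_value"
    if FILE_RE.match(token):
        return "file"
    if token.lower() == "runas":
        return "shellexecute_runas"  # the ShellExecute verb that asks for UAC elevation
    return "other"


def extract_indicators(lines):
    """Bucket every string from the given 'String ID:' lines. URLs embedded in
    a download cradle are additionally reported under 'url'."""
    buckets = {}
    for line in lines:
        for tok in split_string_ids(line):
            kind = classify(tok)
            buckets.setdefault(kind, set()).add(tok)
            if kind == "powershell_cradle":
                for url in URL_RE.findall(tok):
                    buckets.setdefault("url", set()).add(url)
    return {kind: sorted(vals) for kind, vals in buckets.items()}


def parse_dump_source(line):
    """Return (pid, module_base) from a 'Source File:' line. The leading eight
    hex digits of the .sdmp name are the PID; 'Offset:' is the mapped image base."""
    m = re.search(r"Source File: ([0-9A-Fa-f]{8})\..*?Offset: ([0-9A-Fa-f]+)", line)
    if not m:
        raise ValueError("not a Joe Sandbox 'Source File:' line")
    return int(m.group(1), 16), int(m.group(2), 16)


def parse_snapshot_name(name):
    """Return (pid, run, module_base, process_name) from an IDA snapshot name
    such as hcaresult_10_2_7ff8bee10000_explorer.jbxd."""
    m = re.fullmatch(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd", name)
    if not m:
        raise ValueError("not a Joe Sandbox IDA snapshot name")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16), m.group(4)


def dump_matches_snapshot(source_line, snapshot_name):
    """Check that the string records and the disassembly snapshot describe the
    same process and the same mapped module before trusting either."""
    pid, base = parse_dump_source(source_line)
    spid, _, sbase, _ = parse_snapshot_name(snapshot_name)
    return pid == spid and base == sbase


if __name__ == "__main__":
    pid, base = parse_dump_source(SOURCE_LINE)
    proc = parse_snapshot_name(SNAPSHOT_NAME)[3]
    ok = dump_matches_snapshot(SOURCE_LINE, SNAPSHOT_NAME)
    print(f"{proc} PID {pid}, module base {base:#x}, consistent={ok}")
    for kind, values in extract_indicators(STRING_ID_LINES).items():
        print(kind)
        for value in values:
            print("   ", value)
```

The PID in the `.sdmp` name (`0000000A`) and the `10` in the snapshot name agree, as do the two module bases, so the strings in these records belong to one module mapped into explorer.exe and not to the sample's own image. The buckets are a triage aid, not a verdict: the strings name `valinet`/`ExplorerPatcher` throughout, which is a lead to compare against that project's published binaries before treating the download cradle or the UAC policy reads as the sample's own behaviour.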
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CreateErrorLast$Window$BrushEventSolid$Register$EnumHandleHookInitializeInstanceModuleSleepThreadWindows$#328AttributeBufferedClassCursorDataInitLoadLongMessageOpenPaintRectShellTheme
                              • String ID: $ControlPanelStyle$Grid_backgroundPercent$SHELLHOOK$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}$Static$[sws] Wallpaper RECT %d %d %d %d
                              • API String ID: 2117921315-4056204263
                              • Opcode ID: 4f75617dc93189382ac3fef9dec2e945391e7ebfe1089fca1c2c852bd3cdda7b
                              • Instruction ID: 72ab82c783293ad469b1fdd5faff0827a78a8ad759e9730d75dda22e9b7478e9
                              • Opcode Fuzzy Hash: 4f75617dc93189382ac3fef9dec2e945391e7ebfe1089fca1c2c852bd3cdda7b
                              • Instruction Fuzzy Hash: FA425C31B08B828AE7949B79A8547BA36E4FF44788F004139DB4D87795EFBDE4A4C701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$Find$Monitor$From$Cursor$MessagePointPost$Info$Rect
                              • String ID: ClockButton$ClockFlyoutWindow$Shell_SecondaryTrayWnd$Shell_TrayWnd$TrayClockWClass$TrayNotifyWnd
                              • API String ID: 3707082976-1578901108
                              • Opcode ID: 16f2e63d218c669eabb7d4e0ce2db9eb8d8b2f3126ba723a3e0b36579a2d8633
                              • Instruction ID: fb3831a1c6816f43112b6c07eaddf3809b42a91f3005e439bbc516f5cb2627f5
                              • Opcode Fuzzy Hash: 16f2e63d218c669eabb7d4e0ce2db9eb8d8b2f3126ba723a3e0b36579a2d8633
                              • Instruction Fuzzy Hash: 8AE18C75B0AA428EF7649F29E8546BD67A1FF89BD5F404035CE0E13B58DEBCE8458700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Load$String$FileResource$CloseFree$CreateHandleLibrary$InfoLocalLocaleQueryValueView_invalid_parameter_noinfo$AllocFindFolderLanguagesLockMappingModuleNamePathPreferredSizeofThreadUnmap
                              • String ID: <progress value="{progressValue}" status="{progressStatus}"/>$<actions><action content="%s" arguments="%s"/></actions>$<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$This$[Updates] An update is available.$[Updates] Configured update policy on this system: "Check for updates but let me choose whether to download and install them".$[Updates] Configured update policy on this system: "Install updates automatically".$[Updates] Configured update policy on this system: "Manually check for updates".$[Updates] No updates are available.$[Updates] Path to module: %s$[Updates] Unable to check for updates because the remote server is unavailable.$[Updates] Using hardcoded hash.$\ExplorerPatcher\ep_gui.dll$action=update$https://github.com/valinet/ExplorerPatcher/releases/latest$long$short
                              • API String ID: 3445338827-2029114158
                              • Opcode ID: 559e2b912634e1291cae8304e0bf23cc6b1779b18a3a70d6040deef8487f5299
                              • Instruction ID: 14585cb19880bc54e2889a89e651114df7ce360a08cd55e2a96974225636bb74
                              • Opcode Fuzzy Hash: 559e2b912634e1291cae8304e0bf23cc6b1779b18a3a70d6040deef8487f5299
                              • Instruction Fuzzy Hash: BB526136A18B828AE760CF29E8406EE77A4FB85788F405131DB4D17B69EF7CE645C740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Library$Free$Load$Module$Thread$ExitHandleResource$Virtual$AddressCreateCurrentInformationProcProcessProtectQuery$DataDirectoryEntryEventFindImageLockOpenSizeofValue
                              • String ID: RegCloseKey$RegOpenKeyExW$RegQueryValueExW$SHRegGetValueFromHKCUHKLM$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer$SOFTWARE\Policies\Microsoft\Windows\Explorer$SetWindowRgn$Shlwapi.dll$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartDocked.dll$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI.dll$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI_.dll$Windows.CloudStore.dll$Windows.UI.Xaml.dll$api-ms-win-core-registry-l1-1-0.dll$ext-ms-win-ntuser-draw-l1-1-0.dll$xxxxx????xx$xxxxxxxxx?xxxxxx
                              • API String ID: 1727790171-714608195
                              • Opcode ID: a6c211eb3d1282101e3cf187c5596701cd8cb8dbf5dd7bc9041fa49edd53e002
                              • Instruction ID: 3501949c94e280711545288c86e7ae4c690f68f67e3d8d92c94f2108accb4940
                              • Opcode Fuzzy Hash: a6c211eb3d1282101e3cf187c5596701cd8cb8dbf5dd7bc9041fa49edd53e002
                              • Instruction Fuzzy Hash: EE224875A09B4289EB10DFA8E8802A937A4FF48BD8F84013ADB4D477A4DFBDE545C350
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value$Create$CloseDirectoryFileProtectSystemVirtual_invalid_parameter_noinfo$AddressErrorHandleLastModuleOpenProcQuery
                              • String ID: .dll$CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc$CLauncherTipContextMenu::GetMenuItemsAsync$CLauncherTipContextMenu::ShowLauncherTipContextMenu$CLauncherTipContextMenu::_ExecuteCommand$CLauncherTipContextMenu::_ExecuteShutdownCommand$CMultitaskingViewManager::_CreateDCompMTVHost$CMultitaskingViewManager::_CreateXamlMTVHost$Hash$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu$Software\ExplorerPatcher\twinui.pcshell$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\twinui.pcshell.dll$twinui.pcshell
                              • API String ID: 2736650789-497210955
                              • Opcode ID: 7279e2340fd88a1bea62bff2242454aefb5ca5df99c5eae57e3fe0494704474e
                              • Instruction ID: 97447f40d901fde4a7b643066b24d4936ba375f93b81ce3be739715861f62b63
                              • Opcode Fuzzy Hash: 7279e2340fd88a1bea62bff2242454aefb5ca5df99c5eae57e3fe0494704474e
                              • Instruction Fuzzy Hash: 4ED17476A18A428AFB20DF68F8907A97760FB847D8F404132DB4D43AA8DFBCD545CB44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value$CloseCreateErrorLastModule$ExtensionFileLoadNamePathRemoveString$AllocateAwarenessCheckContextCurrentDirectoryExecuteFreeHandleInitializeMembershipMessageProcessShellToken
                              • String ID: .IA-32.dll$Apartment$DriveMask$MessageBoxW$SOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32$SOFTWARE\Classes\Drive\shellex\FolderExtensions\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$SOFTWARE\WOW6432Node\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32$ThreadingModel$\ExplorerPatcher.amd64.dll"$ext-ms-win-ntuser-dialogbox-l1-1-0.dll$p$runas
                              • API String ID: 3183597740-1688178669
                              • Opcode ID: c05d36aab759ccae8d75bceb780709277f0a3ce24c1ade3265239c1bb6372715
                              • Instruction ID: 77bc56f72f45d481d3343775d812bdc12d03240bd673ae514cc755fbf4a4947c
                              • Opcode Fuzzy Hash: c05d36aab759ccae8d75bceb780709277f0a3ce24c1ade3265239c1bb6372715
                              • Instruction Fuzzy Hash: EBE17731A08B818AE7209F69E4847AA77A1FB85794F405235DB9D43BD8DFFCE145CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$Window$LibraryLoadLong$ClassCodeFreeNameStringText
                              • String ID: ControlCenterButton$CortanaButton$MultitaskingButton$PeopleBand.dll$PeopleButton$TrayButton$pnidui.dll
                              • API String ID: 3103532507-4160915873
                              • Opcode ID: e0476e56a3aecb8464881f4e6907b5f5c27fc42999c23e30719ac4a2253a5859
                              • Instruction ID: bc90f16a7ed2498cd07b4dcc7b3fdd2360cd339e12b3d05e7de1c36cf2fad28b
                              • Opcode Fuzzy Hash: e0476e56a3aecb8464881f4e6907b5f5c27fc42999c23e30719ac4a2253a5859
                              • Instruction Fuzzy Hash: 52027571A19A438AEB54CF29E8943BD33A1FB45B84F804136DB4E43664DFBCE989C701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: QueryValue$CloseCreate
                              • String ID: ForceStartSize$MakeAllAppsDefault$MonitorOverride$NoStartMenuMorePrograms$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer$SOFTWARE\Policies\Microsoft\Windows\Explorer$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$StartDocked_DisableRecommendedSection$StartUI_EnableRoundedCorners$StartUI_ShowMoreTiles$Start_MaximumFrequentApps$Start_ShowClassicMode$TaskbarAl
                              • API String ID: 2657993070-1512199074
                              Similarity
                              • API ID: String$Windows$CreateReference$ByteDeleteFormatLibraryLoadSize$ActivateCounterFolderFreeInstancePathPerformanceQuery_invalid_parameter_noinfo
                              • String ID: %s / %s$EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Windows.UI.Notifications.NotificationData$\ExplorerPatcher\ep_gui.dll$action=update$ep_updates$indeterminate$progressStatus$progressValue$updates.cpp
                              • API String ID: 2375332063-2428038664
                              Similarity
                              • API ID: Value$Create$CloseDirectoryFileWindows_invalid_parameter_noinfo$ErrorLast
                              • String ID: CTaskBand_CreateInstance$HandleFirstTimeLegacy$Hash$ImmersiveTray::AttachWindowToTray$ImmersiveTray::RaiseWindow$SetColorPreferenceForLogonUI$Software\ExplorerPatcher\explorer$TrayUI::_UpdatePearlSize$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\explorer.exe$\explorer.exe
                              • API String ID: 3922731654-964289750
                              Similarity
                              • API ID: CreateFile$CloseHandleMapping_invalid_parameter_noinfo
                              • String ID: %08lX%04hX%04hX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX$%x/$/download/symbols/$RSDS
                              • API String ID: 1983873661-2402091955
                              Similarity
                              • API ID: Value$Create$CloseDirectoryFileWindows_invalid_parameter_noinfo$ErrorLast
                              • String ID: .dll$Hash$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$StartDocked$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::StartSizingFrame::StartSizingFrame$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll
                              • API String ID: 3922731654-50308056
                              Similarity
                              • API ID: IconImageList_ProcessWindow$Destroy$CreateCurrentFile$CharCopyDeleteFolderHungInfoItemKillKnownLongLowerMessageModuleNameObjectOpenPropertySendStoreThreadTimer
                              • String ID: \imageres.dll
                              • API String ID: 2056515760-856694671
                              Similarity
                              • API ID: Window$Monitor$From$FindStringWindows$ActivationCloseCreateCursorDeleteDisplayEnumFactoryHandleInfoMonitorsMutexOpenPointRectReferenceShow
                              • String ID: !@$EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$Shell_SecondaryTrayWnd$Shell_TrayWnd$Windows.UI.Xaml.Window
                              • API String ID: 3798604058-3529946197
                              Similarity
                              • API ID: CreateErrorEventLast$CloseHandle$ExecuteProcessShellSleepThreadValue
                              • String ID: EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Software\ExplorerPatcher$UpdatePreferStaging$eplink://update$eplink://update/stable$eplink://update/staging$h$open
                              • API String ID: 2028834884-198725195
                              Similarity
                              • API ID: Window$FindFreeString$AddressAncestorClassCreateHandleInstanceModuleNameOpenProcQueryValue
                              • String ID: MSTaskListWClass$Taskbar.TaskbarFrameAutomationPeer$Windows.UI.Composition.DesktopWindowContentBridge$Windows.UI.Input.InputSite.WindowClass$WorkerW
                              • API String ID: 1963979031-3829649249
                              Similarity
                              • API ID: Menu$PopupQueryValue$BindCreateDestroyDisplayFreeInsertItemNameParentParseTaskTrack
                              • String ID: ::{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}$InfoTip$P$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}$c
                              • API String ID: 3796425743-3612032762
                              Similarity
                              • API ID: Internet$CloseHandle$FileOpen$CreateDeleteDirectoryErrorExecuteFolderLastObjectPathReadShellSingleSleepWait_invalid_parameter_noinfo
                              • String ID: @$ExplorerPatcher$\ExplorerPatcher$\MicrosoftEdgeWebview2Setup.exe$https://go.microsoft.com/fwlink/p/?LinkId=2124703$p
                              • API String ID: 2895610840-1819798696
                              Similarity
                              • API ID: Options$CleanupInfoInitializeLoadModuleSystem
                              • String ID: Failed to open pool-size guide file.
                              • API String ID: 4119312768-3392875237
                              Similarity
                              • API ID: Message$HandleModuleWindow$ClassCreateCursorDestroyDispatchEventLoadObjectRegisterSleepStockTranslate
                              • String ID: 0$FixTaskbarAutohide_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                              • API String ID: 2692392126-3745785993
                              • Opcode ID: 7414187e4b0defae1d7e8932077febe665ab2e6b2044caf150748a7d02bb3947
                              • Instruction ID: e1cea2ec42ddaeaf9e99cb7fa8a73b9ec7810fdaf081d483b45834b8cbb3f9b5
                              • Opcode Fuzzy Hash: 7414187e4b0defae1d7e8932077febe665ab2e6b2044caf150748a7d02bb3947
                              • Instruction Fuzzy Hash: 96411332609B8286E7609B28F49436BB7E5FFC9784F404139D78E46AA8DFBCD455CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Menu$HandleModule$ItemLoadWindow$BandClassCountCreateCursorForegroundInsertMessageObjectPopupRegisterRemoveSendSleepStockStringTrack
                              • String ID: ExplorerFrame.dll$LauncherTipWnd
                              • API String ID: 1231917228-1828045394
                              • Opcode ID: 1bfc0e6d2432d13c82b1688de0999442273069d06b19c670a1dc122881063ff4
                              • Instruction ID: 5c272eaaba532fc67534f1371cd4d3026b130768d9948be81f648419f8e0c810
                              • Opcode Fuzzy Hash: 1bfc0e6d2432d13c82b1688de0999442273069d06b19c670a1dc122881063ff4
                              • Instruction Fuzzy Hash: D2C11732A09B428AEB508F69E8846AD37B4FB49B84F144139DF4D53BA8DFBDE454C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Resource$Load$Free$InfoLibraryLocalLocaleQueryStringThreadValue$AllocCloseCreateFindFolderLanguagesLockPathPreferredSizeofSwitch_invalid_parameter_noinfo
                              • String ID: <toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$\ExplorerPatcher\ep_gui.dll$short
                              • API String ID: 2536480284-1480496686
                              • Opcode ID: 546dd401a5a785c6189ead9ee2808d47ca486de53805b17c410101108a167512
                              • Instruction ID: 7ca0f4758b93dd131d62cdb92c9e1530c16dd64e718a500c053e8508767a72c2
                              • Opcode Fuzzy Hash: 546dd401a5a785c6189ead9ee2808d47ca486de53805b17c410101108a167512
                              • Instruction Fuzzy Hash: 3A816E72A18B828AE710DF29D8402EA6760FB89BC4F409235DF4D57B65EF7CD689C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$FindMonitor$From$CreateCursorInfoInstanceMessagePointRectSend
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd$Start
                              • API String ID: 3957573836-2175658619
                              • Opcode ID: 573fc64ee00478b95f05a34165616ccb99621e87a27078ec0dff16ef2da4c20c
                              • Instruction ID: 9bad4c6f8bcf05c985de021202e91021677223c7e02da73040cf7562248f78d7
                              • Opcode Fuzzy Hash: 573fc64ee00478b95f05a34165616ccb99621e87a27078ec0dff16ef2da4c20c
                              • Instruction Fuzzy Hash: 96811A36B0AA428EEB04DF69E8546AD27B1FB49BC8F444436DE0E53B54DFB8E509C344
                              APIs
                              Strings
                              • Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy, xrefs: 00007FF8BEE1E97F
                              • [SMA] Advertising successful animations patching., xrefs: 00007FF8BEE1EABD
                              • EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}, xrefs: 00007FF8BEE1EA95
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Token$ContainerDescriptorFreeInformationProcessSecurity$CopyCreateCurrentDaclDeriveEntriesErrorFromInitializeLastLengthLocalMutexNameOpen
                              • String ID: EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy$[SMA] Advertising successful animations patching.
                              • API String ID: 2912553727-3824306247
                              • Opcode ID: 67a4896977f1f6b5f01e95a0108ce3667e873733a66159467d333c9119caa885
                              • Instruction ID: 81011b44020113c65b809e52c62d907b02c4e6408f8a9354ffd0e2fb65337f6d
                              • Opcode Fuzzy Hash: 67a4896977f1f6b5f01e95a0108ce3667e873733a66159467d333c9119caa885
                              • Instruction Fuzzy Hash: 84711C22F09A428EFB509FA594403BD33A2BB45BD8F045539DF4D27A99DFBCE8858340
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Create$CloseObjectSingleWait$AddressCurrentFolderHandleInformationInstanceLibraryLoadModulePathProcProcessSleepThread_invalid_parameter_noinfo
                              • String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$DllGetClassObject$SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell$UseWin32BatteryFlyout$\ExplorerPatcher\pnidui.dll
                              • API String ID: 1967696875-3120677660
                              • Opcode ID: 76deef73a58d889c98fb0fe58a42bdb190874f7b1166fc5dcd388d57ab8f2e9f
                              • Instruction ID: 8277c1d983c705231230ce52c302b6c49d49e706adb1475a5344694f2472fe0d
                              • Opcode Fuzzy Hash: 76deef73a58d889c98fb0fe58a42bdb190874f7b1166fc5dcd388d57ab8f2e9f
                              • Instruction Fuzzy Hash: A6912B31A08A438AEB609F69E89027AB7A1BF85BD5F404136DB4D477A4DFBCE545CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CloseEnumFindInfoKeyboardLayoutLoadMessageOpenPostQueryValueWindow
                              • String ID: %04x$%08x$Layout Id$SYSTEM\CurrentControlSet\Control\Keyboard Layouts$SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}
                              • API String ID: 3475777497-1477449099
                              • Opcode ID: 9132b0ccc15526fe416643b61408110445139b31093ed296b2f54ec961a5aa36
                              • Instruction ID: 58667db5bee2f5210da028ed73380acab44fb69a1818a895943753846104eb2e
                              • Opcode Fuzzy Hash: 9132b0ccc15526fe416643b61408110445139b31093ed296b2f54ec961a5aa36
                              • Instruction Fuzzy Hash: 56613A32B18A418EE760CBA9E8502AE73B5FB88788F804135DB4D53A98DFBCD545C741
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ClassForegroundNameWindow$Sleep$DeleteTree
                              • String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$Ended "Check foreground window" thread.$Started "Check foreground window" thread.$Windows.UI.Core.CoreWindow
                              • API String ID: 2021506011-749137266
                              • Opcode ID: 1808324265e1b4f00a334f618b225b2f6f3dd276802baf1ad187983293bd0fd5
                              • Instruction ID: c159a808439e8fbd407f45a37554d8fc201021308e1c3518bb07c7d3f659fca8
                              • Opcode Fuzzy Hash: 1808324265e1b4f00a334f618b225b2f6f3dd276802baf1ad187983293bd0fd5
                              • Instruction Fuzzy Hash: EC518425A08A5285E7A49B1DE4502BA7761FF85FE0F844331EB6E022E8DFBCE5D5C701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Message$HandleModule$ClassCreateCursorDispatchInitializeInstanceLoadObjectRegisterShowSleepStockTranslateWindow
                              • String ID: ArchiveMenuWindowExplorer$Ended "Archive menu" thread.$Started "Archive menu" thread.
                              • API String ID: 3032281874-998171920
                              • Opcode ID: 4d74fd6a2cf0da61cd4a5a624b44ad2ef64646f31e6ffc1b7f6495a8bcd5a8a7
                              • Instruction ID: eeb17a78341e3c2d373b10149af66aa03e8989fbc201d723e1593688fce03ab6
                              • Opcode Fuzzy Hash: 4d74fd6a2cf0da61cd4a5a624b44ad2ef64646f31e6ffc1b7f6495a8bcd5a8a7
                              • Instruction Fuzzy Hash: 07511F32A1CB9586E7648F29F8543AA77B4FB89B84F404136DB8D83A68DF7CD055CB01
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: #410$CloseOpenQueryValue$AddressAttributeLibraryLoadProcWindow
                              • String ID: %x %x$SOFTWARE\Classes\CLSID\{056440FD-8568-48e7-A632-72157243B55B}\InProcServer32$uxtheme.dll
                              • API String ID: 632063587-1665220535
                              • Opcode ID: 8809ad294020f8f06136afa753102ba5cd89006bdd11ff1725bd4fad45c707f4
                              • Instruction ID: 285920ab9f167966381fe2ad5197bac028655ae6751a1cdba861c5e17012ce51
                              • Opcode Fuzzy Hash: 8809ad294020f8f06136afa753102ba5cd89006bdd11ff1725bd4fad45c707f4
                              • Instruction Fuzzy Hash: AF818F31A19A428AEB608F59F88067973A1FF897D4F401136EB4E03BA4DFBCE445C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                              • API String ID: 808467561-2761157908
                              • Opcode ID: f88eb4196e8c090f5eb5e315b2a1c7141e7dd7be7d0b1abaa8dd61c5c7a18be6
                              • Instruction ID: 12578c42ac2de4d99fd20653a300030ed47877ccf3f2a0d353796e9feb71514a
                              • Opcode Fuzzy Hash: f88eb4196e8c090f5eb5e315b2a1c7141e7dd7be7d0b1abaa8dd61c5c7a18be6
                              • Instruction Fuzzy Hash: FEB2AF72A182938FE7658F68D5807FD3BA1FB547C8F545135DB0E57A88DBB8AA00CB40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ObjectSelect$ColorCreateText$CompatibleDeleteDrawModeSection
                              • String ID: (
                              • API String ID: 2711897886-3887548279
                              • Opcode ID: d5834477a4f53630a89a527a8ccb016ae9399af608a247e866421f7ec8bb69b7
                              • Instruction ID: 19338993e3d7c18e9f061cc168d7a5f75ad5315c4a6089c92708557b6182e551
                              • Opcode Fuzzy Hash: d5834477a4f53630a89a527a8ccb016ae9399af608a247e866421f7ec8bb69b7
                              • Instruction Fuzzy Hash: 8651C472A197818AE7548F19B45072ABBA1FBC6BD1F145139EF8A07B68CE7CD445CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Process$CloseHandleProcess32$CreateDirectoryFirstFullImageNameNextOpenQuerySnapshotTerminateToolhelp32Windows_invalid_parameter_noinfo
                              • String ID: ShellExperienceHost.exe$\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                              • API String ID: 2097983625-1597348990
                              • Opcode ID: e77504712daa658222e008976812c4fb319a79a22b6bac21e37dec3d71f4fc77
                              • Instruction ID: 951d1174af7a7aa37b0b275e58750bfe3f37c5d668804a7eb1a6cd03c07ce7f4
                              • Opcode Fuzzy Hash: e77504712daa658222e008976812c4fb319a79a22b6bac21e37dec3d71f4fc77
                              • Instruction Fuzzy Hash: 04419D61A0CA828AEB609B19E4443BA77A1FBD9B85F844131C74D53758DFBCD486C740
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value$ErrorLastMessage$ChangeNotifyQuery$DispatchMultipleObjectsPeekTranslateWait
                              • String ID:
                              • API String ID: 2018483580-0
                              • Opcode ID: 5ed66558bf058ff837d0e89b5ba0056c682b7bb908da017999200782fc814397
                              • Instruction ID: 807d0f0ccf2fcacbe79733509e1773b0305951bc78121455396b892ac4633f5f
                              • Opcode Fuzzy Hash: 5ed66558bf058ff837d0e89b5ba0056c682b7bb908da017999200782fc814397
                              • Instruction Fuzzy Hash: 44515B31A18A428AEBA09F39A85073E23A1FF49BC4F404535EB4D877A8DE7CD484D712
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CreateInstanceQueryServiceUnknown_
                              • String ID: IsAutoHideEnabled$Shell_TrayWnd$TwinUIPatches.cpp
                              • API String ID: 2021386587-823477751
                              • Opcode ID: 0d4cf4251d629bd5bcdbda7a598c23087cc7563604198a71409a10a2d132eceb
                              • Instruction ID: 66bcb5aefd17b1544b521b54e80bff8662af00a91a3036ce7575009947a000f8
                              • Opcode Fuzzy Hash: 0d4cf4251d629bd5bcdbda7a598c23087cc7563604198a71409a10a2d132eceb
                              • Instruction Fuzzy Hash: 0C912726B05B0389EB11CFA9E8946AD27B0BB88BD8F545036DF0DA3B54DFB9D549C300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Process$ConsoleCreateCurrentDirectoryFreeOpenSleepTerminateWindows_invalid_parameter_noinfo
                              • String ID: \explorer.exe$h
                              • API String ID: 3466857667-2845133803
                              • Opcode ID: cda5308915a13d06574020189d6d7aaf6b8acdb0efb87abf90eed449b8d0d85b
                              • Instruction ID: 4f9b13e8eeebb5163bb931b9798fd550c577597f781eaa096bb78cfe245d136b
                              • Opcode Fuzzy Hash: cda5308915a13d06574020189d6d7aaf6b8acdb0efb87abf90eed449b8d0d85b
                              • Instruction Fuzzy Hash: 7521972291DBC187E360CB24F8943AA77A1FBD9384F515235D78D42A69EFBCD194CB00
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                              • String ID:
                              • API String ID: 1617910340-0
                              • Opcode ID: a1504f72b22edb44e8c50bebd93d8295a05326651a09e3343c6ef62df7a2d229
                              • Instruction ID: c30adf1554c2e0d66bf6b1dd899119897d05d94f557958413bc0380ff7e9d503
                              • Opcode Fuzzy Hash: a1504f72b22edb44e8c50bebd93d8295a05326651a09e3343c6ef62df7a2d229
                              • Instruction Fuzzy Hash: 9BC1A036B28A418DEB10DFA9C4906AC3B61FB49BD8F014236DB1E5B794CF78E455C300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FindWindow$MessageSend
                              • String ID: MSTaskSwWClass$RebarWindow32$Shell_TrayWnd
                              • API String ID: 1134572027-589293716
                              • Opcode ID: 041a2b3641cbbbdc03d7a3709040c67ee58bbf39816446afd8bc18b7eef93851
                              • Instruction ID: 9d747d6af8851e0276c29d1bbbfbabe5aa1d21e906d7513a29100dade928109e
                              • Opcode Fuzzy Hash: 041a2b3641cbbbdc03d7a3709040c67ee58bbf39816446afd8bc18b7eef93851
                              • Instruction Fuzzy Hash: DC110A22F0974348FB64DF5AB500579A790AFA9BE0F484535DF2D13794DEBCE405C600
                              APIs
                              Strings
                              • \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll, xrefs: 00007FF8BEE1D9DE
                              • \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll, xrefs: 00007FF8BEE1D973
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Find$DirectoryFileFirstWindows$AddressCloseHandleModuleOpenProcQueryValue_invalid_parameter_noinfo
                              • String ID: \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
                              • API String ID: 658624814-2596525942
                              • Opcode ID: 6c5b868dc1bf34b6c28b3f7524fa1cf5bfe44591df538ab63d43f70cc730ed1d
                              • Instruction ID: 54712a5bfd640673c95555b058f97ee2cd7ba89f4169ebb51e704b9386d6a3e4
                              • Opcode Fuzzy Hash: 6c5b868dc1bf34b6c28b3f7524fa1cf5bfe44591df538ab63d43f70cc730ed1d
                              • Instruction Fuzzy Hash: 65212761A1C946CAEB60DB28E8953BA2360FB857A4F801636C36D425E9DFBCE54DC700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: HandleModuleProtectVirtual$DataDirectoryEntryFreeImageLibrary
                              • String ID: IsOS$api-ms-win-shcore-sysinfo-l1-1-0.dll
                              • API String ID: 2091478098-2234916554
                              • Opcode ID: 6b358573e863f66accf665c2514cb36af2d49b1e3ec548bedf7df8385c2d80db
                              • Instruction ID: 4afa85665e9494792082dc572082444204e56f3326f1b4e550bf643f681ce2e7
                              • Opcode Fuzzy Hash: 6b358573e863f66accf665c2514cb36af2d49b1e3ec548bedf7df8385c2d80db
                              • Instruction Fuzzy Hash: 4B31C061E2874A4AFF549B6CE45027E63A0AB9A7C0F401136EF8E87755EE7CF485C700
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                              • String ID:
                              • API String ID: 3140674995-0
                              • Opcode ID: 0ff271a4c701bbf6033e5704cb7c6d0518fb9b611d7ee93b3fd0d8e4a3c14bc8
                              • Instruction ID: 372d43c2ac57068df3cc19d06a36abafef0a698f5d12c79946b21b15a7d68032
                              • Opcode Fuzzy Hash: 0ff271a4c701bbf6033e5704cb7c6d0518fb9b611d7ee93b3fd0d8e4a3c14bc8
                              • Instruction Fuzzy Hash: A3315072619F818AEB609F64E8903ED77A4FB85788F44403ADB4E47B98EF78D548C710
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                              • String ID:
                              • API String ID: 1239891234-0
                              • Opcode ID: 0d78a5eae3021c1939b228a5a7ab56fae872cbbac2d3b6b93bf4593b7becebcd
                              • Instruction ID: bcda87ed6c7126679783b5afb599f4913b7c302dac1c6b4b4d9259684de98dec
                              • Opcode Fuzzy Hash: 0d78a5eae3021c1939b228a5a7ab56fae872cbbac2d3b6b93bf4593b7becebcd
                              • Instruction Fuzzy Hash: 00316132618F818ADB60CF29E8802AE77A4FB89798F540135EB8D47B99DF7CD555CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirstFolderPath_invalid_parameter_noinfo
                              • String ID: \ExplorerPatcher\
                              • API String ID: 409097378-431723071
                              • Opcode ID: 8fc8b2df31c4937a697d720ca40b4ab76ec30407b439dca915a33157f5641370
                              • Instruction ID: e07d1f51bc6f0e8c24f9ae614dd83a2b30f91b10d2e6dbb2f58d47f4f3759b41
                              • Opcode Fuzzy Hash: 8fc8b2df31c4937a697d720ca40b4ab76ec30407b439dca915a33157f5641370
                              • Instruction Fuzzy Hash: DA21BA74A19A8389FBA09B18E4857A62350FF853A4F404335D76D466D5EFBCE4448B01
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: memcpy_s
                              • String ID:
                              • API String ID: 1502251526-0
                              • Opcode ID: 6ece3bf2e3de7ac94e8577948797fb429e9ad7f61c3a20ff0b65188140a0a1e3
                              • Instruction ID: 9cdf747a432b850463dc610ffbfdde1a9f6cdb509adbb5ebf2cf353544016a03
                              • Opcode Fuzzy Hash: 6ece3bf2e3de7ac94e8577948797fb429e9ad7f61c3a20ff0b65188140a0a1e3
                              • Instruction Fuzzy Hash: FAC10472B186868BEB24CF59A08867ABB91F788BC4F449134DB5E47784DB7DF805CB40
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CurrentDebugDebuggerOutputPresentStringThread
                              • String ID:
                              • API String ID: 4268342597-0
                              • Opcode ID: 24a735b4c34a409f7b606dd159bc0e4cbe70d88125f6b84e8338d42fd8f7ba12
                              • Instruction ID: e43f60da7422aec6705dc49668dda39ee0e7a0c72b76f7b17b1681adda317655
                              • Opcode Fuzzy Hash: 24a735b4c34a409f7b606dd159bc0e4cbe70d88125f6b84e8338d42fd8f7ba12
                              • Instruction Fuzzy Hash: 39913B22A49B8689EB669F29A44037977E0FF59B84F088039DF8D47795DFBCE840C750
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ExceptionRaise_clrfp
                              • String ID:
                              • API String ID: 15204871-0
                              • Opcode ID: 33b5f88446811188be24c7ee3ece16ab8b6728ac5aa6439a19ff987fd023b6f6
                              • Instruction ID: 98bba4e2db1fd07531e9ff28a8c569739c4d507546d4f656d8f18474c66c76c7
                              • Opcode Fuzzy Hash: 33b5f88446811188be24c7ee3ece16ab8b6728ac5aa6439a19ff987fd023b6f6
                              • Instruction Fuzzy Hash: 4BB11A73604B898EEB59CF2DC8863687BE0FB84B88F158925DB5D877A4CB7AD451C700
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: $
                              • API String ID: 0-227171996
                              • Opcode ID: 7f7f0f120929ccdea9899b2c338e7cbab634a7cd6eadc8fc6190f4c66d452753
                              • Instruction ID: bf5884e5a49c49689678ee9ac39062971f150e377018410678f7470fb775c824
                              • Opcode Fuzzy Hash: 7f7f0f120929ccdea9899b2c338e7cbab634a7cd6eadc8fc6190f4c66d452753
                              • Instruction Fuzzy Hash: 4FE1BC32A08A468EEB688F2D855053D37A1FF45BC8F241635DB0E0B794DFAAF856C750
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: e+000$gfff
                              • API String ID: 0-3030954782
                              Similarity
                              • API ID: Heap$FreeProcess
                              • String ID:
                              • API String ID: 3859560861-0
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID: BindObject
                              • String ID:
                              • API String ID: 761158930-0
                              Similarity
                              • API ID:
                              • String ID: gfffffff
                              • API String ID: 0-1523873471
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16c516e3a0276565f87fe481db8a8bcb5e444f78a4791365d5a28fcd3f107c61
                              • Instruction ID: f1a971fdeea0818e1024dbbfdaea4a38068a686870ab09d5b67eed39ab9a261c
                              • Opcode Fuzzy Hash: 16c516e3a0276565f87fe481db8a8bcb5e444f78a4791365d5a28fcd3f107c61
                              • Instruction Fuzzy Hash: 77515176A286618EE7348F2DC05462937A1EB54BE8F248131DF4E177D4DBBAF842C780
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e3b021623e9cd736667b84619bb56e45e40fad27f771f98220594c04ecd20f52
                              • Instruction ID: e31117165e127042b9dbd2551b8d1faacb27c89829d9c658134bb2f7597f8b12
                              • Opcode Fuzzy Hash: e3b021623e9cd736667b84619bb56e45e40fad27f771f98220594c04ecd20f52
                              • Instruction Fuzzy Hash: AE519F36A186658EEB758F2DC04033937A0EB54B98F285131DF4E577A9DBBAF842C740
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b0c69970595cca4d2fb942626faf43534a998a3ca76b9535475eda3edb5b80b
                              • Instruction ID: 3cc28b8d82a6ea97517a6cbd4c079cc9c99b8d9774e7398ceeb40f1896349869
                              • Opcode Fuzzy Hash: 3b0c69970595cca4d2fb942626faf43534a998a3ca76b9535475eda3edb5b80b
                              • Instruction Fuzzy Hash: F4514F76A186618EE7358F2DC04423977A1EB84B98F249131CB8E57795CBBAFC52C780
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 485612231-0
                              • Opcode ID: 4558579b3b747d72a223f50ebb4469eec35441a5fc377fded0730746195cd657
                              • Instruction ID: 05ef5f6f972e35ee06c7aee2aba788aff4e0f0c501f48be1fe5910c60afb7992
                              • Opcode Fuzzy Hash: 4558579b3b747d72a223f50ebb4469eec35441a5fc377fded0730746195cd657
                              • Instruction Fuzzy Hash: 0D41F132714A548AEF48CF6ED95426973A1BB48FC0F48A036EF0D97B58DE7CE4428300
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a81995dc725e745c91ef68e5add537126b3069e5817d0a70891599fc14a6951d
                              • Instruction ID: ac331ad4e12ef5fcc5a32d5bf77c3a432628e213c1a8f7a362eb6a2082b14a6f
                              • Opcode Fuzzy Hash: a81995dc725e745c91ef68e5add537126b3069e5817d0a70891599fc14a6951d
                              • Instruction Fuzzy Hash: DC316DB2618B858ADB608F29E0406BD77A5F788B88F644135DB8C4B760DF7AE092D704
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2dd18c2af8978401385c3a4d18cc3c4cea6f6c2de30805c37561c0fbe2471736
                              • Instruction ID: 6fa3fdfac8356fe44fb1d70584352ec35be4fc783ab7c885b7b9844b39da2b73
                              • Opcode Fuzzy Hash: 2dd18c2af8978401385c3a4d18cc3c4cea6f6c2de30805c37561c0fbe2471736
                              • Instruction Fuzzy Hash: 2A316DB36087498ADB608F29E4406BD77A4F788B8CF244135DB8C0B755DB7AE492D704
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2cea8fc9d3c35b4ba6e35f22513a86051617c937147c9f35d60e5822ca5229d8
                              • Instruction ID: bf17af3cc09604985a4074372901b82310c80c6bbc2603a467a492e91d55b508
                              • Opcode Fuzzy Hash: 2cea8fc9d3c35b4ba6e35f22513a86051617c937147c9f35d60e5822ca5229d8
                              • Instruction Fuzzy Hash: 9A3170B2518A95C9DB648F69E0406AD77E1F788B88F244135DB8C4B761DF7AE092C704
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0be54d3e76ecebf5695559a9301ce031daf8649420322fd1321f7c4f9ba610e9
                              • Instruction ID: c7839f72a19a4b36d59252ef9eb69186483bb97e7bf9797c6a6e24d3f21d2bb1
                              • Opcode Fuzzy Hash: 0be54d3e76ecebf5695559a9301ce031daf8649420322fd1321f7c4f9ba610e9
                              • Instruction Fuzzy Hash: 033181B3608A958ADB648F29D4402AD7BE1F789B8CF245135DB8C4B761DF7AE052CB04
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a4b32a0ec8867fd1847959522346067af6a5e452e3e1d64f74d91d8c4bfa1493
                              • Instruction ID: 77df917b5c1d1106cf25e223b2c95a88174b18f17018867459e234e6617c701f
                              • Opcode Fuzzy Hash: a4b32a0ec8867fd1847959522346067af6a5e452e3e1d64f74d91d8c4bfa1493
                              • Instruction Fuzzy Hash: CD3181B2609A45CADB208F2DE09026D77A0F788B88F244135DF8C4B761DF7AE452D704
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18b6748ca6a6a0d51e118e82d35fb9f5821d58e468e74478334e5de39f486265
                              • Instruction ID: 2d0414ea3e57127e74541c1e549d6f1bfc09fcb0bcc2ed81e8220ff5e60673c9
                              • Opcode Fuzzy Hash: 18b6748ca6a6a0d51e118e82d35fb9f5821d58e468e74478334e5de39f486265
                              • Instruction Fuzzy Hash: 2E3172B2518685CADB608F29E0406BD77E0FB58B8CF24413ADB4C4B761DF7AE092D704
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e6cd7a5ca9aa2f8d717932288529d01fc50208ed9f3249ca50f6731b483e81c
                              • Instruction ID: 330a5460af728fa7c8d463ba1ec356edb11e82b08b2e1374e5b7ced90b9ceffc
                              • Opcode Fuzzy Hash: 6e6cd7a5ca9aa2f8d717932288529d01fc50208ed9f3249ca50f6731b483e81c
                              • Instruction Fuzzy Hash: 0DF0FF71A196958EDBA88F3CB8426697BA1F7483C4F908139D78D83B14DA7D94618F04
                              APIs
                              Strings
                              • SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}, xrefs: 00007FF8BEE1990C
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CloseHandle$FreeLibrary$Object$Delete$DestroyEvent$SingleUninitializeWaitWindow$#386BufferedClassDataGdiplusIconInitModulePaintShutdownThemeUnhookUnregister
                              • String ID: SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}
                              • API String ID: 4090220598-648101266
                              • Opcode ID: cf45190ffc6a625433c9a176bd6989e8bd087e80e78383ad2c7bfe856010b1c2
                              • Instruction ID: e2902a93fa9ed4effc370416780f0de2fed28ed2be4224e426e88e981bcd4bd6
                              • Opcode Fuzzy Hash: cf45190ffc6a625433c9a176bd6989e8bd087e80e78383ad2c7bfe856010b1c2
                              • Instruction Fuzzy Hash: 1CB11736A19A828AEB44DF29E8942793370FF89FD5F044236DB0E57664CFADE495C310
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: Failed to hook CStartExperienceManager::GetMonitorInformation(). rv = %d$[SMA] CExperienceManagerAnimationHelper::Begin() = %llX$[SMA] CExperienceManagerAnimationHelper::End() = %llX$[SMA] CStartExperienceManager::GetMonitorInformation() = %llX$[SMA] Not all offsets were found, cannot perform patch$[SMA] matchAnimationHelperFields = %llX, +0x%X, +0x%X$[SMA] matchHideA in CStartExperienceManager::Hide() = %llX$[SMA] matchHideB in CStartExperienceManager::Hide() = %llX$[SMA] matchSingleViewShellExperienceFields = %llX$[SMA] matchTransitioningToCortanaField = %llX, +0x%X$[SMA] matchVtable = %llX$x??xxxxxx$xx????xx?xxxx$xx?x????x?xxxx????xxx?x$xxx????xx????xxxx$xxx????xxxxxxxxx$xxxx????xxxx$xxxxxx????x????xxxx$xxxxxxx????xxxxxxxxx$xxxxxxxxxx
                              • API String ID: 544645111-3813412712
                              • Opcode ID: db2ca1c07523192c2754963d3045411d7dae5b8228bd13c46922be45f88285eb
                              • Instruction ID: 602124d1d8ecad7b4c927c5d76422a0229c5bdd5bfd58e19b5066807b0b35a5b
                              • Opcode Fuzzy Hash: db2ca1c07523192c2754963d3045411d7dae5b8228bd13c46922be45f88285eb
                              • Instruction Fuzzy Hash: A3028F75B19A439AEA50CF69E8446BA63A0FF847D4F444036DB4E07BA4EFBDE549C300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: StringWindows$CreateDelete
                              • String ID: Segoe Fluent Icons$StartMenuSettings.cpp$StartPin$StartTileData.dll$StartUnpin
                              • API String ID: 2860812039-2445808327
                              • Opcode ID: daadf6d07ec153a719abb3e733125f686cc5486d9d144e8a72000cd9387bcf49
                              • Instruction ID: 24ef9933ef021262dcd00fec511836304a0c48585cc146b1e21e745326cc19b2
                              • Opcode Fuzzy Hash: daadf6d07ec153a719abb3e733125f686cc5486d9d144e8a72000cd9387bcf49
                              • Instruction Fuzzy Hash: E3D1633AB09B429AE7669B69E4902B923A4FF94BD4F404132CF4D937A4DFBCE455C301
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
                              • String ID: xx??xx??x$xx??xxx????xxxxxx????xx??x$xx??xxxxxxxx????x????xx??x$xx?xx?xx?x$xx?xxx??x$xx?xxx??xx$xx?xxxx?xxxx$xxxxxxx????x$xxxxxxxxxx
                              • API String ID: 1029361184-2251541617
                              • Opcode ID: 044f627935ff8de0bb0f6f9492407accd689d468dc5f7e90265df4163516b2eb
                              • Instruction ID: 034ac2386f7dbd762b400de7b7b798b57c211d84091c9936d17616f2a5bf9316
                              • Opcode Fuzzy Hash: 044f627935ff8de0bb0f6f9492407accd689d468dc5f7e90265df4163516b2eb
                              • Instruction Fuzzy Hash: EDA17F31A09A4B99FB20DF69E4506EA6390EF84BC4F94403ADB4D0B795DFBCE549C740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: TextWindow$EventHandleLoadModuleNotifyString
                              • String ID: %s - %d running windows$%s - 1 running window$%s: %d of %d$Desktop$ExplorerFrame.dll$\rundll32.exe
                              • API String ID: 686194620-3935714908
                              • Opcode ID: 83b225e071095df5bde25635167391e81d8112e19932fd42b0c9defca7b3e116
                              • Instruction ID: 8dd3e55f0bc88657066b2e873ddeebc5448e2890a1d3e4d84aaeef8eb8a422d4
                              • Opcode Fuzzy Hash: 83b225e071095df5bde25635167391e81d8112e19932fd42b0c9defca7b3e116
                              • Instruction Fuzzy Hash: 8BD18572B08B818AEBA4DF28D4843BA6760FB84BC5F414136DB4E476A4DFBCD589C741
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: DeleteTree$CloseModuleOpen$ExtensionFileNamePathRemove$AwarenessContextCurrentDirectoryErrorHandleLastProcess
                              • String ID: .IA-32.dll$SOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$SOFTWARE\Classes\Drive\shellex\FolderExtensions\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$SOFTWARE\WOW6432Node\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                              • API String ID: 3360383582-326433317
                              • Opcode ID: f64e4be203137b9e086229eeb70c6ba62c2093a0a25a6fe8a7ec120515eced2d
                              • Instruction ID: e89ad5a9567a58652e011463f84d1821f8301cd7ecb7cbebb1eeda74585c3d5b
                              • Opcode Fuzzy Hash: f64e4be203137b9e086229eeb70c6ba62c2093a0a25a6fe8a7ec120515eced2d
                              • Instruction Fuzzy Hash: AD514F65A1CB438AEB209B69E89437573A1FF847E4F405235DB5E427E8DFBCE509C600
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$Attribute$BrushCreateDeleteLongObjectSolid$AreaClientExtendFrameInto
                              • String ID: $&$Grid_backgroundPercent$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$[sws] Refreshing theme: %d$_
                              • API String ID: 97799080-1950453067
                              • Opcode ID: 9393b053c4d075cf8f99e8848a50bc2322899e3625217ffce7b706919a739f9a
                              • Instruction ID: 444a98f5066bfd1b32656a2be99c72650b4617fda0b91de668cb75c006dd4be6
                              • Opcode Fuzzy Hash: 9393b053c4d075cf8f99e8848a50bc2322899e3625217ffce7b706919a739f9a
                              • Instruction Fuzzy Hash: B4B16772B05A428DEB50CF69E8846AD33A1FB44B98F140136CE0E6B798DFBCD985C750
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressLibraryProc$FreeLoad$FolderPath_invalid_parameter_noinfo
                              • String ID: CopyExplorerSymbols$EP_TrayUI_CreateInstance$GetVersion$SetImmersiveMenuFunctions$[TB] '%s' not found$[TB] '%s' with version %d is not compatible$[TB] Failed to hook TrayUI_CreateInstance()$[TB] Using '%s'$\ExplorerPatcher\
                              • API String ID: 1805524761-1356000006
                              • Opcode ID: 1705b4b008712e1c0c71abb03680cc93c227db6ce33f5a991fa1471fc99d2c22
                              • Instruction ID: a3447f779bd265eaf64a2ae48c3a1d9d24db730ca786ae35ed9e8fe688272787
                              • Opcode Fuzzy Hash: 1705b4b008712e1c0c71abb03680cc93c227db6ce33f5a991fa1471fc99d2c22
                              • Instruction Fuzzy Hash: 45513B64A1AA438DFB909B6DEC943BA23A1AF897C0F444535DB0E466A5DEBCF449C700
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$Long$Rect$Visible$Empty
                              • String ID:
                              • API String ID: 2906060442-0
                              • Opcode ID: 66cc9ca4c79e996306753c0dd50f51a4686b0854f08af43f0c4547588e5d6ee5
                              • Instruction ID: ef0377e972b51cc72c970af49908094b3b2185e76501f8c39027fb544d9deb72
                              • Opcode Fuzzy Hash: 66cc9ca4c79e996306753c0dd50f51a4686b0854f08af43f0c4547588e5d6ee5
                              • Instruction Fuzzy Hash: 50513124B0DA038AFF949B2DAC5423A6695AF8ABD0F044034EF4E47794EFBCE585D305
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CurrentFormatMessageThread
                              • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$LogNt$Msg:[%ws] $ReturnHr$ReturnNt$[%hs(%hs)]$[%hs]
                              • API String ID: 2411632146-1363043106
                              • Opcode ID: 36d649823e87f82759339c66bbeb98b13633b0336a965d9817c984a93a51ef7b
                              • Instruction ID: 6701efeec847719d551846d990e24b5499b7f209d7f9912c4fa6089eed8422f8
                              • Opcode Fuzzy Hash: 36d649823e87f82759339c66bbeb98b13633b0336a965d9817c984a93a51ef7b
                              • Instruction Fuzzy Hash: AE719B25A09B8289EB66CFA9A4406B963A4FF4CBC4F448536DF8D17768DFBCE541C340
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLastRegister$Virtual
                              • String ID:
                              • API String ID: 270683995-0
                              • Opcode ID: f250d1fb01da1be5f6057db7c8c30dccb8d4b538fcd040e7f71cd891657f74d4
                              • Instruction ID: f9db54d312092a82fdb400d76aadf20553ffd8d8b8253aeb9da0217c28d23bf5
                              • Opcode Fuzzy Hash: f250d1fb01da1be5f6057db7c8c30dccb8d4b538fcd040e7f71cd891657f74d4
                              • Instruction Fuzzy Hash: F0515A24B09B438EF7A55BAA958033626A5BF55BD5F104138DB0D87790EFACE8988312
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$Prop$Ancestor$AreaAttributeClientExtendFindFrameIntoParentPointsRectRemoveText_invalid_parameter_noinfo
                              • String ID: EP_METB$FloatingWindow$Windows.UI.Composition.DesktopWindowContentBridge
                              • API String ID: 1583271118-1647979291
                              • Opcode ID: 53a8d3eddcce35e28cf9eb01f76bac162330d67d7152c2c4d55feb973546e689
                              • Instruction ID: 6fc7e2c0e33a94c148add28dfeb0950adb4975f38b7b3a783ca48852646c2e9f
                              • Opcode Fuzzy Hash: 53a8d3eddcce35e28cf9eb01f76bac162330d67d7152c2c4d55feb973546e689
                              • Instruction Fuzzy Hash: 28514D75B0DA428AFB64CB29E89466E23A1FB897C0F504135DB4E43698EFBCE945C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$ActiveLastPopup$ClassFindMessageNamePostShowSwitchThisVisible
                              • String ID: Shell_TrayWnd$[sws] Chosen window: %s$[sws] Last active popup: %s$[sws] Owner of window: %s
                              • API String ID: 4254927367-3099396148
                              • Opcode ID: 71ecf7340710745a63d3532cf271a1c267407e0aedfcf4d78fc2a0db5710b184
                              • Instruction ID: 12ba4e8216d66197c4d2ec5c546e9f3c20598da46e211352e8564328e8e821d1
                              • Opcode Fuzzy Hash: 71ecf7340710745a63d3532cf271a1c267407e0aedfcf4d78fc2a0db5710b184
                              • Instruction Fuzzy Hash: EF514C65705B428AEF64DB19F8D836A63A0FB89BC5F440139CB4E07764EEBCE586C740
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ColorText$Object$DrawModeSelectWindow$CreateDeleteFontForegroundIndirectInfoParametersSystemTheme
                              • String ID:
                              • API String ID: 112896650-0
                              • Opcode ID: 28ea8d5eae088f08772c9eeea65bd47154936fb48cf4d2d88fb7ccf376b3ff1c
                              • Instruction ID: 35611e770fd83f19b401e0af72892c9f96c039fd62b1efb75387c0a7cd76080a
                              • Opcode Fuzzy Hash: 28ea8d5eae088f08772c9eeea65bd47154936fb48cf4d2d88fb7ccf376b3ff1c
                              • Instruction Fuzzy Hash: 3C515C75A0D6868AE7609F59E5843BEB7A0FB85BD4F404035DF8A03B58DFBCD4458B04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Rect$MetricsSystem$Monitor$FromInfoValue
                              • String ID: ($0$0$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StuckRectsLegacy$Settings
                              • API String ID: 2079259257-2463101083
                              • Opcode ID: e3ba2d1712aa69b05d0cc4412f6e31071aec3149e790a87a1d63a65abc919344
                              • Instruction ID: a22704d6857dc35ea393786a4a22336116d25f9ec62469d637869f8a9c77f705
                              • Opcode Fuzzy Hash: e3ba2d1712aa69b05d0cc4412f6e31071aec3149e790a87a1d63a65abc919344
                              • Instruction Fuzzy Hash: E8514071A09A418AF7608F18A45077EB7A0FF89794F544239DB8D46694DFFDE884CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$#412#413AncestorFindParentPropText
                              • String ID: FloatingWindow$ReBarWindow32$Windows.UI.Composition.DesktopWindowContentBridge
                              • API String ID: 2039485610-463711336
                              • Opcode ID: 369f8016e642424fef891f88ad728505f4c3c86f333c5f316952f8b682ccd038
                              • Instruction ID: afcc04fbb7d4d1a651d31c4a73eaeb700637e605d29bbb2b7c959293d16143bc
                              • Opcode Fuzzy Hash: 369f8016e642424fef891f88ad728505f4c3c86f333c5f316952f8b682ccd038
                              • Instruction Fuzzy Hash: 0D413861E09A8389FB749F2DA8847BD27A1BF8ABD4F440131CB4E17A94DEFCE445C201
                              APIs
                              • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00007FF8BEE3BF73), ref: 00007FF8BEE43575
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00007FF8BEE3BF73), ref: 00007FF8BEE43584
                              • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00007FF8BEE3BF73), ref: 00007FF8BEE435BF
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00007FF8BEE3BF73), ref: 00007FF8BEE435CE
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8BEE4392E
                              • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8BEE43934
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc_invalid_parameter_noinfo_noreturn
                              • String ID: CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                              • API String ID: 3318250257-4036682018
                              • Opcode ID: 2ecc028865c093250c9af15a2ab985205f9ffb97af506014a12143e8977ba3ce
                              • Instruction ID: 35078173d3b9ce3e79dfcd7f4fd1dcec0350c06a806540fd0a7f1f65c3d4a7b4
                              • Opcode Fuzzy Hash: 2ecc028865c093250c9af15a2ab985205f9ffb97af506014a12143e8977ba3ce
                              • Instruction Fuzzy Hash: 4CC17DA2B04A5298FF10DF69D4542BC27B1AF48BD4F514136DF1E67B99EEBCE4848300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseCreateHandleSemaphore$MutexRelease
                              • String ID: _p0$wil
                              • API String ID: 2058776845-1814513734
                              • Opcode ID: 0bbe0559d9e991cd5449ebe1a6f247e5b3b03628726d68834933351cc75b0c74
                              • Instruction ID: 1e09e1eac215035920c4b3768a612daf9ca8600f1ee353c4d36d867d258f5968
                              • Opcode Fuzzy Hash: 0bbe0559d9e991cd5449ebe1a6f247e5b3b03628726d68834933351cc75b0c74
                              • Instruction Fuzzy Hash: B091B126B19B828AEF629F69A45437A63A0FF85BD4F554035DB0E43794EFBCE405C310
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
                              • String ID: Content-Type: application/octet-stream;$GET$Microsoft-Symbol-Server/10.0.10036.206$msdl.microsoft.com
                              • API String ID: 1354133546-1066975914
                              • Opcode ID: 41f018024b2e1402be402bf47874eb35f41585cc902095506f4f1b62b090ebe7
                              • Instruction ID: 2a50084624d3fe1a5873f15bd8a6e3cd12161cb192f2543be4437ddc4573e4f8
                              • Opcode Fuzzy Hash: 41f018024b2e1402be402bf47874eb35f41585cc902095506f4f1b62b090ebe7
                              • Instruction Fuzzy Hash: A751B321A0C7428AE765CF1AA49076A67A0FF89BD0F540035EF9D47B95DFBDE441CB01
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Parent$ClassMessageRegisterWindowWord$CloseInfoItemMenuOpenProp
                              • String ID: DesktopWindow$P$Progman$WorkerW
                              • API String ID: 441032011-3530101500
                              • Opcode ID: d55ce2ffcf2a4f3241980fd005d1ca55513be418a9bb4b15c64a6e555f1f0545
                              • Instruction ID: 26b0660c05d5763b00faa5b4d92ce57b598dd3c11421653e99bfab163ed6e8a6
                              • Opcode Fuzzy Hash: d55ce2ffcf2a4f3241980fd005d1ca55513be418a9bb4b15c64a6e555f1f0545
                              • Instruction Fuzzy Hash: 66416035E0D6868AFB609B29A89077977A0BF85BC5F400139EF4E42B95DFBCE845C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value$ActivationAddressCreateFactoryHandleModuleProcReferenceStringWindows
                              • String ID: ColorPrevalence$EnableTransparency$SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize$Taskbar10.cpp$WindowsUdk.UI.Themes.SystemVisualTheme$dcomp.dll
                              • API String ID: 342590677-1899219526
                              • Opcode ID: eee946c798044d8251f7ca42235a50e41222e666ccdf69a85a8b8b51cb7d667b
                              • Instruction ID: ae1a6e85c3d717329256821ac771921ec155bb2e33bfdc9cd476156f8e285f8a
                              • Opcode Fuzzy Hash: eee946c798044d8251f7ca42235a50e41222e666ccdf69a85a8b8b51cb7d667b
                              • Instruction Fuzzy Hash: F4913632A08A439EEB108FA9E4902AD33B5FB54788F408536DB4D57B94EFBCE558C750
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ClassName$AncestorParent
                              • String ID: CabinetWClass$NotifyIconOverflowWindow$ReBarWindow32$Shell_TrayWnd$SysListView32$SysTreeView32$TrayNotifyWnd
                              • API String ID: 1386181033-4244482235
                              • Opcode ID: ca88c2902e2076327cf4a345692ff7557c46ff9891392714a1ec89a9b70076fd
                              • Instruction ID: 6e77c8d7899e4d51cb625a7bcc52af4398280fb26a54c6eb5d430aee32b778c0
                              • Opcode Fuzzy Hash: ca88c2902e2076327cf4a345692ff7557c46ff9891392714a1ec89a9b70076fd
                              • Instruction Fuzzy Hash: F8717152A085568AEAB49F1D94102BD33A1FB55FE0FC49132EF4D122D9EFBDDD85C201
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CriticalSection$HandleLeaveLoadMessageModuleSendString$Enter
                              • String ID: (null)$H$pnidui.dll
                              • API String ID: 3318607081-2376156319
                              • Opcode ID: debec5b285005d5d4150191b1c7d40711cec09eeb1870b0a598bb594af1ce006
                              • Instruction ID: ba331d7d4c112a08dad2a36057f3967c0d47e19587ade6278dc8de050942986a
                              • Opcode Fuzzy Hash: debec5b285005d5d4150191b1c7d40711cec09eeb1870b0a598bb594af1ce006
                              • Instruction Fuzzy Hash: E2514E32A19B818AEB508F29F48026A77A0FB89B84F544136DB8D43B64DFBDE545CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Monitor$Window$From$FindInfoPoint$Rect
                              • String ID: ($Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 1776394408-174554928
                              • Opcode ID: 6d46088ce248ca7634d0e92b99f1a14fa79c9da0a1fe91aab654d17432cdedd6
                              • Instruction ID: f68ad7971bddec095ed255e23a61e034dd29cf492494a4cbd6ff1f42cdc827de
                              • Opcode Fuzzy Hash: 6d46088ce248ca7634d0e92b99f1a14fa79c9da0a1fe91aab654d17432cdedd6
                              • Instruction Fuzzy Hash: 1341E331B1D6418AEB608F29F90467E67A1EF89BD0F144135EE4E43B45DEFCE9858700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$ModuleStringWindows$AddressCreateCurrentDeleteHandleInformationLibraryLoadProcProcessReferenceValue
                              • String ID: DllGetActivationFactory$Error in Windows11v22H2_combase_LoadLibraryExW on DllGetActivationFactory$Error in Windows11v22H2_combase_LoadLibraryExW on WindowsCreateStringReference$Windows.UI.Xaml.Hosting.WindowsXamlManager$Windows.UI.Xaml.dll
                              • API String ID: 2113071911-1359692214
                              • Opcode ID: f33fb8b91075de84eb5fc511b19a8dcb0b50f2b7fce2c8de30f4acace464332c
                              • Instruction ID: aad044803ac936f580e3ee99c41ea4f7b84bba4ecde9f03b88b715334349e1e1
                              • Opcode Fuzzy Hash: f33fb8b91075de84eb5fc511b19a8dcb0b50f2b7fce2c8de30f4acace464332c
                              • Instruction Fuzzy Hash: 88417F26B19B4289EB90DF29F49016A6360FF89BC4F441032EB4E47B64DFBCE985C741
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Value$ActivationFactory_invalid_parameter_noinfo_noreturn
                              • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Start$ShowFrequentList$ShowRecentList$VisiblePlaces$WindowsInternal.Shell.CDSProperties.StartGlobalProperties
                              • API String ID: 3131312478-3545454060
                              • Opcode ID: 90357dd1e44263d1c1741ab5e10f4e9b9e5c9bd5d94a6f9f79fd4c0e9e16146a
                              • Instruction ID: cda954fddd2a3fba0084432082e60d988ed99bfa6c49e789dedf0b495b2a3855
                              • Opcode Fuzzy Hash: 90357dd1e44263d1c1741ab5e10f4e9b9e5c9bd5d94a6f9f79fd4c0e9e16146a
                              • Instruction Fuzzy Hash: CEF12672B09B069AEB119F69E4802ED33A5FB487C8F404136EB4D53B98EFB8E515C340
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: DataOpenTheme$#328#334Value
                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Taskband2$TaskbarPearl$TaskbarSD$TaskbarShowDesktop$TrayNotifyFlyout
                              • API String ID: 1534390305-1782666386
                              • Opcode ID: f7a95dd60248838b5c2f8b5c4e0e5b8f0d60dec5600c5041dd50f3fbc17f3f28
                              • Instruction ID: 4008b2ec2f7fe63e1994c40fd2a00c8c7a80cc8d62920d3ea6e77665bfb5ba6b
                              • Opcode Fuzzy Hash: f7a95dd60248838b5c2f8b5c4e0e5b8f0d60dec5600c5041dd50f3fbc17f3f28
                              • Instruction Fuzzy Hash: 8A518361A0865689FB689F19945027D73B0FF45FE0F885535EB4E426A8EFBDA881C210
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Menu$HandleItemLoadModule$CountInsertString
                              • String ID: D/$ExplorerFrame.dll$P$b
                              • API String ID: 1491413557-2753148976
                              • Opcode ID: 8da2e0ef13cb1ac62032a24ed978333d563a1b7812b734e6865a6b43ed5f8496
                              • Instruction ID: 528f040f4072544e4ea8ad6082b5a1d1a510386bbd1bf5efc15228660a9fe85d
                              • Opcode Fuzzy Hash: 8da2e0ef13cb1ac62032a24ed978333d563a1b7812b734e6865a6b43ed5f8496
                              • Instruction Fuzzy Hash: 6B418331A09B458AEB609F19E45476A73E0FF84B90F444139DB9D47B94EFBCE845CB40
                              APIs
                              Strings
                              • [sws] Delayed showing by %lld ms due to: user configuration., xrefs: 00007FF8BEE19642
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: PerformanceQuery$CountCounterFrequencyObjectSingleTickWaitWindow$AttributeVisible
                              • String ID: [sws] Delayed showing by %lld ms due to: user configuration.
                              • API String ID: 3340259983-850836316
                              • Opcode ID: 93e57d240382d36971298e2f6fb32d0303e8c1185e93da05c63cb8323c29d6c8
                              • Instruction ID: f6bc1ba817bd10f5db765e231140532e0d96d1f8072ff5bf3054b7d3408fce6c
                              • Opcode Fuzzy Hash: 93e57d240382d36971298e2f6fb32d0303e8c1185e93da05c63cb8323c29d6c8
                              • Instruction Fuzzy Hash: A0319322B0DA428AEB90DF29F49422A77A0FF85BD4F140135EB4E466A8DF7DE481C711
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: System$MetricsValue
                              • String ID: &$'$9$Control Panel\Desktop\WindowMetrics$IconSpacing$IconVerticalSpacing$MinWidth
                              • API String ID: 1597967150-2735893900
                              • Opcode ID: 191fad97566844dbb047568bc1ee29499f238f3586eeef47a5e0cc9316608776
                              • Instruction ID: 1c4b4aa33c54c4ff6aa4a332135c61141ba2c89b4c66629ebe4420e284061680
                              • Opcode Fuzzy Hash: 191fad97566844dbb047568bc1ee29499f238f3586eeef47a5e0cc9316608776
                              • Instruction Fuzzy Hash: 70215171A0CB86CAEB608F18E4883AE73A0BF94790F900139D75D466A5DFBDE9488700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: MonitorValue$ClientFromInfoMessagePointScreenTimer
                              • String ID: ($SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl
                              • API String ID: 2953988541-3876653080
                              • Opcode ID: 3d9653568afe72a3fbe7615afc0000f37ab072ddf69813c96f66c3d7dc0f7a43
                              • Instruction ID: 992d58c8440bf8af687070d6bd0feb8f03f12da56c493fc8bf7b810d61b22e7a
                              • Opcode Fuzzy Hash: 3d9653568afe72a3fbe7615afc0000f37ab072ddf69813c96f66c3d7dc0f7a43
                              • Instruction Fuzzy Hash: D6518B32F19A118EF750CB68E4846FE32A1FF44798F500236DB0D56A88DFBCA985C781
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$Long$Find$MarginsTheme
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 3366318519-1433838494
                              • Opcode ID: 82b878cdfae58637eeee74e4c7c7519577973b9c5241908f0a99c884d6322e1b
                              • Instruction ID: abaded276972a7ad12ce826b4ec3199c9d48ac7d7ed55e37efec400e2c218429
                              • Opcode Fuzzy Hash: 82b878cdfae58637eeee74e4c7c7519577973b9c5241908f0a99c884d6322e1b
                              • Instruction Fuzzy Hash: 2951A1729097858AEB608F29E84427D7791FB45BE8F049135CF490B798EFBED845C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: [TC] Patched!$[TC] blockBegin = %llX$[TC] blockEnd = %llX$[TC] rcMonitorAssignment = %llX$xxx??xxx?xx$xxx??xxx?xxx$xxx??xxxx?xx$xxx??xxxx?xxx
                              • API String ID: 544645111-3560911239
                              • Opcode ID: 8536186f3ccecee405d877c6a376b0fd8946795391bdb4ec87c6d0f1bbc39c2e
                              • Instruction ID: 18dbcb8306ba7adfbbe54243f1b75ae06782b78c79ef2150446794808b76b8aa
                              • Opcode Fuzzy Hash: 8536186f3ccecee405d877c6a376b0fd8946795391bdb4ec87c6d0f1bbc39c2e
                              • Instruction Fuzzy Hash: C5519F61B096838CFB11DBAAE4542BE63A0AF44BD4F444132EB4C0779AEFBDE549C750
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CurrentProcess$FileHandleMappedModuleName
                              • String ID: -> func %p$ -> func %p in %.*s$ func %p is in %.*s$ indirect jump to addresss at %p$ relative jump to %p$%
                              • API String ID: 3110908827-1828122181
                              • Opcode ID: ca0a6748e9d3360911cfff6dcc7a3067248eed72ea2ca0493127803f5e3392c1
                              • Instruction ID: 34266f57420d345edfd76de4884487da0a94d555b3c780201fe48829e4caa231
                              • Opcode Fuzzy Hash: ca0a6748e9d3360911cfff6dcc7a3067248eed72ea2ca0493127803f5e3392c1
                              • Instruction Fuzzy Hash: 9D5192E2E0968A99FF608B19A4503BA67E0AF49BC5F484039DB4D07799DFBCF4418700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FindWindow$#412#413MessagePost
                              • String ID: ClockFlyoutWindow$Shell_TrayWnd$Windows.UI.Core.CoreWindow
                              • API String ID: 103836485-3485964848
                              • Opcode ID: 9364a2b72bd7c163b7fe69fec9ecf0bf22491a923e0361172d4ea33bd59ce873
                              • Instruction ID: a6e6e129f774c222f69cc768793b309692fa8c9ce5cc4dff06bba48b602fd2d5
                              • Opcode Fuzzy Hash: 9364a2b72bd7c163b7fe69fec9ecf0bf22491a923e0361172d4ea33bd59ce873
                              • Instruction Fuzzy Hash: 9F318D74E0D6028EFB609F29A89567D2B61AF95BD0F544036CB0E126D5DEECF4858700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CompareOrdinalString
                              • String ID: ::{17CD9488-1228-4B2F-88CE-4298E93E0966}$::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$::{7B81BE6A-CE2B-4676-A29E-EB907A5126C5}$::{8E908FC9-BECC-40F6-915B-F4CA0E70D03D}$::{A8A91A66-3A7D-4424-8D24-04E180695C7A}$::{BB06C0E4-D293-4F75-8A90-CB05B6477EEE}$::{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}$Advanced
                              • API String ID: 2409332303-3644713213
                              • Opcode ID: 3a128c15991b5f54e83503e02f1281c5f4841b565b0b582a6547265550964596
                              • Instruction ID: 6950332f6e494095af44cf270cbb28258d6a72e4cf7b6f33b17a5852691cb2a9
                              • Opcode Fuzzy Hash: 3a128c15991b5f54e83503e02f1281c5f4841b565b0b582a6547265550964596
                              • Instruction Fuzzy Hash: 10315A32A08B8289EB618F14E8842AD33A9FB487D0F550236DB9C27765DF7DE906C740
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: HorizontalAlign$Position$TwinUIPatches.cpp$VerticalAlign
                              • API String ID: 0-1987525340
                              • Opcode ID: 86c452996285e88f0f32f2e0bd98455b9e5865fe2c50332be65b1a5cd41143f1
                              • Instruction ID: b6b9cf7fd72b7a5dd323b75a1e0bc0e65b820528151c996372214b5b9d63b59e
                              • Opcode Fuzzy Hash: 86c452996285e88f0f32f2e0bd98455b9e5865fe2c50332be65b1a5cd41143f1
                              • Instruction Fuzzy Hash: BEF13336B18A468EF711CBBAD4506AD23B5AB89BD8F110536DF0DA7B94EE78D405C340
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$AccessibleForegroundPropState$ChildrenFromObject
                              • String ID: EPTBLEN
                              • API String ID: 242652104-515233689
                              • Opcode ID: 19cb3f8b9309dde4596a65705deaba03d942f6790faeb5ebccd69a687ac3a77b
                              • Instruction ID: f90416dd17aeb5182f4c9f4380a41c13d28c100d8495182a4765f1e5beac247b
                              • Opcode Fuzzy Hash: 19cb3f8b9309dde4596a65705deaba03d942f6790faeb5ebccd69a687ac3a77b
                              • Instruction Fuzzy Hash: 23D13B72A08B428AE714CF7DD4402AD77B1FB84798F605226EF8D57A68DF78E845CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CloseHandle$OpenSemaphore$ErrorLastObjectSingleWait
                              • String ID: _p0$wil
                              • API String ID: 2347786691-1814513734
                              • Opcode ID: 658d5da5be2d65d0a64760a8879232775a89bfe2652ae95c89e781813dd5dcb1
                              • Instruction ID: 000fda7847b9bebc9d830b3af0ce784241ac928cb34c4a8e65224fee08e7d756
                              • Opcode Fuzzy Hash: 658d5da5be2d65d0a64760a8879232775a89bfe2652ae95c89e781813dd5dcb1
                              • Instruction Fuzzy Hash: AE919462B49B8289EF229F69E4542BA63A1FF84BC0F944536DB4D57794EF7CE401C310
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ActivationCreateFactoryReferenceStringWindows
                              • String ID: Start.TileGrid$StartMenuSettings.cpp$StartPin$WindowsInternal.Shell.UnifiedTile.CuratedTileCollections.CuratedTileCollectionManager
                              • API String ID: 1966789792-2245281551
                              • Opcode ID: 297cdcd0fa5751e38f8b4173c2d1ca68ead3741c106d6d747828a76f02c1754f
                              • Instruction ID: 634bb7ec8e1825c843baab7170faa5277123cd968b150055a7066e4e311bbee8
                              • Opcode Fuzzy Hash: 297cdcd0fa5751e38f8b4173c2d1ca68ead3741c106d6d747828a76f02c1754f
                              • Instruction Fuzzy Hash: D3913B36B54B428AFB118BB9D8906AD27B4FB88BC8F501432DF0DA3B68DF78D5458350
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ObjectSingleWait
                              • String ID: wil
                              • API String ID: 24740636-1589926490
                              • Opcode ID: 9a694e2a68fb19814e29b835e14bc2a27ed7f3b8424e4511df6a7ded76c7c385
                              • Instruction ID: 7e2e97966dbc3a09ed910c66c6d65f2677501d77f65ac00a7cbb5463ebe2568f
                              • Opcode Fuzzy Hash: 9a694e2a68fb19814e29b835e14bc2a27ed7f3b8424e4511df6a7ded76c7c385
                              • Instruction Fuzzy Hash: 7341A231A8CA438AF7619B2DF8442BA6391EF847C8F204531DB4F82A94EEBCE5458710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: LibraryModule$CurrentDataDirectoryEntryFreeHandleImageInformationLoadProcess
                              • String ID: Failed to hook UnifiedTilePinUnpinVerbProvider::GetVerbs(). rv = %d$RoGetActivationFactory$StartMenuSettings.cpp$StartTileData.dll$api-ms-win-core-winrt-l1-1-0.dll$xxxxxxxxxxxxxxxxx?xxx????xxx????xxxxxxxxx?xx?xx?xx?xxx
                              • API String ID: 2511907732-536516541
                              • Opcode ID: 4f4503dd63b28e12f0db4223783623e8cc06f67312a36792264eb7e77a43a89b
                              • Instruction ID: fdb8b65deb601e33941d6aa2a353cb45eed652def0ac338ee64518d40fe874d2
                              • Opcode Fuzzy Hash: 4f4503dd63b28e12f0db4223783623e8cc06f67312a36792264eb7e77a43a89b
                              • Instruction Fuzzy Hash: 01317C60A09A479AEB509F69E8901BA23A0BF847C4F504236DB0E577A5EFFCE545C780
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: LibraryModuleProtectVirtual$CurrentFreeHandleInformationLoadProcess
                              • String ID: AppResolver.dll$CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart() = %llX$Failed to hook CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart(). rv = %d$RoGetActivationFactory$api-ms-win-core-winrt-l1-1-0.dll$x?xxxx????xxx
                              • API String ID: 1174645330-3507426587
                              • Opcode ID: 49c857abb259f8ab9d2353d70d94a63c221da5e82275cd52eb6cd3e6f3a37cca
                              • Instruction ID: ced70ca3748850267279b13f4f486ec757d5cb9a1285e21954e506e168b453dd
                              • Opcode Fuzzy Hash: 49c857abb259f8ab9d2353d70d94a63c221da5e82275cd52eb6cd3e6f3a37cca
                              • Instruction Fuzzy Hash: 8C213C60E19A4B99EA409B6CE8952F633A0BF847D4F944136D70E4B3A5EEBCF545C340
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: -$:$f$p$p
                              • API String ID: 3215553584-2013873522
                              • Opcode ID: fe036fb941fb11473cd2be1db92a5320d12a8278ca9cccc6ab9bb90505469060
                              • Instruction ID: 74c95e08b428e17494bd42ca091525da029dbfbf628e587ee07f41289b2f0ed3
                              • Opcode Fuzzy Hash: fe036fb941fb11473cd2be1db92a5320d12a8278ca9cccc6ab9bb90505469060
                              • Instruction Fuzzy Hash: 3C128261A0C2838EFB249E1CE0542BA77A1FB407D4F944135D79A476D8DFBEF8808B14
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: f$f$p$p$f
                              • API String ID: 3215553584-1325933183
                              • Opcode ID: 5aec86bda318b381c8cda5d7efe2f57a5f961980edc2432a172610ea84918a7a
                              • Instruction ID: c82050057ef12a030e68e7e1f34d5852ea35f7409ee3077e2e7cc2307018c19f
                              • Opcode Fuzzy Hash: 5aec86bda318b381c8cda5d7efe2f57a5f961980edc2432a172610ea84918a7a
                              • Instruction Fuzzy Hash: 9F1294A2E0C1578EFB609E18D0547B976A2FB417D4F944435EB9A4A6C8DFBCF880DB10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: BitsStretch
                              • String ID:
                              • API String ID: 350495539-3916222277
                              • Opcode ID: 88013bc2f38c8630722a96bcdcbf496357a59567b54d77f66b0e4f362f12a11e
                              • Instruction ID: 3032af873494123cae5df416cb77f75c85b746f027fd1a80ae8c0d36629f8ddc
                              • Opcode Fuzzy Hash: 88013bc2f38c8630722a96bcdcbf496357a59567b54d77f66b0e4f362f12a11e
                              • Instruction Fuzzy Hash: D1A120B26187C08ED7108F65F48465EBBB4F789398F205329EA8963B68DB7DD055CF40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ClassNamePerformanceQuery$CounterCursorEnumFrequencyFromMenuPointPopupPropsTrackWindow
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 1660317238-1433838494
                              • Opcode ID: 83934b789d8973376879005c48091409ce3cd31c50c9371e15847954d8c5b21b
                              • Instruction ID: 5a03b261d92fccf46465132affa61ba6209b1f0b3eabddf30bbf51ecbe53d4da
                              • Opcode Fuzzy Hash: 83934b789d8973376879005c48091409ce3cd31c50c9371e15847954d8c5b21b
                              • Instruction Fuzzy Hash: C6916462A086828AEB649F1DE44027E77A1FF85BD0F844136FF4E12694DFBCE985C741
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Mutex$CloseCreateCurrentErrorHandleLastObjectProcessReleaseSingleWait
                              • String ID: Local\SM0:%lu:%lu:%hs$wil$x
                              • API String ID: 908355122-984673096
                              • Opcode ID: 0eed1a0e6b6fa06b2c0e89e7213f101d1d7421deb94518413f30a7118700e111
                              • Instruction ID: 29bbfc5a1e09c4e19ceabc7f28b71804d94b72206f6647ed595c9a1f000dd0f4
                              • Opcode Fuzzy Hash: 0eed1a0e6b6fa06b2c0e89e7213f101d1d7421deb94518413f30a7118700e111
                              • Instruction Fuzzy Hash: 4C51903660DA8289FB619B69F4547BE63A1EF84BD0F504131DB4E93B99DEBCE4018701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Process$Window$CloseEnumFileFindHandleImageNameOpenProcessesThreadTimes
                              • String ID: Shell_TrayWnd
                              • API String ID: 205820467-2988720461
                              • Opcode ID: f023992688c57101c561ed79959dc3c03ba5d458641acb0f4f1228131208a279
                              • Instruction ID: c79331d15b271158bbb71cd511f11a01f7f184a928572c845254a7b52cf45e7d
                              • Opcode Fuzzy Hash: f023992688c57101c561ed79959dc3c03ba5d458641acb0f4f1228131208a279
                              • Instruction Fuzzy Hash: E6319C32609B829AE760CF59E49809A73A0FB89BD0F441135EF9E07B58EF7CD546CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: StringWindows$ActivationCreateDeleteFactoryReference
                              • String ID: WindowsUdk.UI.Shell.TaskbarLayout$[Positioning] Added settings for monitor %p : %d$[Positioning] Changed settings for monitor: %p : %d$[Positioning] Removed settings for monitor: %p
                              • API String ID: 2243136672-1634499889
                              • Opcode ID: fb3fc62111603dd1745c8325917876a59311e979fe064d816b692d01f6d50eee
                              • Instruction ID: abc92e7c756a0c64945452fd0698934c9e02d4e657330e2aeef343cd86314611
                              • Opcode Fuzzy Hash: fb3fc62111603dd1745c8325917876a59311e979fe064d816b692d01f6d50eee
                              • Instruction Fuzzy Hash: AF813736B49A028AEB158BA9E8901AC33B1FF44BD8F554036DF4E57B64DFBCE4958340
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ExclusiveLock$Release$AcquireAddressLibraryLoadProc
                              • String ID: RoGetAgileReference$combase.dll
                              • API String ID: 1925124437-3498391780
                              • Opcode ID: 191cc1bba3cdddc2a570c09a664181a4c98cecfbcb7b12238b7ca1c8183499ae
                              • Instruction ID: 01c9c71be0c0333be1262f01864f31948eb5fbbdfa4ef2c720db9f58cd6d1f8b
                              • Opcode Fuzzy Hash: 191cc1bba3cdddc2a570c09a664181a4c98cecfbcb7b12238b7ca1c8183499ae
                              • Instruction Fuzzy Hash: B8614922A09B1689FB50DBA9E8906BC23B4AF84BC4F454435DF0E17B65EFB8E951C301
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Initialize$ActivateCreateInstanceReferenceStringWindows
                              • String ID: Windows.Data.Xml.Dom.XmlDocument$updates.cpp
                              • API String ID: 2774375269-421020656
                              • Opcode ID: c17de4a74663ae1334d4dc68cb615cf5464bcc9af81c3d8218caca80331b9e32
                              • Instruction ID: e967316788ce4cb8e71da183da7e2894a8cba1847cd6f98b09a08c8ff158c9cf
                              • Opcode Fuzzy Hash: c17de4a74663ae1334d4dc68cb615cf5464bcc9af81c3d8218caca80331b9e32
                              • Instruction Fuzzy Hash: 5C611566B04B4689EB109BB9D8905ED27B0FB89BD8F544532CF0DA3B98DFBCE4458350
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: .rdata$[SSO] pguidTarget = %llX$[SSO] pssoEntryTarget = %llX
                              • API String ID: 544645111-3803262335
                              • Opcode ID: 5b9935208d114720107a600c19d56df1f3ab6656fc1db0a15f77e1c048a1198f
                              • Instruction ID: 2227acf9f7fda338588e3720a731e2ae0e73dc6fc66b2db47ab34f6218103366
                              • Opcode Fuzzy Hash: 5b9935208d114720107a600c19d56df1f3ab6656fc1db0a15f77e1c048a1198f
                              • Instruction Fuzzy Hash: 5351A632B0864699EB209F69E54027DA3A0FB44BC4F448136EB8E57798DFFCE549C710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressFreeLibraryProc
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 3013587201-537541572
                              • Opcode ID: d4e28a9fedf3677cfce40951c100994421983aba29285a1f03a61ac34610fe8e
                              • Instruction ID: 8cebfe8b28098d5ff274ccbce24fc1ca7dd9f60bc9d61421cb8758be013c03ae
                              • Opcode Fuzzy Hash: d4e28a9fedf3677cfce40951c100994421983aba29285a1f03a61ac34610fe8e
                              • Instruction Fuzzy Hash: 0441F121B1AA428DFB16EF1E98005762391BF45BE4F894539EF1D87B88EEBCF4459300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$Message$CallClassClickCreateDoubleFindHookInstanceNameNextPostRegisterTime
                              • String ID: Shell_TrayWnd$Windows11ContextMenu_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                              • API String ID: 1587758685-4164012455
                              • Opcode ID: 4a94d0f5b2144612d70103909825023d10e6d7e11548533633b21430fc8d6477
                              • Instruction ID: fc70b9ee01cd287a797e33f19e50202086ff76b123af88d75f9b930f5615aa77
                              • Opcode Fuzzy Hash: 4a94d0f5b2144612d70103909825023d10e6d7e11548533633b21430fc8d6477
                              • Instruction Fuzzy Hash: C831F330E0DA478DFBA09F6DA89477A23A1AF457C0F040135EB4E426E6DFBDB481D601
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: #412AncestorFindPropWindow
                              • String ID: DarkMode$NavbarComposited$Windows.UI.Composition.DesktopWindowContentBridge
                              • API String ID: 341881220-2358444603
                              • Opcode ID: b92026126a59136a9fa017cb57680c02266db8fe866fa5fef45f75a8e4542f46
                              • Instruction ID: 8523be385d1a4f8493def9a4aeb569fca4eaa1b535f094a905a05faf702547b3
                              • Opcode Fuzzy Hash: b92026126a59136a9fa017cb57680c02266db8fe866fa5fef45f75a8e4542f46
                              • Instruction Fuzzy Hash: 93214D21B09B8389FB209F1AA8402A967A1BF89BC4F584435DF4D47B59DEBCE556C300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$OpenStreamlstrcmpilstrcpy
                              • String ID: TaskbarWinEP$TaskbarWinXP
                              • API String ID: 3070759360-188097361
                              • Opcode ID: 885aa519be0ac16dc9c4f2ce9ba4c8813ddacbb61ad6c77d6aca215c77959592
                              • Instruction ID: ebc6423726e407aac990a7d953a6cb6e4973d92cfed27a929e2349b78f2b64f4
                              • Opcode Fuzzy Hash: 885aa519be0ac16dc9c4f2ce9ba4c8813ddacbb61ad6c77d6aca215c77959592
                              • Instruction Fuzzy Hash: 00016D61B09B468AFA209F1ABC505696760AF8AFD4F844135DE0E17B54EE7CE549C700
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: DeleteStringWindows
                              • String ID:
                              • API String ID: 3152741638-0
                              • Opcode ID: 67f1ce15685d295fff3aeada26a4c3f3d4cb06d9198a5746176b713a9cdb96ef
                              • Instruction ID: 42146268176749c5a23564ff3e96f382587b3d9ce4a1afd02d4f989388aef0a9
                              • Opcode Fuzzy Hash: 67f1ce15685d295fff3aeada26a4c3f3d4cb06d9198a5746176b713a9cdb96ef
                              • Instruction Fuzzy Hash: 3331E532A15B468AEB41AF79E8952693364FF85FC4F484035DB4E47B69CFB8D856C300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchState
                              • String ID: csm$csm$csm
                              • API String ID: 1826822863-393685449
                              • Opcode ID: 06d37747ec23b99cccc750839291a7387a34138ff8a4e3128607efae63cc54a1
                              • Instruction ID: a4fac1a61680e2972f4d047bc16f75a071533c390cafd6988e7100000c72b5da
                              • Opcode Fuzzy Hash: 06d37747ec23b99cccc750839291a7387a34138ff8a4e3128607efae63cc54a1
                              • Instruction Fuzzy Hash: 57D16EA290874A8AEB60DB6994453AD77E0FB457D8F100136EF4D57B9ADFB8F181C700
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: 9951ac33629f3783a2efaf7b1665c919d801720656d2e50ddd4d57e51d070b78
                              • Instruction ID: c13e9dc22fce55be43e2b6e65e811dfececb16ba51c10793bef016a6c56df5b8
                              • Opcode Fuzzy Hash: 9951ac33629f3783a2efaf7b1665c919d801720656d2e50ddd4d57e51d070b78
                              • Instruction Fuzzy Hash: D3C1EE22A0C78699EB609F1D94902BE7FA5EF90BC0F550235EB4E43795DEFDE8498300
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Heap$Process$Free$_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 1838106010-0
                              • Opcode ID: b594837bcafa6114a58da30faa14e04c973ed6eea13c8fea0de63908e2e9a346
                              • Instruction ID: 4566a4033751079fb732fbc11d0f5f2249a87452922ad842405dc13fac7d761b
                              • Opcode Fuzzy Hash: b594837bcafa6114a58da30faa14e04c973ed6eea13c8fea0de63908e2e9a346
                              • Instruction Fuzzy Hash: 3F81BD72B48B428EEA669F5EE44017973A0EF84BD1F594136DB4C077A6DFBDE8818300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Monitor$FromInfoPoint
                              • String ID: ($TwinUIPatches.cpp
                              • API String ID: 1349325158-3972200677
                              • Opcode ID: 6248ba3d4a6800285093143097960151aa4c59b11e281124f03f80a7d9bad0e2
                              • Instruction ID: 06faf2294d5e3dc2fefb02bc636278ee4dc406fd35e808527f19c2f78ff9a44b
                              • Opcode Fuzzy Hash: 6248ba3d4a6800285093143097960151aa4c59b11e281124f03f80a7d9bad0e2
                              • Instruction Fuzzy Hash: 93614E26F04B0689FB218BAAE4542BD27B1BF89BE8F105132DF0D53B54EEBCD5498340
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: MonitorWindow$From$InfoPointRect$Find
                              • String ID:
                              • API String ID: 2969468792-0
                              • Opcode ID: e990e4b1540854c73ea75753fca5cebc977366d4440490979d1a3de8ce620f80
                              • Instruction ID: 1ccdae899f23b1a676b5117dfccf509e060f5fd11fd01eeba213f1c69a6f2e01
                              • Opcode Fuzzy Hash: e990e4b1540854c73ea75753fca5cebc977366d4440490979d1a3de8ce620f80
                              • Instruction Fuzzy Hash: D8510533B089129EE714CF7DD8846AC37B1EB88788F455535DE08A7B48DEB9E9058B80
                              APIs
                              • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF8BEE5E233,?,?,?,00007FF8BEE5AD46,?,?,?,00007FF8BEE5AD01), ref: 00007FF8BEE5E0B1
                              • GetLastError.KERNEL32(?,?,00000000,00007FF8BEE5E233,?,?,?,00007FF8BEE5AD46,?,?,?,00007FF8BEE5AD01), ref: 00007FF8BEE5E0BF
                              • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF8BEE5E233,?,?,?,00007FF8BEE5AD46,?,?,?,00007FF8BEE5AD01), ref: 00007FF8BEE5E0E9
                              • FreeLibrary.KERNEL32(?,?,00000000,00007FF8BEE5E233,?,?,?,00007FF8BEE5AD46,?,?,?,00007FF8BEE5AD01), ref: 00007FF8BEE5E157
                              • GetProcAddress.KERNEL32(?,?,00000000,00007FF8BEE5E233,?,?,?,00007FF8BEE5AD46,?,?,?,00007FF8BEE5AD01), ref: 00007FF8BEE5E163
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Library$Load$AddressErrorFreeLastProc
                              • String ID: api-ms-
                              • API String ID: 2559590344-2084034818
                              • Opcode ID: 599aa7cf843937970ddcceeced45eda2783968fedc2164453d608f002cc62442
                              • Instruction ID: 49815f7092a639014cb899f47115ac5d212383947d63b65ee37c90edf956df10
                              • Opcode Fuzzy Hash: 599aa7cf843937970ddcceeced45eda2783968fedc2164453d608f002cc62442
                              • Instruction Fuzzy Hash: 0C3101B1A1AB4689EE15DB1AA80017A27D4FF49BE0F590634DF1D0B7A4EFBCF4418301
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Heap$Process$Free$Alloc_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 823393853-0
                              • Opcode ID: 8c144cb2418d10e68452f3e411d94cff025c7d322b2be66c77ccad39f53e557e
                              • Instruction ID: 6378d74f46f2f6977793f9c6d40fd4102aa632c0cb4415bb00af14ad5850d6b7
                              • Opcode Fuzzy Hash: 8c144cb2418d10e68452f3e411d94cff025c7d322b2be66c77ccad39f53e557e
                              • Instruction Fuzzy Hash: 6D31AD31A0AB428AEB15CF6AE54036977A0FF89BD0F188530EB9D03794DF7DE4128340
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: PropTime$#334FileSystem
                              • String ID: Microsoft.Windows.ShellManagedWindowAsNormalWindow$valinet.ExplorerPatcher.ShellManagedWindow
                              • API String ID: 1774183415-1567022081
                              • Opcode ID: 97238d729015d8dfd2b804d1bb3dafc32e9bfbc5c4abc83e114f203b59bb176e
                              • Instruction ID: be53bcee02d328b4077e6778228f5010c440de9f67118218335c53e1d05490bf
                              • Opcode Fuzzy Hash: 97238d729015d8dfd2b804d1bb3dafc32e9bfbc5c4abc83e114f203b59bb176e
                              • Instruction Fuzzy Hash: FD212161B0DB428AEB959F69B84027963A0FF4DBC0F485534DB4E57794EFBCE4949300
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$MenuPath$Foreground$InsertPopupProc$CreateCursorExtensionLongRemoveSpacesStripTrackUnquotewsprintf
                              • String ID:
                              • API String ID: 1129523998-0
                              • Opcode ID: 78930651f6e0dbf70c0a968884cc5667dec9041b8e6a20be2af9615704dcd25d
                              • Instruction ID: d1d225b6841f6fda6013f880ce234cb0be11644701ce26b22ff44651b9a9c951
                              • Opcode Fuzzy Hash: 78930651f6e0dbf70c0a968884cc5667dec9041b8e6a20be2af9615704dcd25d
                              • Instruction Fuzzy Hash: 10319822B09B5389FA108B5EA84057DA7A5AF85FD0F184635EF5E13B95DEBCE8418340
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: DeleteObject$#329DestroyFreeIconTaskThumbnailUnregister
                              • String ID:
                              • API String ID: 3142863258-0
                              • Opcode ID: 5b6668d6ae9ea2a99c552ac43f987bc3ae46d95cfd8ec898e4dde29fcaf8fde5
                              • Instruction ID: 3b44f40f1e5c4a02ce37b38574f5f1416e9cf4ff5f32a54064fca0c0113b3aba
                              • Opcode Fuzzy Hash: 5b6668d6ae9ea2a99c552ac43f987bc3ae46d95cfd8ec898e4dde29fcaf8fde5
                              • Instruction Fuzzy Hash: E3312921B1AA42C9EFA49F6AE49427A2360FF84F80F084539DF5E07654CFBCE4918701
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$CriticalSection$LeaveMonitorRect$EnterForegroundFromInfoPointSwitchThisVisible
                              • String ID:
                              • API String ID: 16346285-0
                              • Opcode ID: 3c5a7ed137fe8480b21572e18efabc9944883a76212bb524bd53722323f22adc
                              • Instruction ID: 50fd9870e9f71dfe596e5687a5bc41a74e8e5d1aaeb24108e58c97735a9e9202
                              • Opcode Fuzzy Hash: 3c5a7ed137fe8480b21572e18efabc9944883a76212bb524bd53722323f22adc
                              • Instruction Fuzzy Hash: B221E961A19E0289EF459FAEE9D517827A1BF85BC0F085431CB1E87260DEEDE848C311
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Time$#339DesktopFileHungMessagePostSystemTaskThreadWindow
                              • String ID:
                              • API String ID: 68357764-0
                              • Opcode ID: 943034d36bd88e25aeef4a402e739434912df28a9ce11465c727bd468174bb2f
                              • Instruction ID: b7d9aad7af95aed4835f221669a746cfa75c08eb19f053ceefa43c8bc8fd4cf5
                              • Opcode Fuzzy Hash: 943034d36bd88e25aeef4a402e739434912df28a9ce11465c727bd468174bb2f
                              • Instruction Fuzzy Hash: 41119022A09A418AEB50CF39E85467A33A1FB89FC4F144231CB1D877A4EF7CE8558300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: lstrcmp
                              • String ID: MMStuckRects3$MMStuckRectsLegacy$StuckRects3$StuckRectsLegacy
                              • API String ID: 1534048567-4175609545
                              • Opcode ID: 8f35bc77936d02bd8bfb90192c4675876bf8a2cd4dcf7b6fb2d72930b64a54d9
                              • Instruction ID: 17ea1e769216e0d70dae753332947a85557aed7dc9e8b50e8f3e119a65a02899
                              • Opcode Fuzzy Hash: 8f35bc77936d02bd8bfb90192c4675876bf8a2cd4dcf7b6fb2d72930b64a54d9
                              • Instruction Fuzzy Hash: BCF01961B18B81C9E7008F0AEC4006AA761BF45BC0F884436EF4D47779EFACD941C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: lstrcmp
                              • String ID: MMStuckRects3$MMStuckRectsLegacy$StuckRects3$StuckRectsLegacy
                              • API String ID: 1534048567-4175609545
                              • Opcode ID: bdb7a762ec4028ff19773bdbe32e6051e40cddc4f4050542620de6a89180ad4a
                              • Instruction ID: 883b92c0217aed4abd5a0fab2a3c799f349b0b6ecfd5726554fa90ec0555cd0f
                              • Opcode Fuzzy Hash: bdb7a762ec4028ff19773bdbe32e6051e40cddc4f4050542620de6a89180ad4a
                              • Instruction Fuzzy Hash: B1F01D71B18B81C9E7008F1AAC404697766BF45FC0F884531EB4E47729DFACE545C740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Addr64AllocFromLineVirtual
                              • String ID: ($Allocation too large!$Memory pool exhausted.
                              • API String ID: 3708110707-2461089917
                              • Opcode ID: 82671644744429d4bb92d67069d6a7788f83aa68fdde564f51c0551beeb17465
                              • Instruction ID: 8fb2c9de72391b9bd176af8378c4e3833f237ec8b9f9197be917f82ae75e31f6
                              • Opcode Fuzzy Hash: 82671644744429d4bb92d67069d6a7788f83aa68fdde564f51c0551beeb17465
                              • Instruction Fuzzy Hash: 5F51A472A08A828AE754DF29E4902BA77A0FB88BD4F044135DB5D4779ADFBCE491C740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$CreateInstance
                              • String ID: xxxx
                              • API String ID: 1177339427-1813341303
                              • Opcode ID: b5191f9778e8723cfa23f8a8210c8aed8ac3987907ab5605c0ec9587bdf6d9f1
                              • Instruction ID: f4b9b560312e22f40903669caa33f410c7b6b790aad012ca0ad0eeee3fe9c8bd
                              • Opcode Fuzzy Hash: b5191f9778e8723cfa23f8a8210c8aed8ac3987907ab5605c0ec9587bdf6d9f1
                              • Instruction Fuzzy Hash: A7519131B19A5389FB508F29E8806AD73A5EB89BE0F540236DB5D47B90DF7ED845C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: DisplayEnumInitializeMonitorsUninitialize
                              • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl
                              • API String ID: 3377822461-945323219
                              • Opcode ID: b2532f4d77b0dfdbd43d4c7a74ebef4ee03557c86b55352911c67f019bd3c841
                              • Instruction ID: abc389877c57572f3a9a99a8f9481f71f4fe9fd9c70239864ef5cdb938446b3b
                              • Opcode Fuzzy Hash: b2532f4d77b0dfdbd43d4c7a74ebef4ee03557c86b55352911c67f019bd3c841
                              • Instruction Fuzzy Hash: CA413332A0DB428AE791CF68E49426AB7A0FF847D4F54153AE78D476A4CFBDE444CB40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Create$_invalid_parameter_noinfo
                              • String ID: ShellFolder$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}
                              • API String ID: 219255893-1186126643
                              • Opcode ID: aed7e8650ed2a6a7fa3051a1e44cad45963077ced5e8af182ac4c206d37ed659
                              • Instruction ID: 31932e4006a99bd7f661bff3054baaeed05666d28736a33cb34ac44a5d1833e2
                              • Opcode Fuzzy Hash: aed7e8650ed2a6a7fa3051a1e44cad45963077ced5e8af182ac4c206d37ed659
                              • Instruction Fuzzy Hash: 3941E936618B8189DB60CF1AB88076AB7A5FB88BD4F444135EB8D87B59DF7CD054CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: #412#413ClassMessageRegisterWindowWord
                              • String ID: PeopleBand
                              • API String ID: 1253488571-1317317948
                              • Opcode ID: 00bf1fe5e74ed78e86a5325a78d99c602c0b160c2fae4a4883b20bc22997a9d9
                              • Instruction ID: f8d88305c49f4556dae30b95a350f9e540fb3408b8a0abbdc41bdb13c89ec037
                              • Opcode Fuzzy Hash: 00bf1fe5e74ed78e86a5325a78d99c602c0b160c2fae4a4883b20bc22997a9d9
                              • Instruction Fuzzy Hash: 3131B331E08642AEE7949B5DA58027A72A1FF487D0F040035DB5E57A94CFBCECE1D782
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ItemMenu$Info$Count
                              • String ID: P$[ROD]: Level %d Position %d/%d Status %d
                              • API String ID: 4286743509-735391699
                              • Opcode ID: e1e17733d45c5082e7cf109f97440a1acaccddaaf4d58eb13d68cb5c7e8099bd
                              • Instruction ID: dc03eb157d1575093deafbafd70c71f142f501199521d282ae7ec980e4334fe4
                              • Opcode Fuzzy Hash: e1e17733d45c5082e7cf109f97440a1acaccddaaf4d58eb13d68cb5c7e8099bd
                              • Instruction Fuzzy Hash: 9F2192717186818AEB508F29E49076E77A0FB89BC4F405035EF8E87799DF7DE4458B40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CloseEventHandleValuelstrcmp
                              • String ID: AltTabSettings
                              • API String ID: 3692967019-1137623902
                              • Opcode ID: 0afcefe90346c281578279029c8a8ded8b7faa482209d6a9f591e38616476c66
                              • Instruction ID: 4a761f727a411d0fed8aae7d82d07f0f2645597696f860a37d0d1702edc095be
                              • Opcode Fuzzy Hash: 0afcefe90346c281578279029c8a8ded8b7faa482209d6a9f591e38616476c66
                              • Instruction Fuzzy Hash: 6D111C35A09B838AEB509B29F88422967A4FB98BD4F044536EB9D43B64DFBCD454CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: )J$RtlGetVersion$ntdll.dll
                              • API String ID: 1646373207-687753697
                              • Opcode ID: 40be109ccd2fee6e5b842ad493b5d4303245f2623818bb1acce2d90060769a0a
                              • Instruction ID: 0eea33cb70b89bda93ab2ae0e4c00388aec4b1d810339ad78d1b0cb8307bbc99
                              • Opcode Fuzzy Hash: 40be109ccd2fee6e5b842ad493b5d4303245f2623818bb1acce2d90060769a0a
                              • Instruction Fuzzy Hash: B8115671E096428EFFB19B18D8643763290AF4C7C4F480035CB5D46399DFBCE5859612
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 80209b7930936a9e189f19b39c85d751dd38e10808ff28b9e7b9a83a32d31e9a
                              • Instruction ID: 38426de5adbf2f8f2df93a054f2fdbd51a62efeb74fc090be17522a4ba061593
                              • Opcode Fuzzy Hash: 80209b7930936a9e189f19b39c85d751dd38e10808ff28b9e7b9a83a32d31e9a
                              • Instruction Fuzzy Hash: 93F06261A1960289EB148F28E4853796760EF85BE1F541335C76E451F4CFACE448C340
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              • Opcode ID: e528e13f9be41aad643f060d0d1199269f21a2fdd535f9fe7f289e6188888710
                              • Instruction ID: 34e850d55039116109c5b34835f5a299e8fbc80581bda0db9d89a737758e0ed3
                              • Opcode Fuzzy Hash: e528e13f9be41aad643f060d0d1199269f21a2fdd535f9fe7f289e6188888710
                              • Instruction Fuzzy Hash: D7B1A1A2E0A68A89EA659F5D958023D67D4AF44BC4F098836DF4D07799DFBCF4428310
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Heap$Handle$CloseProcess$AddressAllocCreateFreeModuleMutexProcReleaseSemaphore
                              • String ID: wil
                              • API String ID: 3215620834-1589926490
                              • Opcode ID: 306703ea24084b581afddb5be4ed49465bea48b5cf6833c6ccc62fdb9fb647b1
                              • Instruction ID: 82f751f61423467143fb254cf919b0366ed1f30b429a04d061c16c59e53db07c
                              • Opcode Fuzzy Hash: 306703ea24084b581afddb5be4ed49465bea48b5cf6833c6ccc62fdb9fb647b1
                              • Instruction Fuzzy Hash: AD518422A18B828AE7609F25A95027A77B0FB98BD4F045235EF4D43B55EF7CF5A08704
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: MessageSendTimeout$ShellWindow
                              • String ID:
                              • API String ID: 1795729329-0
                              • Opcode ID: df9fee810fcfd716007199a647c37334879f3c85e0c05d576c8dc6250f3d142f
                              • Instruction ID: c1cfe883468e46ed403e6647f0f38e6256d0f77b414c0a97478670599812e1ec
                              • Opcode Fuzzy Hash: df9fee810fcfd716007199a647c37334879f3c85e0c05d576c8dc6250f3d142f
                              • Instruction Fuzzy Hash: 69313B32618B8187E7608B58F85061EBAA5FB89BB4F541325E6BD47BD8CFBCD5418F00
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                               • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CriticalSection$Leave$Enter
                              • String ID:
                              • API String ID: 2978645861-0
                              • Opcode ID: 1a92415a633d95fbb063690ab0e28c0a14bf50bd2e5e985193831506fdf3669f
                              • Instruction ID: 9a510f6a2f0080966c5b4fab2b1307de4bfced56ba5fa53e986d54da2adcbcda
                              • Opcode Fuzzy Hash: 1a92415a633d95fbb063690ab0e28c0a14bf50bd2e5e985193831506fdf3669f
                              • Instruction Fuzzy Hash: F7311021F2DA528AE7585F6DB8C423967A1FB85BC0F140039EB5E837A4DEEDF8448750
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Heap$FreeProcess$__std_exception_destroy
                              • String ID:
                              • API String ID: 107506009-0
                              • Opcode ID: 508a8f8c128779259fad8302647ce02a2afb58cfb7573152f94ff8ca8ed7eebd
                              • Instruction ID: d1ff9a2d16cde3d486b0ac3bd80e05f82cdcbb7aed8499c94c9e202459bb64e0
                              • Opcode Fuzzy Hash: 508a8f8c128779259fad8302647ce02a2afb58cfb7573152f94ff8ca8ed7eebd
                              • Instruction Fuzzy Hash: 57217F32A09B8186EB488B6AE980769B3A1FB85BD0F194135DF5D17B60CF79E4628300
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: _set_statfp
                              • String ID:
                              • API String ID: 1156100317-0
                              • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                              • Instruction ID: 52dd6ee43e7558787e25f2b81cb0a7cd67245f9696d3e699f10f322dd1311e8a
                              • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                              • Instruction Fuzzy Hash: 8B117C26E5CA039AFB64512CE4D63791D406F5D3F4F0A4A34EBAF062DACEEEAC415200
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CloseHandleTimerWaitable$CreateObjectSingleWait
                              • String ID:
                              • API String ID: 2007961542-0
                              • Opcode ID: f35fe9c5397126d8a8b6cc2eeadd2e7ad3a421f9d1d1043d657964b9880001d4
                              • Instruction ID: 325cbe71fb51a4efdac443e462daf5769dec62717115a0be04e5fd6d67096599
                              • Opcode Fuzzy Hash: f35fe9c5397126d8a8b6cc2eeadd2e7ad3a421f9d1d1043d657964b9880001d4
                              • Instruction Fuzzy Hash: CB01962261DB8286EB504B68B85162B77A0FF897E1F441135EF5E06758DF7CD0408B00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$Description: %s$Here is the stack trace:$THIS IS NOT A BUG, A DELIBERATE STACK TRACE REQUEST HAS BEEN MADE
                              • API String ID: 2826327444-1300954401
                              • Opcode ID: 5b9c26d1a7a765aca19a893aaf8f3b37c14e8039537c0f65ca4f22efadb90e26
                              • Instruction ID: 69a029fbc4cb5b9b2e870133b4a64469321c5a47b05dd0bc2ca0f135bf4c04ed
                              • Opcode Fuzzy Hash: 5b9c26d1a7a765aca19a893aaf8f3b37c14e8039537c0f65ca4f22efadb90e26
                              • Instruction Fuzzy Hash: 1601E661E4D9468EF984EB1DF4511B96360AF857C0F890231FB0E572ABEEACF5808701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$Description: %s$Here is the stack trace:$Unable to set the requested DPI awareness context
                              • API String ID: 2826327444-4207243742
                              • Opcode ID: 24ab273f7025f721364c5b8674c767793bcd91a4831abff6f511bc7d305de6a9
                              • Instruction ID: e95d9687ed1f8acb9443b1ccadc60fa3749f62771c9f12ce46126bcbf88d566d
                              • Opcode Fuzzy Hash: 24ab273f7025f721364c5b8674c767793bcd91a4831abff6f511bc7d305de6a9
                              • Instruction Fuzzy Hash: 3001E661E0D9468EF984EB1DF4511B96360AF857C0F890231FB0E572ABEEACF5808701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$Description: %s$Here is the stack trace:$One or more of the parameters supplied is invalid
                              • API String ID: 2826327444-753373920
                              • Opcode ID: a5b4a8dfd45a7964cedd182faa343b30e744949b1f966e26c53bbf05beb9e18a
                              • Instruction ID: b7f84227d1dce6f3c2054b6415dc3a4cb773b4d76e2fbcb9211941dbc8de41e8
                              • Opcode Fuzzy Hash: a5b4a8dfd45a7964cedd182faa343b30e744949b1f966e26c53bbf05beb9e18a
                              • Instruction Fuzzy Hash: 7201E661E0D9468EF984EB1DF4511B96360AF857C0F890231EB0E572ABEEACF5818701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$Description: %s$Here is the stack trace:$The requested procedure was not found
                              • API String ID: 2826327444-1242647813
                              • Opcode ID: 75995d7f11c179413857d765ebe3de4459dd291b6dc8d62efb3aab6ee8e2e411
                              • Instruction ID: e09a108ed2e823649c433608b62299b1153de6c571c6de5ac95dec3a257b7571
                              • Opcode Fuzzy Hash: 75995d7f11c179413857d765ebe3de4459dd291b6dc8d62efb3aab6ee8e2e411
                              • Instruction Fuzzy Hash: 1401E661E0D9468EF984EB1DF4511B96360AF857C0F890231EB0E572ABEEACF5808701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$Description: %s$Functionality is not initialized$Here is the stack trace:
                              • API String ID: 2826327444-176991105
                              • Opcode ID: 280dc8867c10ca6339ad6ffcc938aecfe2b24f13a88c74bc7b3b09a4a3860d90
                              • Instruction ID: b9e429c5865dcbea3083547235c53e46b583742bbb1547be937a44785acf6d2a
                              • Opcode Fuzzy Hash: 280dc8867c10ca6339ad6ffcc938aecfe2b24f13a88c74bc7b3b09a4a3860d90
                              • Instruction Fuzzy Hash: FE01E661E0D9468EFD84EB1DF4511B96360AF857C0F890231EB0E572ABEEACF5818711
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$Description: %s$Here is the stack trace:$The requested library is not available
                              • API String ID: 2826327444-2487367941
                              • Opcode ID: 4a69e9522ff560458051ec1ba8836a3b4ef2975eb35f0b27065e212659313a78
                              • Instruction ID: 7151c4544b5a5fd994395aca003c57c00330b47b6bbedd503d8a7baf7145f13e
                              • Opcode Fuzzy Hash: 4a69e9522ff560458051ec1ba8836a3b4ef2975eb35f0b27065e212659313a78
                              • Instruction Fuzzy Hash: 7B01E661E0D9468EFD94EB1DF4511B96360AF857C0F890231FB0E572ABEEACF5808701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$A generic error has occured$Description: %s$Here is the stack trace:
                              • API String ID: 2826327444-2479978688
                              • Opcode ID: 4878480ea47d561040410f0f84e6f0f0e1a8efa5d006c276a542e0dabd8cca74
                              • Instruction ID: 3a5cd5e4e2b4b8e964a7614961b5b4459a5fe2eed46e9ff423aeab421171b852
                              • Opcode Fuzzy Hash: 4878480ea47d561040410f0f84e6f0f0e1a8efa5d006c276a542e0dabd8cca74
                              • Instruction Fuzzy Hash: 0301C261E0D9468EF984EB1DB4511B96360AF857C0F890231EB0E572ABEEACF5808701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$Description: %s$Here is the stack trace:$Insufficient memory. Please close some applications and try again
                              • API String ID: 2826327444-3218687599
                              • Opcode ID: 7bb42ebe61512666ec6cb57e6b43ee85e0bb6e591d5c5e8ac78c43debcde0836
                              • Instruction ID: c1092691d7ca00c6774266cbfd50d4397a10b164f859f4964b317082131e244b
                              • Opcode Fuzzy Hash: 7bb42ebe61512666ec6cb57e6b43ee85e0bb6e591d5c5e8ac78c43debcde0836
                              • Instruction Fuzzy Hash: 3101E661E0D9468EFD84EB1DF4511B96360AF857C0F890231FB4E572ABEEACF5818701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Is_bad_exception_allowed
                              • String ID: csm$csm$csm
                              • API String ID: 2758241748-393685449
                              • Opcode ID: 0f408a928b9063f3cb43c95ecb0e6ad9ed1d94acb3a705d365a36861a7962b86
                              • Instruction ID: d7f43ab76bdb019a6727b0721f8586ee2fb5a439a85014db696162e9bfa8eadf
                              • Opcode Fuzzy Hash: 0f408a928b9063f3cb43c95ecb0e6ad9ed1d94acb3a705d365a36861a7962b86
                              • Instruction Fuzzy Hash: 1AE18CB290868A8EE7209F68D4912AD7BE0EB45788F140136EF9D57696DF7CF581CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                              • API String ID: 3215553584-1196891531
                              • Opcode ID: 029c5fe67b73cdfdd60bdaa44205972f0f340c7a38dfe566cdf3be9392e55d4c
                              • Instruction ID: b5eb57417113c94416e8d948da965610a31ab2c7b9163b9bb00c1021b5d73f39
                              • Opcode Fuzzy Hash: 029c5fe67b73cdfdd60bdaa44205972f0f340c7a38dfe566cdf3be9392e55d4c
                              • Instruction Fuzzy Hash: 1E81AC72E0C2428DFB658F2DC25427977A1EF21BC8F55803ADB0E97295DBADF9019701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                              APIs
                              Strings
                              Similarity
                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                              • String ID: csm
                              APIs
                              Strings
                              • D:\a\ExplorerPatcher\ExplorerPatcher\packages\Microsoft.Windows.ImplementationLibrary.1.0.230824.2\include\wil\resource.h, xrefs: 00007FF8BEE4117B
                              Similarity
                              • API ID: CurrentDebugDebuggerOutputPresentStringThread
                              • String ID: D:\a\ExplorerPatcher\ExplorerPatcher\packages\Microsoft.Windows.ImplementationLibrary.1.0.230824.2\include\wil\resource.h
                              APIs
                              Strings
                              Similarity
                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                              • String ID: csm$csm
                              APIs
                              Strings
                              Similarity
                              • API ID: Monitor$CreateFromInfoInstanceRect
                              • String ID: TwinUIPatches.cpp
                              APIs
                              • MultiByteToWideChar.KERNEL32 ref: 00007FF8BEE7B607
                              • SysFreeString.OLEAUT32 ref: 00007FF8BEE7B6B4
                                • Part of subcall function 00007FF8BEE3A9E0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000000,00007FF8BEE3B2DF,?,?,?,?,?,00000000,?,00007FF8BEE3BADB), ref: 00007FF8BEE3AA03
                              • MultiByteToWideChar.KERNEL32 ref: 00007FF8BEE7B645
                                • Part of subcall function 00007FF8BEE3FFA0: GetProcessHeap.KERNEL32 ref: 00007FF8BEE3FFC4
                                • Part of subcall function 00007FF8BEE3FFA0: HeapFree.KERNEL32 ref: 00007FF8BEE3FFD1
                              Strings
                              Similarity
                              • API ID: Heap$ByteCharFreeMultiProcessWide$String
                              • String ID: W
                              APIs
                              Strings
                              Similarity
                              • API ID: Value$AddressHandleModuleOpenProcQuerylstrcmp
                              • String ID: ShowCortanaButton$TaskbarDa
                              APIs
                              Strings
                              Similarity
                              • API ID: Value$From_invalid_parameter_noinfo
                              • String ID: EnableMTCUVC$Software\Microsoft\Windows NT\CurrentVersion\MTCUVC
                              APIs
                              Strings
                              Similarity
                              • API ID: ItemMenu$CountInfo
                              • String ID: "$P
                              APIs
                              Strings
                              Similarity
                              • API ID: Value$Fromlstrcmp
                              • String ID: UseWin32BatteryFlyout
                              APIs
                              Strings
                              Similarity
                              • API ID: ThreadWindow$EnumFindProcessWindows
                              • String ID: ApplicationManager_ImmersiveShellWindow
                              APIs
                              Strings
                              Similarity
                              • API ID: FindWindow
                              • String ID: SHELLDLL_DefView$WorkerW
                              APIs
                              Strings
                              Similarity
                              • API ID: Message$ClassPostRegisterWindowWord
                              • String ID: WorkerW
                              APIs
                              Strings
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RaiseFailFastException$kernelbase.dll
                              APIs
                              Similarity
                              • API ID: FileWrite$ConsoleErrorLastOutput
                              • String ID:
                              • API String ID: 2718003287-0
                              • Opcode ID: 827301bbf73ee794d4cbbb220726300af4e68b43f7bc6836aeb60430446fd9f0
                              • Instruction ID: 05abe28b4fbb44c69b62c635fd7ab139f2ae26be547047eae1116c0ed45017e9
                              • Opcode Fuzzy Hash: 827301bbf73ee794d4cbbb220726300af4e68b43f7bc6836aeb60430446fd9f0
                              • Instruction Fuzzy Hash: 98D1CE72B18B818DE715CFA9D4802AC3BB1EB45BD8F044225EF5E97B99DE78E406C340
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Heap_invalid_parameter_noinfo$FreeProcess
                              • String ID:
                              • API String ID: 3364316771-0
                              • Opcode ID: cea42ef51c2c06b5f114bfec80a09f6f38cf7f9a6300bdbeb4d183cee8b85edc
                              • Instruction ID: 4111af33accf473e67dd734312b8fb752711b905584e97a8c8088cbbbb2b3c74
                              • Opcode Fuzzy Hash: cea42ef51c2c06b5f114bfec80a09f6f38cf7f9a6300bdbeb4d183cee8b85edc
                              • Instruction Fuzzy Hash: FC81E266A49B8289EB168F199644279A7B6FF04FD8F188431DF4D07789CFBDE466C300
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: PerformanceQuery$#410#412CounterCursorFrequencyMenuPopupTrack
                              • String ID:
                              • API String ID: 2611046820-0
                              • Opcode ID: 6e4c59f5cddd525b48263cefdc0b17beb49f6c27f7a0b4ce120e260110584f11
                              • Instruction ID: ab8be73a9238bbd4e08afa2f0c16f938996d0bf57e95c9772066e4c2a64a879e
                              • Opcode Fuzzy Hash: 6e4c59f5cddd525b48263cefdc0b17beb49f6c27f7a0b4ce120e260110584f11
                              • Instruction Fuzzy Hash: 2D415132A086428EEB208F59E48066EA7A0FF897D0F504036EB4D57764CEBDE845CB40
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: PerformanceQuery$#410#412CounterCursorFrequencyMenuPopupTrack
                              • String ID:
                              • API String ID: 2611046820-0
                              • Opcode ID: 94383dd62891745bf7bce47a25c8260786a77ccf9eff9fd3b064278bc6400af2
                              • Instruction ID: 491874cf2d1b856c2e91ead0bd6f0f5fe5df3b266c619a727cfae182594d16a5
                              • Opcode Fuzzy Hash: 94383dd62891745bf7bce47a25c8260786a77ccf9eff9fd3b064278bc6400af2
                              • Instruction Fuzzy Hash: F5415D22A1D6828EFA608F59E88067EB7A1FF897D0F504036EB4D47654CEBCE941CB40
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$Search
                              • String ID:
                              • API String ID: 1061791571-0
                              • Opcode ID: 946f8cae8b5b9d015c77196a61e294205d4a01f28a426854e1f270abb1160bd5
                              • Instruction ID: 54cf023a2965fdc06208a077d9dcb3554b7a3e3fc3bebad2d8e80690669a55ad
                              • Opcode Fuzzy Hash: 946f8cae8b5b9d015c77196a61e294205d4a01f28a426854e1f270abb1160bd5
                              • Instruction Fuzzy Hash: 99413D76A09A468AFB608B19E49036677A0FB89BD4F115036EB0D437B4DFBCE8D5C740
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ExclusiveLock$AcquireRelease
                              • String ID:
                              • API String ID: 17069307-0
                              • Opcode ID: 313c56aac8693e6bd7644ef5f6484252a958648c6b86227760b8e058a361e185
                              • Instruction ID: 735ede42a42fe02237549e2ee6097648a85705bd3edadc400dab1354d53c013f
                              • Opcode Fuzzy Hash: 313c56aac8693e6bd7644ef5f6484252a958648c6b86227760b8e058a361e185
                              • Instruction Fuzzy Hash: 5221C122718B8685EB41DF29E5902AD73A0FB88BC4F484431EB8D83B89DF7CD551CB00
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Process$Window$CloseEnumFileFindHandleImageListNameOpenProcessesRegisterResourcesSessionShutdownStartThreadTimes
                              • String ID:
                              • API String ID: 1342731755-0
                              • Opcode ID: 20e33d10a4184354a0f613581d4d014b7fe66c7707c619d43fa3e48570e76614
                              • Instruction ID: 84ec262aaade6bf508dfd9c9f17c3062a2c6ac6954d140f52943849bc2fc807f
                              • Opcode Fuzzy Hash: 20e33d10a4184354a0f613581d4d014b7fe66c7707c619d43fa3e48570e76614
                              • Instruction Fuzzy Hash: D3210C72A18B828AE710DF28E8946AA73A1FFC9794F405135E78D42A64DFBCE545CB40
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 2933794660-0
                              • Opcode ID: eb4a947963e005101faac0d65b8e27ef659be33c1a433e75e87c82fc8b7ad02a
                              • Instruction ID: 6a1cb80124c94dc24f69324ac14f79095dd00088fd2308e0f181577e5ce92340
                              • Opcode Fuzzy Hash: eb4a947963e005101faac0d65b8e27ef659be33c1a433e75e87c82fc8b7ad02a
                              • Instruction Fuzzy Hash: 2C113C22B15F058EEB00DF64E8942B833A4FB59798F441E35EB6D967A8DFBCD1548340
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: FreeLocal
                              • String ID: ====================================$Description: %s$Here is the stack trace:
                              • API String ID: 2826327444-530566993
                              • Opcode ID: 5edbddd9c504f60b4359ff91c015bc9b2d895708f4c1124b9fa623321c0ba941
                              • Instruction ID: 81b2486e33239edf869d0e1b5279efe3fcaf46ec466e9f1566d71f68386955d6
                              • Opcode Fuzzy Hash: 5edbddd9c504f60b4359ff91c015bc9b2d895708f4c1124b9fa623321c0ba941
                              • Instruction Fuzzy Hash: 72F0E661E0D5468EFA80EB1DB45117D6360AF857C0F450231FB4E5729BEEACF5808711
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: __except_validate_context_record
                              • String ID: csm$csm
                              • API String ID: 1467352782-3733052814
                              • Opcode ID: d8082b7006d163f8c35e851c49aec36f61e2f18eb4ee73712fd4fd4773bdb9fc
                              • Instruction ID: a27a2aefa33c3026900534287a531cca0f63b4c5a13b4f9302f9d49f2bbc0245
                              • Opcode Fuzzy Hash: d8082b7006d163f8c35e851c49aec36f61e2f18eb4ee73712fd4fd4773bdb9fc
                              • Instruction Fuzzy Hash: F17192B29086858EDB608F29D4607797BE0FB45BC8F149136DF8D57A89DF6CE491C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                              • String ID: .dll
                              • API String ID: 73155330-2738580789
                              • Opcode ID: cfb59001a9207c6cd0ac9777086a35be51a90529a9f34389d0dafd787fd9ac5f
                              • Instruction ID: ac955c419ef165cc4d8494d65ef25547469f2cd329d131baf6aa9500e9368769
                              • Opcode Fuzzy Hash: cfb59001a9207c6cd0ac9777086a35be51a90529a9f34389d0dafd787fd9ac5f
                              • Instruction Fuzzy Hash: CC41E162B08A4289EE109B69E5542BE63A1EB44BE4F940732DB7D07BD5EFBCE041C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ErrorFileLastWrite
                              • String ID: U
                              • API String ID: 442123175-4171548499
                              • Opcode ID: 6e8b134f65fd2beae049d5b96ea9d5d6d5a4b9a636e8214698cef711629abd11
                              • Instruction ID: 8d1a5a049c94153c4426b3fcc56994d8a5b8569cc5c67db738255be57bfc19df
                              • Opcode Fuzzy Hash: 6e8b134f65fd2beae049d5b96ea9d5d6d5a4b9a636e8214698cef711629abd11
                              • Instruction Fuzzy Hash: AE41A262A19B818ADB208F69E4943A96BA0FF887D4F444035EF4D87798EFBCD441C710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CreateInstance
                              • String ID: Microsoft.ProgramsAndFeatures$Microsoft.System
                              • API String ID: 542301482-3255149969
                              • Opcode ID: 92763ffc1d9867786412e0d7f6ff3e3557efa1aa0ba69767de9fc49c93acccc8
                              • Instruction ID: 93b92ea3ebd70530c2d9004768ef601973ea4d00e8a4e483e522d25ea934539b
                              • Opcode Fuzzy Hash: 92763ffc1d9867786412e0d7f6ff3e3557efa1aa0ba69767de9fc49c93acccc8
                              • Instruction Fuzzy Hash: C9315E26A18A428AFB518F6DE89067963A1BF84BD4F444435EF0E07768EFBDE485C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ClassName
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 1191326365-1433838494
                              • Opcode ID: c9ea4d571e726979cd25428ce0d519139d513b68f189776e072e990548b2ae5e
                              • Instruction ID: 02a2aaccdf727e990aa65018dfa5ed459e2f06c5c8c7b0005eb676c095434032
                              • Opcode Fuzzy Hash: c9ea4d571e726979cd25428ce0d519139d513b68f189776e072e990548b2ae5e
                              • Instruction Fuzzy Hash: B521EB22A0968186F7649F19A450BBD3361FF98BE0F844136EF4D06799DFBCD585C301
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2175033966.00007FF8BEE11000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8BEE10000, based on PE: true
                              • Associated: 0000000A.00000002.2175011790.00007FF8BEE10000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175083796.00007FF8BEE7D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175117571.00007FF8BEEAA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175144996.00007FF8BEEAB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175165050.00007FF8BEEB0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175190381.00007FF8BEEB2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175215709.00007FF8BEEB8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 0000000A.00000002.2175238612.00007FF8BEEBB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ClassName
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 1191326365-1433838494
                              APIs
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: CacheFlushValue_invalid_parameter_noinfo
                              • String ID: Attributes
                              • API String ID: 3611136396-2126945696
                              APIs
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
                              • String ID: xx????xxx????xxxxx
                              • API String ID: 1029361184-12075917
                              APIs
                              • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8BEE3503F), ref: 00007FF8BEE5ABD4
                              • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8BEE3503F), ref: 00007FF8BEE5AC15
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ExceptionFileHeaderRaise
                              • String ID: csm
                              • API String ID: 2573137834-1018135373
                              APIs
                              Strings
                              • $start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current, xrefs: 00007FF8BEE2FEFE
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Open
                              • String ID: $start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current
                              • API String ID: 71445658-2485209836
                              APIs
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Valuelstrcmp
                              • String ID: ReplaceVan
                              • API String ID: 372169353-130473729
                              APIs
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Message$PostQuitRegisterWindow
                              • String ID: TaskbarCreated
                              • API String ID: 1640695409-2362178303
                              APIs
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Session$ListRegisterResourcesRestartShutdownStart
                              • String ID: RmRestart error: %d
                              • API String ID: 4293926141-2348054958
                              APIs
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: ModuleProtectVirtual$CurrentHandleInformationLibraryLoadProcess
                              • String ID: Windows.UI.Xaml.dll
                              • API String ID: 3223347177-2173645706
                              APIs
                              Strings
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Window$FindProcessThread
                              • String ID: ApplicationManager_ImmersiveShellWindow
                              • API String ID: 3928697162-213675812
                              APIs
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7ff8bee10000_explorer.jbxd
                              Similarity
                              • API ID: Heap$FreeProcess
                              • String ID:
                              • API String ID: 3859560861-0