Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Analysis ID: 1510261
MD5: 45a5a443c01abd7618efef4827241312
SHA1: 5390d36a371f0598b86301961d5fdb329e368e7a
SHA256: d7f98b8af8a3bfe9d93ce31558a62e4d5d0cd425bc30bbc0d517901e5b82bf46
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Contains functionality to automate explorer (e.g. start an application)
Query firmware table information (likely to detect VMs)
Sigma detected: Explorer NOUACCHECK Flag
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (foreground window change detection)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses taskkill to terminate processes
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe" MD5: 45A5A443C01ABD7618EFEF4827241312)
    • taskkill.exe (PID: 6956 cmdline: "C:\Windows\system32\taskkill.exe" /f /im explorer.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1436 cmdline: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5328 cmdline: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • regsvr32.exe (PID: 1836 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • regsvr32.exe (PID: 3288 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • explorer.exe (PID: 2944 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 6304 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 6304, ProcessName: explorer.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-12T18:41:55.035052+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 140.82.121.4 | 443 | TCP

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 83.0% probability
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1826FE80 CreateFileW,GetLastError,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext,CloseHandle,9_2_00007FFE1826FE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1824DB90 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,RegDeleteKeyValueW,RegDeleteKeyValueW,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,9_2_00007FFE1824DB90
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18265CF0 RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetSystemDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,RegDeleteValueW,RegCloseKey,9_2_00007FFE18265CF0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823D920 GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,9_2_00007FFE1823D920
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823DAC0 SHGetFolderPathW,FindFirstFileW,FindClose,9_2_00007FFE1823DAC0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18293B58 FindFirstFileExW,9_2_00007FFE18293B58
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823CE30 CreateFileA,CreateFileMappingW,CloseHandle,MapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,PathRemoveFileSpecA,UnmapViewOfFile,CloseHandle,CloseHandle,FindFirstFileA,FindClose,DeleteFileA,UnmapViewOfFile,CloseHandle,CloseHandle,9_2_00007FFE1823CE30
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE182652A0 RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryA,RegCloseKey,RegSetValueExW,RegSetValueExA,RegSetValueExW,RegCloseKey,9_2_00007FFE182652A0

Networking

Source: C:\Windows\explorer.exe | Network Connect: 140.82.121.4 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.110.133 443
Source: Joe Sandbox View | IP Address: 140.82.121.4
Source: Joe Sandbox View | IP Address: 185.199.110.133
Source: Joe Sandbox View | ASN Name: GITHUBUS
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 140.82.121.4:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823C6A0 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,9_2_00007FFE1823C6A0
Source: global traffic | HTTP traffic detected: GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1 | User-Agent: ExplorerPatcher | Host: github.com
Source: global traffic | HTTP traffic detected: GET /valinet/ExplorerPatcher/releases/download/22621.3880.66.5_5094108/ep_setup.exe HTTP/1.1 | User-Agent: ExplorerPatcher | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /github-production-release-asset-2e65be/394318710/d0ea7754-53d3-4f5a-b870-915f924fbb56?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240912%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240912T163954Z&X-Amz-Expires=300&X-Amz-Signature=8fed816d98f14b6776e39f90b7c0f1faf84d31bab0f7367704e2bf907b99482b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=394318710&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream HTTP/1.1 | User-Agent: ExplorerPatcher | Connection: Keep-Alive | Host: objects.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: api.msn.com
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.1773069236.00007FF733126000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1
Source: explorer.exe, 00000009.00000003.1773648082.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.1771490317.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1777857049.00000000027F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1849449600.000000000D44B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02xFeedsCNhttps://
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet)
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher#donate
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/blob/master/CHANGELOG.md
Source: explorer.exeString found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions
Source: explorer.exeString found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions/1102
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions/1679
Source: explorer.exeString found in binary or memory: https://github.com/valinet/ExplorerPatcher/issues
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/issueshttps://github.com/valinet/ExplorerPatcher/discussi
Source: explorer.exeString found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/About-advanced-settings
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Configure-updates
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/ExplorerPatcher
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Frequently-asked-questions
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Settings-management
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Simple-Window-Switcher
Source: explorer.exe, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Symbols
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/SymbolsMicrosoft.Windows.Explorer
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Using-ExplorerPatcher-as-shell-extension
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Weather
Source: explorer.exe, 00000009.00000003.1772607654.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2045484810.00000000103C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://msn.comError
Source: explorer.exe, 0000000A.00000003.1912234304.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BAA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/
Source: explorer.exe, 0000000A.00000003.1912557909.000000000BACA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/d0ea7754-53d3
Source: explorer.exe, 0000000A.00000003.1912234304.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BAA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/s
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1
Source: explorer.exe, 0000000A.00000003.2032672748.000000000B9C5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1928410983.000000000B950000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard39.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/39B7A82995
Source: explorer.exe, 0000000A.00000003.2336219974.000000000F4BD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2336219974.000000000F52D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vsblobprodscussu5shard6.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/C0866EA3E54
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754001005.000001B932081000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valinet.ro
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valinet.ro)
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18251870 GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW | 9_2_00007FFE18251870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFE1823D290 appears 78 times
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFE182311B0 appears 172 times
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFE18287E1C appears 61 times
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFE18288004 appears 42 times
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFE182542F0 appears 70 times
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ep_setup.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ep_gui.dll.0.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754266792.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1757521104.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753761329.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_dwm.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1752836203.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1752863673.000001B92F975000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754987941.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.1772722804.000001B92F8FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesc.exej% vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754987941.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1757360440.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.1772834654.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753794147.000001B92F96C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_dwm.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754494111.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebView2Loader.dll~/ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_gui.dll@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1756079750.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1771841843.000001B92F8FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesc.exej% vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754558844.000001B92F977000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebView2Loader.dll~/ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1758655633.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754001005.000001B932081000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1771745048.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754494111.000001B92F98A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: classification engine | Classification label: mal64.evad.winEXE@17/18@3/2
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18273930 VirtualProtect,GetLastError,FormatMessageA,GetLastError | 9_2_00007FFE18273930
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823DCF0 GetWindowsDirectoryW,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,TerminateProcess,CloseHandle,Process32NextW,CloseHandle | 9_2_00007FFE1823DCF0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1824A830 CoCreateInstance,CoCreateInstance | 9_2_00007FFE1824A830
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18250D10 LoadLibraryW,GetModuleHandleW,LoadLibraryW,LoadLibraryW,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,GetCurrentProcess,K32GetModuleInformation,FindResourceW,LoadResource,LockResource,SizeofResource,LoadLibraryW,GetModuleHandleW,CreateEventW,CreateThread,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibraryAndExitThread,FreeLibraryAndExitThread,FreeLibraryAndExitThread,FreeLibraryAndExitThread | 9_2_00007FFE18250D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ExplorerPatcher
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: explorer.exe | String found in binary or memory: Could not modify already-installed funchook handle.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Sections loaded (in order): apphelp.dll, rstrtmgr.dll, version.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll, ntmarta.dll, linkinfo.dll, ntshrui.dll, cscapi.dll
Source: C:\Windows\System32\taskkill.exe | Sections loaded (in order): version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Windows\System32\regsvr32.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, uxtheme.dll, webview2loader.dll, version.dll, dwmapi.dll, windows.storage.dll, wldp.dll, apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, uxtheme.dll
Source: C:\Windows\explorer.exe | Sections loaded (in order): aepic.dll, twinapi.dll, ntmarta.dll, userenv.dll, iphlpapi.dll, powrprof.dll, windows.storage.dll, dxgi.dll, windows.storage.dll, cryptsp.dll, kernel.appcore.dll, propsys.dll, coremessaging.dll, urlmon.dll, windows.storage.dll, windows.storage.dll, kernel.appcore.dll, wtsapi32.dll, wininet.dll, uxtheme.dll, dwmapi.dll, sspicli.dll, kernel.appcore.dll, twinapi.appcore.dll, wldp.dll, iertutil.dll, srvcli.dll, netutils.dll, dbghelp.dll, version.dll, rstrtmgr.dll, oleacc.dll, ncrypt.dll, umpdc.dll, ntasn1.dll, dxgi.dll, explorerframe.dll, windows.ui.fileexplorer.dll, rsaenh.dll, cryptbase.dll, twinui.pcshell.dll, wkscli.dll, dwrite.dll, dcomp.dll, wincorlib.dll, cdp.dll, dsreg.dll, msvcp110_win.dll, twinui.dll, wintypes.dll, pdh.dll, stobject.dll, wmiclnt.dll, devobj.dll, pnidui.dll, mobilenetworking.dll, sndvolsso.dll, mmdevapi.dll, peopleband.dll, d2d1.dll, d3d11.dll, ninput.dll, wpnapps.dll, rmclient.dll, xmllite.dll, taskschd.dll
Source: C:\Windows\explorer.exe | Sections loaded (in order): aepic.dll, twinapi.dll, userenv.dll, ntmarta.dll, cryptsp.dll, iphlpapi.dll, powrprof.dll, windows.storage.dll, dxgi.dll, windows.storage.dll, kernel.appcore.dll, propsys.dll, coremessaging.dll, urlmon.dll, windows.storage.dll, windows.storage.dll, kernel.appcore.dll, wtsapi32.dll, wininet.dll, uxtheme.dll, dwmapi.dll, sspicli.dll, kernel.appcore.dll, twinapi.appcore.dll, wldp.dll, dbghelp.dll, uxtheme.dll, dwmapi.dll, iertutil.dll, srvcli.dll, netutils.dll, wininet.dll, version.dll, rstrtmgr.dll, oleacc.dll, ncrypt.dll, umpdc.dll, ntasn1.dll, dxgi.dll, explorerframe.dll
Source: C:\Windows\explorer.exe | Sections loaded (continued): windows.ui.fileexplorer.dll, rsaenh.dll, cryptbase.dll, twinui.pcshell.dll, wkscli.dll, dwrite.dll, dcomp.dll, wincorlib.dll, cdp.dll, dsreg.dll, msvcp110_win.dll, twinui.dll, wintypes.dll, pdh.dll, stobject.dll, wmiclnt.dll, devobj.dll, pnidui.dll, mobilenetworking.dll, sndvolsso.dll, mmdevapi.dll, peopleband.dll, d2d1.dll, d3d11.dll, ninput.dll, wpnapps.dll, rmclient.dll, xmllite.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, profapi.dll, onecoreuapcommonproxystub.dll, starttiledata.dll, usermgrcli.dll, idstore.dll, windows.staterepositoryps.dll, wlidprov.dll, samcli.dll, policymanager.dll, windows.applicationmodel.dll, appxdeploymentclient.dll, usermgrproxy.dll, winsta.dll
Source: C:\Windows\explorer.exe | Sections loaded (continued): textshaping.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coreuicomponents.dll, coreuicomponents.dll, windowscodecs.dll, resourcepolicyclient.dll, d3d10warp.dll, windows.staterepositoryclient.dll, dxcore.dll, windows.cloudstore.dll, appextension.dll, cldapi.dll, fltlib.dll, windows.cloudstore.schema.shell.dll, dataexchange.dll, apphelp.dll, tiledatarepository.dll, staterepository.core.dll, windows.staterepository.dll, windows.staterepositorycore.dll, mrmcorer.dll, languageoverlayutil.dll, bcp47mrm.dll, windows.immersiveshell.serviceprovider.dll, thumbcache.dll, edputil.dll, onecorecommonproxystub.dll, twinui.appcore.dll, applicationframe.dll, photometadatahandler.dll, ntshrui.dll, cscapi.dll, linkinfo.dll, secur32.dll, ehstorshell.dll, cscui.dll, provsvc.dll, holographicextensions.dll, virtualmonitormanager.dll, resourcepolicyclient.dll, windows.ui.immersive.dll, abovelockapphost.dll, npsm.dll, windows.web.dll, windows.shell.bluelightreduction.dll, windows.internal.signals.dll, tdh.dll, mscms.dll, coloradapterclient.dll
Source: C:\Windows\explorer.exe | Sections loaded (continued): vcruntime140_1.dll, vcruntime140.dll, msvcp140.dll, vcruntime140.dll, windows.staterepositorybroker.dll, mfplat.dll, rtworkq.dll, taskflowdataengine.dll, structuredquery.dll, actxprxy.dll, windows.security.authentication.web.core.dll, windows.data.activities.dll, windows.internal.ui.shell.windowtabmanager.dll, windows.system.launcher.dll, windows.shell.servicehostbuilder.dll, notificationcontrollerps.dll, windows.devices.enumeration.dll, windows.globalization.dll, icu.dll, mswb7.dll, devdispitemprovider.dll, windows.networking.connectivity.dll, uianimation.dll, windows.ui.core.textinput.dll, windowsudk.shellcommon.dll, dictationmanager.dll, npmproxy.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, winnsi.dll, dpapi.dll, msasn1.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, workfoldersshell.dll, windows.fileexplorer.common.dll, schannel.dll, taskschd.dll, mskeyprotect.dll, ncryptsslp.dll, gpapi.dll, pcshellcommonproxystub.dll, cryptngc.dll, cflapi.dll, execmodelproxy.dll, daxexec.dll, container.dll, shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe | Sections loaded (continued): uiautomationcore.dll, samlib.dll, msxml6.dll, batmeter.dll, capabilityaccessmanagerclient.dll, sxs.dll, inputswitch.dll, windows.ui.shell.dll, prnfldr.dll, es.dll, wpnclient.dll, dxp.dll, shdocvw.dll, atlthunk.dll, syncreg.dll, actioncenter.dll, wevtapi.dll, audioses.dll, netprofm.dll, networkuxbroker.dll, ethernetmediamanager.dll, dusmapi.dll, wlanapi.dll, ncsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, wpdshserviceobj.dll, portabledevicetypes.dll, portabledeviceapi.dll, cscobj.dll, srchadmin.dll, windows.storage.search.dll, synccenter.dll, imapi2.dll, bluetoothapis.dll, bluetoothapis.dll, bluetoothapis.dll, bluetoothapis.dll, settingsync.dll, settingsynccore.dll, windows.ui.xaml.dll, windowsinternal.composableshell.desktophosting.dll, uiamanager.dll, wscinterop.dll, wscapi.dll, werconcpl.dll, framedynos.dll, wer.dll, hcproviders.dll, ieproxy.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Properties (ExplorerPatcher).lnk.0.dr | LNK file: ..\..\..\..\..\..\Windows\System32\rundll32.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic file information: File size 10525696 > 1048576
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x9d1a00
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754494111.000001B92F950000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.1912234304.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2034843476.000000000B8F3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb( source: explorer.exe, 0000000A.00000003.2032672748.000000000BA85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BA85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BA85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eehttp://msdl.microsoft.com/download/symbols/StartUI.pdb/74D47198CB4699BA710AD8B2C5310DD91/StartUI.pdb source: explorer.exe, 0000000A.00000003.2338063758.000000000F533000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2338182098.000000000F589000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2336219974.000000000F52D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host_stub.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754219678.000001B92F950000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754289039.000001B92F96A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdbi source: explorer.exe, 0000000A.00000003.2032672748.000000000BA85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BA85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BA85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb0V source: explorer.exe, 0000000A.00000003.1901047401.000000000BD40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartUI.pdb source: explorer.exe, 00000009.00000003.1772607654.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2045484810.00000000103C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sshttp://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.2032672748.000000000B946000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdbLXy source: explorer.exe, 0000000A.00000003.2038461778.000000000B9C5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1928410983.000000000B9C5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1912234304.000000000BA34000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2032672748.000000000B9C5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_gui.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.2034843476.000000000B8F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GET /download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb HTTP/1.1 source: explorer.exe, 0000000A.00000003.1884335541.000000000B909000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1876558912.000000000B909000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdbUGP source: explorer.exe, 00000009.00000003.1773648082.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.1771490317.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1777857049.00000000027F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1849449600.000000000D44B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdb source: explorer.exe, 00000009.00000003.1773648082.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.1771490317.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1777857049.00000000027F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1849449600.000000000D44B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ExplorerPatcher.amd64.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdbOGP source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754494111.000001B92F950000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb HTTP/1.1/download/symbols/twinui.pcshell.pdb/56A53B20B8D4F79E69038072C21547311/twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.1884335541.000000000B909000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1876558912.000000000B909000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.2032672748.000000000BA85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BA85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2034843476.000000000B8F3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BA85000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1912234304.000000000BA34000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1912557909.000000000BA84000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040636400.000000000B905000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_dwm.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753761329.000001B92F950000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753794147.000001B92F96C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols/StartUI.pdb/74D47198CB4699BA710AD82C5 source: explorer.exe, 0000000A.00000003.2338567821.000000000BD25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vC:\Users\user\AppData\Roaming\ExplorerPatcher\StartUI.pdb source: explorer.exe, 0000000A.00000003.2338774634.000000000BAFA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tUI.pdb source: explorer.exe, 0000000A.00000003.2338567821.000000000BD25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\Win32\ExplorerPatcher.IA-32.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1752836203.000001B92F950000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1752863673.000001B92F975000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000000.1727366409.00007FF733126000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.1773069236.00007FF733126000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754001005.000001B932081000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartUI.pdbH source: explorer.exe, 00000009.00000003.1772607654.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2045484810.00000000103C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/StartUI.pdb/74D47198CB4699BA710AD8B2C5310DD91/StartUI.pdb source: explorer.exe, 0000000A.00000003.2338567821.000000000BD25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 2C21547311/twinui.pcshell.pdb HTTP/1.1 source: explorer.exe, 0000000A.00000003.1912234304.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1824DB90 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,RegDeleteKeyValueW,RegDeleteKeyValueW,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,9_2_00007FFE1824DB90
Source: ep_weather_host_stub.dll.0.dr | Static PE information: section name: .orpc
Source: WebView2Loader.dll.0.dr | Static PE information: section name: .gxfg
Source: WebView2Loader.dll.0.dr | Static PE information: section name: .retplne
Source: WebView2Loader.dll.0.dr | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18251870 GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW,9_2_00007FFE18251870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\explorer.exe | Code function: GetForegroundWindow,GetClassNameW,Sleep,GetForegroundWindow,GetClassNameW,GetForegroundWindow,GetClassNameW,Sleep,GetForegroundWindow,GetClassNameW,RegDeleteTreeW,Sleep,9_2_00007FFE1823DEA0
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 766
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 715
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18237B50 GetSystemTimeAsFileTime followed by cmp: cmp r15, 02h and CTI: jne 00007FFE18238362h 9_2_00007FFE18237B50
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18265CF0 RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetSystemDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,RegDeleteValueW,RegCloseKey,9_2_00007FFE18265CF0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823D920 GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,9_2_00007FFE1823D920
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823DAC0 SHGetFolderPathW,FindFirstFileW,FindClose,9_2_00007FFE1823DAC0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18293B58 FindFirstFileExW,9_2_00007FFE18293B58
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823CE30 CreateFileA,CreateFileMappingW,CloseHandle,MapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,PathRemoveFileSpecA,UnmapViewOfFile,CloseHandle,CloseHandle,FindFirstFileA,FindClose,DeleteFileA,UnmapViewOfFile,CloseHandle,CloseHandle,9_2_00007FFE1823CE30
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE182652A0 RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryA,RegCloseKey,RegSetValueExW,RegSetValueExA,RegSetValueExW,RegCloseKey,9_2_00007FFE182652A0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18272FA0 GetSystemInfo,VirtualAlloc,9_2_00007FFE18272FA0
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BA84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Prod_VMware_SATA_CD00#4&224f
Source: explorer.exe, 0000000A.00000003.2034843476.000000000B8F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BA84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9+470022
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\W
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BA84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:6
Source: explorer.exe, 0000000A.00000003.1912557909.000000000BACA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000!
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BACC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}I
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e\"
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BA84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.1863754048.000000000BA84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18254C20 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,9_2_00007FFE18254C20
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1825A9E0 GetProcessHeap,9_2_00007FFE1825A9E0
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1828BC98 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00007FFE1828BC98
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18271DC0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00007FFE18271DC0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE182710D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FFE182710D0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 140.82.121.4 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.110.133 443
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18243880 GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,FindWindowExW,FindWindowExW,FindWindowW,FindWindowExW,FindWindowExW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,SetCursorPos,FindWindowW,PostMessageW,PostMessageW,FindWindowExW,FindWindowW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,FindWindowExW,PostMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SendMessageCallbackW,PostMessageW,9_2_00007FFE18243880
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18243DA0 FindWindowExW,FindWindowExW,FindWindowExW,SendMessageW,9_2_00007FFE18243DA0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823F4C0 FindWindowW,SendMessageTimeoutW,9_2_00007FFE1823F4C0
Source: C:\Windows\explorer.exe | Code function: GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW, \explorer.exe 9_2_00007FFE18251870
Source: C:\Windows\explorer.exe | Code function: Sleep,GetWindowsDirectoryW,CreateProcessW,FreeConsole,GetCurrentProcessId,OpenProcess,TerminateProcess, \explorer.exe 9_2_00007FFE1826FCC0
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE182505A0 SetProcessDpiAwarenessContext,GetModuleFileNameW,GetCurrentDirectoryW,GetModuleHandleW,ShellExecuteExW,GetLastError,LoadStringW,LoadStringW,MessageBoxW,GetModuleFileNameW,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,PathRemoveExtensionW,PathRemoveExtensionW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,9_2_00007FFE182505A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823E860 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,GetLengthSid,CopySid,DeriveAppContainerSidFromAppContainerName,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,CreateMutexW,FreeSid,9_2_00007FFE1823E860
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1823D7C0 AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,9_2_00007FFE1823D7C0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: Progman: %d
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: Progman hook: %d
Source: explorer.exe | Binary or memory string: Shell_TrayWnd
Source: explorer.exe | Binary or memory string: Progman
Source: explorer.exe, 00000009.00000003.1773648082.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.1771490317.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1777857049.00000000027F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IsAutoHideEnabledShell_TrayWndUIA_WindowVisibilityOverriddenCortanaExperienceManager_OnViewPropertiesChangingq
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eptmpw+Unknown exceptionbad array new lengthSoftware\ExplorerPatcherLanguageen-USvector too long\Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1752836203.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exe\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dllep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerPatcher\ImmersiveContextMenuArray[ROD]: Level %d Position %d/%d Status %d
Source: explorer.exe | Binary or memory string: Progman: %d
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000000.1727366409.00007FF733126000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.1773069236.00007FF733126000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: runasExplorerPatcherntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exeopenep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerFrame.dll (ExplorerPatcher).lnk\shell32.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcherUninstallStringDisplayNameVALINET Solutions SRLPublisherNoModifyNoRepair\ExplorerPatcher.amd64.dll%d.%d.%d.%dDisplayVersionVersionMajorVersionMinorDisplayIcon\ExplorerPatcher\cleanup_.tmp.preven-USmuipriep_taskbar.0.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\*.../extractIsWow64Process2kernel32.dllx64ARM64/uninstall/uninstall_silentep_uninstall.exe/update_silentUndockingDisabledSOFTWARE\Microsoft\Windows\CurrentVersion\Shell\Update\PackagesGlobal\ep_setup_D17F1E1A-5919-4427-8F89-A1A8503CA3EB/f /im explorer.exeGlobal\ep_dwm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}stop 
ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}Software\ExplorerPatcherOpenPropertiesAtNextStartep_setup.exeSOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32\ExplorerPatcher\ExplorerPatcher.amd64.dll"\regsvr32.exeExplorerPatcher.IA-32.dllExplorerPatcher.IA-32.dllExplorerPatcher.amd64.dllExplorerPatcher.amd64.dllep_gui.dllep_gui.dllep_dwm.exeep_dwm.exeep_weather_host.dllep_weather_host.dllep_weather_host_stub.dllep_weather_host_stub.dllWebView2Loader.dllWebView2Loader.dllar-SAbg-BGca-EScs-CZda-DKde-DEel-GRen-GBes-ESes-MXet-EEeu-ESfi-FIfr-CAfr-FRgl-EShe-ILhr-HRhu-HUid-IDit-ITja-JPko-KRlt-LTlv-LVnb-NOnl-NLpl-PLpt-BRpt-PTro-ROru-RUsk-SKsl-SIsr-Latn-RSsv-SEth-THtr-TRuk-UAvi-VNzh-CNzh-TWprisStartUIWindows.UI.ShellCommon.pripnidui/Windows.UI.ShellCommon/pnidui.dllpnidui/pnidui.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{C2796011-81BA-4148-8FCA-C6643245113F}AutoStartdxgi.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewywincorlib.dllep_startmenu.dllwincorlib_orig.dll\wincorlib.dll\wincorlib_orig.dllStartUI_.dllStartUI/StartUI.dllAppResolverLegacy.dllStartTileDataLegacy.dll\en-USStartTileDataLegacy.dll.mui\pris2Windows.UI.ShellCommon.en-US.pri\SystemApps\ShellExperienceHost_cw5n1h2txyewy\rundll32.exe "\ExplorerPatcher\ep_gui.dll",ZZGUI\ExplorerPatcher\ep_setup.exe" /uninstallstart ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBdelete ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB\ExplorerPatcher\ep_weather_host.dll"\ExplorerPatcher\ep_weather_host_stub.dll"SOFTWARE\Policies\Microsoft\Windows\ExplorerSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\cleanupSOFTWARE\Microsoft\Windows\CurrentVersion\RunOncecmd /c rmdir /s /q ""ExplorerPatcherCleanupIsUpdatePendingrbr+bwb1.3.1.1-motley unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll@
Source: explorer.exe | Binary or memory string: Progman hook: %d
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: Microsoft-Symbol-Server/10.0.10036.206msdl.microsoft.comabcdefghijklmnopqrstuvwxyzProgmanProxy Desktop\explorer.exeopenInputSwitch.dllxx??x??xxx????xxD8t
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: Shlwapi.dllSHRegGetValueFromHKCUHKLMShell_TrayWndntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRMicrosoft.Windows.ShellManagedWindowAsNormalWindowShell_SecondaryTrayWndvalinet.ExplorerPatcher.ShellManagedWindowExplorerFrame.dllDesktopSHELLDLL_DefViewWorkerWComctl32.dllLoadIconWithScaleDownwin32u.dllNtUserBuildHwndListuser32.dllHungWindowFromGhostWindowGhostWindowFromHungWindowSetWindowCompositionAttributeCreateWindowInBandGetWindowBandSetWindowBandIsTopLevelWindowInternalGetWindowTextInternalGetWindowIconuxtheme.dllshcore.dll
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18299AF0 cpuid 9_2_00007FFE18299AF0
Source: C:\Windows\explorer.exe | Code function: RegCreateKeyExW,RegQueryValueExW,GetLocaleInfoW,GetLocaleInfoW,SetThreadPreferredUILanguages,RegCloseKey,9_2_00007FFE182550C0
Source: C:\Windows\explorer.exe | Code function: CoCreateInstance,IUnknown_QueryService,FindWindowW,GetPropW,GetThreadUILanguage,GetLocaleInfoW,9_2_00007FFE18269620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Code function: 0_2_00007FF733108E2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF733108E2C
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE18270A50 SHParseDisplayName,SHBindToParent,CreatePopupMenu,TrackPopupMenuEx,RegQueryValueW,RegGetValueW,GetMenuItemInfoW,RegQueryValueW,RegGetValueW,GetMenuItemInfoW,InsertMenuItemW,InsertMenuItemW,InsertMenuItemW,GetMenuItemInfoW,DestroyMenu,CoTaskMemFree,9_2_00007FFE18270A50
Source: C:\Windows\explorer.exe | Code function: 9_2_00007FFE1824A710 SHBindToObject,9_2_00007FFE1824A710
MITRE ATT&CK Matrix (per tactic; a number in front of a technique is the count of triggered signatures mapped to it, entries without a number are the matrix's default cells and were not triggered)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 1 Native API; 2 Command and Scripting Interpreter; 1 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 2 Windows Service; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Windows Service; 122 Process Injection; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 23 Masquerading; 11 Virtualization/Sandbox Evasion; 122 Process Injection; 1 Regsvr32
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 11 System Time Discovery; 2 File and Directory Discovery; 35 System Information Discovery; 141 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 11 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Ingress Tool Transfer; 21 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph
ID: 1510261 | Sample: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | Start date: 12/09/2024 | Architecture: WINDOWS | Score: 64
DNS names resolved: objects.githubusercontent.com, github.com, api.msn.com
Top-level signatures: AI detected suspicious sample; Sigma detected: Explorer NOUACCHECK Flag

explorer.exe (node counters 105, 144), started from the root node
  -> github.com 140.82.121.4, port 443 (local ports 49734, 49735), GITHUBUS, United States
  -> objects.githubusercontent.com 185.199.110.133, port 443 (local port 49740), FASTLYUS, Netherlands
  signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe (node counters 9, 15), started from the root node
  dropped: C:\Windows\dxgi.dll (PE32+); C:\Windows\SystemApps\...\dxgi.dll (PE32+); C:\Program Files\...\ep_weather_host_stub.dll (PE32+); 7 other files (none is malicious)
  started: explorer.exe (node counters 2, 1) -> signature: Contains functionality to automate explorer (e.g. start an application)
  started: taskkill.exe (node counter 1) -> conhost.exe
  started: sc.exe (node counter 1) -> conhost.exe
  started: 3 other processes -> conhost.exe
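The process list and the behavior graph above record one coherent chain: the installer writes dxgi.dll into C:\Windows and into the StartMenuExperienceHost folder, force-kills explorer.exe, stops the ep_dwm_... service, registers DLLs with regsvr32 /s and then starts explorer.exe itself, after which the report sees a "system process" (explorer.exe) talking to github.com. The following Python is an added example, not part of the Joe Sandbox report and not ExplorerPatcher's own code: it encodes that chain as correlation logic and runs it over constructed Sysmon-style process-create and file-create events. The PIDs, the two control events and the SIDELOAD_NAMES watchlist are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    """Minimal Sysmon-style record: event_id 1 = process create, 11 = file create.
    Every record in SAMPLE_EVENTS below is constructed for this example."""
    event_id: int
    pid: int
    ppid: int
    image: str             # EID 1: image of the created process; EID 11: the writing process
    command_line: str = ""
    target: str = ""       # EID 11: path that was written


WINDIR = "c:\\windows\\"

# DLLs that explorer.exe resolves from its own directory (C:\Windows) before
# System32, because the application directory comes first in the default DLL
# search order. Only the name this report shows being dropped is listed; the
# watchlist itself is an assumption of this example.
SIDELOAD_NAMES: Set[str] = {"dxgi.dll"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _base(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def is_system_binary(path: str) -> bool:
    """True for images that live under the Windows directory (taskkill, sc, the real shell)."""
    return _norm(path).startswith(WINDIR)


def classify(e: Event) -> Tuple[str, str]:
    """Map one event to (category, message); ("", "") when it is not interesting."""
    if e.event_id == 11:
        target = _norm(e.target)
        if target.startswith(WINDIR) and _base(target) in SIDELOAD_NAMES:
            folder = e.target.rsplit("\\", 1)[0]
            return "sideload", f"dropped {_base(target)} into {folder} [T1574.002 DLL Side-Loading]"
        return "", ""
    cl = e.command_line.lower()
    name = _base(e.image)
    if name == "taskkill.exe" and re.search(r"/im\s+explorer\.exe", cl):
        return "kill-explorer", "force-kills explorer.exe (releases DLLs the running shell holds open)"
    if name == "explorer.exe":
        # The legitimate shell is started by userinit.exe, which lives under the Windows
        # directory, so correlate() never attributes it to a non-system parent.
        return "restart-explorer", "restarts explorer.exe, which now loads whatever sits beside it"
    if name == "sc.exe":
        m = re.search(r"\b(stop|delete)\s+(\S+)", cl)
        if m:
            return "service", f"sc {m.group(1)} {m.group(2)} [T1489 Service Stop]"
    if name == "regsvr32.exe" and "/s" in cl.split():
        return "regsvr32", "silent regsvr32 registration of a DLL [T1218.010 Regsvr32]"
    return "", ""


def correlate(events: List[Event]) -> Dict[int, List[Tuple[str, str]]]:
    """Attribute each interesting event to its actor (the parent for process creations,
    the writer for file writes), drop actors that live under the Windows directory,
    and return {actor_pid: [(category, message), ...]}."""
    images = {e.pid: e.image for e in events if e.event_id == 1}
    findings: Dict[int, List[Tuple[str, str]]] = {}
    for e in events:
        actor = e.ppid if e.event_id == 1 else e.pid
        actor_image = images.get(actor, "")
        if not actor_image or is_system_binary(actor_image):
            continue
        category, message = classify(e)
        if category:
            findings.setdefault(actor, []).append((category, message))
    return findings


CHAIN: Set[str] = {"sideload", "kill-explorer", "restart-explorer"}


def verdict(findings: Dict[int, List[Tuple[str, str]]]) -> Dict[int, str]:
    """An actor that drops a side-load DLL, kills the shell and restarts it has run the
    whole hijack chain; anything less is still listed but rated 'isolated'."""
    return {pid: "explorer-hijack chain" if CHAIN <= {c for c, _ in items} else "isolated"
            for pid, items in findings.items()}


# Constructed events mirroring the report's process list (PIDs are invented).
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe"
SAMPLE_EVENTS = [
    Event(1, 4000, 800, SAMPLE, f'"{SAMPLE}"'),
    Event(11, 4000, 800, SAMPLE, target=r"C:\Windows\dxgi.dll"),
    Event(11, 4000, 800, SAMPLE, target=r"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll"),
    Event(11, 4000, 800, SAMPLE, target=r"C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"),
    Event(1, 4010, 4000, r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\system32\taskkill.exe" /f /im explorer.exe'),
    Event(1, 4011, 4000, r"C:\Windows\System32\sc.exe", r'"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB'),
    Event(1, 4012, 4000, r"C:\Windows\System32\regsvr32.exe", r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"'),
    Event(1, 4013, 4000, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    # Controls (constructed): a system process writing under C:\Windows, and a user-land
    # program staging dxgi.dll in its own folder, must both stay silent.
    Event(1, 5000, 800, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Event(11, 5000, 800, r"C:\Windows\System32\svchost.exe", target=r"C:\Windows\Temp\update.log"),
    Event(1, 5100, 800, r"C:\Users\user\Downloads\game.exe", r'"C:\Users\user\Downloads\game.exe"'),
    Event(11, 5100, 800, r"C:\Users\user\Downloads\game.exe", target=r"C:\Users\user\Downloads\dxgi.dll"),
]

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for pid, items in found.items():
        print(f"pid {pid}: {verdict(found)[pid]}")
        for category, message in items:
            print(f"  [{category}] {message}")
```

Run as-is it reports only PID 4000, with six findings and the verdict "explorer-hijack chain"; the svchost.exe and game.exe controls produce nothing. The kill/restart pair matters as much as the DLL drop: a copy of dxgi.dll beside explorer.exe only takes effect once the shell is reloaded, which is exactly why the installer force-kills and respawns it, and why the respawned explorer.exe, not the installer, is the process the report sees connecting to github.com.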

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | 5% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\WebView2Loader.dll | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ep_dwm.exe | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ep_gui.dll | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ep_setup.exe | 5% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ep_weather_host.dll | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll | 3% | ReversingLabs | |
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://github.com/valinet | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png | 0% | Avira URL Cloud | safe |
https://www.valinet.ro) | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png | 0% | Avira URL Cloud | safe |
https://objects.githubusercontent.com/s | 0% | Avira URL Cloud | safe |
https://api.msn.com/v1/News/Feed/Windows?%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02xFeedsCNhttps:// | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1 | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png | 0% | Avira URL Cloud | safe |
https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png | 0% | Avira URL Cloud | safe |
https://www.valinet.ro | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png | 0% | Avira URL Cloud | safe |
https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/d0ea7754-53d3 | 0% | Avira URL Cloud | safe |
https://github.com/valinet) | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png | 0% | Avira URL Cloud | safe |
https://objects.githubusercontent.com/ | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png | 0% | Avira URL Cloud | safe |
http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.png | 0% | Avira URL Cloud | safe |
https://msn.comError | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.png | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.png | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.4 | true | true | | unknown
objects.githubusercontent.com | 185.199.110.133 | true | true | | unknown
api.msn.com | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.valinet.ro) | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://objects.githubusercontent.com/s | explorer.exe, 0000000A.00000003.1912234304.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/valinet | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/v1/News/Feed/Windows?%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02xFeedsCNhttps:// | explorer.exe, 00000009.00000003.1773648082.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.1771490317.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1777857049.00000000027F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1849449600.000000000D44B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1 | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753138409.000001B932081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754001005.000001B932081000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/d0ea7754-53d3 | explorer.exe, 0000000A.00000003.1912557909.000000000BACA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.valinet.ro | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/valinet) | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1753512064.000001B932081000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://objects.githubusercontent.com/ | explorer.exe, 0000000A.00000003.1912234304.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.1863754048.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2040664141.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2044927276.000000000BAA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.winimage.com/zLibDll | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000002.1773069236.00007FF733126000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.pngSecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.pngSecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.pngSecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.pngSecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.pngSecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, 00000000.00000003.1754054332.000001B92F950000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://msn.comErrorexplorer.exe, 00000009.00000003.1772607654.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2045484810.00000000103C4000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs
        IP | Domain | Country | ASN | ASN Name | Malicious
        140.82.121.4 | github.com | United States | 36459 | GITHUBUS | true
        185.199.110.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1510261
        Start date and time:2024-09-12 18:40:45 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 34s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of new started processes analysed:30
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
        Detection:MAL
        Classification:mal64.evad.winEXE@17/18@3/2
        EGA Information:
        • Successful, ratio: 50%
        HCA Information:
        • Successful, ratio: 69%
        • Number of executed functions: 43
        • Number of non-executed functions: 213
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
        • Excluded IPs from analysis (whitelisted): 204.79.197.203, 204.79.197.219, 20.150.70.36, 20.150.79.68, 20.150.38.228
        • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, blob.sat09prdstrz08a.trafficmanager.net, slscr.update.microsoft.com, a-0003.a-msedge.net, msdl-microsoft-com.a-0016.a-msedge.net, ctldl.windowsupdate.com, vsblobprodscussu5shard6.blob.core.windows.net, msdl.microsoft.com, fe3cr.delivery.mp.microsoft.com, vsblobprodscussu5shard39.blob.core.windows.net, ocsp.digicert.com, a-0016.a-msedge.net, login.live.com, blob.sat09prdstrz08a.store.core.windows.net, r.bing.com, msdl.microsoft.akadns.net, api-msn-com.a-0003.a-msedge.net
        • Execution Graph export aborted for target SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, PID 6836 because there are no executed functions
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtEnumerateValueKey calls found.
        • Report size getting too big, too many NtOpenKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
        • VT rate limit hit for: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
        Time | Type | Description
        17:41:47 | Task Scheduler | Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        140.82.121.4 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
        185.199.110.133 | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | malicious | HTMLPhisher, Tycoon2FA |
        185.199.110.133 | https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe | malicious | Unknown |
        185.199.110.133 | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%74%72%61%6E%63%61%73%2E%63%6C/.dev/0958DTU/LWVpUSQT/YXNobGV5QG9tbmlzdXJlLmNvbQ==$%E3%80%82 | malicious | HTMLPhisher |
        185.199.110.133 | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | malicious | HTMLPhisher, Tycoon2FA |
        185.199.110.133 | https://e4x.heraybay.com/ze6t/#Dben.rigor@eclipsebank.com | malicious | HTMLPhisher |
        185.199.110.133 | SecuriteInfo.com.Win64.MalwareX-gen.5183.18088.exe | malicious | 77Rootkit, AsyncRAT, DcRat |
        185.199.110.133 | Play-Now.mp3-77a-208c7-a4528-77.html | malicious | HTMLPhisher |
        185.199.110.133 | https://sinintermediarios.uy/bc/blockchain.com/email/ | malicious | Unknown |
        185.199.110.133 | http://anikettiwari47.github.io/Netflix | malicious | HTMLPhisher |
        185.199.110.133 | VXLauncher.exe | malicious | Empyrean, Discord Token Stealer |
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        github.com | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | malicious | Tycoon2FA | 140.82.121.3
        github.com | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
        github.com | https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe | malicious | Unknown | 140.82.121.3
        github.com | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
        github.com | https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
        github.com | M 1votFC.eml | malicious | Unknown | 140.82.121.4
        github.com | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%74%72%61%6E%63%61%73%2E%63%6C/.dev/0958DTU/LWVpUSQT/YXNobGV5QG9tbmlzdXJlLmNvbQ==$%E3%80%82 | malicious | HTMLPhisher | 140.82.121.3
        github.com | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bce%C2%ADsme%C2%ADdia%E2%80%8B.%C2%ADv%C2%ADn/.dev/tfbft0yf/ZGlhbmUuY3JhaWdAZ3JhY2VoZWFsdGhtaS5vcmc==$%E3%80%82 | malicious | Tycoon2FA | 140.82.121.4
        github.com | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/b5EVLXJp/dGVyZXNhLmhhcnBlckBzb3V0aHNpZGUuY29t=$%E3%80%82 | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.3
        objects.githubusercontent.com | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | malicious | Tycoon2FA | 185.199.109.133
        objects.githubusercontent.com | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | malicious | HTMLPhisher, Tycoon2FA | 185.199.110.133
        objects.githubusercontent.com | https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe | malicious | Unknown | 185.199.110.133
        objects.githubusercontent.com | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | malicious | HTMLPhisher, Tycoon2FA | 185.199.109.133
        objects.githubusercontent.com | https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA | 185.199.109.133
        objects.githubusercontent.com | M 1votFC.eml | malicious | Unknown | 185.199.108.133
        objects.githubusercontent.com | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%74%72%61%6E%63%61%73%2E%63%6C/.dev/0958DTU/LWVpUSQT/YXNobGV5QG9tbmlzdXJlLmNvbQ==$%E3%80%82 | malicious | HTMLPhisher | 185.199.109.133
        objects.githubusercontent.com | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bce%C2%ADsme%C2%ADdia%E2%80%8B.%C2%ADv%C2%ADn/.dev/tfbft0yf/ZGlhbmUuY3JhaWdAZ3JhY2VoZWFsdGhtaS5vcmc==$%E3%80%82 | malicious | Tycoon2FA | 185.199.108.133
        objects.githubusercontent.com | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/b5EVLXJp/dGVyZXNhLmhhcnBlckBzb3V0aHNpZGUuY29t=$%E3%80%82 | malicious | HTMLPhisher, Tycoon2FA | 185.199.109.133
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        FASTLYUS | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | malicious | Tycoon2FA | 151.101.2.137
        FASTLYUS | https://nmgovdot-my.sharepoint.com/:f:/g/personal/brian_filip_nmgov_co/EopUqBu8fqpOvw_R7W8qXnEBWw032PoWoE-pjka6mBLMVw?e=G3klTx | malicious | HtmlDropper | 151.101.66.137
        FASTLYUS | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | malicious | HTMLPhisher, Tycoon2FA | 151.101.2.137
        FASTLYUS | https://sesworld.com.au:443/it/mount/ | malicious | Unknown | 151.101.194.137
        FASTLYUS | https://oakvillemdcsignin.softr.app/ | malicious | Unknown | 151.101.65.229
        FASTLYUS | https://gdzrdzrgysetgragfvasrtgfsarjk.bukuyass.com/XTutbHeMDeSMGoeITGUIniHvuWseZB&4ARJKwSLsix&135229/372/menwhssrzn.home.php?sq=1726-248&lk=267587-14&page=048 | malicious | Phisher | 151.101.129.44
        FASTLYUS | https://bit.ly/4dU5cz3#CIgedJLuqmncgJYdTfeyaCNmWsrQtR&4sWlQeNzELg&135070/182/fldptionns.home.php?sq=1726-248&lk=267585-14&page=362 | malicious | Phisher | 151.101.65.44
        FASTLYUS | http://tplshare.com/iVX5CrQ | malicious | Unknown | 199.232.192.134
        FASTLYUS | https://url.uk.m.mimecastprotect.com/s/mPYbC6R8kf47GAUxtNC5T-0g?domain=tplshare.com | malicious | HTMLPhisher | 151.101.66.137
        GITHUBUS | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | malicious | Tycoon2FA | 140.82.121.3
        GITHUBUS | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
        GITHUBUS | https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe | malicious | Unknown | 140.82.121.3
        GITHUBUS | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
        GITHUBUS | https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
        GITHUBUS | M 1votFC.eml | malicious | Unknown | 140.82.121.4
        GITHUBUS | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%74%72%61%6E%63%61%73%2E%63%6C/.dev/0958DTU/LWVpUSQT/YXNobGV5QG9tbmlzdXJlLmNvbQ==$%E3%80%82 | malicious | HTMLPhisher | 140.82.121.3
        GITHUBUS | https://www.tiktok.com/link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bce%C2%ADsme%C2%ADdia%E2%80%8B.%C2%ADv%C2%ADn/.dev/tfbft0yf/ZGlhbmUuY3JhaWdAZ3JhY2VoZWFsdGhtaS5vcmc==$%E3%80%82 | malicious | Tycoon2FA | 140.82.121.4
        GITHUBUS | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/b5EVLXJp/dGVyZXNhLmhhcnBlckBzb3V0aHNpZGUuY29t=$%E3%80%82 | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.3
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 185.199.110.133, 140.82.121.4
        37f463bf4616ecd445d4a1937da06e19 | file.dll | malicious | Matanbuchus | 185.199.110.133, 140.82.121.4
        37f463bf4616ecd445d4a1937da06e19 | file.dll | malicious | Matanbuchus | 185.199.110.133, 140.82.121.4
        37f463bf4616ecd445d4a1937da06e19 | file.dll | malicious | Matanbuchus | 185.199.110.133, 140.82.121.4
        37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe | malicious | AgentTesla, GuLoader | 185.199.110.133, 140.82.121.4
        37f463bf4616ecd445d4a1937da06e19 | rfq_last_quater_product_purchase_order_import_list_12_06_2024_000000120924.bat | malicious | GuLoader, Remcos | 185.199.110.133, 140.82.121.4
        37f463bf4616ecd445d4a1937da06e19 | KeB00e9poi.msi | malicious | Unknown | 185.199.110.133, 140.82.121.4
        37f463bf4616ecd445d4a1937da06e19 | 4TLr2kKeuX.exe | malicious | Unknown | 185.199.110.133, 140.82.121.4
        37f463bf4616ecd445d4a1937da06e19 | X6jV3f2RXz.msi | malicious | Unknown | 185.199.110.133, 140.82.121.4
                            No context
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):156160
                            Entropy (8bit):6.375266888011147
                            Encrypted:false
                            SSDEEP:3072:0lIcmRRbHdf9AwLCwsOOU5/1uR9AsRAiwaCG27eMwtN:0lB2wwLCwsq5/URuaw4rN
                            MD5:5D1F22A4A8CB76C337FEC809463092E1
                            SHA1:B4F216C118FBF93C0B2FC9CFCD1D7BC981A2572F
                            SHA-256:6AFD7333E956C125C9D4D3E6F88C2ED27CC41E0AA9A4E0656BA17B87C655A306
                            SHA-512:B5FB3CFA44955DDA982AEF231C93F5F6D64CAE85325C616A54270B6E4E434CC3E3805AB8B5CD291310B3FE99137EFD5782D34EC3A0997A752FC4F2E75FF8304A
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2..2..2...J..2...J...2...J..2....2....2....2...J..2..2..>2.....2.....2...;.2..2S.2.....2..Rich.2..................PE..L..._..f...........!...).z...........J....................................................@.............................x...h........P...0..............................p........................... ...@...............H............................text....x.......z.................. ..`.rdata...............~..............@..@.data........0......................@....rsrc....0...P...2..................@..@.reloc...............L..............@..B........................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):716800
                            Entropy (8bit):6.219577157189828
                            Encrypted:false
                            SSDEEP:12288:3patAdcuir6DuAstdFwBgHaaRRZbv4XqTC6Ri3JRFrt6rd6F1tuuuuuuYGpK7bA+:Zat2cuir6K7tdFJlbv2qTD0bFrBFbuuD
                            MD5:57999FF1631929462DE24BA18F61AE1C
                            SHA1:2AAAE073E752D32C6FD08DAC578C040924FE4B59
                            SHA-256:B21C0ED7224784B642647A8EFAD45C634BF88646638823215818B25143FEE86E
                            SHA-512:0AD42CBE76CA39353FBFBDD95411DF7ED830C960ACF5D1B943ECC424972FB326B2C69CCE680EFD9003D9650D0E791120A91AC8F2BE1AF09404F3D1EC6C4553E7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........y...............`.......`.......................`4.......Z..............................`.......`................................X.......0.............Rich....................PE..d......f.........." ...).....N......|........................................P............`......................................... V..H...hZ...........0.......I...........@.......|..p...............................@...............p............................text.............................. ..`.rdata..............................@..@.data...H...........................@....pdata...I.......J...f..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):165336
                            Entropy (8bit):6.238659206665009
                            Encrypted:false
                            SSDEEP:3072:7evoTTlTRTyiuPThTNTKm81SbbMYSPLNsknZiZ2HZ5AaliiT88FEtJ57dXSvlCW:HTlTRTyiuPThTNTKmFQdhsknZiMHfEti
                            MD5:C5F0C46E91F354C58ECEC864614157D7
                            SHA1:CB6F85C0B716B4FC3810DEB3EB9053BEB07E803C
                            SHA-256:465A7DDFB3A0DA4C3965DAF2AD6AC7548513F42329B58AEBC337311C10EA0A6F
                            SHA-512:287756078AA08130907BD8601B957E9E006CEF9F5C6765DF25CFAA64DDD0FFF7D92FFA11F10A00A4028687F3220EFDA8C64008DBCF205BEDAE5DA296E3896E91
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....sgf.........." .....\..........@F....................................................`A........................................Y...0.......(............P.......^...'..............T...................P...(....q..@...........h...........`....................text...][.......\.................. ..`.rdata..|....p.......`..............@..@.data...D....0......................@....pdata.......P......."..............@..@.gxfg...p....p.......8..............@..@.retplne.............J...................tls.................L..............@..._RDATA...............N..............@..@.rsrc................P..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):118272
                            Entropy (8bit):5.883056677379098
                            Encrypted:false
                            SSDEEP:3072:ZmxpiUI+RrEAqTZLO1bLBbbmRYOalQIO:Z+iD+TqTZyhvlQ
                            MD5:85FFBD19F247F682DF7CB348429BF563
                            SHA1:A3534A2C41B46EF253ABE52D4F00F98EEDE00020
                            SHA-256:770379D1A2DFF974D3A0D1D282B2BFD69E1C25CC2BB161C4DFB9B208330FBCB3
                            SHA-512:DD78C6D09CA5831D9E5E5146AF6F5537142EE4B5DFCC40AB34271B81FACBA1C1F285EAB84FCBB8180460408FF888588BAEB3DA95D385A167EF0828B37367E1B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.Lk..Lk..Lk......Ik.......k......Fk..\...Ek..\...\k..\...dk......Gk..Lk..4k......Mk......Mk..Lk..Mk......Mk..RichLk..........PE..d...r..f.........."....).............'.........@..........................................`....................................................x...............................h...0...p...............................@...............`............................text...`........................... ..`.rdata..Z...........................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):721408
                            Entropy (8bit):5.53410489167774
                            Encrypted:false
                            SSDEEP:6144:czq5NAtIjhy7rsdQiwH94aG0b3Ssy23643TWlIksV+G:qqPA2jhyPdpt
                            MD5:C83153FFC63411AAF525CAA6C50C1FFC
                            SHA1:76EE60BBEE697882FE5390D0F50A9F521F281BDA
                            SHA-256:422D9784435C893B810DC8D02B8EAA713A030ECDDE0C29AE5A588C889CE6A7DF
                            SHA-512:363F259AA9FF47FE9D8F65A308EB3732581ECB703B827A773DD2C9AAA61BD90F89BFD1F8B1A1C5CAA86F213799FC4487053182425676ABAAA3A301453C4E8A0D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{|..{|..{|..0...}|..0....|..r.=.y|..k...r|..k...k|..k...X|..0...t|..0...z|..0...f|..{|.._}..3...s|..3...z|..3.Q.z|..{|9.j|..3...z|..Rich{|..........PE..d......f.........." ...).....P......x........................................`............`.................................................<...,....P.......0...............P.........p...............................@............................................text... ........................... ..`.rdata..,...........................@..@.data...0#..........................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):10525696
                            Entropy (8bit):7.989219365061286
                            Encrypted:false
                            SSDEEP:196608:aZN5gB3uI0Bn+2N8cL0yiao2ItCC2bO+WxNtTYneFC5YbMvr5GM6BZ2r34:QzgN4Bz7ieTCIKNtUniYYAvE
                            MD5:45A5A443C01ABD7618EFEF4827241312
                            SHA1:5390D36A371F0598B86301961D5FDB329E368E7A
                            SHA-256:D7F98B8AF8A3BFE9D93CE31558A62E4D5D0CD425BC30BBC0D517901E5B82BF46
                            SHA-512:0DF6330A020CE3B52320F087F56023DB069B56D4579B43A9827B8158BE430585B88FB43D98004EAE4E7A05F85086F5762DA17F51AF95FDB302669AE1C581F734
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 5%
                            Preview:MZ......................@...............................................!..L.!22622.3880.66.6.57999ff163192946S mode....$........^uOY?..Y?..Y?...G..\?...G...?......_?..I...P?..I...I?..I...q?...G..V?...G..X?...G..L?..Y?...?......]?......X?..Y?..H?......X?..RichY?..................PE..d......f.........."....).P...\................@.........................................`..................................................K..........p...........................p(..p...........................0'..@............`...............................text...0O.......P.................. ..`.rdata.. ....`.......T..............@..@.data...T....`.......R..............@....pdata...............^..............@..@.rsrc...p............z..............@..@.reloc..............................@..B........................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:false
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):244224
                            Entropy (8bit):5.982282823910593
                            Encrypted:false
                            SSDEEP:3072:AjW86bHWeRLwF/ov4P3dUXqu/FYu9L33+C+TS9eEXB9aosuWoU6P:AEbHWK0gv4GXZ/rpjWoh
                            MD5:F2920695EA15CC80E479D79F536437F1
                            SHA1:3B65E31BD40D371303FB8C82A712BC8E3CBDD451
                            SHA-256:350535396C011ED00753F6CD2D30FA1D38FD0F48077B1F9D461CB3DF1B1CF39D
                            SHA-512:16FBF89D7B14F1FE6F1A2BF80838BBB28B9DB9D79255EB194A0952097D63B29438B5D95B2E64B49293828E1932BF73F47780E90F06502EB32A9386E9A23DE407
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.6vb.X%b.X%b.X%).[$g.X%).]$..X%ry[$k.X%ry\$m.X%ry]$B.X%).\$l.X%).Y$v.X%b.X%a.X%b.Y%..X%*xP$a.X%*xX$c.X%*x.%c.X%b..%c.X%*xZ$c.X%Richb.X%........PE..d...y..f.........." ...).............e....................................................`..........................................~......,.......................................@^..p............................]..@...............@............................text...0........................... ..`.rdata.............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):111616
                            Entropy (8bit):5.926324663614139
                            Encrypted:false
                            SSDEEP:1536:/w+B6bvTxS8Si7ixJSHQ8YmpqvA9uf+UfKzwzsW7dJ9dlPbUremU:I3TxMpxJuQ8bpwouf+f07hJcemU
                            MD5:AB6AA536FCAE0D915FC6856F66FF693C
                            SHA1:9B20EB39735C80A2EC5974F477CDDDF72796D0FA
                            SHA-256:0578867D07DF70F0080E5EB864F77C7356745347B1D9CDDD568F68E10FA8AA50
                            SHA-512:E9BC6F57120F484C8E64A86F623E6B029E32F14BA49B70146AD6C16A84740C12A954F78B564F5619F55908AF200CA2FAC21E9E5DC35B6219A0FE7A6590B66524
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 3%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l.z.(...(...(...c...-...c.......c..."...8...!...8...&...8.......c.../...(...]...`...+...`...)...`..)...`...)...Rich(...........................PE..d...t..f.........." ...)............p.....................................................`.................................................X...P...............................x.......p...........................P...@...............8............................text... ........................... ..`.orpc...,........................... ..`.rdata.............................@..@.data...h...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..x...........................@..B........................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=39, Archive, ctime=Thu Sep 8 02:06:01 2022, mtime=Wed Oct 4 11:00:15 2023, atime=Thu Sep 8 02:06:01 2022, length=71680, window=hide
                            Category:modified
                            Size (bytes):1960
                            Entropy (8bit):3.304595174795642
                            Encrypted:false
                            SSDEEP:24:8TGlce/4SdlTyAQVmeiUHh+/Clo+sd/UW+fwT4o0243qyFm:8alcGdltQtiAlo7d/9fMoxyF
                            MD5:9B5FC207D9D054D7E482AF015F5988AD
                            SHA1:699D52E955A9C060C26F76F3EF348474C5E2152F
                            SHA-256:BF8392F7D29297C46C8469B75B7858580C3339CA53CE51EE2314636CE4AC9208
                            SHA-512:83B9B22283EE60AF2DA5B7A370990DE987EA26D55FCE01FC92E98DF86242ECC48549783F3AF0B2BBCD69C8962C5CC59D030019FECD5BBF5748279A7BF782D192
                            Malicious:false
                            Preview:L..................F.@.. .....S./...J.gV......S./.......'...................E....P.O. .:i.....+00.../C:\...................V.1.....DWR`..Windows.@......OwH,Y4.....3.......................d.W.i.n.d.o.w.s.....Z.1.....,Y2...System32..B......OwH,Y4.............................-.S.y.s.t.e.m.3.2.....f.2.....(U.. .rundll32.exe..J......(U..DW.`.........................b...r.u.n.d.l.l.3.2...e.x.e.......O...............-.......N...........P..8.....C:\Windows\System32\rundll32.exe....E.x.p.l.o.r.e.r.P.a.t.c.h.e.r./.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.3.".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.E.x.p.l.o.r.e.r.P.a.t.c.h.e.r.\.e.p._.g.u.i...d.l.l.".,.Z.Z.G.U.I...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\system32\shell32.dll.............................................................................................................................................
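The dropped shortcut above is the artifact in this listing most worth parsing rather than eyeballing: the file-type line says it points to a file, carries a relative path, a working directory and command-line arguments, and hides its window; the preview shows the target `C:\Windows\System32\rundll32.exe`, the argument `"C:\Program Files\ExplorerPatcher\ep_gui.dll",ZZGUI` and an icon taken from `shell32.dll`. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample or from the ExplorerPatcher project: it builds a Shell Link (MS-SHLLINK) in memory with those field values, parses it back from raw bytes (ShellLinkHeader, ItemIDList, optional LinkInfo, StringData), and runs a small triage heuristic of my own over the result. The ShowCommand value 7 (SW_SHOWMINNOACTIVE) is an assumption for the report's "window=hide"; the list of host binaries is mine; the real file's ItemIDList and LinkInfo contents are not reproduced.

```python
import struct

# MS-SHLLINK constants (ShellLinkHeader LinkFlags and ShowCommand values).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]          # StringData order mandated by the spec
SW_SHOWNORMAL, SW_SHOWMAXIMIZED, SW_SHOWMINNOACTIVE = 1, 3, 7
HEADER_FMT = "<I16sIIQQQIiIHHII"                     # 76-byte ShellLinkHeader
# Assumed (my own) list of script/DLL hosts worth a second look as a shortcut target.
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                 "cscript.exe", "powershell.exe", "cmd.exe"}


def _string_data(s: str) -> bytes:
    """CountCharacters (uint16) followed by UTF-16LE text, no terminator."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_shortcut(name, relative_path, working_dir, arguments, icon_location,
                   icon_index=0, show_command=SW_SHOWNORMAL, file_size=0) -> bytes:
    """Emit a minimal .lnk: header, an empty ItemIDList, then the five StringData fields."""
    flags = (HAS_ID_LIST | HAS_NAME | HAS_REL_PATH | HAS_WORKING_DIR
             | HAS_ARGS | HAS_ICON | IS_UNICODE)
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,   # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, file_size, icon_index, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<HH", 2, 0)   # IDListSize=2: only the TerminalID
    strings = b"".join(_string_data(s) for s in
                       (name, relative_path, working_dir, arguments, icon_location))
    return header + id_list + strings


def parse_shortcut(data: bytes) -> dict:
    """Walk header -> ItemIDList -> LinkInfo -> StringData and return the fields found."""
    (hdr_size, clsid, flags, attrs, _c, _a, _w, size, icon_index,
     show_cmd, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:                     # skip the ItemIDList by its declared size
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    link = {"link_flags": flags, "file_attributes": attrs, "file_size": size,
            "icon_index": icon_index, "show_command": show_cmd}
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            link[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return link


def triage(link: dict) -> list:
    """Heuristic triage signals (mine, not the sandbox's rules); each hit needs a human look."""
    findings = []
    target = link.get("relative_path", "").rsplit("\\", 1)[-1].lower()
    if target in HOST_BINARIES and link.get("arguments"):
        findings.append(f"host binary {target} launched with arguments: {link['arguments']}")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand 7 (SW_SHOWMINNOACTIVE): window kept out of the user's view")
    if target in HOST_BINARIES and link.get("icon_location", "").lower().endswith("shell32.dll"):
        findings.append(f"icon borrowed from shell32.dll (index {link['icon_index']}) for a host binary")
    return findings


# Constructed stand-in for the dropped shortcut (string values from the report's preview;
# ShowCommand and the binary layout are assumptions, not bytes from the real file).
SAMPLE_LNK = build_shortcut(
    name="ExplorerPatcher",
    relative_path="..\\..\\..\\..\\..\\..\\Windows\\System32\\rundll32.exe",
    working_dir="C:\\Windows\\system32",
    arguments='"C:\\Program Files\\ExplorerPatcher\\ep_gui.dll",ZZGUI',
    icon_location="%SystemRoot%\\system32\\shell32.dll",
    icon_index=39, show_command=SW_SHOWMINNOACTIVE, file_size=71680)

if __name__ == "__main__":
    parsed = parse_shortcut(SAMPLE_LNK)
    for key, value in parsed.items():
        print(f"{key:<16} {value!r}")
    for finding in triage(parsed):
        print("!", finding)
```

The heuristic fires on this shortcut and would fire equally on a legitimate install of the tool it names, so treat it as a triage signal to pair with the rest of the report (who wrote the .lnk, what rundll32.exe connected to afterwards), not as a verdict on its own.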
                            Process:C:\Windows\explorer.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):109800
                            Entropy (8bit):4.005674358051179
                            Encrypted:false
                            SSDEEP:768:7E7FzoInjFjkDGsr81Zjk0DmkWYpVn31NyLyIAJjpBLx+buR1v9ntBN5mRypOp3t:7ixkPrt5sR3jfhgiaGkn4sFWKErpO
                            MD5:A064DB0E37E077C0305EA73F4734509D
                            SHA1:BFC91BB0C018542D1DDE2F72995C4BFA5142788A
                            SHA-256:6BB6279D2820E248E9149EC676ACB893C0C238D1A82E1BACD6277093696172F1
                            SHA-512:ACDF7290F790156898ABE659831B19F4EE144D1F5D5AD81BCE6071F769ADD4BB4FB09889F65BE489653F975B1C8A9979C26DA6C074F949BE04797887084002CE
                            Malicious:false
                            Preview:....h... ..............P...............Z......_...@..............p...X.......e.n.-.C.H.;.e.n.-.G.B...............`..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s
                            Process:C:\Windows\explorer.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):747
                            Entropy (8bit):5.119688425934912
                            Encrypted:false
                            SSDEEP:12:YWgc2TM2K8H+g2KQwEUmX9H+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCB893c3Z:Yzc2TBK8H2KFe9Ht0drc6hE14
                            MD5:3705CCFC0D0C4005B80A1211B8D7BF2F
                            SHA1:C807390634EBFBCFBDF6908A2832CC783F35CC15
                            SHA-256:F08FCE4E4B888BF7AC75746D05FEE547B46BF9790A045C1B4E04662E00092CDD
                            SHA-512:C87DFD03A4ADC625F597675EBAFDD09C6EDA48007E36D17DC7B33E02E8546FE288F54D17756D75976015A72843B1C770AC293894BA001A97B9AF2C587833C5DD
                            Malicious:false
                            Preview:{"serviceContext":{"serviceActivityId":"66e319d0-af9b-4bde-9301-9f940b36cc88","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"66e319d0-af9b-4bde-9301-9f940b36cc88|2024-09-12T16:41:52.2180284Z|fabric_msn|ESU|News_100"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}
                            Process:C:\Windows\explorer.exe
                            File Type:MSVC program database ver 7.00, 4096*9067 bytes
                            Category:dropped
                            Size (bytes):37138432
                            Entropy (8bit):5.6992441330393016
                            Encrypted:false
                            SSDEEP:196608:QU+lpXOVPmAUg3kCksUni4PqhapsuG/qMNP9T4frVOlnzToSgGoCgsqwq06kUQ4E:TVQu
                            MD5:6EC8937793ABCA33686E941850AC379C
                            SHA1:C33459B6BBAB2E5D0051557E0AA6E35266145CA1
                            SHA-256:05E269FF0DD07EBF0B82857327B060CD5AF27870B88219C9257510E0AF312B52
                            SHA-512:6FF4CBBA814245A5E3269191BB63E7A82DC40D7D7F862C17F6651F28CDB640023143057CAB4E54DCA20C77C5C515EA0EAC05883CE50CD4F1FB84F2DFB2B7CF51
                            Malicious:false
                            Preview:Microsoft C/C++ MSF 7.00...DS...........k#..$.......j#..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\explorer.exe
                            File Type:MSVC program database ver 7.00, 1024*18363 bytes
                            Category:dropped
                            Size (bytes):18803712
                            Entropy (8bit):5.737102497890461
                            Encrypted:false
                            SSDEEP:49152:oOA4SzAnbR+FIRUS+XHaGMXy9jI7S7Ok4bYBBhUoNWSBjj3hIrHfwP6cYR+9JXZR:7Al/MgnOAGBJF+ZYautg
                            MD5:C84AE6411BAC88E3A562ECC3F5F80A1B
                            SHA1:22C2554E1143DF454DC48D055EB6F470603DBFB7
                            SHA-256:766ADFB1144334B173FB47BA0CEFD7358F6B9D14FA656A92842849207A290A36
                            SHA-512:7706D7BC50BF175267CF48CADA9C37132AED1F7FBC6E6C156A73391124C2E8E86E4D24348603655853A14195FE8DDD426A82CA773C49F15F076D302ADEE30737
                            Malicious:false
                            Preview:Microsoft C/C++ MSF 7.00...DS............G...".......G..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\explorer.exe
                            File Type:MSVC program database ver 7.00, 4096*9067 bytes
                            Category:dropped
                            Size (bytes):37138432
                            Entropy (8bit):5.6992441330393016
                            Encrypted:false
                            SSDEEP:196608:QU+lpXOVPmAUg3kCksUni4PqhapsuG/qMNP9T4frVOlnzToSgGoCgsqwq06kUQ4E:TVQu
                            MD5:6EC8937793ABCA33686E941850AC379C
                            SHA1:C33459B6BBAB2E5D0051557E0AA6E35266145CA1
                            SHA-256:05E269FF0DD07EBF0B82857327B060CD5AF27870B88219C9257510E0AF312B52
                            SHA-512:6FF4CBBA814245A5E3269191BB63E7A82DC40D7D7F862C17F6651F28CDB640023143057CAB4E54DCA20C77C5C515EA0EAC05883CE50CD4F1FB84F2DFB2B7CF51
                            Malicious:false
                            Preview:Microsoft C/C++ MSF 7.00...DS...........k#..$.......j#..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\explorer.exe
                            File Type:MSVC program database ver 7.00, 1024*18363 bytes
                            Category:dropped
                            Size (bytes):18803712
                            Entropy (8bit):5.737102497890461
                            Encrypted:false
                            SSDEEP:49152:oOA4SzAnbR+FIRUS+XHaGMXy9jI7S7Ok4bYBBhUoNWSBjj3hIrHfwP6cYR+9JXZR:7Al/MgnOAGBJF+ZYautg
                            MD5:C84AE6411BAC88E3A562ECC3F5F80A1B
                            SHA1:22C2554E1143DF454DC48D055EB6F470603DBFB7
                            SHA-256:766ADFB1144334B173FB47BA0CEFD7358F6B9D14FA656A92842849207A290A36
                            SHA-512:7706D7BC50BF175267CF48CADA9C37132AED1F7FBC6E6C156A73391124C2E8E86E4D24348603655853A14195FE8DDD426A82CA773C49F15F076D302ADEE30737
                            Malicious:false
                            Preview:Microsoft C/C++ MSF 7.00...DS............G...".......G..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):716800
                            Entropy (8bit):6.219577157189828
                            Encrypted:false
                            SSDEEP:12288:3patAdcuir6DuAstdFwBgHaaRRZbv4XqTC6Ri3JRFrt6rd6F1tuuuuuuYGpK7bA+:Zat2cuir6K7tdFJlbv2qTD0bFrBFbuuD
                            MD5:57999FF1631929462DE24BA18F61AE1C
                            SHA1:2AAAE073E752D32C6FD08DAC578C040924FE4B59
                            SHA-256:B21C0ED7224784B642647A8EFAD45C634BF88646638823215818B25143FEE86E
                            SHA-512:0AD42CBE76CA39353FBFBDD95411DF7ED830C960ACF5D1B943ECC424972FB326B2C69CCE680EFD9003D9650D0E791120A91AC8F2BE1AF09404F3D1EC6C4553E7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........y...............`.......`.......................`4.......Z..............................`.......`................................X.......0.............Rich....................PE..d......f.........." ...).....N......|........................................P............`......................................... V..H...hZ...........0.......I...........@.......|..p...............................@...............p............................text.............................. ..`.rdata..............................@..@.data...H...........................@....pdata...I.......J...f..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):716800
                            Entropy (8bit):6.219649477306373
                            Encrypted:false
                            SSDEEP:12288:PpatAdcuir6DuAstdFwBgHaaRRZbv4XqTC6Ri3JRFrt6rd6F1tuuuuuuYGpK7bA+:Bat2cuir6K7tdFJlbv2qTD0bFrBFbuuD
                            MD5:A3F150CEC06C4434460EF680417AF1AC
                            SHA1:A32958417D97509BE368CC48BAB8D9A1C8A9050D
                            SHA-256:F0D8FA3DB3127ABCDED89ABBF13F8D3C0071169618A0340570AA9B389034F176
                            SHA-512:B7354B772DBC6C137D35ACA2E9094E013D05A624A1A71F4B169EDFB07E4212369EF9FD78F23D996EC2C2B3A1E4A4FD158B5E60E347A9CCBA35E07CBA97E64C80
                            Malicious:false
                            Preview:MZ......................@...................................0...........!..L.!22622.3880.66.6.57999ff163192946S mode....$........y...............`.......`.......................`4.......Z..............................`.......`................................X.......0.............Rich....................PE..d......f.........." ...).....N......|........................................P............`......................................... V..H...hZ...........0.......I...........@.......|..p...............................@...............p............................text.............................. ..`.rdata..............................@..@.data...H...........................@....pdata...I.......J...f..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                            Entropy (8bit):7.989219365061286
                            TrID:
                            • Win64 Executable GUI (202006/5) 92.65%
                            • Win64 Executable (generic) (12005/4) 5.51%
                            • Generic Win/DOS Executable (2004/3) 0.92%
                            • DOS Executable Generic (2002/1) 0.92%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            File size:10'525'696 bytes
                            MD5:45a5a443c01abd7618efef4827241312
                            SHA1:5390d36a371f0598b86301961d5fdb329e368e7a
                            SHA256:d7f98b8af8a3bfe9d93ce31558a62e4d5d0cd425bc30bbc0d517901e5b82bf46
                            SHA512:0df6330a020ce3b52320f087f56023db069b56d4579b43a9827b8158be430585b88fb43d98004eae4e7a05f85086f5762da17f51af95fdb302669ae1c581f734
                            SSDEEP:196608:aZN5gB3uI0Bn+2N8cL0yiao2ItCC2bO+WxNtTYneFC5YbMvr5GM6BZ2r34:QzgN4Bz7ieTCIKNtUniYYAvE
                            TLSH:5AB63328B7E109CAF577D338C4B7584B52D97D0A1A30C87E9B60059E4D23BE1DA3877A
                            File Content Preview:MZ......................@...............................................!..L.!22622.3880.66.6.57999ff163192946S mode....$........^uOY?..Y?..Y?...G..\?...G...?......_?..I...P?..I...I?..I...q?...G..V?...G..X?...G..L?..Y?...?......]?......X?..Y?..H?......X?.
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x140008bd8
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66E2DBAB [Thu Sep 12 12:16:43 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:f1499aa854493f33c80eb31e0ab8ae92
                            Instruction
                            sub rsp, 28h
                            call 00007FAABD449520h
                            add rsp, 28h
                            jmp 00007FAABD44914Fh
                            int3
                            int3
                            sub rsp, 28h
                            call 00007FAABD449BB8h
                            test eax, eax
                            je 00007FAABD4492F3h
                            mov rax, qword ptr [00000030h]
                            mov rcx, qword ptr [rax+08h]
                            jmp 00007FAABD4492D7h
                            cmp rcx, rax
                            je 00007FAABD4492E6h
                            xor eax, eax
                            cmpxchg qword ptr [0002E460h], rcx
                            jne 00007FAABD4492C0h
                            xor al, al
                            add rsp, 28h
                            ret
                            mov al, 01h
                            jmp 00007FAABD4492C9h
                            int3
                            int3
                            int3
                            sub rsp, 28h
                            test ecx, ecx
                            jne 00007FAABD4492D9h
                            mov byte ptr [0002E449h], 00000001h
                            call 00007FAABD4498A5h
                            call 00007FAABD44CF30h
                            test al, al
                            jne 00007FAABD4492D6h
                            xor al, al
                            jmp 00007FAABD4492E6h
                            call 00007FAABD45870Fh
                            test al, al
                            jne 00007FAABD4492DBh
                            xor ecx, ecx
                            call 00007FAABD44CF40h
                            jmp 00007FAABD4492BCh
                            mov al, 01h
                            add rsp, 28h
                            ret
                            int3
                            int3
                            push rbx
                            sub rsp, 20h
                            cmp byte ptr [0002E410h], 00000000h
                            mov ebx, ecx
                            jne 00007FAABD449339h
                            cmp ecx, 01h
                            jnbe 00007FAABD44933Ch
                            call 00007FAABD449B2Eh
                            test eax, eax
                            je 00007FAABD4492FAh
                            test ebx, ebx
                            jne 00007FAABD4492F6h
                            lea rcx, [0002E3FAh]
                            call 00007FAABD45852Eh
                            test eax, eax
                            jne 00007FAABD4492E2h
                            lea rcx, [0002E402h]
                            call 00007FAABD44931Eh
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34bfc | 0xb4 | .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x9d1870 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x38000 | 0x1aac | .pdata
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0c000 | 0x6a4 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x32870 | 0x70 | .rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32730 | 0x140 | .rdata
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x26000 | 0x508 | .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x24f30 | 0x25000 | 173e7f97391bc8314dd470c483309938 | False | 0.5402040223817568 | data | 6.4691102710132915 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata | 0x26000 | 0xfd20 | 0xfe00 | 9e2d4b48d9fe068301a1f9d10650bbc7 | False | 0.48297551673228345 | data | 5.364699069479192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data | 0x36000 | 0x1f54 | 0xc00 | 70729d2ec4f7f720830ce88e7a8defb2 | False | 0.138671875 | data | 1.9570761316523926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .pdata | 0x38000 | 0x1aac | 0x1c00 | f7c2ea792d907b5dce52bcd41206cef3 | False | 0.4693080357142857 | PEX Binary Archive | 5.278111274874002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .rsrc | 0x3a000 | 0x9d1870 | 0x9d1a00 | 608280b907541a797dcf705572785f4e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xa0c000 | 0x6a4 | 0x800 | ed65753989fd21fecc4c316e3fbbc451 | False | 0.51025390625 | data | 5.001370553375213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
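The data-directory and section tables above are derived purely from the PE headers, and being able to reproduce them is what lets you check a sandbox's reading against your own when a sample looks odd (here, a 10 MB image whose .rsrc section is almost the whole file). The Python below is an added example, not code from the Joe Sandbox report or the sample: it walks the DOS header to the PE signature, reads the COFF header, the PE32+ optional header with its data directories and the section headers, computes per-section MD5 and Shannon entropy, names the characteristics and DllCharacteristics bits, and resolves each directory RVA to the section that contains it (the "Is in Section" column). The flag tables are the winnt.h constants; the input is a constructed two-section image built inline, and the "Xored PE" and "ZLIB Complexity" columns are not reproduced.

```python
import hashlib
import math
import struct

# Bit names from winnt.h (the subset needed for the tables in this report).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0: the 'Entropy (8bit)' figure used throughout the report."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe64(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32+ optional header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    ndirs = min(struct.unpack_from("<I", image, opt + 108)[0], 16)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                       # section headers follow the optional header
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[roff:roff + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": rsize,
                         "md5": hashlib.md5(raw).hexdigest(), "entropy": shannon_entropy(raw),
                         "characteristics": flag_names(chars, SECTION_FLAGS)})

    def section_for(rva):
        # A directory may sit in the tail of VirtualSize that has no raw bytes, or in
        # file padding beyond VirtualSize, so use the larger of the two extents.
        for s in sections:
            span = max(s["virtual_size"], s["raw_size"])
            if s["virtual_address"] <= rva < s["virtual_address"] + span:
                return s["name"]
        return None

    directories = []
    for i in range(ndirs):
        rva, size = struct.unpack_from("<II", image, opt + 112 + 8 * i)
        directories.append({"name": DIRECTORY_NAMES[i], "rva": rva, "size": size,
                            "section": section_for(rva) if rva else None})
    return {"machine": machine, "timestamp": timestamp, "entrypoint": image_base + entry,
            "dll_characteristics": flag_names(dll_chars, DLL_FLAGS),
            "directories": directories, "sections": sections}


def build_sample_pe64() -> bytes:
    """Constructed two-section PE32+ image (not the report's sample) used as test input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x66E2DBAB, 0, 0, 0xF0, 0x0022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8160)             # GUI subsystem; HEVA|DYNBASE|NX|TSAWARE
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 2, 0x2000, 0x100)   # RESOURCE directory -> .rsrc
    struct.pack_into("<II", opt, 112 + 8 * 12, 0x1080, 0x20)   # IAT directory -> .text
    sec = lambda n, vs, va, rs, ro, fl: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ro, 0, 0, 0, 0, fl)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += sec(b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020)
    headers += sec(b".rsrc", 0x200, 0x2000, 0x200, 0x400, 0x40000040)
    text = bytes.fromhex("4883ec28e800000000" "4883c428c3").ljust(0x200, b"\xcc")  # sub rsp,28h; call; add rsp,28h; ret
    rsrc = bytes(range(256)) * 2                            # uniform byte histogram: entropy exactly 8.0
    return headers.ljust(0x200, b"\0") + text + rsrc


if __name__ == "__main__":
    info = parse_pe64(build_sample_pe64())
    print(hex(info["entrypoint"]), info["dll_characteristics"])
    for s in info["sections"]:
        print(f"{s['name']:<8} VA={s['virtual_address']:#x} entropy={s['entropy']:.3f} {s['characteristics']}")
```

Run against a real file with `parse_pe64(open(path, "rb").read())`; the section MD5s are over the raw bytes on disk (SizeOfRawData, not VirtualSize), which is what the report's MD5 column hashes, so they are comparable directly.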
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_STRING | 0xa0b238 | 0x13e | data | Chinese | Taiwan | 0.7327044025157232
RT_STRING | 0xa03d18 | 0x2ae | data | German | Germany | 0.43731778425655976
RT_STRING | 0xa03498 | 0x2a2 | data | English | United States | 0.4169139465875371
RT_STRING | 0xa04788 | 0x2b8 | data | French | France | 0.43103448275862066
RT_STRING | 0xa05118 | 0x280 | data | Hungarian | Hungary | 0.46875
RT_STRING | 0xa06318 | 0x1b2 | data | Japanese | Japan | 0.6428571428571429
RT_STRING | 0xa06870 | 0x170 | data | Korean | North Korea | 0.7010869565217391
RT_STRING | 0xa06870 | 0x170 | data | Korean | South Korea | 0.7010869565217391
RT_STRING | 0xa07660 | 0x294 | data | Dutch | Netherlands | 0.4393939393939394
RT_STRING | 0xa07f98 | 0x2ac | data | Polish | Poland | 0.4473684210526316
RT_STRING | 0xa08920 | 0x294 | data | Romanian | Romania | 0.4348484848484849
RT_STRING | 0xa092b0 | 0x2ac | data | Russian | Russia | 0.4780701754385965
RT_STRING | 0xa09b90 | 0x2c4 | data | Turkish | Turkey | 0.4477401129943503
RT_STRING | 0xa05a40 | 0x292 | data | Indonesian | Indonesia | 0.4133738601823708
RT_STRING | 0xa0a558 | 0x2d4 | data | Ukrainian | Ukraine | 0.47790055248618785
RT_STRING | 0xa06d50 | 0x2c8 | data | Lithuanian | Lithuania | 0.45365168539325845
RT_STRING | 0xa0aea8 | 0x132 | data | Chinese | China | 0.7320261437908496
RT_STRING | 0xa0b378 | 0x272 | data | Chinese | Taiwan | 0.6597444089456869
RT_STRING | 0xa03fc8 | 0x7bc | data | German | Germany | 0.33636363636363636
RT_STRING | 0xa03740 | 0x5d4 | data | English | United States | 0.36126005361930297
RT_STRING | 0xa04a40 | 0x6d2 | data | French | France | 0.35051546391752575
RT_STRING | 0xa05398 | 0x6a2 | data | Hungarian | Hungary | 0.37809187279151946
RT_STRING | 0xa064d0 | 0x39c | data | Japanese | Japan | 0.5703463203463204
RT_STRING | 0xa069e0 | 0x36c | data | Korean | North Korea | 0.5753424657534246
RT_STRING | 0xa069e0 | 0x36c | data | Korean | South Korea | 0.5753424657534246
RT_STRING | 0xa078f8 | 0x69a | data | Dutch | Netherlands | 0.3502958579881657
RT_STRING | 0xa08248 | 0x6d2 | data | Polish | Poland | 0.3722794959908362
RT_STRING | 0xa08bb8 | 0x6f8 | data | Romanian | Romania | 0.34697309417040356
RT_STRING | 0xa09560 | 0x62e | data | Russian | Russia | 0.3950695322376738
RT_STRING | 0xa09e58 | 0x700 | data | Turkish | Turkey | 0.34933035714285715
RT_STRING | 0xa05cd8 | 0x63c | data | Indonesian | Indonesia | 0.3533834586466165
RT_STRING | 0xa0a830 | 0x678 | data | Ukrainian | Ukraine | 0.39492753623188404
RT_STRING | 0xa07018 | 0x648 | data | Lithuanian | Lithuania | 0.36691542288557216
RT_STRING | 0xa0afe0 | 0x258 | data | Chinese | China | 0.66
RT_RCDATA | 0x3a7b0 | 0x9c8ce4 | Zip archive data, at least v2.0 to extract, compression method=deflate | English | United States | 0.9992465972900391
RT_VERSION | 0x3a430 | 0x380 | data | English | United States | 0.43526785714285715
RT_MANIFEST | 0xa0b5f0 | 0x27e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5517241379310345
DLL | Import
KERNEL32.dll | TerminateProcess, RemoveDirectoryW, GetModuleFileNameW, FindClose, K32GetProcessImageFileNameW, GetUserPreferredUILanguages, OpenProcess, MultiByteToWideChar, CreateThread, K32EnumProcesses, GetCurrentDirectoryW, GetProcAddress, GetCurrentProcessId, GetModuleHandleW, FreeLibrary, CopyFileW, CreateSymbolicLinkW, lstrcmpW, MoveFileW, GetProcessTimes, LoadLibraryExW, WriteConsoleW, SetEndOfFile, WriteFile, HeapSize, FlushFileBuffers, GetProcessHeap, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, ReadConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FindNextFileW, SetLastError, FindFirstFileW, GetExitCodeProcess, MapViewOfFile, CreateFileMappingW, LocalFree, GetWindowsDirectoryW, FindResourceW, LoadResource, CloseHandle, DeleteFileW, LockResource, GetLastError, Sleep, CreateEventW, FreeResource, UnmapViewOfFile, GetSystemDirectoryW, CreateFileW, LocalAlloc, WaitForSingleObject, GetCurrentProcess, GetFileSizeEx, SizeofResource, ReadFile, HeapReAlloc, CreateDirectoryW, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetFileType, HeapFree, HeapAlloc, GetStdHandle, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, RaiseException, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwindEx, GetStartupInfoW, IsDebuggerPresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll | ExitWindowsEx, GetWindowThreadProcessId, SetProcessDpiAwarenessContext, SendMessageTimeoutW, MessageBoxW, SendMessageW, LoadStringW, FindWindowW
ADVAPI32.dll | RevertToSelf, EqualSid, RegDeleteKeyW, AllocateAndInitializeSid, RegDeleteKeyValueW, RegCreateKeyExW, CreateProcessWithTokenW, ImpersonateLoggedOnUser, RegDeleteTreeW, RegSetValueExW, FreeSid, CheckTokenMembership, DuplicateTokenEx, RegOpenKeyW, RegQueryValueExW, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, OpenProcessToken, RegOpenKeyExW, RegGetValueW
SHELL32.dll | SHGetFolderPathW, ShellExecuteW, SHFileOperationW, CommandLineToArgvW, ShellExecuteExW
ole32.dll | CoInitialize, CoUninitialize, CoCreateInstance
RstrtMgr.DLL | RmRegisterResources, RmGetList, RmStartSession, RmShutdown
VERSION.dll | VerQueryValueW
SHLWAPI.dll | PathRemoveExtensionW, PathRemoveFileSpecW, PathStripPathW, PathFileExistsW
Language of compilation system | Country where language is spoken | Map
Chinese | Taiwan
German | Germany
English | United States
French | France
Hungarian | Hungary
Japanese | Japan
Korean | North Korea
Korean | South Korea
Dutch | Netherlands
Polish | Poland
Romanian | Romania
Russian | Russia
Turkish | Turkey
Indonesian | Indonesia
Ukrainian | Ukraine
Lithuanian | Lithuania
Chinese | China
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-12T18:41:55.035052+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49734 | 140.82.121.4 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 12, 2024 18:41:53.222222090 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:53.222259045 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:53.222361088 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:53.222765923 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:53.222780943 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:54.731894970 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:54.732007980 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:54.851193905 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:54.851238012 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:54.851316929 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:54.851326942 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:54.851723909 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:54.851773977 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.035125017 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.035191059 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.035298109 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.035352945 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.035718918 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.035824060 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.035856962 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.035902977 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.043114901 CEST | 49734 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.043184042 CEST | 443 | 49734 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.044569969 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.044626951 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.044692993 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.047247887 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.047261953 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.675834894 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.675884962 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.719876051 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.719894886 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.720033884 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.720040083 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.945800066 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.945923090 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.946322918 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.946399927 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.946413994 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.946434975 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.946456909 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.946489096 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.962356091 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.4
Sep 12, 2024 18:41:55.962373972 CEST | 443 | 49735 | 140.82.121.4 | 192.168.2.4
Sep 12, 2024 18:41:55.970649004 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:55.970675945 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:55.970783949 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:55.971044064 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:55.971055984 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.452172041 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.452239037 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.503041029 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.503067017 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.503540039 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.503606081 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.537122965 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.579412937 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.672683001 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.672830105 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.672841072 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.672883987 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.672899008 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.672944069 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.672954082 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.672996998 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.673034906 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.673034906 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.673041105 CEST | 443 | 49740 | 185.199.110.133 | 192.168.2.4
Sep 12, 2024 18:41:56.673240900 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Sep 12, 2024 18:41:56.673242092 CEST | 49740 | 443 | 192.168.2.4 | 185.199.110.133
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 12, 2024 18:41:51.067257881 CEST | 54214 | 53 | 192.168.2.4 | 1.1.1.1
Sep 12, 2024 18:41:53.207820892 CEST | 55327 | 53 | 192.168.2.4 | 1.1.1.1
Sep 12, 2024 18:41:53.220938921 CEST | 53 | 55327 | 1.1.1.1 | 192.168.2.4
Sep 12, 2024 18:41:55.962944031 CEST | 54612 | 53 | 192.168.2.4 | 1.1.1.1
Sep 12, 2024 18:41:55.969882965 CEST | 53 | 54612 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 12, 2024 18:41:51.067257881 CEST | 192.168.2.4 | 1.1.1.1 | 0xbd85 | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Sep 12, 2024 18:41:53.207820892 CEST | 192.168.2.4 | 1.1.1.1 | 0xac30 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Sep 12, 2024 18:41:55.962944031 CEST | 192.168.2.4 | 1.1.1.1 | 0x364c | Standard query (0) | objects.githubusercontent.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 12, 2024 18:41:51.074956894 CEST | 1.1.1.1 | 192.168.2.4 | 0xbd85 | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 12, 2024 18:41:53.220938921 CEST | 1.1.1.1 | 192.168.2.4 | 0xac30 | No error (0) | github.com | | 140.82.121.4 | A (IP address) | IN (0x0001) | false
Sep 12, 2024 18:41:55.969882965 CEST | 1.1.1.1 | 192.168.2.4 | 0x364c | No error (0) | objects.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Sep 12, 2024 18:41:55.969882965 CEST | 1.1.1.1 | 192.168.2.4 | 0x364c | No error (0) | objects.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Sep 12, 2024 18:41:55.969882965 CEST | 1.1.1.1 | 192.168.2.4 | 0x364c | No error (0) | objects.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Sep 12, 2024 18:41:55.969882965 CEST | 1.1.1.1 | 192.168.2.4 | 0x364c | No error (0) | objects.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                            • github.com
                            • objects.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 140.82.121.4 | 443 | 6304 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-12 16:41:54 UTC | 126 | OUT | GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1
                            User-Agent: ExplorerPatcher
                            Host: github.com
2024-09-12 16:41:55 UTC | 547 | IN | HTTP/1.1 302 Found
                            Server: GitHub.com
                            Date: Thu, 12 Sep 2024 16:39:54 GMT
                            Content-Type: text/html; charset=utf-8
                            Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                            Location: https://github.com/valinet/ExplorerPatcher/releases/download/22621.3880.66.5_5094108/ep_setup.exe
                            Cache-Control: no-cache
                            Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                            X-Frame-Options: deny
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 0
                            Referrer-Policy: no-referrer-when-downgrade
2024-09-12 16:41:55 UTC | 3162 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
2024-09-12 16:41:55 UTC | 777 | IN | Data Ascii: Set-Cookie: _gh_sess=QXrZzlK15xbxODLwkJn4m3Hqw%2BFctdJozwIMv5yVWoxlbXdGVrN3E6KwH0Pr85CsHm8umLhtb%2BSL7B%2BOM4GqCQAo6Cwru4nfyyaZxVFAPCpF%2FCRAtTzD%2B%2BtCUrRYMlZVaI5TpDA8HX3B1ohP8IzBL7LHoE6feCG%2FyJBkbDQhcZW%2BJ4Bd7i8hEW%2BzHFLxxTgdhYHE6z6FOJl1WNciFV3xeOZD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 140.82.121.4 | 443 | 6304 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-12 16:41:55 UTC | 167 | OUT | GET /valinet/ExplorerPatcher/releases/download/22621.3880.66.5_5094108/ep_setup.exe HTTP/1.1
                            User-Agent: ExplorerPatcher
                            Host: github.com
                            Connection: Keep-Alive
2024-09-12 16:41:55 UTC | 997 | IN | HTTP/1.1 302 Found
                            Server: GitHub.com
                            Date: Thu, 12 Sep 2024 16:39:54 GMT
                            Content-Type: text/html; charset=utf-8
                            Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                            Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/d0ea7754-53d3-4f5a-b870-915f924fbb56?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240912%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240912T163954Z&X-Amz-Expires=300&X-Amz-Signature=8fed816d98f14b6776e39f90b7c0f1faf84d31bab0f7367704e2bf907b99482b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=394318710&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream
                            Cache-Control: no-cache
                            Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                            X-Frame-Options: deny
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 0
                            Referrer-Policy: no-referrer-when-downgrade
2024-09-12 16:41:55 UTC | 3259 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49740 | 185.199.110.133 | 443 | 6304 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-12 16:41:56 UTC | 617 | OUT | GET /github-production-release-asset-2e65be/394318710/d0ea7754-53d3-4f5a-b870-915f924fbb56?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240912%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240912T163954Z&X-Amz-Expires=300&X-Amz-Signature=8fed816d98f14b6776e39f90b7c0f1faf84d31bab0f7367704e2bf907b99482b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=394318710&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream HTTP/1.1
                            User-Agent: ExplorerPatcher
                            Connection: Keep-Alive
                            Host: objects.githubusercontent.com
2024-09-12 16:41:56 UTC | 800 | IN | HTTP/1.1 200 OK
                            Connection: close
                            Content-Length: 10525184
                            Content-Type: application/octet-stream
                            Last-Modified: Tue, 03 Sep 2024 02:49:02 GMT
                            ETag: "0x8DCCBC2F824451F"
                            Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                            x-ms-request-id: 3218f093-301e-0031-6aab-fd0046000000
                            x-ms-version: 2020-10-02
                            x-ms-creation-time: Tue, 03 Sep 2024 02:49:02 GMT
                            x-ms-lease-status: unlocked
                            x-ms-lease-state: available
                            x-ms-blob-type: BlockBlob
                            Content-Disposition: attachment; filename=ep_setup.exe
                            x-ms-server-encrypted: true
                            Via: 1.1 varnish, 1.1 varnish
                            Fastly-Restarts: 1
                            Accept-Ranges: bytes
                            Date: Thu, 12 Sep 2024 16:41:56 GMT
                            Age: 5886
                            X-Served-By: cache-iad-kcgs7200179-IAD, cache-ewr-kewr1740043-EWR
                            X-Cache: HIT, HIT
                            X-Cache-Hits: 4648, 1
                            X-Timer: S1726159317.586992,VS0,VE1



                            Target ID:0
                            Start time:12:41:41
                            Start date:12/09/2024
                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe"
                            Imagebase:0x7ff733100000
                            File size:10'525'696 bytes
                            MD5 hash:45A5A443C01ABD7618EFEF4827241312
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:12:41:42
                            Start date:12/09/2024
                            Path:C:\Windows\System32\taskkill.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\taskkill.exe" /f /im explorer.exe
                            Imagebase:0x7ff7a4530000
                            File size:101'376 bytes
                            MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:2
                            Start time:12:41:42
                            Start date:12/09/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:12:41:42
                            Start date:12/09/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
                            Imagebase:0x7ff66f060000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:4
                            Start time:12:41:43
                            Start date:12/09/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:12:41:44
                            Start date:12/09/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
                            Imagebase:0x7ff66f060000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:6
                            Start time:12:41:44
                            Start date:12/09/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:12:41:44
                            Start date:12/09/2024
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
                            Imagebase:0x7ff6d91c0000
                            File size:25'088 bytes
                            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:12:41:44
                            Start date:12/09/2024
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
                            Imagebase:0x7ff6d91c0000
                            File size:25'088 bytes
                            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:12:41:46
                            Start date:12/09/2024
                            Path:C:\Windows\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\explorer.exe"
                            Imagebase:0x7ff72b770000
                            File size:5'141'208 bytes
                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:12:41:46
                            Start date:12/09/2024
                            Path:C:\Windows\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\explorer.exe /NoUACCheck
                            Imagebase:0x7ff72b770000
                            File size:5'141'208 bytes
                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1773038677.00007FF733101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF733100000, based on PE: true
                              • Associated: 00000000.00000002.1773015629.00007FF733100000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1773069236.00007FF733126000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1773093512.00007FF733136000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1773111022.00007FF733138000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff733100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 2933794660-0
                              • Opcode ID: d490c774242d86a4b319619409adf73b8d724b4892db60fa64681951350df607
                              • Instruction ID: 169466a57049a5b408ab977658da50b8b0a1308568233b265713b3836cae6c04
                              • Opcode Fuzzy Hash: d490c774242d86a4b319619409adf73b8d724b4892db60fa64681951350df607
                              • Instruction Fuzzy Hash: 8D11A022B24F059AEB90DF60F8556B873A0FB18728F800E31DA6D927A4DF7CD0548350

                              Execution Graph

                              Execution Coverage:5.5%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:55.8%
                              Total number of Nodes:1639
                              Total number of Limit Nodes:46
33860 7ffe182311b0 80 API calls 33858->33860 33859->33844 33861 7ffe1824f706 33859->33861 33860->33522 33862 7ffe182311b0 80 API calls 33861->33862 33863 7ffe1824f712 33862->33863 33864 7ffe182311b0 80 API calls 33863->33864 33865 7ffe1824f720 33864->33865 33865->33844 33866->33411 33868 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 33867->33868 33869 7ffe1823f2a3 33868->33869 33869->33429 33869->33431 33870->33441 33872 7ffe1823d2d4 ImageDirectoryEntryToDataEx 33871->33872 33879 7ffe1823d3c1 33871->33879 33874 7ffe1823d307 33872->33874 33875 7ffe1823d32a FreeLibrary 33872->33875 33873 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 33876 7ffe1823d3de 33873->33876 33874->33875 33877 7ffe1828a364 47 API calls 33874->33877 33880 7ffe1823d33c 33874->33880 33875->33879 33876->33432 33877->33874 33879->33873 33881 7ffe1828a364 47 API calls 33880->33881 33882 7ffe1823d3ea VirtualQuery VirtualProtect 33880->33882 33884 7ffe1823d3b6 FreeLibrary 33880->33884 33881->33880 33883 7ffe1823d424 VirtualProtect FreeLibrary 33882->33883 33882->33884 33883->33879 33884->33879 33885->33432 33886->33441 33887->33474 33888->33478 33889->33475 33890->33480 33891->33482 33892->33486 33893->33489 33894->33486 33896 7ffe18246c03 RegQueryValueExW 33895->33896 33897 7ffe18246bfa 33895->33897 33899 7ffe18246e78 RegQueryValueExW RegQueryValueExW 33896->33899 33900 7ffe18246c38 RegOpenKeyExW 33896->33900 33898 7ffe1824824e RegCreateKeyExW 33897->33898 33905 7ffe1824829e RegQueryValueExW RegCloseKey 33898->33905 33906 7ffe18248298 33898->33906 33903 7ffe18246ee4 RegSetValueExW 33899->33903 33904 7ffe18246f13 RegQueryValueExW 33899->33904 33901 7ffe18246c71 33900->33901 33902 7ffe18246c7a RegQueryValueExW RegQueryValueExW RegCopyTreeW 33900->33902 33907 7ffe18246e46 RegSetValueExW 33901->33907 33902->33907 33908 7ffe18246cfa 7 API calls 33902->33908 33903->33904 33909 7ffe18246f52 
33904->33909 33910 7ffe18246f5d RegQueryValueExW 33904->33910 33911 7ffe182482d7 RegCreateKeyExW 33905->33911 33906->33911 33907->33899 33908->33907 33909->33910 33912 7ffe18246fa7 RegQueryValueExW RegQueryValueExW RegQueryValueExW RegQueryValueExW 33910->33912 33913 7ffe18246f9c 33910->33913 33914 7ffe18248321 33911->33914 33915 7ffe18248327 RegQueryValueExW RegQueryValueExW RegCloseKey 33911->33915 33917 7ffe18247083 33912->33917 33918 7ffe18247122 RegQueryValueExW RegQueryValueExW RegQueryValueExW 33912->33918 33913->33912 33916 7ffe18248393 RegCreateKeyExW 33914->33916 33915->33916 33921 7ffe182483e3 RegCloseKey 33916->33921 33922 7ffe182483dd 33916->33922 33923 7ffe18247098 33917->33923 33929 7ffe18232890 12 API calls 33917->33929 33919 7ffe182471c5 33918->33919 33920 7ffe182471d8 RegQueryValueExW 33918->33920 33919->33920 33927 7ffe1824724f RegQueryValueExW RegQueryValueExW RegQueryValueExW 33920->33927 33928 7ffe18247214 33920->33928 33924 7ffe182483e9 RegCreateKeyExW 33921->33924 33922->33924 33925 7ffe1824711b 33923->33925 33926 7ffe182470aa RegGetValueW RegSetValueExW 33923->33926 33930 7ffe18248433 33924->33930 33931 7ffe18248439 RegCloseKey 33924->33931 33925->33918 33926->33918 33934 7ffe182472f4 GetModuleHandleW 33927->33934 33935 7ffe18247332 RegQueryValueExW 33927->33935 33932 7ffe18247249 FreeConsole 33928->33932 33933 7ffe1824721d AllocConsole 33928->33933 33929->33923 33937 7ffe1824843f RegCreateKeyExW 33930->33937 33931->33937 33932->33927 33940 7ffe1824722d 33933->33940 33934->33935 33936 7ffe1824730c 33934->33936 33938 7ffe1824736e RegCloseKey 33935->33938 33939 7ffe18247379 RegQueryValueExW 33935->33939 33936->33935 33946 7ffe1823d460 52 API calls 33936->33946 33941 7ffe1824848f RegCloseKey 33937->33941 33942 7ffe18248489 33937->33942 33943 7ffe182486d6 33938->33943 33944 7ffe182473d5 13 API calls 33939->33944 33945 7ffe182473bd 33939->33945 34457 7ffe1828a598 108 API calls 33940->34457 33947 7ffe18248495 RegCreateKeyExW 33941->33947 
33942->33947 33952 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 33943->33952 33949 7ffe1824767a RegQueryValueExW RegQueryValueExW RegQueryValueExW RegQueryValueExW RegQueryValueExW 33944->33949 33950 7ffe1824766e 33944->33950 34458 7ffe1823dac0 50 API calls 2 library calls 33945->34458 33946->33935 33954 7ffe182484e5 RegCloseKey 33947->33954 33955 7ffe182484df 33947->33955 33960 7ffe182477b7 33949->33960 33961 7ffe182477cb RegQueryValueExW RegQueryValueExW 33949->33961 33957 7ffe18232890 12 API calls 33950->33957 33953 7ffe182486e2 33952->33953 34041 7ffe18248800 33953->34041 33962 7ffe182484eb RegCreateKeyExW 33954->33962 33955->33962 33956 7ffe182473cb 33956->33944 33957->33949 33958 7ffe18247247 33958->33927 33960->33961 34449 7ffe1823d7c0 AllocateAndInitializeSid 33961->34449 33964 7ffe18248535 33962->33964 33965 7ffe1824853b RegCloseKey 33962->33965 33967 7ffe18248541 RegCreateKeyExW 33964->33967 33965->33967 33969 7ffe18248591 RegCloseKey 33967->33969 33977 7ffe1824858b 33967->33977 33968 7ffe18247846 7 API calls 33971 7ffe182479c9 RegQueryValueExW RegQueryValueExW 33968->33971 33972 7ffe182479b7 33968->33972 33969->33977 33970 7ffe18247841 34459 7ffe18270330 85 API calls 2 library calls 33970->34459 33973 7ffe18247a81 RegQueryValueExW 33971->33973 33974 7ffe18247a41 33971->33974 33976 7ffe182709e0 10 API calls 33972->33976 33979 7ffe18247ad1 RegQueryValueExW 33973->33979 33980 7ffe18247abe 33973->33980 33978 7ffe182709e0 10 API calls 33974->33978 33981 7ffe182479c2 33976->33981 33977->33943 33982 7ffe182485b6 33977->33982 33986 7ffe18248800 37 API calls 33977->33986 33983 7ffe18247a4c 33978->33983 33984 7ffe18247b10 33979->33984 33985 7ffe18247b19 RegQueryValueExW EnterCriticalSection RegQueryValueExW 33979->33985 33980->33979 33981->33971 33987 7ffe18248614 33982->33987 33988 7ffe182485bc SendNotifyMessageW 33982->33988 33983->33973 33997 7ffe18247a69 SetTimer 33983->33997 33998 7ffe18247a7b KillTimer 
33983->33998 33984->33985 33989 7ffe18247be1 RegQueryValueExW 33985->33989 33990 7ffe18247b9c 33985->33990 33986->33982 33995 7ffe1824861f 33987->33995 33996 7ffe1824861a 33987->33996 33991 7ffe182485dc FindWindowW InvalidateRect 33988->33991 33992 7ffe182485f9 33988->33992 33993 7ffe18247c2e RegQueryValueExW 33989->33993 33994 7ffe18247c22 33989->33994 33990->33989 34010 7ffe18247bd0 SendMessageW 33990->34010 33991->33992 33992->33987 33999 7ffe182485ff InvalidateRect 33992->33999 34000 7ffe18247c71 33993->34000 34001 7ffe18247c8d RegQueryValueExW 33993->34001 33994->33993 33995->33943 34003 7ffe18248629 RegGetValueW RegSetKeyValueW SHFlushSFCache SHChangeNotify 33995->34003 34460 7ffe1823e230 9 API calls 33996->34460 33997->33973 33998->33973 33999->33987 34000->34001 34004 7ffe18247ccb 34001->34004 34003->33943 34005 7ffe18247ce2 RegQueryValueExW 34004->34005 34006 7ffe18287eb8 47 API calls 34004->34006 34008 7ffe18247d51 GetUserPreferredUILanguages 34005->34008 34009 7ffe18247d47 34005->34009 34006->34005 34012 7ffe18247dce __std_exception_destroy 34008->34012 34013 7ffe18247d7e 34008->34013 34009->34008 34011 7ffe18247df5 RegQueryValueExW 34009->34011 34010->33989 34016 7ffe18247e6e RegQueryValueExW 34011->34016 34017 7ffe18247e62 34011->34017 34012->34011 34014 7ffe18287eb8 47 API calls 34012->34014 34013->34012 34018 7ffe18247da4 GetUserPreferredUILanguages 34013->34018 34014->34011 34019 7ffe18247eb1 34016->34019 34020 7ffe18247ed5 RegQueryValueExW 34016->34020 34017->34016 34018->34012 34022 7ffe18247dbe 34018->34022 34019->34020 34021 7ffe18247f36 RegQueryValueExW 34020->34021 34025 7ffe18247f18 34020->34025 34023 7ffe18247f97 RegQueryValueExW 34021->34023 34026 7ffe18247f79 34021->34026 34024 7ffe18287eb8 47 API calls 34022->34024 34027 7ffe18247ffe RegQueryValueExW 34023->34027 34028 7ffe18247fda 34023->34028 34024->34012 34025->34021 34026->34023 34029 7ffe18248065 RegQueryValueExW 34027->34029 34030 7ffe18248041 34027->34030 34028->34027 34031 
7ffe182480b2 RegQueryValueExW 34029->34031 34032 7ffe182480a6 34029->34032 34030->34029 34033 7ffe182480f3 34031->34033 34034 7ffe182480ff RegQueryValueExW 34031->34034 34032->34031 34033->34034 34035 7ffe1824816a LeaveCriticalSection RegQueryValueExW 34034->34035 34040 7ffe18248142 34034->34040 34036 7ffe182481de RegQueryValueExW 34035->34036 34037 7ffe182481c7 34035->34037 34038 7ffe1824823e RegCloseKey 34036->34038 34039 7ffe18248227 34036->34039 34037->34036 34038->33898 34039->34038 34040->34035 34042 7ffe18248844 RegCreateKeyExW 34041->34042 34043 7ffe1824883b 34041->34043 34044 7ffe18248971 34042->34044 34045 7ffe1824888f RegQueryValueExW 34042->34045 34043->34042 34043->34044 34046 7ffe18248983 RegCreateKeyExW 34044->34046 34047 7ffe18248a24 SendNotifyMessageW FindWindowExW 34044->34047 34048 7ffe182488d1 RegQueryValueExW 34045->34048 34049 7ffe182488c6 34045->34049 34052 7ffe182489ca RegQueryValueExW 34046->34052 34053 7ffe18248a17 34046->34053 34055 7ffe18248a5f FindWindowExW 34047->34055 34056 7ffe18248ad0 FindWindowExW 34047->34056 34050 7ffe1824890f 34048->34050 34051 7ffe1824891b RegQueryValueExW 34048->34051 34461 7ffe18248700 14 API calls Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 34049->34461 34050->34051 34058 7ffe18248965 RegCloseKey 34051->34058 34059 7ffe18248959 34051->34059 34052->34053 34061 7ffe18248a04 34052->34061 34053->34047 34064 7ffe18248b08 34053->34064 34055->34056 34057 7ffe18248a79 FindWindowExW 34055->34057 34056->34057 34060 7ffe18248af6 34056->34060 34057->34056 34066 7ffe18248a96 GetWindowLongPtrW 34057->34066 34058->34044 34059->34058 34063 7ffe18248b03 34060->34063 34060->34064 34462 7ffe18248700 14 API calls Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 34061->34462 34463 7ffe1823e230 9 API calls 34063->34463 34069 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 34064->34069 34066->34056 34070 7ffe18248aa9 
InvalidateRect 34066->34070 34068 7ffe18248a15 34068->34053 34071 7ffe18248b14 34069->34071 34070->34056 34071->33509 34073 7ffe18272080 34071->34073 34464 7ffe18272470 34073->34464 34075 7ffe18272094 34477 7ffe18272fa0 34075->34477 34077 7ffe18272099 34078 7ffe182720e9 34077->34078 34080 7ffe18272470 85 API calls 34077->34080 34079 7ffe18272550 85 API calls 34078->34079 34081 7ffe182720fb 34079->34081 34080->34078 34081->33509 34083 7ffe18287ecf 34082->34083 34084 7ffe18287ec5 34082->34084 34482 7ffe1828c0d0 11 API calls memcpy_s 34083->34482 34084->34083 34089 7ffe18287eeb 34084->34089 34086 7ffe18287ed7 34483 7ffe1828bf64 47 API calls _invalid_parameter_noinfo 34086->34483 34087 7ffe1824dd07 34087->33523 34087->33528 34089->34087 34484 7ffe1828c0d0 11 API calls memcpy_s 34089->34484 34092 7ffe1824c23d LoadLibraryW 34091->34092 34093 7ffe1824c226 GetProcAddress 34091->34093 34094 7ffe1824c397 LoadLibraryW 34092->34094 34099 7ffe1824c265 34092->34099 34093->34092 34095 7ffe1824c3be LoadLibraryExW 34094->34095 34096 7ffe1824c3a9 GetProcAddress 34094->34096 34097 7ffe1824c5bf LoadLibraryExW 34095->34097 34098 7ffe1824c3d7 34095->34098 34096->34095 34101 7ffe1824c670 RegGetValueW 34097->34101 34102 7ffe1824c5e0 34097->34102 34100 7ffe1823d290 55 API calls 34098->34100 34110 7ffe1823d290 55 API calls 34099->34110 34105 7ffe1824c3f0 34100->34105 34485 7ffe1823d920 34101->34485 34103 7ffe1823d460 52 API calls 34102->34103 34108 7ffe1824c5f9 34103->34108 34106 7ffe1824c45f 34105->34106 34107 7ffe1824c3f9 GetCurrentProcess K32GetModuleInformation 34105->34107 34113 7ffe1823d290 55 API calls 34106->34113 34111 7ffe1824c43d 34107->34111 34112 7ffe1823d460 52 API calls 34108->34112 34109 7ffe1824c6bd 34117 7ffe1824c6e4 GetModuleHandleW GetProcAddress 34109->34117 34118 7ffe1824c775 34109->34118 34114 7ffe1824c2b1 34110->34114 34111->34106 34128 7ffe18272760 114 API calls 34111->34128 34115 7ffe1824c616 34112->34115 34116 7ffe1824c47c 34113->34116 34119 7ffe1824c320 
34114->34119 34120 7ffe1824c2ba GetCurrentProcess K32GetModuleInformation 34114->34120 34115->34101 34129 7ffe1823d290 55 API calls 34115->34129 34122 7ffe1823d290 55 API calls 34116->34122 34124 7ffe1824c72c 34117->34124 34125 7ffe1824c712 34117->34125 34123 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 34118->34123 34121 7ffe1823d290 55 API calls 34119->34121 34126 7ffe1824c2fe 34120->34126 34130 7ffe1824c33d 34121->34130 34131 7ffe1824c498 34122->34131 34132 7ffe1824c784 34123->34132 34127 7ffe182311b0 80 API calls 34124->34127 34134 7ffe1824c73e 34124->34134 34133 7ffe18272760 114 API calls 34125->34133 34126->34119 34137 7ffe18272760 114 API calls 34126->34137 34127->34134 34128->34106 34135 7ffe1824c645 34129->34135 34130->34094 34139 7ffe1823d290 55 API calls 34130->34139 34136 7ffe1824c4f2 34131->34136 34140 7ffe1823d290 55 API calls 34131->34140 34132->33518 34132->33519 34133->34124 34134->34118 34143 7ffe1823f230 9 API calls 34134->34143 34138 7ffe1823d290 55 API calls 34135->34138 34141 7ffe1823d290 55 API calls 34136->34141 34137->34119 34138->34101 34144 7ffe1824c36c 34139->34144 34145 7ffe1824c4c7 34140->34145 34142 7ffe1824c50f 34141->34142 34146 7ffe1823d290 55 API calls 34142->34146 34147 7ffe1824c747 34143->34147 34148 7ffe1823d290 55 API calls 34144->34148 34149 7ffe1823d290 55 API calls 34145->34149 34150 7ffe1824c52c GetCurrentProcess K32GetModuleInformation 34146->34150 34147->34118 34151 7ffe1824c74b LoadLibraryW 34147->34151 34148->34094 34149->34136 34152 7ffe1824c5a2 34150->34152 34157 7ffe1824c552 34150->34157 34153 7ffe1823d290 55 API calls 34151->34153 34154 7ffe1823d290 55 API calls 34152->34154 34153->34118 34154->34097 34155 7ffe1824c598 34502 7ffe1824bc00 24 API calls Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 34155->34502 34156 7ffe1824c584 34156->34152 34156->34155 34157->34155 34157->34156 34158 7ffe18232890 12 API calls 34157->34158 
34158->34156 34161 7ffe1823117d 34160->34161 34503 7ffe18287100 34161->34503 34165 7ffe1824e1be 34164->34165 34166 7ffe18288a5c 34165->34166 34525 7ffe18290290 GetLastError 34166->34525 34170 7ffe18290290 BuildCatchObjectHelperInternal 47 API calls 34169->34170 34171 7ffe18288a39 34170->34171 34171->33554 34173 7ffe18233915 34172->34173 34565 7ffe18287a78 34173->34565 34176 7ffe18265cf0 34177 7ffe18232890 12 API calls 34176->34177 34178 7ffe18265d31 34177->34178 34179 7ffe18265d75 34178->34179 34180 7ffe18232890 12 API calls 34178->34180 34181 7ffe18265d93 RegCreateKeyExW 34179->34181 34182 7ffe18266027 RegCreateKeyExW 34179->34182 34180->34179 34183 7ffe1826630a 34181->34183 34184 7ffe18265de8 GetWindowsDirectoryW 34181->34184 34182->34183 34185 7ffe18266079 GetSystemDirectoryW 34182->34185 34188 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 34183->34188 34186 7ffe18287e1c 47 API calls 34184->34186 34187 7ffe18287e1c 47 API calls 34185->34187 34189 7ffe18265e12 34186->34189 34190 7ffe182660a3 34187->34190 34191 7ffe1824e301 34188->34191 34192 7ffe1826fe80 75 API calls 34189->34192 34579 7ffe1826fe80 CreateFileW 34190->34579 34191->33568 34191->33570 34191->33581 34195 7ffe18265e25 34192->34195 34198 7ffe18265e2d RegQueryValueExA 34195->34198 34216 7ffe18265ffa 34195->34216 34196 7ffe182660c3 RegQueryValueExA 34199 7ffe18266103 34196->34199 34200 7ffe18266312 34196->34200 34197 7ffe1826632d RegCloseKey RegDeleteTreeW 34203 7ffe18266347 34197->34203 34204 7ffe18265e6b 34198->34204 34205 7ffe18265fe7 34198->34205 34206 7ffe1828a364 47 API calls 34199->34206 34208 7ffe182311b0 80 API calls 34200->34208 34201 7ffe1826600f 34201->34182 34209 7ffe18266013 RegDeleteTreeW 34201->34209 34202 7ffe18266009 RegCloseKey 34202->34201 34210 7ffe1826635c 34203->34210 34218 7ffe18232890 12 API calls 34203->34218 34604 7ffe1828a364 34204->34604 34207 7ffe182311b0 80 API calls 34205->34207 34215 7ffe18266116 34206->34215 
34207->34216 34217 7ffe18266325 34208->34217 34209->34182 34213 7ffe18266372 RegCreateKeyExW GetWindowsDirectoryW 34210->34213 34214 7ffe182665e4 34210->34214 34212 7ffe18265e7e 34212->34205 34219 7ffe18265e86 RegQueryValueExW 34212->34219 34220 7ffe18287e1c 47 API calls 34213->34220 34222 7ffe182665f2 RegCreateKeyExW GetWindowsDirectoryW 34214->34222 34223 7ffe182667ed RegCreateKeyExW 34214->34223 34215->34200 34221 7ffe1826611e RegQueryValueExW 34215->34221 34216->34201 34216->34202 34217->34197 34218->34210 34219->34205 34224 7ffe18265ec7 34219->34224 34225 7ffe182663e7 34220->34225 34221->34200 34226 7ffe1826615f 34221->34226 34227 7ffe18287e1c 47 API calls 34222->34227 34223->34183 34228 7ffe1826683c RegDeleteValueW RegCloseKey 34223->34228 34224->34205 34229 7ffe18265eda 6 API calls 34224->34229 34230 7ffe1826fe80 75 API calls 34225->34230 34226->34200 34231 7ffe18266172 10 API calls 34226->34231 34232 7ffe1826665f FindFirstFileW 34227->34232 34228->34183 34229->34216 34233 7ffe182663fa 34230->34233 34231->34203 34234 7ffe18266684 GetWindowsDirectoryW 34232->34234 34235 7ffe18266679 FindClose 34232->34235 34236 7ffe182665b0 34233->34236 34237 7ffe18266402 RegQueryValueExA 34233->34237 34239 7ffe18287e1c 47 API calls 34234->34239 34238 7ffe182666ae 34235->34238 34240 7ffe182665c3 34236->34240 34241 7ffe182665bd RegCloseKey 34236->34241 34242 7ffe1826659d 34237->34242 34243 7ffe18266447 34237->34243 34244 7ffe1826fe80 75 API calls 34238->34244 34239->34238 34240->34214 34245 7ffe182665d0 RegDeleteTreeW 34240->34245 34241->34240 34248 7ffe182311b0 80 API calls 34242->34248 34246 7ffe1828a364 47 API calls 34243->34246 34247 7ffe182666c1 34244->34247 34245->34214 34249 7ffe1826645a 34246->34249 34250 7ffe182666c9 RegQueryValueExA 34247->34250 34261 7ffe182667c2 34247->34261 34248->34236 34249->34242 34255 7ffe18266462 RegQueryValueExW 34249->34255 34251 7ffe182667af 34250->34251 34252 7ffe1826670e 34250->34252 34257 7ffe182311b0 80 API calls 34251->34257 34256 
7ffe1828a364 47 API calls 34252->34256 34253 7ffe182667d5 34253->34223 34258 7ffe182667d9 RegDeleteTreeW 34253->34258 34254 7ffe182667cf RegCloseKey 34254->34253 34255->34242 34259 7ffe182664a3 34255->34259 34260 7ffe18266721 34256->34260 34257->34261 34258->34223 34259->34242 34262 7ffe182664b6 RegQueryValueExW RegQueryValueExW RegQueryValueExW RegQueryValueExW RegQueryValueExW 34259->34262 34260->34251 34263 7ffe18266729 RegQueryValueExW 34260->34263 34261->34253 34261->34254 34262->34236 34263->34251 34264 7ffe18266766 34263->34264 34264->34251 34265 7ffe18266775 RegQueryValueExW 34264->34265 34265->34261 34267 7ffe1823d5c3 34266->34267 34271 7ffe1823d4a2 34266->34271 34268 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 34267->34268 34270 7ffe1823d5e4 34268->34270 34270->33609 34272 7ffe1828a364 47 API calls 34271->34272 34273 7ffe1823d525 VirtualProtect 34271->34273 34274 7ffe1823d5b8 FreeLibrary 34271->34274 34272->34271 34273->34274 34275 7ffe1823d546 VirtualProtect FreeLibrary 34273->34275 34274->34267 34275->34267 34277 7ffe18272470 85 API calls 34276->34277 34278 7ffe182727a2 34277->34278 34625 7ffe182727f0 34278->34625 34282 7ffe182727d0 34282->33623 34784 7ffe1826aeb0 GetSystemDirectoryW 34283->34784 34286 7ffe1826b4de 34288 7ffe182311b0 80 API calls 34286->34288 34289 7ffe1826b4f0 34286->34289 34287 7ffe18272760 114 API calls 34287->34286 34288->34289 34290 7ffe1826b505 34289->34290 34291 7ffe18232890 12 API calls 34289->34291 34292 7ffe1826b569 34290->34292 34294 7ffe18272760 114 API calls 34290->34294 34296 7ffe1826b557 34290->34296 34291->34290 34293 7ffe18232890 12 API calls 34292->34293 34298 7ffe1826b57e 34292->34298 34293->34298 34294->34296 34295 7ffe182311b0 80 API calls 34295->34292 34296->34292 34296->34295 34297 7ffe1826ba20 34299 7ffe1826ba87 34297->34299 34300 7ffe1824cd30 12 API calls 34297->34300 34298->34297 34305 7ffe182311b0 80 API calls 34298->34305 34312 7ffe1826b724 34298->34312 
34301 7ffe1826ba9c 34299->34301 34304 7ffe18232890 12 API calls 34299->34304 34303 7ffe1826ba6f 34300->34303 34302 7ffe1826bac0 34301->34302 34824 7ffe1826ad00 114 API calls 34301->34824 34306 7ffe1823d290 55 API calls 34302->34306 34303->34299 34307 7ffe1826ba75 34303->34307 34304->34301 34308 7ffe1826b60c 34305->34308 34310 7ffe1826badd 34306->34310 34822 7ffe18269cf0 126 API calls Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 34307->34822 34314 7ffe18232890 12 API calls 34308->34314 34325 7ffe1826b621 34308->34325 34316 7ffe182311b0 80 API calls 34310->34316 34313 7ffe1826b878 34312->34313 34318 7ffe182311b0 80 API calls 34312->34318 34820 7ffe18268ef0 82 API calls 2 library calls 34313->34820 34314->34325 34319 7ffe1826bae9 34316->34319 34317 7ffe1826ba7e 34317->34299 34823 7ffe1823e860 94 API calls 2 library calls 34317->34823 34323 7ffe1826b763 34318->34323 34320 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 34319->34320 34322 7ffe1824ec0c 34320->34322 34357 7ffe1824d5c0 34322->34357 34323->34313 34326 7ffe182311b0 80 API calls 34323->34326 34324 7ffe1826b881 34327 7ffe182311b0 80 API calls 34324->34327 34330 7ffe1826b976 LoadLibraryW GetCurrentProcess K32GetModuleInformation 34324->34330 34325->34312 34328 7ffe182311b0 80 API calls 34325->34328 34335 7ffe1826b79e 34326->34335 34329 7ffe1826b8f2 34327->34329 34334 7ffe1826b687 34328->34334 34331 7ffe182311b0 80 API calls 34329->34331 34821 7ffe182692d0 88 API calls 3 library calls 34330->34821 34333 7ffe1826b90a VirtualProtect 34331->34333 34333->34330 34336 7ffe1826b92f memcpy_s 34333->34336 34334->34312 34337 7ffe1826b6b0 34334->34337 34335->34313 34338 7ffe182311b0 80 API calls 34335->34338 34339 7ffe1826b956 VirtualProtect 34336->34339 34340 7ffe182311b0 80 API calls 34337->34340 34341 7ffe1826b7d9 34338->34341 34342 7ffe182311b0 80 API calls 34339->34342 34343 7ffe1826b6c3 VirtualProtect 34340->34343 34341->34313 34347 
7ffe1826b7e5 34341->34347 34342->34330 34343->34312 34346 7ffe1826b6e3 VirtualProtect 34343->34346 34344 7ffe1826ba0a 34344->34297 34349 7ffe182311b0 80 API calls 34344->34349 34345 7ffe1826b9ab 34345->34344 34348 7ffe182311b0 80 API calls 34345->34348 34350 7ffe182311b0 80 API calls 34346->34350 34347->34313 34353 7ffe182311b0 80 API calls 34347->34353 34351 7ffe1826b9f0 34348->34351 34349->34297 34350->34312 34352 7ffe18272760 114 API calls 34351->34352 34352->34344 34354 7ffe1826b815 VirtualProtect 34353->34354 34354->34313 34355 7ffe1826b835 VirtualProtect 34354->34355 34356 7ffe182311b0 80 API calls 34355->34356 34356->34313 34358 7ffe1824d694 34357->34358 34360 7ffe1824d5f0 memcpy_s 34357->34360 34359 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 34358->34359 34361 7ffe1824d7ae 34359->34361 34360->34358 34362 7ffe1824d614 SHGetFolderPathW 34360->34362 34361->33702 34361->33704 34363 7ffe18287e1c 47 API calls 34362->34363 34364 7ffe1824d647 34363->34364 34365 7ffe18287e1c 47 API calls 34364->34365 34366 7ffe1824d659 34365->34366 34367 7ffe1824d66f LoadLibraryExW 34366->34367 34368 7ffe1824d667 LoadLibraryW 34366->34368 34369 7ffe1824d67d 34367->34369 34368->34369 34370 7ffe1824d685 34369->34370 34371 7ffe1824d69b 34369->34371 34372 7ffe18231150 80 API calls 34370->34372 34371->34358 34373 7ffe1824d6ab GetProcAddress 34371->34373 34372->34358 34374 7ffe1824d7d2 34373->34374 34375 7ffe1824d6c4 34373->34375 34376 7ffe18231150 80 API calls 34374->34376 34375->34374 34378 7ffe1824d6cf GetProcAddress 34375->34378 34377 7ffe1824d7e4 FreeLibrary 34376->34377 34377->34358 34379 7ffe1824d6f3 34378->34379 34380 7ffe1824d6ff 34378->34380 34381 7ffe18232890 12 API calls 34379->34381 34382 7ffe1824d711 34380->34382 34384 7ffe1824d728 34380->34384 34385 7ffe1824d7b9 34380->34385 34381->34380 34383 7ffe1824d73e GetProcAddress 34382->34383 34387 7ffe1824d753 34383->34387 34388 7ffe1824d758 GetProcAddress 34383->34388 34386 
7ffe18272760 114 API calls 34384->34386 34389 7ffe182311b0 80 API calls 34385->34389 34386->34383 34387->34388 34391 7ffe1824d76d 34388->34391 34390 7ffe1824d7c5 FreeLibrary 34389->34390 34392 7ffe1824d793 34390->34392 34393 7ffe18231150 80 API calls 34391->34393 34392->34358 34393->34392 34395 7ffe1823d290 55 API calls 34394->34395 34396 7ffe1824dab6 34395->34396 34397 7ffe1824dadf 34396->34397 34399 7ffe1823d290 55 API calls 34396->34399 34398 7ffe1823d290 55 API calls 34397->34398 34400 7ffe1824dafc GetCurrentProcess K32GetModuleInformation 34398->34400 34399->34397 34401 7ffe1824db40 34400->34401 34402 7ffe1824db62 34401->34402 34403 7ffe18272760 114 API calls 34401->34403 34404 7ffe182311b0 80 API calls 34402->34404 34403->34402 34405 7ffe1824db6e 34404->34405 34406 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 34405->34406 34407 7ffe1824db7b 34406->34407 34407->33755 34409 7ffe1823d290 55 API calls 34408->34409 34410 7ffe18241e36 34409->34410 34411 7ffe18272080 87 API calls 34410->34411 34412 7ffe18241e3b GetCurrentProcess K32GetModuleInformation 34411->34412 34413 7ffe18241e7b 34412->34413 34414 7ffe18241e9d 34413->34414 34415 7ffe18272760 114 API calls 34413->34415 34416 7ffe18272220 100 API calls 34414->34416 34415->34414 34417 7ffe18241ea7 34416->34417 34418 7ffe18272110 93 API calls 34417->34418 34419 7ffe18241eaf 34418->34419 34420 7ffe1823d290 55 API calls 34419->34420 34421 7ffe18241ecc 34420->34421 34422 7ffe182311b0 80 API calls 34421->34422 34423 7ffe18241ed8 34422->34423 34424 7ffe182710b0 Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock 8 API calls 34423->34424 34425 7ffe18241ee5 34424->34425 34425->33757 34427 7ffe18272470 85 API calls 34426->34427 34428 7ffe18272241 34427->34428 34825 7ffe18272270 34428->34825 34431 7ffe18272550 85 API calls 34432 7ffe1824f49a 34431->34432 34432->33806 34432->33807 34434 7ffe18272470 85 API calls 34433->34434 34436 7ffe18272131 
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value$Create$CloseQuery$InvalidateNotifyRect$CacheChangeFindFlushMessageOpenSendWindow
                              • String ID: AllocConsole$AltTabSettings$ArchiveMenu$Attributes$CONOUT$$CenterMenus$ClassicThemeMitigations$ClockFlyoutOnWinC$DisableAeroSnapQuadrants$DisableImmersiveContextMenu$DisableOfficeHotkeys$DisableWinFHotkey$DoNotRedirectDateAndTimeToSettingsApp$DoNotRedirectNotificationIconsToSettingsApp$DoNotRedirectProgramsAndFeaturesToSettingsApp$DoNotRedirectSystemToSettingsApp$DwmExtendFrameIntoClientArea$EnableSymbolDownload$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$FileExplorerCommandUI$FlyoutMenus$HideControlCenterButton$HideExplorerSearchBar$HideIconAndTitleInExplorer$HookStartMenu$IMEStyle$IsUpdatePending$LegacyFileTransferDialog$MMOldTaskbarAl$MMTaskbarGlomLevel$Memcheck$MicaEffectOnTitlebar$MigratedFromOldSettings$MonitorOverride$NoMenuAccelerator$NoPropertiesInContextMenu$OldTaskbar$OldTaskbarAl$OpenAtLogon$OpenPropertiesAtNextStart$OrbStyle$PinnedItemsActAsQuickLaunch$PropertiesInWinX$RemoveExtraGapAroundPinnedItems$ReplaceNetwork$SOFTWARE\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InProcServer32$SOFTWARE\Microsoft\TabletTip\1.7$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$ShrinkExplorerAddressBar$SkinIcons$SkinMenus$SnapAssistSettings$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}\ShellFolder$Software\ExplorerPatcher$Software\ExplorerPatcher\sws$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$SpotlightDesktopMenuMask$SpotlightDisableIcon$SpotlightUpdateSchedule$StartDocked$TaskbarAutohideOnDoubleClick$TaskbarGlomLevel$ToolbarSeparators$TraySettings$UndeadStartCorner$UpdatePolicy$UseClassic
DriveGrouping$WeatherContentUpdateMode$WeatherContentsMode$WeatherDevMode$WeatherFixedSize$WeatherIconPack$WeatherLanguage$WeatherLocation$WeatherLocationType$WeatherTemperatureUnit$WeatherTheme$WeatherToLeft$WeatherViewMode$WeatherWindowCornerPreference$WeatherZoomFactor$dwmapi.dll$en-US$uxtheme.dll
                              • API String ID: 1717770317-297309502
                              • Opcode ID: 04d1e1573d1d58ed46e399be87d2d05e2029e0dde3753260f2fd2c8e127fafed
                              • Instruction ID: 341c31e4b2ebd251125f452e6171729cd8815c1814e05f35495be9a75f4d6030
                              • Opcode Fuzzy Hash: 04d1e1573d1d58ed46e399be87d2d05e2029e0dde3753260f2fd2c8e127fafed
                              • Instruction Fuzzy Hash: 13031B76B18F128AEB618B62E8506A937F5FB88368F405275DA4D13B74DF3CD205CB18
                              Similarity
                              • API ID: AddressProc$Library$Create$Load$Thread$Module$Virtual$Protect$Handle$Free$Event$CurrentInformationProcess$DirectoryExitValue$CloseDeleteFileFindPathQuery$CommandCreate_CriticalDataEntryEnumErrorExistsFirstFolderImageInitializeL32_LastMutexOpenSectionWindows_invalid_parameter_noinfo
                              • String ID: 0o$API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL$API-MS-WIN-NTUSER-RECTANGLE-L1-1-0.DLL$API-MS-WIN-SHCORE-REGISTRY-L1-1-0.DLL$Attempting to download symbol data; for now, the program may have limited functionality.$CascadeWindows$CloseThemeData$CoCreateInstance$CreateWindowExW$CreateWindowInBand$DeleteMenu$DllGetClassObject$DrawThemeBackground$DrawThemeTextEx$DwmUpdateThumbnailProperties$EP Service Window thread$Failed to install hooks. rv = %d$GetClientRect$GetSystemMetrics$GetThemeMargins$GetThemeMetric$GetWindowBand$Global\EP_Weather_Killswitch_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$ITrayUIHost = %llX$Initialized taskbar centering module.$InputSwitch.dll$Installed hooks.$IsOS$LoadLibraryExW$LoadMenuW$Loaded symbols$MMTaskbarGlomLevel$MulDiv$NtUserFindWindowEx$Open Start on monitor thread$OpenThemeDataForDpi$PeopleBand.dll$QISearch$RegCreateKeyExW$RegGetValueW$RegOpenKeyExW$RegSetValueExW$RegisterHotKey$RoGetActivationFactory$Running on Windows %d, OS Build %d.%d.%d.%d.$SHCORE.dll$SHELL32_CanDisplayWin8CopyDialog$SHGetValueW$SHLWAPI.dll$SLGetWindowsInformationDWORD$SOFTWARE\Microsoft\TabletTip\1.7$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$SendMessageW$SetRect$SetWindowBand$SetWindowCompositionAttribute$Setup bthprops functions done$Setup combase functions done$Setup explorer functions done$Setup inputswitch functions done$Setup peopleband functions done$Setup shell32 functions done$Setup stobject functions done$Setup twinui functions done$Setup user32 functions done$Setup uxtheme functions done$Setup windows.storage functions done$ShellExecuteExW$ShellExecuteW$Software\ExplorerPatcher$Software\ExplorerPatcher\sws$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$StartTileData.dll$TaskbarGlomLevel$TileWindows$TrackPopupMenu$TrackPopupMenuEx$USER32.DLL$USER32.dll$[Extra] Finished running entry point.$[Extra] Found library: %p.$[Extra] LoadLibraryW failed with 0x%x.$[Extra] Running entry point...$[IME] Context menu patch status: %d$[TB] Unsupported build$\ExplorerPatcher$\ep_extra.dll$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-largeinteger-l1-1-0.dll$api-ms-win-core-libraryloader-l1-2-0.dll$api-ms-win-core-registry-l1-1-0.dll$api-ms-win-core-shlwapi-obsolete-l1-1-0.dll$api-ms-win-core-winrt-l1-1-0.dll$api-ms-win-ntuser-sysparams-l1-1-0.dll$api-ms-win-shcore-sysinfo-l1-1-0.dll$bthprops.cpl$combase.dll$dwmapi.dll$ep_extra_EntryPoint$explorer.exe!TrayUI_CreateInstance() = %llX$ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll$ext-ms-win-security-slc-l1-1-0.dll$ext-ms-win-shell-exports-internal-l1-1-0.dll$pnidui.dll$shcore.dll$shell32.dll$shell32.dll$slc.dll$stobject.dll$twinui.dll$user32.dll$user32.dll$uxtheme.dll$uxtheme.dll$win32u.dll$windows.storage.dll$windowsudk.shellcommon.dll$xx??x??xxx????xx$xxx????xxx????x????xx$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 4277971903-1751932486
                              • Opcode ID: 768ecd36219d624f998098e39a11166ad04735f677751716fb5435630ad4b4dc
                              • Instruction ID: c00e49060d470d7cebc1cff1618bafe092d0aa8395983e580a90fd349fbf07cb
                              • Opcode Fuzzy Hash: 768ecd36219d624f998098e39a11166ad04735f677751716fb5435630ad4b4dc
                              • Instruction Fuzzy Hash: 69032361A09E4791EB02DB62E8602F833A5FFC4764F8056B6E94E026B5DF3CE745C358

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value$Query$Close$CreateDirectory$DeleteWindows$Tree$Find$AddressFileFirstHandleModuleOpenProcSystem_invalid_parameter_noinfo
                              • String ID: !$CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc$CLauncherTipContextMenu::GetMenuItemsAsync$CLauncherTipContextMenu::ShowLauncherTipContextMenu$CLauncherTipContextMenu::_ExecuteCommand$CLauncherTipContextMenu::_ExecuteShutdownCommand$CMultitaskingViewManager::_CreateDCompMTVHost$CMultitaskingViewManager::_CreateXamlMTVHost$CTaskBand_CreateInstance$HandleFirstTimeLegacy$Hash$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu$ImmersiveTray::AttachWindowToTray$ImmersiveTray::RaiseWindow$OSBuild$SetColorPreferenceForLogonUI$Software\ExplorerPatcher$Software\ExplorerPatcher\explorer$Software\ExplorerPatcher\twinui.pcshell$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartDocked$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::StartSizingFrame::StartSizingFrame$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$TrayUI::_UpdatePearlSize$Version$[Symbols] Symbols for "%s" are not available.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll$\explorer.exe$\twinui.pcshell.dll$explorer$twinui.pcshell
                              • API String ID: 3716114926-1751072635
                              • Opcode ID: 0915bc5975aa555ecb55f6a31586fd3d7647d86dbf6714d8a19d5981ee61818e
                              • Instruction ID: f4abec1fd67b842ca879de60b48f92de2ea8f8c9393ebe938c2879fdd80e5d64
                              • Opcode Fuzzy Hash: 0915bc5975aa555ecb55f6a31586fd3d7647d86dbf6714d8a19d5981ee61818e
                              • Instruction Fuzzy Hash: 10624472A08E8296EB21CF51F8906AA73A4FBC4768F401171EA9D47A78DF7CD355CB04

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AddressProc$DirectoryValue$LibraryLoad$AsyncHandleModuleOpenProcessStateSystemWindows$CloseCreateFindNamePathQueryThreadWindow$CurrentFileFullImageMetricsStrip_invalid_parameter_noinfo
                              • String ID: ApplyCompatResolutionQuirking$CompatString$CompatValue$Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$CrashCounter$CreateDXGIFactory$CreateDXGIFactory1$CreateDXGIFactory2$DXGID3D10CreateDevice$DXGID3D10CreateLayeredDevice$DXGID3D10GetLayeredDeviceSize$DXGID3D10RegisterLayers$DXGIDeclareAdapterRemovalSupport$DXGIDumpJournal$DXGIGetDebugInterface1$DXGIReportAdapterConfiguration$GetProductInfo$LaunchCflScenario$LaunchUserOOBE$PIXBeginCapture$PIXEndCapture$PIXGetCaptureState$Progman$Proxy Desktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CFL\ExperienceManagerData$SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE$SetAppCompatStringPointer$Software\ExplorerPatcher$UpdateHMDEmulationStatus$Windows.UI.QuickActions.dll$Windows.UI.Xaml.dll$\SearchIndexer.exe$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe$\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe$\dxgi.dll$\explorer.exe$api-ms-win-core-sysinfo-l1-2-0.dll$dxgi.dll
                              • API String ID: 425412005-3433049922
                              • Opcode ID: 798e1f84800f1739faccf92fdac4689b62552e2fe804e265a2b973854b0a40d2
                              • Instruction ID: a6a2e26f51969a8a869956b28a18a76c25acd8cc33c630ffdba55568cd55bbaf
                              • Opcode Fuzzy Hash: 798e1f84800f1739faccf92fdac4689b62552e2fe804e265a2b973854b0a40d2
                              • Instruction Fuzzy Hash: AB3237B1E09E4392EB129B22E8502B523E1FFD5764F9005B6D94E426B4EF3CE749C748

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Load$String$Value$CreateQuery$CloseFolderInfoLibraryLocalePath$AddressDirectoryFreeHandleLanguagesModuleOpenPreferredProcSleepThread_invalid_parameter_noinfo
                              • String ID: %d.%d.%d.%d$<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$@$Software\ExplorerPatcher$SymbolsLastNotifiedOSBuild$[Symbols] Attempting to download symbols for OS version %s.$[Symbols] Downloading to "%s".$[Symbols] Finished "Download symbols" thread.$[Symbols] Finished gathering symbol data.$[Symbols] Started "Download symbols" thread.$\ExplorerPatcher$\ExplorerPatcher\ep_gui.dll$https://github.com/valinet/ExplorerPatcher/wiki/Symbols$long$short
                              • API String ID: 3080592855-3895060210
                              • Opcode ID: 34d25a3f4aa6707b3982fdc147fffaa473ee75d8c6b7f193c5967fb23cbaee08
                              • Instruction ID: 99d03f1605b092be35650f602c73a99a93205273e917dbca6e9fd426bd6a521e
                              • Opcode Fuzzy Hash: 34d25a3f4aa6707b3982fdc147fffaa473ee75d8c6b7f193c5967fb23cbaee08
                              • Instruction Fuzzy Hash: 9502A532A08F8296E722DF21E8506EA23A4FBC4358F904172E94D47AB8DF3CD749C744

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Create$ReferenceStringWindows$ActivationEventFactory$FindSleepWindow$CloseInitializeMultipleObjectsValueWait
                              • String ID: EP_Ev_CheckForUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$IsUpdatePending$Microsoft.Windows.Explorer$Shell_TrayWnd$Software\ExplorerPatcher$Windows.UI.Notifications.ToastNotification$Windows.UI.Notifications.ToastNotificationManager$[Updates] Starting daemon.$ep_updates
                              • API String ID: 515347756-3464217809
                              • Opcode ID: c18357ae3e18e56df48e9b90b3782d440a669a27c2374db1899b79d48f0226c5
                              • Instruction ID: 61f89e254a9abdb821a163cd0a34b47a835857e76bff35c746117c39ce0df8e0
                              • Opcode Fuzzy Hash: c18357ae3e18e56df48e9b90b3782d440a669a27c2374db1899b79d48f0226c5
                              • Instruction Fuzzy Hash: DBE17C32B09F4296EB02DF62E8506A933A5FB84B68F5045B5DE1D53AB4DF3CE615C308

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$FindQueryValue$Create$CloseInvalidateLongMessageNotifyRectSend
                              • String ID: ClockButton$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$SearchboxTaskbarMode$Shell_SecondaryTrayWnd$Shell_TrayWnd$ShowTaskViewButton$TaskbarDa$TaskbarSmallIcons$TrayClockWClass$TrayNotifyWnd$TraySettings
                              • API String ID: 3959271719-3714636963
                              • Opcode ID: 4ab373a0b3cc1fd82646b3130a35559c248819b11f2c73222ac6e96f04d1f03e
                              • Instruction ID: c31fe3f74a37f59d52b9826fd841485be02eab21764a2a5638788aa193c3dcb7
                              • Opcode Fuzzy Hash: 4ab373a0b3cc1fd82646b3130a35559c248819b11f2c73222ac6e96f04d1f03e
                              • Instruction Fuzzy Hash: 24919A32E18F528AEB52CF62E4506AD37A1FB88768F441675DA4D13BA4DF7CE204C718

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CryptErrorLast$CloseFileHandleHash$ContextCreateDestroyParamReleaseSize
                              • String ID: %c%c
                              • API String ID: 1362656601-3228636524
                              • Opcode ID: 77d5d62d28253998d5297f3ba17f17e65fe968dbcc5d046406cbe85a789ac6ad
                              • Instruction ID: 4a2fb7e39106d923c45f8b2653dd6cfee9fac51fa03127b59281045e9e30b3c0
                              • Opcode Fuzzy Hash: 77d5d62d28253998d5297f3ba17f17e65fe968dbcc5d046406cbe85a789ac6ad
                              • Instruction Fuzzy Hash: 2C716D25B18E5296EB118F73E5507BD23A0FBC8BA8F004575DD4E16AA4DF3CE249D708

                              Control-flow Graph

                              APIs
                              Strings
                              • EP_Service_Window_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFE1823E55D
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Message$Register$CriticalHandleModuleSectionWindow$ClassCloseCreateCursorDestroyDispatchEnterEventInvalidateLeaveLoadObjectOpenRectStockTimerTranslate
                              • String ID: EP_Service_Window_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                              • API String ID: 124686274-1881722731
                              • Opcode ID: b57f66ebaee192715d19923a7331629b467761d4b72bedacc28b2662b6677ca9
                              • Instruction ID: 9e6f84dd1653400c30062ed2f5fefdbc3ea76b5e9e1b9f12e865aa22fc061295
                              • Opcode Fuzzy Hash: b57f66ebaee192715d19923a7331629b467761d4b72bedacc28b2662b6677ca9
                              • Instruction Fuzzy Hash: CD511A35A08E5281EB228B26F86477A77E5FFD87A0F400575D94E42AB4DF3CE644CB08

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Message$Window$CreateDispatchEventHookObjectProcessShellSingleSleepThreadTranslateWaitWindows
                              • String ID: Ended "Open Start on current monitor" thread.$Failed to start "Open Start on current monitor" thread.$Progman hook: %d$Progman: %d$ShellDesktopSwitchEvent$Started "Open Start on current monitor" thread.
                              • API String ID: 2718461970-1416847937
                              • Opcode ID: 18bf67a80918c840e866fcac94c4f4813b1a4977c1fff13bfa3f28c22d21dea2
                              • Instruction ID: 982d61923971c5dfa33617bffedd5e342b80b297a1563c68c480ccb4bf187ca4
                              • Opcode Fuzzy Hash: 18bf67a80918c840e866fcac94c4f4813b1a4977c1fff13bfa3f28c22d21dea2
                              • Instruction Fuzzy Hash: 39316621E1DE4282FB12DB27E8216B56361FFD9764F805571E94F42674EF2CE244C704

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Wait$MessageObjectSingleSleep$FindMultipleObjectsWindow$AddressDispatchHandleModuleOpenPeekProcQueryTranslateValue
                              • String ID: Shell_TrayWnd$[sws] Waiting for taskbar...
                              • API String ID: 3550486598-3608668894
                              • Opcode ID: 600039695df5ff6d7ca5d1b02af2d7118869092b1ac80786cd8632f4e3149724
                              • Instruction ID: b43e30ca414c39798f950dc5144a3007a42a231d0b67d0b4a28769f0841e0131
                              • Opcode Fuzzy Hash: 600039695df5ff6d7ca5d1b02af2d7118869092b1ac80786cd8632f4e3149724
                              • Instruction Fuzzy Hash: 69517731E18E42C2FB629B22E86437A27A1AFD5774F0055B5E95E426F1CE3CE644C718
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLast$FormatMessageProtectVirtual
                              • String ID: protect memory %p (size=%llu)$Failed to protect memory %p (size=%llu, error=%lu(%s))$Unknown Error
                              • API String ID: 2888148163-2522531280
                              • Opcode ID: c5c763f95a8c7ad05ca221d15951da865442d1dedde559e9e1de8ae9c109cd39
                              • Instruction ID: 98f1d97d0e25b08b2dfa4b01ec610f35e995a1d077f34c95e6f4c04d0cf56509
                              • Opcode Fuzzy Hash: c5c763f95a8c7ad05ca221d15951da865442d1dedde559e9e1de8ae9c109cd39
                              • Instruction Fuzzy Hash: F2318131A0CE8282EB218B13E4153BA63A0FBD8B94F444576DACD57764DF7CD645C744
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AllocateCheckErrorFreeInitializeLastMembershipToken
                              • String ID:
                              • API String ID: 3835361876-0
                              • Opcode ID: 9b719a42994329497dcb58755b7362de631d7cd6d6f1faceb73e96b81b9f4dc6
                              • Instruction ID: eb2fcb1a75774e179dd9951c19a9c8fad870b2366b2c9d324d88384325eaf038
                              • Opcode Fuzzy Hash: 9b719a42994329497dcb58755b7362de631d7cd6d6f1faceb73e96b81b9f4dc6
                              • Instruction Fuzzy Hash: 8411E472A08B4186E7108F2AF49036AF6E5FFD4790F10016AEA8983A79DF7CE105CF44
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CreateInstance$AddressHandleModuleOpenProcQueryValue
                              • String ID: Taskbar10.cpp
                              • API String ID: 1469795854-890630466
                              • Opcode ID: df25f39e1184d1a9dd6e6054a88bc6abf9b079a85e52f217bd71ab1711fef8a9
                              • Instruction ID: 8eb03c5dd4e57eeae9c0ae882e3bbbc4e675b0255f35a6b3833433f6c6ed3791
                              • Opcode Fuzzy Hash: df25f39e1184d1a9dd6e6054a88bc6abf9b079a85e52f217bd71ab1711fef8a9
                              • Instruction Fuzzy Hash: A5513831B09E42C1EB529B17E59027963A4FBD4BA4F1060B2DA4E077B4DF7CEA45C718
                              APIs
                              • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FFE18272099), ref: 00007FFE18272FB5
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: InfoSystem
                              • String ID:
                              • API String ID: 31276548-0
                              • Opcode ID: 2c7f24313fb382f4fdd3077e00c0e51945971d3bd079279820afc05c3462abc3
                              • Instruction ID: 642fdd3d46da3aed4a780583f23bfda431fb9aa98bd644f889e6ec27ae90e2cd
                              • Opcode Fuzzy Hash: 2c7f24313fb382f4fdd3077e00c0e51945971d3bd079279820afc05c3462abc3
                              • Instruction Fuzzy Hash: 7FF0F8B5F0ED5285EB168B02FC6066567E2EB99BA5F004275EA4E82774DE3CD680C704

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Library$Load$Module$AddressCurrentFreeInformationProcProcessVirtual$HandleProtect$DataDirectoryEntryImageQueryValue
                              • String ID: API-MS-WIN-CORE-STRING-L1-1-0.DLL$CoCreateInstance$CompareStringOrdinal$CreateWindowExW$ExplorerFrame.dll$Failed to hook RtlQueryFeatureConfiguration(). rv = %d$GetSystemMetricsForDpi$LoadLibraryExW$RtlQueryFeatureConfiguration$SHRegGetValueFromHKCUHKLM$SetWindowLongPtrW$Shlwapi.dll$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Start_ShowClassicMode$SystemParametersInfoW$TrackPopupMenu$Windows.UI.FileExplorer.dll$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-libraryloader-l1-2-0.dll$combase.dll$ntdll.dll$shcore.dll$shcore.dll$shell32.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 404060323-2645642614
                              • Opcode ID: 8204712967c14f2333cada05f56065dc7651385fb447decf93a637baf5b20ddc
                              • Instruction ID: fecad9afb60a0aa1cb5da8e72de61148f573165f62dbff14c1b0f9deb348fa8f
                              • Opcode Fuzzy Hash: 8204712967c14f2333cada05f56065dc7651385fb447decf93a637baf5b20ddc
                              • Instruction Fuzzy Hash: 53F1F660A09E47A5EB02DB57E8506F423E1AFC87A4F8411B2D80E536B5EF7CE749C358

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph rendering omitted for the function at 7ffe1826b3c0; API calls visible in its basic blocks: LoadLibraryExW, GetCurrentProcess, K32GetModuleInformation, VirtualProtect, LoadLibraryW]
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$CurrentInformationLibraryLoadModuleProcess$CreateDirectoryFileSystem
                              • String ID: API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL$Failed to hook CLauncherTipContextMenu::ShowLauncherTipContextMenu(). rv = %d$Failed to hook CMultitaskingViewManager::_CreateXamlMTVHost(). rv = %d$Failed to hook PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor(). rv = %d$PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor() = %llX$RegGetValueW$Setup twinui.pcshell functions done$Windows.Internal.HardwareConfirmator.dll$[AC] Patched!$[AC] blockBegin = %llX$[AC] blockEnd = %llX$[AC] rcMonitorAssignment = %llX$[CC] Patched!$[CC] blockBegin = %llX$[CC] blockEnd = %llX$[CC] rcMonitorAssignment = %llX$[CC] rcWorkAssignment = %llX$[TV] Patched!$[TV] firstCallCall = %llX$[TV] firstCallPrep = %llX$twinui.pcshell.dll$x?xxx?xx?x????xxxx$x?xxxx?xx?x????xxxx$xxx?xxx?x???xxx$xxx?xxxxx?x$xxxx?xxxx?xxxxxxx?xxx$xxxx?xxxxx?x
                              • API String ID: 823495189-2224694150
                              • Opcode ID: f35abde22c9935764e93c521ba84352feb8975aa70a4de967b27ab6393e7c52d
                              • Instruction ID: ec5d7abfd61cb9fd82ece77d2509c078d3d7261f4a6b0ad1b70cd912e26266a4
                              • Opcode Fuzzy Hash: f35abde22c9935764e93c521ba84352feb8975aa70a4de967b27ab6393e7c52d
                              • Instruction Fuzzy Hash: DE22AD21F09E4296FB12DB22E8542B933E5BF847A4FA041B6DA1D476B5DF3CE645C308

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph rendering omitted for the function at 7ffe1826aeb0; API calls visible in its basic blocks: GetSystemDirectoryW, CreateFileW, GetFileSize, ReadFile, CloseHandle]
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: File$CreateDirectoryReadSizeSystem_invalid_parameter_noinfo
                              • String ID: CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc() = %lX$CLauncherTipContextMenu::GetMenuItemsAsync() = %lX$CLauncherTipContextMenu::ShowLauncherTipContextMenu() = %lX$CLauncherTipContextMenu::_ExecuteCommand() = %lX$CLauncherTipContextMenu::_ExecuteShutdownCommand() = %lX$CMultitaskingViewManager::_CreateDCompMTVHost() = %lX$CMultitaskingViewManager::_CreateXamlMTVHost() = %lX$Failed to open twinui.pcshell.dll$Failed to read twinui.pcshell.dll$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu() = %lX$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu() = %lX$\twinui.pcshell.dll$xx?x????xx?xx?xxxx????x$xx?x????xxxxxxx????xxxx????x$xx?x????xxxxxxx????xxxx?xxx$xxx?????x?x??x??x?xxxxxxxx$xxx????xxxxxxxxx????xxxxxxx????xxxxxxx????xxxxxxx????xxxx$xxxx??x??x?xxxxxx????x$xxxx?xxxx?xxxxxxxxxxxxxxx$xxxxx????x????xxx$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 1602095072-3745368841
                              • Opcode ID: 0f79a02194c1dc2b0fbc5a6c57317385cdea49789669f95b675b4a620d0e3d88
                              • Instruction ID: a680fe5bc654a410bf2d09d645a9e4dae0e3ca084918a7973d0d074ef5017ece
                              • Opcode Fuzzy Hash: 0f79a02194c1dc2b0fbc5a6c57317385cdea49789669f95b675b4a620d0e3d88
                              • Instruction Fuzzy Hash: 6BF16062A09D4286EB26DB26D8501B933A5BFC4774F5442B2DA6D832F4DF3CEB05C748

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph rendering omitted for the function at 7ffe18272bc0; API calls visible in its basic blocks: VirtualQuery, GetLastError, FormatMessageA, VirtualAlloc, VirtualFree]
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Virtual$ErrorFormatLastMessage$AllocQuery$Free
                              • String ID: change hint address from %p to %p$ commit memory %p for read-write (hint=%p, size=%llu)$ process map: %08llx-%08llx %s$ reserve memory %p (hint=%p, size=%llu)$Failed to commit memory %p for read-write (hint=%p, size=%llu, error=%lu(%s))$Failed to execute VirtualQuery (addr=%p, error=%lu(%s))$Failed to reserve memory %p (hint=%p, size=%llu, errro=%lu(%s))$Unknown Error$free$used
                              • API String ID: 2999834170-966645287
                              • Opcode ID: ac436147e9372ba52faa06f986f0cedc3b6d744b3a35cd07e7307206f472d4b0
                              • Instruction ID: 35aeaeddd6be95e0a6ccec53f5cce617b4da1434351afb6f32985b5615eeb7d2
                              • Opcode Fuzzy Hash: ac436147e9372ba52faa06f986f0cedc3b6d744b3a35cd07e7307206f472d4b0
                              • Instruction Fuzzy Hash: 8FA18031B19E5286EB628B17E4103B567A1FBD9BA4F400175E98E43BB4EF3CE605C709

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Control-flow graph rendering omitted for the function at 7ffe18248b30; API calls visible in its basic blocks: CreateWindowExW, GetAncestor, GetClassNameW, ordinal #410, FindWindowW, GetCurrentThreadId, SetWindowsHookExW]
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: #410ClassNameWindow$AncestorCreateCurrentFindHookThreadWindows
                              • String ID: CabinetWClass$ClockButton$NotifyIconOverflowWindow$ReBarWindow32$Shell_SecondaryTrayWnd$Shell_TrayWnd$SysListView32$SysTreeView32$TrayClockWClass$TrayNotifyWnd$TrayShowDesktopButtonWClass
                              • API String ID: 2746137922-373551488
                              • Opcode ID: e27cfe17aae0ae7c93bef44b9aaa07cf2fe1a1013142067cdfbd1078846d3aa7
                              • Instruction ID: 5684d4318734a82a03c46a826bfaa8f63aee76a2bbdca4d0c7dc99853bf9b4b8
                              • Opcode Fuzzy Hash: e27cfe17aae0ae7c93bef44b9aaa07cf2fe1a1013142067cdfbd1078846d3aa7
                              • Instruction Fuzzy Hash: 7AE1A762A18E42C1EB669B16E41057973A1FBD4F70F805171EE4E426B8EF7CEA81C718

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$MessageProcRegister
                              • String ID: Refreshed Spotlight$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl$TaskbarCreated$Windows.UI.Core.CoreWindow$d
                              • API String ID: 136062168-2101710627
                              • Opcode ID: 3b09d4f9d53760f7fe3767ce1d9f3c804247ff1e6b53c71246f0daace642527b
                              • Instruction ID: 6438ce56d031065227a55cc2673efdbfe776ace9e5ae843864459a5a1822e873
                              • Opcode Fuzzy Hash: 3b09d4f9d53760f7fe3767ce1d9f3c804247ff1e6b53c71246f0daace642527b
                              • Instruction Fuzzy Hash: 34419565E0CD0285FB625723E9646B96291AFED7B0F4005B2DD0E02AF1DF2CA788C718
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value$lstrcmp$AddressHandleModuleOpenProcQuery
                              • String ID: MMTaskbarGlomLevel$ShowCortanaButton$Software\ExplorerPatcher$TaskbarDa$TaskbarGlomLevel
                              • API String ID: 2197982753-1130954207
                              • Opcode ID: ccc2ca4e74b17a36a43283d739d8dac745e48fda075f5d23cd91208d1d9f59e7
                              • Instruction ID: 96b1ab9a4146522f835aee7f64844d7144fd62b4d5b26d9f0ad1415e8f06751b
                              • Opcode Fuzzy Hash: ccc2ca4e74b17a36a43283d739d8dac745e48fda075f5d23cd91208d1d9f59e7
                              • Instruction Fuzzy Hash: 04412871A08F42C2EB118B13E85426AB7E5FB94BA4F445175EA8E43BB4DF3CD644CB08
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: LibraryModule$CurrentDataDirectoryEntryFreeHandleImageInformationLoadProcess
                              • String ID: RegGetValueW$Setup sndvolsso functions done$TrackPopupMenuEx$api-ms-win-core-registry-l1-1-0.dll$sndvolsso.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 2511907732-965438320
                              • Opcode ID: ef2ca411c2b3ba6ff856c568af048161e506a4bba90352afeeac9c5a25eb13aa
                              • Instruction ID: 3d2cae9169651cbeecbafb0014cb2469b85b0459ac8654b3a78c81483c22c0cf
                              • Opcode Fuzzy Hash: ef2ca411c2b3ba6ff856c568af048161e506a4bba90352afeeac9c5a25eb13aa
                              • Instruction Fuzzy Hash: 62210761A09E4790EB129B63E9510F963A1BFD87A0F8451B2E94E03776DE3CE345C788
                              APIs
                                • Part of subcall function 00007FFE1823D290: GetModuleHandleExW.KERNEL32 ref: 00007FFE1823D2C6
                                • Part of subcall function 00007FFE1823D290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFE1823D2F9
                                • Part of subcall function 00007FFE1823D290: FreeLibrary.KERNEL32 ref: 00007FFE1823D32F
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FFE182430C8), ref: 00007FFE1824DB03
                              • K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,00007FFE182430C8), ref: 00007FFE1824DB1A
                                • Part of subcall function 00007FFE1823D290: FreeLibrary.KERNEL32 ref: 00007FFE1823D3B9
                                • Part of subcall function 00007FFE1823D290: VirtualQuery.KERNEL32 ref: 00007FFE1823D3F8
                                • Part of subcall function 00007FFE1823D290: VirtualProtect.KERNEL32 ref: 00007FFE1823D413
                                • Part of subcall function 00007FFE1823D290: VirtualProtect.KERNEL32 ref: 00007FFE1823D43B
                                • Part of subcall function 00007FFE1823D290: FreeLibrary.KERNEL32 ref: 00007FFE1823D446
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: FreeLibraryVirtual$ModuleProtect$CurrentDataDirectoryEntryHandleImageInformationProcessQuery
                              • String ID: CoCreateInstance$RegGetValueW$Setup pnidui functions done$TrackPopupMenu$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-registry-l1-1-0.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                              • API String ID: 430087472-2450567920
                              • Opcode ID: 1c6d1bec2769f8452125949e07645355221ca93bc92dbe72f1efc7fbb528b6cc
                              • Instruction ID: f0a78e6de26c68c237e6582c734465e67d88c3c161b0a644a3a96e31c79a0de8
                              • Opcode Fuzzy Hash: 1c6d1bec2769f8452125949e07645355221ca93bc92dbe72f1efc7fbb528b6cc
                              • Instruction Fuzzy Hash: 68215761A08E4690EB12DF13E9500F523A1BFC87A4F8451B3E94E03A75DE3CE349C788
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value
                              • String ID: CrashCounter$CrashCounterDisabled$CrashCounterThreshold$CrashThresholdTime$Software\ExplorerPatcher
                              • API String ID: 3702945584-694238707
                              • Opcode ID: b5187abff7cff12360a2aadd25fd6aa9536eda466c1bd5ed562ffc37d15f0430
                              • Instruction ID: 1a9e777a9aae5c2ffdfd35a805c7d78de94ab019cb9c703d5665722dc037037d
                              • Opcode Fuzzy Hash: b5187abff7cff12360a2aadd25fd6aa9536eda466c1bd5ed562ffc37d15f0430
                              • Instruction Fuzzy Hash: 324139B2508F40CAE7218F16F44029977B0FB84764F904626EB9D07BA8DF3ED245CB48
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: failed to get page$ failed to make trampoline$Could not allocate memory near address %p$Could not modify already-installed funchook handle.
                              • API String ID: 0-2189554615
                              • Opcode ID: 8698435a8b958e4643bd2e633bbc31b9c9ec2b6ca923fe9917008f672881973e
                              • Instruction ID: 3e765adc226447b85b318472fc45e6c525fcb4b470e207aa386f8b8c41d067d1
                              • Opcode Fuzzy Hash: 8698435a8b958e4643bd2e633bbc31b9c9ec2b6ca923fe9917008f672881973e
                              • Instruction Fuzzy Hash: 13713D26A19F8286EB61DB17E4402AA73A0FB99B90F445035EFCE47765EF3CE640C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AddressHandleModuleOpenProcQueryValue
                              • String ID: RtlGetVersion$UBR$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                              • API String ID: 3749297518-2374052841
                              • Opcode ID: 138d03d2620e87957fa60c226b165fc95dbeabef36849e6ed6bd8574009bb8fd
                              • Instruction ID: 86cb4949dc373167ed16efc39305296207f9df76d4ddf921147bea2ca3d472f0
                              • Opcode Fuzzy Hash: 138d03d2620e87957fa60c226b165fc95dbeabef36849e6ed6bd8574009bb8fd
                              • Instruction Fuzzy Hash: 96218071A18E4286EB529B16E45127973A0FFD8760F441171EA9E477A4EF3CD205CB08
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLast$FormatMessageProtectVirtual
                              • String ID: unprotect memory %p (size=%llu) <- %p (size=%llu)$Failed to unprotect memory %p (size=%llu) <- %p (size=%llu, error=%lu(%s))$Unknown Error
                              • API String ID: 2888148163-2742179861
                              • Opcode ID: 77621f6088311bb16b2a1a1736ac767bba04458eefaa33bc65850d377d01560e
                              • Instruction ID: 3c2016c5029a2826a78fee6c9071aa84b3a471367c6fb0a2ee093b6b8835fe14
                              • Opcode Fuzzy Hash: 77621f6088311bb16b2a1a1736ac767bba04458eefaa33bc65850d377d01560e
                              • Instruction Fuzzy Hash: 7141BF22A09F8281FB218B13F8543B9B7A0FB98B94F444176EA8D57768DF3CD645C708
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLast$FormatMessageProtectVirtual
                              • String ID: protect page %p (size=%llu, prot=read,exec)$Failed to protect page %p (size=%llu, prot=read,exec, error=%lu(%s))$Unknown Error
                              • API String ID: 2888148163-3855186111
                              • Opcode ID: 06213efa1661eafe047554ef56b97f22fd05762a321bc7c6cdb9fcd96fde09df
                              • Instruction ID: d253b56bd3606ba40ae045532d6297242a52a56d0a78d80b63796b47688b25b7
                              • Opcode Fuzzy Hash: 06213efa1661eafe047554ef56b97f22fd05762a321bc7c6cdb9fcd96fde09df
                              • Instruction Fuzzy Hash: 21315021A0CE9281EB228B53F8153BA67A0FB987A4F440576DACD43BA5DF7CD644C708
                              APIs
                              Strings
                              • Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB, xrefs: 00007FFE1824AC7F
                              • Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify, xrefs: 00007FFE1824AC48
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$Openlstrcmpilstrcpy
                              • String ID: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB$Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
                              • API String ID: 3588037206-2075971939
                              • Opcode ID: e99585d31a0eb10509ab71d1ff8db9e99c385f03bc4c8402c0fab63be74c322f
                              • Instruction ID: a829e098d13cd4dd6870cea8b5e96f597c8f5354acb0d66f689e29f1ad4ef0a9
                              • Opcode Fuzzy Hash: e99585d31a0eb10509ab71d1ff8db9e99c385f03bc4c8402c0fab63be74c322f
                              • Instruction Fuzzy Hash: CA117061B19E5282E7518B17BC40A766360BFC9BE0F445075ED0F47B64EE3CD546C708
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                              • String ID:
                              • API String ID: 190073905-0
                              • Opcode ID: db39cd3f2f16f5343a8e4e09a2e3fed93350a9b5ce6b027fd328810dc9bbf990
                              • Instruction ID: d109ffcb169f10e0403e2a21cc63510ef78fc4a9369d6d159aa833e7a48d5b86
                              • Opcode Fuzzy Hash: db39cd3f2f16f5343a8e4e09a2e3fed93350a9b5ce6b027fd328810dc9bbf990
                              • Instruction Fuzzy Hash: E381C221E0CE4386FB569B6794412B922D2AFE17A0F2445B5DA8D437B2DF7CEB45C308
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: FreeLibraryVirtual$Protect$DataDirectoryEntryHandleImageModuleQuery_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3041990818-0
                              • Opcode ID: 682e78e4db77ee8b47885a981a1b213cddc3e3f46b588dca37eddaf2f5718b7c
                              • Instruction ID: 69e5954579ec80b1568014087bb1dbbc222bc7ee7e4f8b99fb1a9e950fa11902
                              • Opcode Fuzzy Hash: 682e78e4db77ee8b47885a981a1b213cddc3e3f46b588dca37eddaf2f5718b7c
                              • Instruction Fuzzy Hash: 37515262B1CE4282FB518B27E55037A63A0FBD8BA4F405071EE4E87768DE3CDA44CB04
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CloseCreateWait$ChangeEventHandleMultipleNotifyObjectObjectsSingleValue
                              • String ID:
                              • API String ID: 3111792343-0
                              • Opcode ID: 5b4d1c15e37573e744f75b7da5b79e841706f6e1931d46b2824f519ace19b172
                              • Instruction ID: eb0750f1eaa1a56a1be4f690f23a40c8067a076ba7fa04eddb50d52117b33ada
                              • Opcode Fuzzy Hash: 5b4d1c15e37573e744f75b7da5b79e841706f6e1931d46b2824f519ace19b172
                              • Instruction Fuzzy Hash: 24619072B54E4186EB15CB26E4947B963A1FBC5BA4F088176CE4E477A4EE3CD942C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AllocErrorFormatLastMessageVirtual
                              • String ID: commit page %p (base=%p(used=%d), idx=%llu, size=%llu)$Failed to commit page %p (base=%p(used=%d), idx=%llu, size=%llu, error=%lu(%s))$Unknown Error
                              • API String ID: 1689221563-3447313879
                              • Opcode ID: 59323bae295cc87d067fa3d69b427ca384efa90ba0425ecc8e87ce7c99d47a62
                              • Instruction ID: 60884ee28847916a54f7f202555c31998bb22440c24484b54d03d4edb3e9bd9d
                              • Opcode Fuzzy Hash: 59323bae295cc87d067fa3d69b427ca384efa90ba0425ecc8e87ce7c99d47a62
                              • Instruction Fuzzy Hash: B551AE71B09A9286EB228B13E85476567A5FBD8BA4F400171EE8D43B64DF3CD642C708
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: FreeLibraryProtectVirtual$HandleModule_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 172810297-0
                              • Opcode ID: ce3db9a925f55ecbca5daaa1c5a6bf37ef528cf5e4f8c2f8d563e78c92f4414f
                              • Instruction ID: 64916ca3d3bf3db89584eb462e263366f0d453aca64704ec5a3023877f6aeef9
                              • Opcode Fuzzy Hash: ce3db9a925f55ecbca5daaa1c5a6bf37ef528cf5e4f8c2f8d563e78c92f4414f
                              • Instruction Fuzzy Hash: 8A414F62B09A4183EB25CF12E55067A67A1FB9DBE8F044075EE8E47B68DE3CE640C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: NtUserFindWindowEx$win32u.dll
                              • API String ID: 1646373207-2703420062
                              • Opcode ID: e4bd7934b399dbc79271bff89f1285f6fc833ff83cee651dc7fb117a3296fabf
                              • Instruction ID: 2626155a7d1549d77cbda521006edd527a36bc242fb132bbd6a3baecf3e1723c
                              • Opcode Fuzzy Hash: e4bd7934b399dbc79271bff89f1285f6fc833ff83cee651dc7fb117a3296fabf
                              • Instruction Fuzzy Hash: F4017525A08F5185E702CB07A84012AA7E0BB98BE0F401675EE8E43B75DE3CE602C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: SleepValue
                              • String ID: CrashCounter$Software\ExplorerPatcher
                              • API String ID: 1540188156-2892006628
                              • Opcode ID: 8932f61db9e237cb56b2e6419a0636596f1e2fb8941f83692bf55bde4ec60dd6
                              • Instruction ID: d14011a27f429a99f861c298b3364b70516677dbfe3ed7ecc26926b2ff31e741
                              • Opcode Fuzzy Hash: 8932f61db9e237cb56b2e6419a0636596f1e2fb8941f83692bf55bde4ec60dd6
                              • Instruction Fuzzy Hash: BBF05EB5A28F8185EB51DB12F85075933A0FF887A4F801661EA4E067B4DF3CD245CB08
                              APIs
                              • GetCurrentProcess.KERNEL32(?,00007FFE1827224B,?,?,00000000,00007FFE18241EA7), ref: 00007FFE18272355
                              • FlushInstructionCache.KERNEL32(?,00007FFE1827224B,?,?,00000000,00007FFE18241EA7), ref: 00007FFE18272364
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CacheCurrentFlushInstructionProcess
                              • String ID: Patched Instructions:
                              • API String ID: 2564211676-4020029282
                              • Opcode ID: ed4c4f6c62a2f8c717e28cde53f487d8b1a712bfc88bbde7716ad91db4ce9ee1
                              • Instruction ID: 350fb7b27e187ad08e9780501aaeeeb115cac770e0425fe81009a540628e4145
                              • Opcode Fuzzy Hash: ed4c4f6c62a2f8c717e28cde53f487d8b1a712bfc88bbde7716ad91db4ce9ee1
                              • Instruction Fuzzy Hash: 92418F62A18E8281EB21DB13E4507AA77A4FBD5B94F405071DF8E53BA9EF7CD604C708
                              APIs
                              Strings
                              • Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}, xrefs: 00007FFE18270A0F
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CloseOpen
                              • String ID: Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}
                              • API String ID: 47109696-1447196730
                              • Opcode ID: 63e2e3eee6d020e2cd3f80c23a1dc357a0f66dbddb58984caf15a9489333853d
                              • Instruction ID: 5d0e0d8c8a78da12ae2d9e7c78c6e9b7bc99d43fc510c80b00b7067883738025
                              • Opcode Fuzzy Hash: 63e2e3eee6d020e2cd3f80c23a1dc357a0f66dbddb58984caf15a9489333853d
                              • Instruction Fuzzy Hash: DDF09071B28F8182EB518B23F891A26B3A4FFC87A4F801175F98F46764EF2CD115CA04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value
                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$XamlSounds
                              • API String ID: 3702945584-1822384862
                              • Opcode ID: 97a367034ec62005128dc975c952e63d6e4a6bcd7d34eb2bbcb373900e4ece20
                              • Instruction ID: 2002938fa7cabde114848aa4a7ae8d2e02e444733e1fdf4c44d4da27b4f4288f
                              • Opcode Fuzzy Hash: 97a367034ec62005128dc975c952e63d6e4a6bcd7d34eb2bbcb373900e4ece20
                              • Instruction Fuzzy Hash: C1F03C72618F4182EB118F15F48019A73B4FB99754F90023AEB8D07B68EF3ED654CB04
                              APIs
                              • RtlFreeHeap.NTDLL(?,?,834800000B7CE800,00007FFE1829764A,?,?,?,00007FFE18297687,?,?,00000000,00007FFE18295669,?,?,00007FFE1828D14A,00007FFE1829559B), ref: 00007FFE1828DE02
                              • GetLastError.KERNEL32(?,?,834800000B7CE800,00007FFE1829764A,?,?,?,00007FFE18297687,?,?,00000000,00007FFE18295669,?,?,00007FFE1828D14A,00007FFE1829559B), ref: 00007FFE1828DE0C
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 485612231-0
                              • Opcode ID: a6678511dc5ac773f7913335461e1c2c7be48ef586cd0cba9a917b621943f4cf
                              • Instruction ID: cd147becc75b1bcde7e8133c9e32644abc7cb4123e38313ecb77bb450d1d05b4
                              • Opcode Fuzzy Hash: a6678511dc5ac773f7913335461e1c2c7be48ef586cd0cba9a917b621943f4cf
                              • Instruction Fuzzy Hash: 4CE08650F49D0243FF166BF3645417511D1AFE5760F4044B4E90D47271DE2C6689C208
                              APIs
                              • HeapAlloc.KERNEL32(?,?,00000000,00007FFE1829046A,?,?,0000B68C1EAB45C8,00007FFE1828C0D9,?,?,?,?,00007FFE182906D2,?,?,00000000), ref: 00007FFE1828DDC9
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AllocHeap
                              • String ID:
                              • API String ID: 4292702814-0
                              • Opcode ID: e578c43444c32e6720132160586d7cc94147cb681874c574235c8713629e0420
                              • Instruction ID: 58d145c49fa3a7a61687ba90ec565a1b539d26699b691d73e3837faa8dcc30e5
                              • Opcode Fuzzy Hash: e578c43444c32e6720132160586d7cc94147cb681874c574235c8713629e0420
                              • Instruction Fuzzy Hash: B7F04F02B09A0642FF9656A395113B552C15FD77A0F0C54B1D90E872A2DE5CE6C4C618
                              APIs
                              • HeapAlloc.KERNEL32(?,?,?,00007FFE182906B9,?,?,00000000,00007FFE182950A7,?,?,?,00007FFE1828CE73,?,?,?,00007FFE1828CD69), ref: 00007FFE1828E66E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AllocHeap
                              • String ID:
                              • API String ID: 4292702814-0
                              • Opcode ID: 32244fcb8596d69c427d8a13f20aa17588a93e41e7ee2a9feca6fe38006fab21
                              • Instruction ID: 8884dc7cf1086426891720a985e9fe17bd4f4e893bfa809bc7bbbd3891ed0592
                              • Opcode Fuzzy Hash: 32244fcb8596d69c427d8a13f20aa17588a93e41e7ee2a9feca6fe38006fab21
                              • Instruction Fuzzy Hash: CDF05804F09A2681FF961AE3595227562C15FC67B4F0C07B4DC2E862F2DE2CB6C0C518
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$Timer$KillSystemTime$#339FileInfoMessageParametersStateThreadVisible$ForegroundLongPostPropRedrawShow$#328#329#334ActiveAsyncCompareCreateCurrentDesktopDestroyEnumEventHungLastOrdinalPopupProcQuitSendStringTaskWindows
                              • String ID: &$ImmersiveColorSet$Microsoft.Windows.ShellManagedWindowAsNormalWindow$\rundll32.exe$valinet.ExplorerPatcher.ShellManagedWindow
                              • API String ID: 1047848470-551150430
                              • Opcode ID: af8e75a4474e3abeb3173e9c29d8bca1cf76029523bad85ec92e9eb458ecb17c
                              • Instruction ID: b0f74d6700707128a7ba61ce866961775e6ccebff51ec4ccfe69a8458f3a0e91
                              • Opcode Fuzzy Hash: af8e75a4474e3abeb3173e9c29d8bca1cf76029523bad85ec92e9eb458ecb17c
                              • Instruction Fuzzy Hash: BAE2A371B08E4686EB668B22D56437863A0FBE9B60F040575DE4E477B0CF7CEA91C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$Rect$Client$Find$Message$Send$Invalidate$ClassVisibleWord$Move$ParentPropRegister$Monitor$FromInfoLongNotifyRemove
                              • String ID: !@$EPTBLEN$MSTaskListWClass$MSTaskSwWClass$PeopleBand$ReBarWindow32$Start$TrayButton$TrayDummySearchControl$TraySettings
                              • API String ID: 2509908205-217918233
                              • Opcode ID: df11b95f88c1c0d937a37726a203e0aab8b3c820706bcc3d3b8b3aecafb5995a
                              • Instruction ID: 8d138a3cf207bbb94fc23703ba08bf33920e3ff6ac7ab527c66cd205a183110c
                              • Opcode Fuzzy Hash: df11b95f88c1c0d937a37726a203e0aab8b3c820706bcc3d3b8b3aecafb5995a
                              • Instruction Fuzzy Hash: 1D829F32E08A528BE711CF26E9505A977A1FBC8BA8F144675DE1E13B68DF3CE644C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: PerformanceQuery$Window$CounterFrequency$CountTick$RectTimeVisible$#339EnumFileSystem$AttributeBufferedEventForegroundMessagePaintProcessShowTimerWindows$#328#329#338#386BeginCallbackClassCloseCursorDirectoryDisplayErrorFromHandleHungInvalidateLastModuleMonitorMonitorsNameOpenPointPropertiesRegisterReleaseSendThreadThumbnailUpdateWord_invalid_parameter_noinfo
                              • String ID: WorkerW$[sws] WindowSwitcher::Show %x [[ %lld + %lld + %lld + %lld = %lld ]]$\rundll32.exe
                              • API String ID: 3472475047-3998000322
                              • Opcode ID: 58a3ec3213baacb0ca30d41b4a49fa32e4b50fc9d73abe6cb550400bccd7c8e7
                              • Instruction ID: 0f5a856f041bff1dd460cfc5ebf36621e83d2fec8ea7bd319db6592366ad24cc
                              • Opcode Fuzzy Hash: 58a3ec3213baacb0ca30d41b4a49fa32e4b50fc9d73abe6cb550400bccd7c8e7
                              • Instruction Fuzzy Hash: C7724932A08E528AEB52CF26E45426D63A0FBD8BA4F140575DE4E477B8DF3CE644C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: QueryValue$CreateStringWindows$InternetOpen$BufferCloseDeleteEvent_invalid_parameter_noinfo
                              • String ID: /download/$/update_silent$CheckElevationEnabled$ConsentPromptBehaviorAdmin$ExplorerPatcher$ExplorerPatcher$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$FilterAdministratorToken$S-1-5-$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$Software\ExplorerPatcher$UpdateAllowDowngrades$UpdatePreferStaging$UpdateTimeout$UpdateURL$UpdateURLStaging$UpdateUseLocal$Windows.Data.Json.JsonArray$[Updates] Checking against hash "%s"$[Updates] Download path is "%s".$[Updates] Downloaded finished.$[Updates] Failed. Read %d bytes.$[Updates] Hash of remote file is "%s" (%s).$[Updates] In order to install this update for the product "ExplorerPatcher", please allow the request.$[Updates] Local version obtained from hash is %d.%d.%d.%d.$[Updates] Prerelease update URL: "%s"$[Updates] Release notes URL: "%s"$[Updates] Update URL: %s$[Updates] Update failed because the following error has occured: %d.$[Updates] Update failed because the request was denied.$[Updates] Update successful, File Explorer will probably restart momentarily.$\ExplorerPatcher$\ExplorerPatcher\ep_gui.dll$\Update for ExplorerPatcher from $\WindowsPowerShell\v1.0\powershell.exe$assets$browser_download_url$ep_setup.exe$html_url$https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$https://github.com/valinet/ExplorerPatcher/releases/latest$iex (irm 'https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1')$invalid$kernel32.dll$name$open$runas$updates.cpp$valid
                              • API String ID: 1866200-3143775457
                              • Opcode ID: 268f780f28a63c793481272ef0ec147d23ab0144538bf4aee570c2c6e3da9319
                              • Instruction ID: 83486b098155f5c476290f98d4c7df070de2da6e5fc671a8063a5133fbb04a9c
                              • Opcode Fuzzy Hash: 268f780f28a63c793481272ef0ec147d23ab0144538bf4aee570c2c6e3da9319
                              • Instruction Fuzzy Hash: 6F913C32A08E518AFB618B65E8446EE77B4FB84368F600176DE9D53A78DF3CC645CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CreateErrorLast$Window$BrushEventSolid$Register$EnumHandleHookInitializeInstanceModuleSleepThreadWindows$#328AttributeBufferedClassCursorDataInitLoadLongMessageOpenPaintRectShellTheme
                              • String ID: $ControlPanelStyle$Grid_backgroundPercent$SHELLHOOK$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}$Static$[sws] Wallpaper RECT %d %d %d %d
                              • API String ID: 2117921315-4056204263
                              • Opcode ID: 01f81328e5cc08a3d9e02699a306adf88ef2065c7c3387e189e575b97b569eca
                              • Instruction ID: 79e2384b939275f3f59ccf3d9620c51d9a1953e67459d45eed2087b97f2a368f
                              • Opcode Fuzzy Hash: 01f81328e5cc08a3d9e02699a306adf88ef2065c7c3387e189e575b97b569eca
                              • Instruction Fuzzy Hash: F7428F31B08F4296E7169B62A8643B972E4FF99364F000579DE4E877A4EF3CE650C708
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$Find$Monitor$From$Cursor$MessagePointPost$Info$Rect
                              • String ID: ClockButton$ClockFlyoutWindow$Shell_SecondaryTrayWnd$Shell_TrayWnd$TrayClockWClass$TrayNotifyWnd
                              • API String ID: 3707082976-1578901108
                              • Opcode ID: 16f2e63d218c669eabb7d4e0ce2db9eb8d8b2f3126ba723a3e0b36579a2d8633
                              • Instruction ID: 13ac43f694a58f633eb59ec5258fa03a685e2af474873362802bd4ce73360593
                              • Opcode Fuzzy Hash: 16f2e63d218c669eabb7d4e0ce2db9eb8d8b2f3126ba723a3e0b36579a2d8633
                              • Instruction Fuzzy Hash: 5FE17D75F09E5286F7569B22E914AB923A1EFC8BA4F0054B5CD0E13B74DE3CE645C308
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Library$Free$Load$Module$Thread$ExitHandleResource$Virtual$AddressCreateCurrentInformationProcProcessProtectQuery$DataDirectoryEntryEventFindImageLockOpenSizeofValue
                              • String ID: RegCloseKey$RegOpenKeyExW$RegQueryValueExW$SHRegGetValueFromHKCUHKLM$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer$SOFTWARE\Policies\Microsoft\Windows\Explorer$SetWindowRgn$Shlwapi.dll$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartDocked.dll$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI.dll$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI_.dll$Windows.CloudStore.dll$Windows.UI.Xaml.dll$api-ms-win-core-registry-l1-1-0.dll$ext-ms-win-ntuser-draw-l1-1-0.dll$xxxxx????xx$xxxxxxxxx?xxxxxx
                              • API String ID: 1727790171-714608195
                              • Opcode ID: a6a8e9e0ed9c3afc02866caab4abf3c3015786b25fcdec02e7b448e601d15f35
                              • Instruction ID: 33549ebe062a847dc7720249aa841033611def26f7a9f8bd4e1597e49dd2157f
                              • Opcode Fuzzy Hash: a6a8e9e0ed9c3afc02866caab4abf3c3015786b25fcdec02e7b448e601d15f35
                              • Instruction Fuzzy Hash: 34225571A09F4295EB02CB62E8502E833E5FF887A8F9405B6D94D476B4EF3CE645C358
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Menu$Load$DeleteHandleModule$AsyncStateString$#413MessageModifyRegisterWindow
                              • String ID: %SystemRoot%\system32\taskmgr.exe$ExplorerFrame.dll$P$Windows11ContextMenu_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$c
                              • API String ID: 2510583281-2371452002
                              • Opcode ID: 48d0bbb1bba19aa20d5e793ebe14566c003055557181659adac81ee91c1a03d4
                              • Instruction ID: d1fbbd2f818377111d2db01e0fb70975098dbc04a23afbded8dcf56106b0545e
                              • Opcode Fuzzy Hash: 48d0bbb1bba19aa20d5e793ebe14566c003055557181659adac81ee91c1a03d4
                              • Instruction Fuzzy Hash: 0CF19E71F18E5286FB528B23E8147B932A1EFC5B64F405475D90E47AA4DF3CA685CB08
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: QueryValue$Unregister$Register$ErrorLast$AttributeWindow$CloseCreate$AreaClientExtendFrameIntoVirtual
                              • String ID: AltTabSettings$AlwaysUseWindowTitleAndIcon$ColorScheme$CornerPreference$IncludeWallpaper$MasterPadding$MaxHeight$MaxHeightAbs$MaxWidth$MaxWidthAbs$NoPerApplicationList$PerMonitor$PrimaryOnly$RowHeight$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$ScrollWheelBehavior$ScrollWheelInvert$ShowDelay$Software\ExplorerPatcher\sws$SwitcherIsPerApplication$Theme
                              • API String ID: 120246194-1466656710
                              • Opcode ID: 92166e8fb2e0309ab6f3b86868d8cda29db1fa67f6672a3701c29ebffe42d898
                              • Instruction ID: 4ae4988ff120b11ce742cddfa28f32d6109768e815eeb4ef358e398d6de00b4d
                              • Opcode Fuzzy Hash: 92166e8fb2e0309ab6f3b86868d8cda29db1fa67f6672a3701c29ebffe42d898
                              • Instruction Fuzzy Hash: C0F10A76A14F528AEB218F61E444B9D37B4FB88768F441225DA8D13B28DF3CC259CB18
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value$Create$CloseDirectoryFileProtectSystemVirtual_invalid_parameter_noinfo$AddressErrorHandleLastModuleOpenProcQuery
                              • String ID: .dll$CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc$CLauncherTipContextMenu::GetMenuItemsAsync$CLauncherTipContextMenu::ShowLauncherTipContextMenu$CLauncherTipContextMenu::_ExecuteCommand$CLauncherTipContextMenu::_ExecuteShutdownCommand$CMultitaskingViewManager::_CreateDCompMTVHost$CMultitaskingViewManager::_CreateXamlMTVHost$Hash$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu$Software\ExplorerPatcher\twinui.pcshell$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\twinui.pcshell.dll$twinui.pcshell
                              • API String ID: 2736650789-497210955
                              • Opcode ID: d2eded9bea240c23229c6d6daf0ae46f4a5e364e9b9afbb5f1bf80403a5de6f0
                              • Instruction ID: 0fdf28819330069b80d4172382d17d6df51e0785183aa5e71ddf4b88f29bd768
                              • Opcode Fuzzy Hash: d2eded9bea240c23229c6d6daf0ae46f4a5e364e9b9afbb5f1bf80403a5de6f0
                              • Instruction Fuzzy Hash: 2BD1A372A18E5286EB11DF56E8902A977A1FBC4764F804172EE8D43AB4DF7CD345CB08
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$Window$LibraryLoadLong$ClassCodeFreeNameStringText
                              • String ID: ControlCenterButton$CortanaButton$MultitaskingButton$PeopleBand.dll$PeopleButton$TrayButton$pnidui.dll
                              • API String ID: 3103532507-4160915873
                              • Opcode ID: 0b8ff82605c69ba0c3d38aee6c3473ef8eddac725c7215f224437a09d2157849
                              • Instruction ID: 787a9a43cb143aa5ba42bde5d249d207c78d4461134b60e6a46232a831860e7a
                              • Opcode Fuzzy Hash: 0b8ff82605c69ba0c3d38aee6c3473ef8eddac725c7215f224437a09d2157849
                              • Instruction Fuzzy Hash: E2027561E19E42C2EB52CB12E8503B933A1FBC5B64F805576EA8E43A74DF3CE685C714
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: String$Windows$CreateReference$ByteDeleteFormatLibraryLoadSize$ActivateCounterFolderFreeInstancePathPerformanceQuery_invalid_parameter_noinfo
                              • String ID: %s / %s$EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Windows.UI.Notifications.NotificationData$\ExplorerPatcher\ep_gui.dll$action=update$ep_updates$indeterminate$progressStatus$progressValue$updates.cpp
                              • API String ID: 2375332063-2428038664
                              • Opcode ID: 3e038110ad303b7245781c35bcd8e09fa420e93852786730b7b4aea4bf3d7499
                              • Instruction ID: ffec804fec5c150c8c30b6c9b6544c5864aa3be0ff96914cbdb11d518845e4c9
                              • Opcode Fuzzy Hash: 3e038110ad303b7245781c35bcd8e09fa420e93852786730b7b4aea4bf3d7499
                              • Instruction Fuzzy Hash: 93327E32B09F4282EB12DB66E4506AE63A4FBC4BA4F504572DE5E53B64DF3CE644C708
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Create$CloseHandleObjectSingleWait$ExecuteInstanceQueryShellStringThreadWindows$AddressDeleteModuleOpenProcReferenceServiceSleepUnknown_Value
                              • String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$ReplaceVan$SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network$ShowVAN$ms-availablenetworks:$ms-settings:network$open$shell:::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$shell:::{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}$van.dll
                              • API String ID: 1920378819-2880650144
                              • Opcode ID: c719e62806b6b4991e19c005a3d577afb2d79437815fdd7d67bba10ea95cf55e
                              • Instruction ID: 1601c691a8c8274914912c39c2032a80ecd8b6318acb27f7f8b29074be6f045d
                              • Opcode Fuzzy Hash: c719e62806b6b4991e19c005a3d577afb2d79437815fdd7d67bba10ea95cf55e
                              • Instruction Fuzzy Hash: B6E15C71F18E02C5FB56CB23E854AB927A1BFC8374F5055BAE90E026B4DF3CA644C618
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CreateFile$CloseHandleMapping_invalid_parameter_noinfo
                              • String ID: %08lX%04hX%04hX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX$%x/$/download/symbols/$RSDS
                              • API String ID: 1983873661-2402091955
                              • Opcode ID: 638dfb43851133801f2dc14af45ed182553db894b6b77104bbaf18ad00394b01
                              • Instruction ID: 75ca0717012dd88b012aa5aab11fe212566c947be9492569917251a84f25e9a5
                              • Opcode Fuzzy Hash: 638dfb43851133801f2dc14af45ed182553db894b6b77104bbaf18ad00394b01
                              • Instruction Fuzzy Hash: 96B1F371A08ED286EB268B12E4247B977A0FBC9B64F404572DE5E03BA0CF3CE641C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value$Create$CloseDirectoryFileWindows_invalid_parameter_noinfo$ErrorLast
                              • String ID: .dll$Hash$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$StartDocked$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::StartSizingFrame::StartSizingFrame$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll
                              • API String ID: 3922731654-50308056
                              • Opcode ID: ca77b8ddde9d7b1228341580207da3b5d40f45053d1f3dabb358db633d20350a
                              • Instruction ID: 180f61ed7eb995bcc55a9bb1ddf7d9d7cc9ed49dfd08734262f823d9ec0b88b3
                              • Opcode Fuzzy Hash: ca77b8ddde9d7b1228341580207da3b5d40f45053d1f3dabb358db633d20350a
                              • Instruction Fuzzy Hash: E191A572A18E4286EB11DB66E8502E97360FBC8364F904272EA5D43AB9DF7CD345C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CloseFind$DirectoryValueWindows$FileFirstOptions$CreateInfoInitializeSystem_invalid_parameter_noinfo
                              • String ID: Hash$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartUI.dll$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI_.dll$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
                              • API String ID: 1213659724-3422473855
                              • Opcode ID: a7ceaea5e5ddfe340e18a285eaff7c431f960804a3bf60dcc1c965c773813a2d
                              • Instruction ID: f7801115f7424b119046299f6fb13341b71f16ca99da953cfb9aeac3d9e91cc1
                              • Opcode Fuzzy Hash: a7ceaea5e5ddfe340e18a285eaff7c431f960804a3bf60dcc1c965c773813a2d
                              • Instruction Fuzzy Hash: AA918521A18E8286EB22DF26E8942E92360FBC4764F900272EA5D47AF5DF7CD345C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: IconImageList_ProcessWindow$Destroy$CreateCurrentFile$CharCopyDeleteFolderHungInfoItemKillKnownLongLowerMessageModuleNameObjectOpenPropertySendStoreThreadTimer
                              • String ID: \imageres.dll
                              • API String ID: 2056515760-856694671
                              • Opcode ID: f5c8a6de47b8b456e4055ed69da31c1c0194e37af20958e6535de1986b9af3b3
                              • Instruction ID: 3ccfa0b8e1d03c399ddf29ec5063df37155dfc989828871878fda5edbc1ed557
                              • Opcode Fuzzy Hash: f5c8a6de47b8b456e4055ed69da31c1c0194e37af20958e6535de1986b9af3b3
                              • Instruction Fuzzy Hash: FFF1BD32B08F4186EB25CB26E49427963A0FBE8BA5F104576DE4E47AB4DF3CE645C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Load$StringValue$FolderInfoLibraryLocalePath$AddressCloseCreateExecuteFreeHandleLanguagesMessageModulePreferredProcQueryShellThread_invalid_parameter_noinfo
                              • String ID: Would you like to open the ExplorerPatcher status web page on GitHub in your default browser?$Comctl32.dll$ExplorerPatcher$TaskDialogIndirect$\ExplorerPatcher\ep_gui.dll$\ExplorerPatcher\ep_setup.exe' /uninstall$eplink://update$https://github.com/valinet/ExplorerPatcher/discussions$https://github.com/valinet/ExplorerPatcher/discussions/1102$https://github.com/valinet/ExplorerPatcher/issues$https://github.com/valinet/ExplorerPatcher/releases$open
                              • API String ID: 2492175686-1032208078
                              • Opcode ID: 5086c7fffe5bbea00b6c7dda9a96dd9f20050a7283a99f9b72da5e1338f698fa
                              • Instruction ID: e59a8920448af944abd49c09fe1ffa9cf107682e87b7c80e6e718bbb31147c3d
                              • Opcode Fuzzy Hash: 5086c7fffe5bbea00b6c7dda9a96dd9f20050a7283a99f9b72da5e1338f698fa
                              • Instruction Fuzzy Hash: 9DA15E32A08F819AE721CF26E8106E933A5FB89758F800576EA4D47BA9DF3CD745C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Path$Menu$Window$Foregroundwsprintf$CloseCreateExtensionHandleInsertPopupRemoveSpacesUnquote$CursorDestroyProcessShowStripTrack
                              • String ID: "C:\Program Files\7-Zip\7zFM.exe" %s$"C:\Program Files\7-Zip\7zG.exe" x -o"%s" -spe %s$&Extract to "%s\"$&Open archive
                              • API String ID: 369530117-1140292191
                              • Opcode ID: a8dadeb2f56bf4e176e500106e8422d358ce8bc90782e3af2e61c1bc3d108cbb
                              • Instruction ID: 418e531a624f051ba21df59ac3934f92a6ecbb6ea04c2b79d3cc4143ed520af6
                              • Opcode Fuzzy Hash: a8dadeb2f56bf4e176e500106e8422d358ce8bc90782e3af2e61c1bc3d108cbb
                              • Instruction Fuzzy Hash: DF919F32E18F9285EB21DB22E8442ED27A0FBD5BA8F404531DE5E17AA5DF3CD285C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Monitor$Window$From$Prop$ErrorLast$CreateFontIndirect$#334AttributeDirectoryFreeInfoSystemTask
                              • String ID: Microsoft.Windows.ShellManagedWindowAsNormalWindow$Segoe UI$\rundll32.exe$valinet.ExplorerPatcher.ShellManagedWindow
                              • API String ID: 3197630062-846598209
                              • Opcode ID: b9ee6f1d63079fda2ee6cdc40752355717990f962db974a4c07319cdd06af195
                              • Instruction ID: 91aa6c8b7a0716e66f39ec24cfd10566db965a7478fd37e179de32a78d61e8d5
                              • Opcode Fuzzy Hash: b9ee6f1d63079fda2ee6cdc40752355717990f962db974a4c07319cdd06af195
                              • Instruction Fuzzy Hash: 5772C272A15B418AE752CF36D06476973A5FF99798F148276EE0E93660EF38E580CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$Monitor$From$FindStringWindows$ActivationCloseCreateCursorDeleteDisplayEnumFactoryHandleInfoMonitorsMutexOpenPointRectReferenceShow
                              • String ID: !@$EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$Shell_SecondaryTrayWnd$Shell_TrayWnd$Windows.UI.Xaml.Window
                              • API String ID: 3798604058-3529946197
                              • Opcode ID: 0f513eaa7f73277ef6b48cb12073e55777ed10a0057a6baea20248ddc4b15518
                              • Instruction ID: 9808bf3b4bdff83a2b4fcf4244171aaf27d3edf44ed58eddf697958a45593baf
                              • Opcode Fuzzy Hash: 0f513eaa7f73277ef6b48cb12073e55777ed10a0057a6baea20248ddc4b15518
                              • Instruction Fuzzy Hash: BEF14E76F48E028AF712CB66D9506BD37B1BB84768F1045B6CE0D53A64EF3CAA45C708
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CreateErrorEventLast$CloseHandle$ExecuteProcessShellSleepThreadValue
                              • String ID: EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Software\ExplorerPatcher$UpdatePreferStaging$eplink://update$eplink://update/stable$eplink://update/staging$h$open
                              • API String ID: 2028834884-198725195
                              • Opcode ID: ee5818e020c4af8db8580b810069c4b8851a4d8c5bc1e6f6e8260e125535d6e4
                              • Instruction ID: 6edf305796e3c901e1f7be5ab75cf505731ea93541b2b18016acbb49bf61090c
                              • Opcode Fuzzy Hash: ee5818e020c4af8db8580b810069c4b8851a4d8c5bc1e6f6e8260e125535d6e4
                              • Instruction Fuzzy Hash: B0716121E0CF8282E7218F26E51027963A0FFD87A4F501575DA8E42AB4DF7CE241C708
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Thread$MessageMonitorPost$CriticalSectionWindow$EnterFindFromInfoLeave
                              • String ID: 0o$SOFTWARE\Microsoft\Accessibility$Shell_TrayWnd$TextScaleFactor
                              • API String ID: 2849209329-338394982
                              • Opcode ID: 498b73fe0d18d64f26cd4d9331fd6beb21dd5bec765080295290ff5059bf10d7
                              • Instruction ID: 4d46fe06744eaa295ab624a0ae28123de0790416a6b75935039a244f74506959
                              • Opcode Fuzzy Hash: 498b73fe0d18d64f26cd4d9331fd6beb21dd5bec765080295290ff5059bf10d7
                              • Instruction Fuzzy Hash: 65F16C36B08A42C6E7118F62E8506A93BE2FBC8B68F104275DE4D57B64DF3DE614CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$FindFreeString$AddressAncestorClassCreateHandleInstanceModuleNameOpenProcQueryValue
                              • String ID: MSTaskListWClass$Taskbar.TaskbarFrameAutomationPeer$Windows.UI.Composition.DesktopWindowContentBridge$Windows.UI.Input.InputSite.WindowClass$WorkerW
                              • API String ID: 1963979031-3829649249
                              • Opcode ID: 9e5275f37192f1391db39e812f76c8c139cb4a3ffb25ebe2e100728ab920f0e6
                              • Instruction ID: b17a5d879128a027fcaf91cc23efd945aeb2139daa27214c97d2e7d2ecb47490
                              • Opcode Fuzzy Hash: 9e5275f37192f1391db39e812f76c8c139cb4a3ffb25ebe2e100728ab920f0e6
                              • Instruction Fuzzy Hash: 56D14A76B08E4282EB518B16E46467A77A1FBD9FA0F444472EE8E43AB8DF3CD544C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Menu$PopupQueryValue$BindCreateDestroyDisplayFreeInsertItemNameParentParseTaskTrack
                              • String ID: ::{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}$InfoTip$P$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}$c
                              • API String ID: 3796425743-3612032762
                              • Opcode ID: 4dc48d3cfb74b294b6564113dcbb9b71d2774c6145032d8c731db216beda057b
                              • Instruction ID: 470ba71593c320c5cc603834d4475704c8b89103f722a08bf1eeff13b375880d
                              • Opcode Fuzzy Hash: 4dc48d3cfb74b294b6564113dcbb9b71d2774c6145032d8c731db216beda057b
                              • Instruction Fuzzy Hash: F8E16136A18B5186E711CF66E8403AD77A4FB94B68F104235EE8D47BA8DF7CD648CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Options$CleanupInfoInitializeLoadModuleSystem
                              • String ID: Failed to open pool-size guide file.
                              • API String ID: 4119312768-3392875237
                              • Opcode ID: 683703a3d9c3a6bfb52f6d538efb8f5971c80577f3ec9791ce6834ea93cee3c5
                              • Instruction ID: 5fb55ce6f2ee6747be21a3fb30c4e7e377008672f5a370d4db43cce4d5ba2ba8
                              • Opcode Fuzzy Hash: 683703a3d9c3a6bfb52f6d538efb8f5971c80577f3ec9791ce6834ea93cee3c5
                              • Instruction Fuzzy Hash: 9891BF71E0CE4286E7219B27A8643697692FFD9760F4445B5EA4E437F4DE3CE600CB08
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Message$HandleModuleWindow$ClassCreateCursorDestroyDispatchEventLoadObjectRegisterSleepStockTranslate
                              • String ID: 0$FixTaskbarAutohide_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                              • API String ID: 2692392126-3745785993
                              • Opcode ID: 7414187e4b0defae1d7e8932077febe665ab2e6b2044caf150748a7d02bb3947
                              • Instruction ID: 24f0887366fd2f141cadc0e817aeb88abb9aaee766b24ed57a03081b6ac9030b
                              • Opcode Fuzzy Hash: 7414187e4b0defae1d7e8932077febe665ab2e6b2044caf150748a7d02bb3947
                              • Instruction Fuzzy Hash: 09414232A08F8282E7219B26F95436AB3E5FFD8754F404575DA8E42AB8DF7CD149CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Menu$HandleModule$ItemLoadWindow$BandClassCountCreateCursorForegroundInsertMessageObjectPopupRegisterRemoveSendSleepStockStringTrack
                              • String ID: ExplorerFrame.dll$LauncherTipWnd
                              • API String ID: 1231917228-1828045394
                              • Opcode ID: 328baaa2e5cb64ec3691065845a36d37fea0e53739ef7d8d60abbb73d79cda20
                              • Instruction ID: 3191b5ddfffee38bc7b35422b9532a344bd7017cf04ce171de10b78f8dbbea31
                              • Opcode Fuzzy Hash: 328baaa2e5cb64ec3691065845a36d37fea0e53739ef7d8d60abbb73d79cda20
                              • Instruction Fuzzy Hash: A2C16972A08F428AEB518F66E8446A937E5FB887A4F104579DE5E03BA4CF7CD650C708
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$FindMonitor$From$CreateCursorInfoInstanceMessagePointRectSend
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd$Start
                              • API String ID: 3957573836-2175658619
                              • Opcode ID: 573fc64ee00478b95f05a34165616ccb99621e87a27078ec0dff16ef2da4c20c
                              • Instruction ID: 1dabd365f899b8bb40a5a9c20484a4d5bbee099dbf650a2c7b52425009f3eeb7
                              • Opcode Fuzzy Hash: 573fc64ee00478b95f05a34165616ccb99621e87a27078ec0dff16ef2da4c20c
                              • Instruction Fuzzy Hash: 10815076B09E428AFB05DF62E4146AD23B1FB88BA8B144475CD0E53B64DF7CE609C348
                              APIs
                              Strings
                              • Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy, xrefs: 00007FFE1823E97F
                              • EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}, xrefs: 00007FFE1823EA95
                              • [SMA] Advertising successful animations patching., xrefs: 00007FFE1823EABD
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Token$ContainerDescriptorFreeInformationProcessSecurity$CopyCreateCurrentDaclDeriveEntriesErrorFromInitializeLastLengthLocalMutexNameOpen
                              • String ID: EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy$[SMA] Advertising successful animations patching.
                              • API String ID: 2912553727-3824306247
                              • Opcode ID: 0fc7c607e527f80dde4c1c09c3f746fb42ee1aa51c36ed3816218c40995607af
                              • Instruction ID: 5491472ebb0ee7706c66854a2dce6ce3d83ecb0aabd8f54dc9ea3894cb11a410
                              • Opcode Fuzzy Hash: 0fc7c607e527f80dde4c1c09c3f746fb42ee1aa51c36ed3816218c40995607af
                              • Instruction Fuzzy Hash: 8C714126F08E4286FB518FA2D4103BD23A1BB98BA8F044575DE4D27BA9DF3CE655C344
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Create$CloseObjectSingleWait$AddressCurrentFolderHandleInformationInstanceLibraryLoadModulePathProcProcessSleepThread_invalid_parameter_noinfo
                              • String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$DllGetClassObject$SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell$UseWin32BatteryFlyout$\ExplorerPatcher\pnidui.dll
                              • API String ID: 1967696875-3120677660
                              • Opcode ID: b4d2901775edde8740790da01ae64864a5c2c28576789770ea07ca6d84a64e8e
                              • Instruction ID: 9fa9ef10c6fd50d2504cef86123e119e36776fe01339d16b29abf6ab22400b82
                              • Opcode Fuzzy Hash: b4d2901775edde8740790da01ae64864a5c2c28576789770ea07ca6d84a64e8e
                              • Instruction Fuzzy Hash: 63916B31B08E4282EB528B13E8546B977A1FFC4BA0F5055B6E94E43AB4DF7CE644C718
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CloseEnumFindInfoKeyboardLayoutLoadMessageOpenPostQueryValueWindow
                              • String ID: %04x$%08x$Layout Id$SYSTEM\CurrentControlSet\Control\Keyboard Layouts$SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}
                              • API String ID: 3475777497-1477449099
                              • Opcode ID: 9132b0ccc15526fe416643b61408110445139b31093ed296b2f54ec961a5aa36
                              • Instruction ID: 59acc994581a692e67a9e8eb0a3c094ee9ead79fb10cc7bd234475fb0dabd8a4
                              • Opcode Fuzzy Hash: 9132b0ccc15526fe416643b61408110445139b31093ed296b2f54ec961a5aa36
                              • Instruction Fuzzy Hash: B1615B32B18F4199E721CBA6E8503AD73B1FB987A8F400175DE8E52AA8DF3CD645C744
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: QueryValue$CloseCreate_invalid_parameter_noinfo
                              • String ID: /download/$Software\ExplorerPatcher$UpdatePreferStaging$UpdateTimeout$UpdateURL$UpdateURLStaging$[Updates] Update URL: %s$ep_setup.exe$https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$https://github.com/valinet/ExplorerPatcher/releases/latest
                              • API String ID: 2821414459-3346571005
                              • Opcode ID: d1b2fc9fac1103e6a212c5680ff7da9032f1d2036010b66f6612dc6ca88777d8
                              • Instruction ID: a8e7c532d3246abead793c23983211a0a0cbf53614f8dec9abfd70e216a66872
                              • Opcode Fuzzy Hash: d1b2fc9fac1103e6a212c5680ff7da9032f1d2036010b66f6612dc6ca88777d8
                              • Instruction Fuzzy Hash: 16712D32A18E529BE711CB65E8406AA77A4FBC4364FA00176DB8D13A78DF3CD656CF04
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ClassForegroundNameWindow$Sleep$DeleteTree
                              • String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$Ended "Check foreground window" thread.$Started "Check foreground window" thread.$Windows.UI.Core.CoreWindow
                              • API String ID: 2021506011-749137266
                              • Opcode ID: 1808324265e1b4f00a334f618b225b2f6f3dd276802baf1ad187983293bd0fd5
                              • Instruction ID: 174cb74ab30eb075fce0e4c871b63621643d0c968b055471572e2f329f55e7e2
                              • Opcode Fuzzy Hash: 1808324265e1b4f00a334f618b225b2f6f3dd276802baf1ad187983293bd0fd5
                              • Instruction Fuzzy Hash: 2F518325A08E5281E7269B16A0102B933A1FFD8B70F844771EE9F026F4DF3CE695C708
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Message$HandleModule$ClassCreateCursorDispatchInitializeInstanceLoadObjectRegisterShowSleepStockTranslateWindow
                              • String ID: ArchiveMenuWindowExplorer$Ended "Archive menu" thread.$Started "Archive menu" thread.
                              • API String ID: 3032281874-998171920
                              • Opcode ID: 4d74fd6a2cf0da61cd4a5a624b44ad2ef64646f31e6ffc1b7f6495a8bcd5a8a7
                              • Instruction ID: b77928997d72b48ae331377e338f033b5e643faf2fd2aa963fd38f1275e9295d
                              • Opcode Fuzzy Hash: 4d74fd6a2cf0da61cd4a5a624b44ad2ef64646f31e6ffc1b7f6495a8bcd5a8a7
                              • Instruction Fuzzy Hash: 8B516032A1CF9582E7218F26F8503AA73A4FBD8B54F004176DA8E43A68DF3CD155DB04
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: SHRegGetValueFromHKCUHKLM$Shlwapi.dll
                              • API String ID: 0-2208286396
                              • Opcode ID: 01856ffe7580609e7b58a0724b513bb79cb575442ca385205c3e79c671d32f71
                              • Instruction ID: b2debebf0c9bf42159ce27aa398f47e79f5d44a7ab954a0f78e0433fe9262b65
                              • Opcode Fuzzy Hash: 01856ffe7580609e7b58a0724b513bb79cb575442ca385205c3e79c671d32f71
                              • Instruction Fuzzy Hash: B1C1B621A14F5242EB629B23A46037A63E0FFA97A5F005174DE8E877B5EF3CE641C354
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: #410$CloseOpenQueryValue$AddressAttributeLibraryLoadProcWindow
                              • String ID: %x %x$SOFTWARE\Classes\CLSID\{056440FD-8568-48e7-A632-72157243B55B}\InProcServer32$uxtheme.dll
                              • API String ID: 632063587-1665220535
                              • Opcode ID: f23c619880a94d786a443a6706b9ccf44eb5095bf7d5839934417dc0c839f19e
                              • Instruction ID: 00b1d59776a8d81bf0e5a5ca81e631fe62f8ad83349a44b90cd21cdc57c50687
                              • Opcode Fuzzy Hash: f23c619880a94d786a443a6706b9ccf44eb5095bf7d5839934417dc0c839f19e
                              • Instruction Fuzzy Hash: 34814C31A18E42C6EB629B13E85067567A1FFC57A4F8021B6ED4E03AB4DF3CE245C718
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                              • API String ID: 808467561-2761157908
                              • Opcode ID: f88eb4196e8c090f5eb5e315b2a1c7141e7dd7be7d0b1abaa8dd61c5c7a18be6
                              • Instruction ID: 9ce11016483b4fd3e74434ce66f2f6248f01785a88750aabadeb9d04f23000a4
                              • Opcode Fuzzy Hash: f88eb4196e8c090f5eb5e315b2a1c7141e7dd7be7d0b1abaa8dd61c5c7a18be6
                              • Instruction Fuzzy Hash: 4BB20672E18AA28BE7768F66D5407FC37E1FB84394F401575DA0F57A94DB38AA00CB44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$Find$InvalidateRect$MessagePost
                              • String ID: !@$Shell_SecondaryTrayWnd$Shell_TrayWnd$Start
                              • API String ID: 492091407-2979015546
                              • Opcode ID: b7f4b415b47fa93cbbd1615b73cd027e58da503caed699ab6cd86744afcc110a
                              • Instruction ID: e90555435f3a984228c7eba964c772185c32d101a138040289ca27b7cf1a0790
                              • Opcode Fuzzy Hash: b7f4b415b47fa93cbbd1615b73cd027e58da503caed699ab6cd86744afcc110a
                              • Instruction Fuzzy Hash: DB317E61E08A5242E751CB23B924A66A691BFD8BA4F085075DD0E07F64CE7CD244C744
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ObjectSelect$ColorCreateText$CompatibleDeleteDrawModeSection
                              • String ID: (
                              • API String ID: 2711897886-3887548279
                              • Opcode ID: d5834477a4f53630a89a527a8ccb016ae9399af608a247e866421f7ec8bb69b7
                              • Instruction ID: 99d7c9a1fe13bb2ade6b63f485571243f5fc0d70dd0a805d6e271bdd2578a754
                              • Opcode Fuzzy Hash: d5834477a4f53630a89a527a8ccb016ae9399af608a247e866421f7ec8bb69b7
                              • Instruction Fuzzy Hash: A851E672A19A9146E7158F16B45473AB7A1FBD9BA0F404135EE8B07B74DE3CD544CB00
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Process$CloseHandleProcess32$CreateDirectoryFirstFullImageNameNextOpenQuerySnapshotTerminateToolhelp32Windows_invalid_parameter_noinfo
                              • String ID: ShellExperienceHost.exe$\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                              • API String ID: 2097983625-1597348990
                              • Opcode ID: e77504712daa658222e008976812c4fb319a79a22b6bac21e37dec3d71f4fc77
                              • Instruction ID: 4f006755bb970fde5f4f120b3add224fa33f02e4d933c855edc6f9eadad56675
                              • Opcode Fuzzy Hash: e77504712daa658222e008976812c4fb319a79a22b6bac21e37dec3d71f4fc77
                              • Instruction Fuzzy Hash: CB41AF71A08E9282FB619B16E4543BA73A1FFD8B54F844071CA8E43B68DF3CD645C704
                              APIs
                              • ShellExecuteW.SHELL32 ref: 00007FFE1823E1FF
                                • Part of subcall function 00007FFE182524A0: CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1823E130), ref: 00007FFE182524EE
                                • Part of subcall function 00007FFE182524A0: IUnknown_QueryService.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1823E130), ref: 00007FFE18252521
                                • Part of subcall function 00007FFE182524A0: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1823E130), ref: 00007FFE18252594
                                • Part of subcall function 00007FFE182524A0: WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1823E130), ref: 00007FFE18252658
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CreateStringWindows$DeleteExecuteInstanceQueryReferenceServiceShellUnknown_
                              • String ID: ShowVAN$ms-availablenetworks:$ms-settings:network$open$shell:::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$shell:::{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}$van.dll
                              • API String ID: 3979293583-2514944852
                              • Opcode ID: 092b5b30f98034e5b6e7a3008d3334e842b59c950182b245c3f394abf7e90a6a
                              • Instruction ID: 4d919ce047aeff9a43bfa98adec1f3266bb53cbfb9b8c135896be878ee19c743
                              • Opcode Fuzzy Hash: 092b5b30f98034e5b6e7a3008d3334e842b59c950182b245c3f394abf7e90a6a
                              • Instruction Fuzzy Hash: DB316534E1CE8241FB67D713A4611B923A1BFDD764F9001B6DD4E02A65EF2CE748C608
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value$ErrorLastMessage$ChangeNotifyQuery$DispatchMultipleObjectsPeekTranslateWait
                              • String ID:
                              • API String ID: 2018483580-0
                              • Opcode ID: 5ed66558bf058ff837d0e89b5ba0056c682b7bb908da017999200782fc814397
                              • Instruction ID: 083040075682faf676b1e56384023eb706f15510116a051507a335f7dd785d7f
                              • Opcode Fuzzy Hash: 5ed66558bf058ff837d0e89b5ba0056c682b7bb908da017999200782fc814397
                              • Instruction Fuzzy Hash: 76518E31A18E5282EB619F37D82073923A0FBD9B65F104476DE8E876B4DE3CD604C758
                              Similarity
                              • API ID: Process$ConsoleCreateCurrentDirectoryFreeOpenSleepTerminateWindows_invalid_parameter_noinfo
                              • String ID: \explorer.exe$h
                              • API String ID: 3466857667-2845133803
                              • Opcode ID: cda5308915a13d06574020189d6d7aaf6b8acdb0efb87abf90eed449b8d0d85b
                              • Instruction ID: 5675783cda74515b4eea0f3d5e681a968bc09108d4456236f7fedb0dfcccd3d5
                              • Opcode Fuzzy Hash: cda5308915a13d06574020189d6d7aaf6b8acdb0efb87abf90eed449b8d0d85b
                              • Instruction Fuzzy Hash: 8321A622D18FC286E320CB21F8543AA73A1FBD8344F505535E68E42A38EF7CD194CB04
                              Similarity
                              • API ID: InfoLocale$CloseCreateLanguagesPreferredQueryThreadValue
                              • String ID: Language$Software\ExplorerPatcher
                              • API String ID: 3850668847-1772575399
                              • Opcode ID: ea0f2633b2db62804292e248124bc3add90470c825c55f2f621eeaab03a689b2
                              • Instruction ID: 4d8d82f31a9a4288ee0a2842f08c4062b205af28dfa014ad4ebc68c3a4402498
                              • Opcode Fuzzy Hash: ea0f2633b2db62804292e248124bc3add90470c825c55f2f621eeaab03a689b2
                              • Instruction Fuzzy Hash: 7C513E62E18FC182E7218B29E5553ED7360F7D9B54F41A225DB8D13A66EF38E2D8C700
                              Similarity
                              • API ID: FindWindow$MessageSend
                              • String ID: MSTaskSwWClass$RebarWindow32$Shell_TrayWnd
                              • API String ID: 1134572027-589293716
                              • Opcode ID: 041a2b3641cbbbdc03d7a3709040c67ee58bbf39816446afd8bc18b7eef93851
                              • Instruction ID: a9bb74ba74d4479dbc51235ec0963151c0e48de845cbfdead707b581f622c2f0
                              • Opcode Fuzzy Hash: 041a2b3641cbbbdc03d7a3709040c67ee58bbf39816446afd8bc18b7eef93851
                              • Instruction Fuzzy Hash: 9411C122F09F4281FB16CB23B5049755290BFD8BB0F985975DD1E17BA4CE3CE601C208
                              Strings
                              • \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll, xrefs: 00007FFE1823D973
                              • \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll, xrefs: 00007FFE1823D9DE
                              Similarity
                              • API ID: Find$DirectoryFileFirstWindows$AddressCloseHandleModuleOpenProcQueryValue_invalid_parameter_noinfo
                              • String ID: \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
                              • API String ID: 658624814-2596525942
                              • Opcode ID: 1f25ec4c7c4d95d0ea9fb9ed29039a79ca31eb48983a5d77072dfc3ea1783fd4
                              • Instruction ID: 23cb81e767051be890f9ec3149881ae2e0ac69c0947b46142b384fa34dd84d73
                              • Opcode Fuzzy Hash: 1f25ec4c7c4d95d0ea9fb9ed29039a79ca31eb48983a5d77072dfc3ea1783fd4
                              • Instruction Fuzzy Hash: 58211061A18D8282EB61EB26E8653BA23A1FFD5334FC00672D56E425F5DF3CD649C708
                              Similarity
                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                              • String ID:
                              • API String ID: 3140674995-0
                              • Opcode ID: 0ff271a4c701bbf6033e5704cb7c6d0518fb9b611d7ee93b3fd0d8e4a3c14bc8
                              • Instruction ID: ad1df23064950fe2372735f3fcac96e01ca963de01474d5bfcce48704c82d7ae
                              • Opcode Fuzzy Hash: 0ff271a4c701bbf6033e5704cb7c6d0518fb9b611d7ee93b3fd0d8e4a3c14bc8
                              • Instruction Fuzzy Hash: 8A318172A09F8186EB618F62E8403ED7365FB84714F44447ADA4E47BA5EF3CD648C714
                              Similarity
                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                              • String ID:
                              • API String ID: 1239891234-0
                              • Opcode ID: 0d78a5eae3021c1939b228a5a7ab56fae872cbbac2d3b6b93bf4593b7becebcd
                              • Instruction ID: b316f9495443cf9470fd7135d4bad97197be056ab1e693e127b4d6c71d5ade13
                              • Opcode Fuzzy Hash: 0d78a5eae3021c1939b228a5a7ab56fae872cbbac2d3b6b93bf4593b7becebcd
                              • Instruction Fuzzy Hash: E6318336A08F8186EB21CF26E8402AE73A4FBC5764F540575EA8E43BA5DF3CD645CB04
                              Similarity
                              • API ID: Find$CloseFileFirstFolderPath_invalid_parameter_noinfo
                              • String ID: \ExplorerPatcher\
                              • API String ID: 409097378-431723071
                              • Opcode ID: 8fc8b2df31c4937a697d720ca40b4ab76ec30407b439dca915a33157f5641370
                              • Instruction ID: 8807cb2ea4ddb786337dd8dcf27239e880efa8b3c543577e9debd46fce65ea7a
                              • Opcode Fuzzy Hash: 8fc8b2df31c4937a697d720ca40b4ab76ec30407b439dca915a33157f5641370
                              • Instruction Fuzzy Hash: 8C21B4B0A19E8296EB619B12E4557A623A1FFC9334F804771C96D426F4DF3CE605CB08
                              Similarity
                              • API ID: memcpy_s
                              • String ID:
                              • API String ID: 1502251526-0
                              • Opcode ID: 6ece3bf2e3de7ac94e8577948797fb429e9ad7f61c3a20ff0b65188140a0a1e3
                              • Instruction ID: 36684cca9e7940c3f6c040782425aaef1f14f58037cd677231def6b487d317a1
                              • Opcode Fuzzy Hash: 6ece3bf2e3de7ac94e8577948797fb429e9ad7f61c3a20ff0b65188140a0a1e3
                              • Instruction Fuzzy Hash: 5EC15672F18A9687EB25CF1AA14466AB791F7C8B94F408534EB4F43794DB3DEA00CB04
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: ea42b46a72928e2e673ef83fae2765d8a88be208983df9a3966efbef2b951f1f
                              • Instruction ID: aee4ba48d58c03402c22465e5c5942221ae1ecf0e58122e768834c4c22a069ea
                              • Opcode Fuzzy Hash: ea42b46a72928e2e673ef83fae2765d8a88be208983df9a3966efbef2b951f1f
                              • Instruction Fuzzy Hash: 5B9163B2A19F8185E7628B26F8403E9B7E4FBC4754F440176EA8D46AB8EF3CD641C704
                              Similarity
                              • API ID: ExceptionRaise_clrfp
                              • String ID:
                              • API String ID: 15204871-0
                              • Opcode ID: 33b5f88446811188be24c7ee3ece16ab8b6728ac5aa6439a19ff987fd023b6f6
                              • Instruction ID: dd1dbbb9d361ea3a26c73c7a8b942d4a62f3f6a2a54f8a8ce0e814661a4bbc01
                              • Opcode Fuzzy Hash: 33b5f88446811188be24c7ee3ece16ab8b6728ac5aa6439a19ff987fd023b6f6
                              • Instruction Fuzzy Hash: 96B15E73A04B96CBEB16CF2AC48636877A0F784B68F148962DA5E837B4CB39D551C704
                              APIs
                              • GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000000,00007FFE1825B2DF,?,?,?,?,?,00000000,?,00007FFE1825BADB), ref: 00007FFE1825AA03
                              Similarity
                              • API ID: HeapProcess
                              • String ID: length
                              • API String ID: 54951025-25009842
                              • Opcode ID: b4d73071024a45b0dbddebffbbaa72ce6022f811c89eff3966128bd69a27e402
                              • Instruction ID: bf12bee1a74055e50548dfc145de92fdda52fa2247b5620291c9a2b296328e93
                              • Opcode Fuzzy Hash: b4d73071024a45b0dbddebffbbaa72ce6022f811c89eff3966128bd69a27e402
                              • Instruction Fuzzy Hash: CB315AB2A09F4681EB12DB1AE4411A863B0FBD4BA0F944572D64D47775EF7CEA42C308
                              Similarity
                              • API ID:
                              • String ID: $
                              • API String ID: 0-227171996
                              • Opcode ID: 7f7f0f120929ccdea9899b2c338e7cbab634a7cd6eadc8fc6190f4c66d452753
                              • Instruction ID: 222a7e16898ae42d49ff66ade64833e47ace4dfd185940114a7678e2d52b1111
                              • Opcode Fuzzy Hash: 7f7f0f120929ccdea9899b2c338e7cbab634a7cd6eadc8fc6190f4c66d452753
                              • Instruction Fuzzy Hash: 68E1A732A08E4687EF668B56819013D23E0FF86B68F545179DA0E076B4DF29EAD1C748
                              Similarity
                              • API ID:
                              • String ID: e+000$gfff
                              • API String ID: 0-3030954782
                              • Opcode ID: 330854c9a08150cabfdab81a219396c3ebe50cfdec1984435696eeed99272720
                              • Instruction ID: 32f74ba5f906fd09db86e7189a13fb0938fb72dee0d44a9500194ab328f65806
                              • Opcode Fuzzy Hash: 330854c9a08150cabfdab81a219396c3ebe50cfdec1984435696eeed99272720
                              • Instruction Fuzzy Hash: 77519C62B18BC146EB228A76D800B697BD1E785BA4F48C271CB984BAE5CF3DD184C704
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd777866753e34e22dcedcdbd75a9b7fdb15135f11843b75a15ca25610a2f0e0
                              • Instruction ID: 5a74cfdb06ec14a2ee159651cc146d35eff062ef1513e97ef38fe120ae65afce
                              • Opcode Fuzzy Hash: cd777866753e34e22dcedcdbd75a9b7fdb15135f11843b75a15ca25610a2f0e0
                              • Instruction Fuzzy Hash: 29512822F08A9184FB219B77A8442AE7BA1FB817E4F046574EE5D27BA9CF3CD541C704
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 4e2300d6b29197cd04577ad6b0142574c994ac5f3e0f17fda29de5b8657e92dc
                              • Instruction ID: 585fb4b3d4ee831c8b3d47cb0a067cab754a12ebf1017a00a7b907ea00f6891c
                              • Opcode Fuzzy Hash: 4e2300d6b29197cd04577ad6b0142574c994ac5f3e0f17fda29de5b8657e92dc
                              • Instruction Fuzzy Hash: 24E1A862A08E0682EF6A8F67825053D23E1FF86B64F145175EA0D076B8DF3DDAD1C748
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: gfffffff
                              • API String ID: 0-1523873471
                              • Opcode ID: 979d1181f7594ebf822099a0a5612bbac61939aaab7f8b04981634fabc0f27c1
                              • Instruction ID: 28415dfd78be06ecd1528bc508e58fb0945e4d982732076a6503d2702ee0eecd
                              • Opcode Fuzzy Hash: 979d1181f7594ebf822099a0a5612bbac61939aaab7f8b04981634fabc0f27c1
                              • Instruction Fuzzy Hash: B4A16766B08BC686EF22CB26E0007AD7BD5EBA27A4F048171DE4D477A1DE3DE645C700
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: 4b035eaf3ef911e11d8db63d3c5834c19ba34b667c37c06f2dc8755a46854a46
                              • Instruction ID: 65b514547762ec893b9a364e8d0cb710c004c7bf1fff62472230b9bc54d3c918
                              • Opcode Fuzzy Hash: 4b035eaf3ef911e11d8db63d3c5834c19ba34b667c37c06f2dc8755a46854a46
                              • Instruction Fuzzy Hash: 5CB18072A08A4185EB668F7AC05423D3BE0EB8BB68F144176CF4D577A9CF39D680C758
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e2178eea6b8680db749bb71d76538e559eb16e91ce432e8ec1b5271ec405486a
                              • Instruction ID: 38920d121d979031cd02b1ba9831f5e2e2bf3b1837c5039aaf5c72fa51f56912
                              • Opcode Fuzzy Hash: e2178eea6b8680db749bb71d76538e559eb16e91ce432e8ec1b5271ec405486a
                              • Instruction Fuzzy Hash: FFE1C526908A4287EF668A97C19023D67E1FFC6B64F148179CE0D176B5CF39EA91C70C
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 340e75f0266e0d378c05b22f1ee62917085b474022d0ce01ce1f1d12fdc76c93
                              • Instruction ID: 673ab885cfeb162b1b4850509af8a3b1fdc0bd64ee21d8ea571f666005f21638
                              • Opcode Fuzzy Hash: 340e75f0266e0d378c05b22f1ee62917085b474022d0ce01ce1f1d12fdc76c93
                              • Instruction Fuzzy Hash: 03E1C632908A4247EF668AAAC59437D27D1ABD7B64F144279CE4D076E9CF38EAC1C704
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 345ccf8cd4252f3a55f576e31a2e5bc1095e2b1d812b81be06e85700c894eb1b
                              • Instruction ID: ba8a55618ea272a8482497afcc93a8e74d4b5498995807826d767b758655bbe6
                              • Opcode Fuzzy Hash: 345ccf8cd4252f3a55f576e31a2e5bc1095e2b1d812b81be06e85700c894eb1b
                              • Instruction Fuzzy Hash: A3B18072509B4589EB668F7AC05027C3BE0EB8BB68F244175CA4E473A5CF39E691C748
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: 52bbc561e8fe88e190a298857a924aceae854a114574bbb2491837d3f5a802fc
                              • Instruction ID: b2a4185479321c600c08c6093adf273a7a7cbf072c12b6c782c59ddb2fbd7d60
                              • Opcode Fuzzy Hash: 52bbc561e8fe88e190a298857a924aceae854a114574bbb2491837d3f5a802fc
                              • Instruction Fuzzy Hash: 2C611D22E0895243FF7685AA805033D66C1AFD2370F1446B9D72E43AF5DE7EEA84C709
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2f485472bae5642d5470b27c5e078dd4e8eb73021fab2440680da5292189602a
                              • Instruction ID: 8d5d7b01236c858dbc079dfa2cffd4d3f36c2aeec41ee3bb000356c19eaf0dce
                              • Opcode Fuzzy Hash: 2f485472bae5642d5470b27c5e078dd4e8eb73021fab2440680da5292189602a
                              • Instruction Fuzzy Hash: 0051723292895286EB668EAAC00477833D0EF96778F144171DE8D166E5CF7DF682CB08
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ef072612ce365ffd25acda4fefde1393a0a08fa52472c7be9ab5a5997a4fe3e9
                              • Instruction ID: 502caafffd91c823cb7ff63097503efb940a146a214991fd2fd5e260734ee928
                              • Opcode Fuzzy Hash: ef072612ce365ffd25acda4fefde1393a0a08fa52472c7be9ab5a5997a4fe3e9
                              • Instruction Fuzzy Hash: 6651A632928D52C6FB668F6BD00477823D0EB92778F244171EA8D56AE5CF39E681C708
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16c516e3a0276565f87fe481db8a8bcb5e444f78a4791365d5a28fcd3f107c61
                              • Instruction ID: 68d39a53812a5922220cb6898a8a4a9c469bbe64e2375e254602944c514c6a42
                              • Opcode Fuzzy Hash: 16c516e3a0276565f87fe481db8a8bcb5e444f78a4791365d5a28fcd3f107c61
                              • Instruction Fuzzy Hash: 44519476A18E5186EB258B6AC04063933E0EB96B7CF244171CE4D177F4DB3EEA82C744
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12618e01884bb422ffe44993d2c0e325e5b76a32ee4f8b2e108ee2c27f4fb0fd
                              • Instruction ID: 0e18bdfb318416dfc44235249a3f74235e89085f3be8e324f8d6d2eeb6b96325
                              • Opcode Fuzzy Hash: 12618e01884bb422ffe44993d2c0e325e5b76a32ee4f8b2e108ee2c27f4fb0fd
                              • Instruction Fuzzy Hash: A8518436A18E5186EB258B6AC45023837E0EB86B78F344271CE4D577F4DB3AE983C744
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e3b021623e9cd736667b84619bb56e45e40fad27f771f98220594c04ecd20f52
                              • Instruction ID: 496762f33f6d8d4f69648874b08447ff5822daebc98342f9bd0eef2fc98449fb
                              • Opcode Fuzzy Hash: e3b021623e9cd736667b84619bb56e45e40fad27f771f98220594c04ecd20f52
                              • Instruction Fuzzy Hash: 9051A936A18E5186EB268B5AC04073937E0EB96B68F644171DE4C577F4CF3EE982C744
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70c1f2ceff106e180440d7d831610cf6ce68b6c5d30e104b7258f0539058df31
                              • Instruction ID: 29760a9fbe1c2cd2e3cb7f0d45dea973bf228fee44c09ab2036807949561f3d6
                              • Opcode Fuzzy Hash: 70c1f2ceff106e180440d7d831610cf6ce68b6c5d30e104b7258f0539058df31
                              • Instruction Fuzzy Hash: 23517736A18E5186EF668B5AC04023C37E0EB86B68F244171CE4D177B9CB7EE9D2C744
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 485612231-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID:
                              • String ID: Comctl32.dll$CreateWindowInBand$GetWindowBand$GhostWindowFromHungWindow$HungWindowFromGhostWindow$InternalGetWindowIcon$InternalGetWindowText$IsTopLevelWindow$LoadIconWithScaleDown$NtUserBuildHwndList$SHRegGetValueFromHKCUHKLM$SetWindowBand$SetWindowCompositionAttribute$Shlwapi.dll$shcore.dll$user32.dll$uxtheme.dll$win32u.dll
                              • API String ID: 0-385217830
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: Failed to hook CStartExperienceManager::GetMonitorInformation(). rv = %d$[SMA] CExperienceManagerAnimationHelper::Begin() = %llX$[SMA] CExperienceManagerAnimationHelper::End() = %llX$[SMA] CStartExperienceManager::GetMonitorInformation() = %llX$[SMA] Not all offsets were found, cannot perform patch$[SMA] matchAnimationHelperFields = %llX, +0x%X, +0x%X$[SMA] matchHideA in CStartExperienceManager::Hide() = %llX$[SMA] matchHideB in CStartExperienceManager::Hide() = %llX$[SMA] matchSingleViewShellExperienceFields = %llX$[SMA] matchTransitioningToCortanaField = %llX, +0x%X$[SMA] matchVtable = %llX$x??xxxxxx$xx????xx?xxxx$xx?x????x?xxxx????xxx?x$xxx????xx????xxxx$xxx????xxxxxxxxx$xxxx????xxxx$xxxxxx????x????xxxx$xxxxxxx????xxxxxxxxx$xxxxxxxxxx
                              • API String ID: 544645111-3813412712
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: StringWindows$CreateDelete
                              • String ID: Segoe Fluent Icons$StartMenuSettings.cpp$StartPin$StartTileData.dll$StartUnpin
                              • API String ID: 2860812039-2445808327
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Color$BitsStretchText$Object$DrawFromModeMonitorSelectWindow$BackgroundCreateDeleteFontIndirectInfoParametersSystemTheme
                              • String ID: $%
                              • API String ID: 4081638245-2111875603
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
                              • String ID: xx??xx??x$xx??xxx????xxxxxx????xx??x$xx??xxxxxxxx????x????xx??x$xx?xx?xx?x$xx?xxx??x$xx?xxx??xx$xx?xxxx?xxxx$xxxxxxx????x$xxxxxxxxxx
                              • API String ID: 1029361184-2251541617
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: TextWindow$EventHandleLoadModuleNotifyString
                              • String ID: %s - %d running windows$%s - 1 running window$%s: %d of %d$Desktop$ExplorerFrame.dll$\rundll32.exe
                              • API String ID: 686194620-3935714908
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: DeleteTree$CloseModuleOpen$ExtensionFileNamePathRemove$AwarenessContextCurrentDirectoryErrorHandleLastProcess
                              • String ID: .IA-32.dll$SOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$SOFTWARE\Classes\Drive\shellex\FolderExtensions\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$SOFTWARE\WOW6432Node\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                              • API String ID: 3360383582-326433317
                              • Opcode ID: f64e4be203137b9e086229eeb70c6ba62c2093a0a25a6fe8a7ec120515eced2d
                              • Instruction ID: e144f5da182ec6b9033240040c0e5e70eb7d0257fc0660b2a426cbf773d20b34
                              • Opcode Fuzzy Hash: f64e4be203137b9e086229eeb70c6ba62c2093a0a25a6fe8a7ec120515eced2d
                              • Instruction Fuzzy Hash: 565141A1A18F4282EB218B62E89437573A1FFC4774F4047B6DA5E426F4EF7CD609D608
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$Attribute$BrushCreateDeleteLongObjectSolid$AreaClientExtendFrameInto
                              • String ID: $&$Grid_backgroundPercent$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$[sws] Refreshing theme: %d$_
                              • API String ID: 97799080-1950453067
                              • Opcode ID: 38758d1363722085ab87a860847773ebfe20ec0e6ebcd4ad5f343bfe9f13825c
                              • Instruction ID: 60549cab5622924e3bc94c31ec9a4c28ca42d733ba3e0603de432cc53f13a50f
                              • Opcode Fuzzy Hash: 38758d1363722085ab87a860847773ebfe20ec0e6ebcd4ad5f343bfe9f13825c
                              • Instruction Fuzzy Hash: 3DB18B76B04E5289EB12CF62E8906AC33A1FB98B68F140575DE0E577A8DF3CD644C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CurrentFromModuleProcessStackWalk64$AddrAddr64Base64CaptureCleanupCloseContextFileHandleInitializeLineNameOpenOptionsThread
                              • String ID: %d in file "%s"$%s:$($[%3d] = [0x%p] ::
                              • API String ID: 4210550807-1010961775
                              • Opcode ID: 20d1d0cc9f592fe44db8d0749058d002ca7b15dc3f7cb39802b5a57e6022395e
                              • Instruction ID: 7fa656366f36dc9e0c9ec33b694bc057f4f6a34e60334959edda186c909d567a
                              • Opcode Fuzzy Hash: 20d1d0cc9f592fe44db8d0749058d002ca7b15dc3f7cb39802b5a57e6022395e
                              • Instruction Fuzzy Hash: 18611A32A08F9685E7218F62E8542E973B4FB88B94F544175DE8E17BA8DF3CD205CB44
                              APIs
                              Strings
                              • [EnsureXAML] RoGetActivationFactory(ICoreWindow5) failed. 0x%lX, xrefs: 00007FFE1823F400
                              • [EnsureXAML] WindowsCreateStringReference(WindowsXamlManager) failed. 0x%lX, xrefs: 00007FFE1823F3D0
                              • [EnsureXAML] ICoreWindow5::get_DispatcherQueue() failed. 0x%lX, xrefs: 00007FFE1823F42B
                              • Windows.Internal.Shell.XamlExplorerHost.XamlApplication, xrefs: 00007FFE1823F305
                              • [EnsureXAML] RoGetActivationFactory(IXamlApplicationStatics) failed. 0x%lX, xrefs: 00007FFE1823F364
                              • [EnsureXAML] WindowsCreateStringReference(XamlApplication) failed. 0x%lX, xrefs: 00007FFE1823F31B
                              • [EnsureXAML] %lld ms., xrefs: 00007FFE1823F442
                              • [EnsureXAML] IXamlApplicationStatics::get_Current() failed. 0x%lX, xrefs: 00007FFE1823F391
                              • Windows.UI.Xaml.Hosting.WindowsXamlManager, xrefs: 00007FFE1823F3BD
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ActivationFactoryStringWindows$Count64CreateDeleteReferenceTick
                              • String ID: Windows.Internal.Shell.XamlExplorerHost.XamlApplication$Windows.UI.Xaml.Hosting.WindowsXamlManager$[EnsureXAML] %lld ms.$[EnsureXAML] ICoreWindow5::get_DispatcherQueue() failed. 0x%lX$[EnsureXAML] IXamlApplicationStatics::get_Current() failed. 0x%lX$[EnsureXAML] RoGetActivationFactory(ICoreWindow5) failed. 0x%lX$[EnsureXAML] RoGetActivationFactory(IXamlApplicationStatics) failed. 0x%lX$[EnsureXAML] WindowsCreateStringReference(WindowsXamlManager) failed. 0x%lX$[EnsureXAML] WindowsCreateStringReference(XamlApplication) failed. 0x%lX
                              • API String ID: 1384349799-1320486068
                              • Opcode ID: 309e9b39bc423b7c80d81a2b9883f54dd10212cfc9784977b302ee2192c4f7f7
                              • Instruction ID: 688a339491b3aa9bb90780f7adef1a5d43a450bfc5b7a6729d878d7e1ca95370
                              • Opcode Fuzzy Hash: 309e9b39bc423b7c80d81a2b9883f54dd10212cfc9784977b302ee2192c4f7f7
                              • Instruction Fuzzy Hash: B1510022B08E4295FB029F66E4602B92375BFD4BA8F5045B2CE4E57A74EF3DE605C344
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$Long$Rect$Visible$Empty
                              • String ID:
                              • API String ID: 2906060442-0
                              • Opcode ID: 66cc9ca4c79e996306753c0dd50f51a4686b0854f08af43f0c4547588e5d6ee5
                              • Instruction ID: fe1e9f978d9b4b9769521ebac183053dabc012861f30d5d8c0f0715492bb925c
                              • Opcode Fuzzy Hash: 66cc9ca4c79e996306753c0dd50f51a4686b0854f08af43f0c4547588e5d6ee5
                              • Instruction Fuzzy Hash: C9511C54B08E1282FB569B27A8243396395AFEABB1F4548B0DD0F477B4DE3CE645D208
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CurrentFormatMessageThread
                              • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$LogNt$Msg:[%ws] $ReturnHr$ReturnNt$[%hs(%hs)]$[%hs]
                              • API String ID: 2411632146-1363043106
                              • Opcode ID: 36d649823e87f82759339c66bbeb98b13633b0336a965d9817c984a93a51ef7b
                              • Instruction ID: 97d575e83e8b07bfd728bcc5dc7afe98612e6080200b275b297565ad2858a509
                              • Opcode Fuzzy Hash: 36d649823e87f82759339c66bbeb98b13633b0336a965d9817c984a93a51ef7b
                              • Instruction Fuzzy Hash: 4C718DA1A19F4280EB26CF52A4006E563A4FF86BA4F444577EE4D077B9EF3CE641C308
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLastRegister$Virtual
                              • String ID:
                              • API String ID: 270683995-0
                              • Opcode ID: f250d1fb01da1be5f6057db7c8c30dccb8d4b538fcd040e7f71cd891657f74d4
                              • Instruction ID: 7c22820b5bbdd1a1510a8a0c3039b51af5611a07fbd5b5c034dcbeff4c5ba483
                              • Opcode Fuzzy Hash: f250d1fb01da1be5f6057db7c8c30dccb8d4b538fcd040e7f71cd891657f74d4
                              • Instruction Fuzzy Hash: 5C517F64F08F5386F7665B6796903362294BFA8BA4F004175EE4D872A0EF6CEA14D318
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: PerformanceQuery$Window$CountCounterFrequencyTickVisible$Foreground
                              • String ID: [sws] CalculateHelper %d [[ %lld + %lld = %lld ]].
                              • API String ID: 488077963-247053615
                              • Opcode ID: be44bb33da6e713c059a78ef7b1cbefdda88148570a47e354c117598d2bba7c8
                              • Instruction ID: 9f1a9f48d8f9dbad67b23ab1c188735e95092dbb960349dd3a32827a929283ac
                              • Opcode Fuzzy Hash: be44bb33da6e713c059a78ef7b1cbefdda88148570a47e354c117598d2bba7c8
                              • Instruction Fuzzy Hash: C2C1B136A08E4286EB228F26E4942B973A0FBF87A4F5441B5DE0D477A4DF3DE641C744
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ColorText$Object$DrawModeSelectWindow$CreateDeleteFontForegroundIndirectInfoParametersSystemTheme
                              • String ID:
                              • API String ID: 112896650-0
                              • Opcode ID: 28ea8d5eae088f08772c9eeea65bd47154936fb48cf4d2d88fb7ccf376b3ff1c
                              • Instruction ID: 271d267bf82f2a796fab0429986d3a2134364d2f544e246f43348e1dd4809109
                              • Opcode Fuzzy Hash: 28ea8d5eae088f08772c9eeea65bd47154936fb48cf4d2d88fb7ccf376b3ff1c
                              • Instruction Fuzzy Hash: 79515B76A08A91C6EB619B12A5443BAB3A0FBC4BA4F404475DE8A03B78DF7CD545CA18
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Rect$MetricsSystem$Monitor$FromInfoValue
                              • String ID: ($0$0$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StuckRectsLegacy$Settings
                              • API String ID: 2079259257-2463101083
                              • Opcode ID: e3ba2d1712aa69b05d0cc4412f6e31071aec3149e790a87a1d63a65abc919344
                              • Instruction ID: 2c78e7ea2032fed03ab12c59940f0cf790d7da63cef94f2469432ace796eaa4b
                              • Opcode Fuzzy Hash: e3ba2d1712aa69b05d0cc4412f6e31071aec3149e790a87a1d63a65abc919344
                              • Instruction Fuzzy Hash: 94519231E0CE41C6E7228B16E45037A72A0FFC4764F502275EA8E52AB4DF7DE684CB14
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$#412#413AncestorFindParentPropText
                              • String ID: FloatingWindow$ReBarWindow32$Windows.UI.Composition.DesktopWindowContentBridge
                              • API String ID: 2039485610-463711336
                              • Opcode ID: 369f8016e642424fef891f88ad728505f4c3c86f333c5f316952f8b682ccd038
                              • Instruction ID: 48a635b51fca1960943f6b4338981069ccc47a69c2763e10e0aa662d956cc2bd
                              • Opcode Fuzzy Hash: 369f8016e642424fef891f88ad728505f4c3c86f333c5f316952f8b682ccd038
                              • Instruction Fuzzy Hash: 94414C22E08E9381FB76DB17A8447B91391EFC6BB4F5510B1CD0E076B4DEBCA645D218
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseHandle$HeapMutexRelease$FreeObjectProcessSingleWait
                              • String ID:
                              • API String ID: 3542600547-0
                              • Opcode ID: bba2a210e03e9550ade5e37eb4663465d5d889140892d9334bae6f2e2938b2ca
                              • Instruction ID: e50a320100783f80c3871d1b0a2a978f719ca38796f316772486c2bb534a3e10
                              • Opcode Fuzzy Hash: bba2a210e03e9550ade5e37eb4663465d5d889140892d9334bae6f2e2938b2ca
                              • Instruction Fuzzy Hash: 9A514F21A08E1283FB669F23E55077D33A0EFC4BA4F1815B5DD1E536A9DF2CEA41D248
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: StringWindows$Delete$ActivationCreateFactoryReference$Buffer
                              • String ID: StartDocked.StartSizingFrame$Windows.UI.Xaml.Media.VisualTreeHelper$Windows.UI.Xaml.Window
                              • API String ID: 2896072117-1951327480
                              • Opcode ID: a7a691d5624b654de686003e8703b99b4ad3296760c0e45c858a6f6689de50bf
                              • Instruction ID: 0221a7015d6495b87fbd2c5573eda4eb279ba904a2222879c4ba022bb247d898
                              • Opcode Fuzzy Hash: a7a691d5624b654de686003e8703b99b4ad3296760c0e45c858a6f6689de50bf
                              • Instruction Fuzzy Hash: 6DB14872B04F5685EB01CBA6D8902AD37B5FB84BA8F5440B6CE0E57B68DF78E545C304
                              APIs
                              Strings
                              Similarity
                              • API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
                              • String ID: [HC] Patched!$[HC] cleanup = %llX-%llX$[HC] match1 = %llX$[HC] match2 = %llX$[HC] writeAt = %llX$xxx????xx$xxx?x$xxx?xxxx
                              • API String ID: 1029361184-3401359449
                              • Opcode ID: b338aba2122b48794a8110356ae721c3632cd2eaf9cd82f17bc1b20e65d17e5d
                              • Instruction ID: fd12bd4e9b2fce874ca29081d5fe956816d117f20bd59c330d09b294a9492af3
                              • Opcode Fuzzy Hash: b338aba2122b48794a8110356ae721c3632cd2eaf9cd82f17bc1b20e65d17e5d
                              • Instruction Fuzzy Hash: 0291F171B19E528AEB02CF72D8501B977A4BB847A0F508076EE1D57BA4DF3CD601C348
                              APIs
                              Strings
                              Similarity
                              • API ID: Value$ActivationAddressCreateFactoryHandleModuleProcReferenceStringWindows
                              • String ID: ColorPrevalence$EnableTransparency$SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize$Taskbar10.cpp$WindowsUdk.UI.Themes.SystemVisualTheme$dcomp.dll
                              • API String ID: 342590677-1899219526
                              • Opcode ID: eee946c798044d8251f7ca42235a50e41222e666ccdf69a85a8b8b51cb7d667b
                              • Instruction ID: 7f36f40d87262bad76e130ca793d3c732abd33fb43194811dc64e22ce5f7a046
                              • Opcode Fuzzy Hash: eee946c798044d8251f7ca42235a50e41222e666ccdf69a85a8b8b51cb7d667b
                              • Instruction Fuzzy Hash: 8B919B72B08E02CAEB228F62D4502B933A5FB84768F5485B6DE1D577A4DF3CE644C348
                              APIs
                              Strings
                              Similarity
                              • API ID: ClassName$AncestorParent
                              • String ID: CabinetWClass$NotifyIconOverflowWindow$ReBarWindow32$Shell_TrayWnd$SysListView32$SysTreeView32$TrayNotifyWnd
                              • API String ID: 1386181033-4244482235
                              • Opcode ID: ca88c2902e2076327cf4a345692ff7557c46ff9891392714a1ec89a9b70076fd
                              • Instruction ID: 0d4d7bd47e174d6649c6e386d568a6913ae9977baa8cd6587d98a1b090b23b91
                              • Opcode Fuzzy Hash: ca88c2902e2076327cf4a345692ff7557c46ff9891392714a1ec89a9b70076fd
                              • Instruction Fuzzy Hash: A4717052B08952C2EB769B0690112B973A1FFD5F70FC45172EE4E122F8EF3C9A85C218
                              APIs
                              Strings
                              Similarity
                              • API ID: Menu$HandleItemLoadModule$CountInsertString
                              • String ID: D/$ExplorerFrame.dll$P$b
                              • API String ID: 1491413557-2753148976
                              • Opcode ID: 8da2e0ef13cb1ac62032a24ed978333d563a1b7812b734e6865a6b43ed5f8496
                              • Instruction ID: d6f35ae2fe797adcac347de1677e79e12610ed4ec2b7ee93b84dccca96e4b4d1
                              • Opcode Fuzzy Hash: 8da2e0ef13cb1ac62032a24ed978333d563a1b7812b734e6865a6b43ed5f8496
                              • Instruction Fuzzy Hash: 96417DA2A09F4586EB218F16F464769B3E1FBD8B60F444179DA8D437A4DF3CE605CB08
                              APIs
                              Strings
                              Similarity
                              • API ID: System$MetricsValue
                              • String ID: &$'$9$Control Panel\Desktop\WindowMetrics$IconSpacing$IconVerticalSpacing$MinWidth
                              • API String ID: 1597967150-2735893900
                              • Opcode ID: 191fad97566844dbb047568bc1ee29499f238f3586eeef47a5e0cc9316608776
                              • Instruction ID: ac64c51a38ec7f2e0ef5770fcab5728adf2cfe16e83677d9c72c772e045acee9
                              • Opcode Fuzzy Hash: 191fad97566844dbb047568bc1ee29499f238f3586eeef47a5e0cc9316608776
                              • Instruction Fuzzy Hash: BD217131A0CF82C2EB228B52E4943BA73A0BFC4760F900575D54E42AB5DF7DEA49C708
                              APIs
                              Strings
                              Similarity
                              • API ID: ErrorFreeLastVirtual$FormatMessage
                              • String ID: decommit page %p (base=%p(used=%d), idx=%llu, size=%llu)$ release memory %p (size=%llu)$Failed to decommit page %p (base=%p(used=%d), idx=%llu, size=%llu, error=%lu(%s))$Failed to release memory %p (size=%llu, error=%lu(%s))$Unknown Error
                              • API String ID: 2809503268-3332624631
                              • Opcode ID: a84e9b69010ae3545a9c4240a7ef9bfa70e2e90ef1e9aebecad056ebe32e2764
                              • Instruction ID: 7089190aded9f9dd9838a0d78b6da8cdc0cdff2eba387cbd764a162da5190ff3
                              • Opcode Fuzzy Hash: a84e9b69010ae3545a9c4240a7ef9bfa70e2e90ef1e9aebecad056ebe32e2764
                              • Instruction Fuzzy Hash: DE517E31A08F8286EB218B17E9543A977A4FB98BE4F404575DA8D43774DF3CE254C708
                              APIs
                              Strings
                              Similarity
                              • API ID: Window$Long$Find$MarginsTheme
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 3366318519-1433838494
                              • Opcode ID: 82b878cdfae58637eeee74e4c7c7519577973b9c5241908f0a99c884d6322e1b
                              • Instruction ID: 27b97f8f8113edf60dcccec552b0a5470c88a2202a61f84c8af0f9afa5705e44
                              • Opcode Fuzzy Hash: 82b878cdfae58637eeee74e4c7c7519577973b9c5241908f0a99c884d6322e1b
                              • Instruction Fuzzy Hash: 815180B2E09B91C6EB22CF26E9003397691AB847B8F049175DA4A077B4DF3DD949C714
                              APIs
                              Strings
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: [TC] Patched!$[TC] blockBegin = %llX$[TC] blockEnd = %llX$[TC] rcMonitorAssignment = %llX$xxx??xxx?xx$xxx??xxx?xxx$xxx??xxxx?xx$xxx??xxxx?xxx
                              • API String ID: 544645111-3560911239
                              • Opcode ID: 8536186f3ccecee405d877c6a376b0fd8946795391bdb4ec87c6d0f1bbc39c2e
                              • Instruction ID: b28ad824aea51079b3e81e92e2eae4c98236ae159d5a72f74b454ece8ef025eb
                              • Opcode Fuzzy Hash: 8536186f3ccecee405d877c6a376b0fd8946795391bdb4ec87c6d0f1bbc39c2e
                              • Instruction Fuzzy Hash: 8F51BE21B0AE4285EB12DB27E5002F963A0BF88BA4F544072EE4C0B3B5EF3CE645C344
                              APIs
                              Strings
                              Similarity
                              • API ID: CreateInitializeReferenceStringWindows
                              • String ID: Microsoft.Windows.Explorer$Windows.UI.Notifications.ToastNotification$Windows.UI.Notifications.ToastNotificationManager
                              • API String ID: 3973075819-205246331
                              • Opcode ID: bad3cb61ad32a0b5546914f8a6ca0e8b2114f70bdd3b9801e6c1c526c0c049c0
                              • Instruction ID: 8c0a02a45797391593b370bb7f1c896fefb662fb693e4211bffdbc3029372f78
                              • Opcode Fuzzy Hash: bad3cb61ad32a0b5546914f8a6ca0e8b2114f70bdd3b9801e6c1c526c0c049c0
                              • Instruction Fuzzy Hash: F251E966B04E1686EB01CBA6D4903AD23B5FB88B98F500472CE4E53B68DF3DD609C355
                              APIs
                              Strings
                              Similarity
                              • API ID: CloseHandle$CreateDirectoryFolderPathProcessSystem_invalid_parameter_noinfo
                              • String ID: ",ZZGUI$Launching : %s$\ExplorerPatcher\ep_gui.dll$\rundll32.exe" "$h
                              • API String ID: 3541607598-809932297
                              • Opcode ID: dae89c6e8fb67ccc0a2a771165ebcd34f4d653328516a224a32998d4eea3249a
                              • Instruction ID: 1e1fd2fc2f5b487efb727f6d10342b6732a5618839f41da7fc69e1cfc4dc98a1
                              • Opcode Fuzzy Hash: dae89c6e8fb67ccc0a2a771165ebcd34f4d653328516a224a32998d4eea3249a
                              • Instruction Fuzzy Hash: B1416322E14E8186EB11CB65E8503EE73B0F7D8318F505635EA4D52AB5EF3CD285CB04
                              APIs
                              Strings
                              Similarity
                              • API ID: FindWindow$#412#413MessagePost
                              • String ID: ClockFlyoutWindow$Shell_TrayWnd$Windows.UI.Core.CoreWindow
                              • API String ID: 103836485-3485964848
                              • Opcode ID: a6c6a04033c7e958279a47df002b68a3db58ae581525e2c789887de8148ae2af
                              • Instruction ID: 2fdfa98c1a38f1859abbbe73a92fb59ee48df918871d5078aeb3fa7dfe194f67
                              • Opcode Fuzzy Hash: a6c6a04033c7e958279a47df002b68a3db58ae581525e2c789887de8148ae2af
                              • Instruction Fuzzy Hash: 51318B21E0CE12C5FBA29B13E8502793691AFD8BB0F5454B6DC0E02AB4CE2CE7C5C318
                              APIs
                              Strings
                              Similarity
                              • API ID: CompareOrdinalString
                              • String ID: ::{17CD9488-1228-4B2F-88CE-4298E93E0966}$::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$::{7B81BE6A-CE2B-4676-A29E-EB907A5126C5}$::{8E908FC9-BECC-40F6-915B-F4CA0E70D03D}$::{A8A91A66-3A7D-4424-8D24-04E180695C7A}$::{BB06C0E4-D293-4F75-8A90-CB05B6477EEE}$::{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}$Advanced
                              • API String ID: 2409332303-3644713213
                              • Opcode ID: 3a128c15991b5f54e83503e02f1281c5f4841b565b0b582a6547265550964596
                              • Instruction ID: c667a93b54cf72f646c8855a6afa9dd34c343839397a1fa6fdd20cccd5811db6
                              • Opcode Fuzzy Hash: 3a128c15991b5f54e83503e02f1281c5f4841b565b0b582a6547265550964596
                              • Instruction Fuzzy Hash: 72314B36A08F81C5E7628F02E4443A933A9FB887A0F550676DA9D17B70DF39EA12C744
                              APIs
                              Strings
                              Similarity
                              • API ID: Window$FindSleep$EventVisible
                              • String ID: Ended "Signal shell ready" thread.$Shell_TrayWnd$Start$Started "Signal shell ready" thread.
                              • API String ID: 3652910701-782476775
                              • Opcode ID: 9e371b1cac127683378b7f05a61d209a54c7322e49b2931183ec5ecf6d25c07d
                              • Instruction ID: 4d0d604e52611cdb4be1fd6c9a2e2a33af200456309ff2a23a44c69de69b1e9c
                              • Opcode Fuzzy Hash: 9e371b1cac127683378b7f05a61d209a54c7322e49b2931183ec5ecf6d25c07d
                              • Instruction Fuzzy Hash: 01118260E09E03C1FB2B9B67A8242B526A1AFD8724F0454B5D90F426F1DF3C6648D618
                              APIs
                              Strings
                              Similarity
                              • API ID: Window$AccessibleForegroundPropState$ChildrenFromObject
                              • String ID: EPTBLEN
                              • API String ID: 242652104-515233689
                              • Opcode ID: 19cb3f8b9309dde4596a65705deaba03d942f6790faeb5ebccd69a687ac3a77b
                              • Instruction ID: f7b35aac9122e87d2e1b803897ce3494a64fa875cb3fcd9fa29b712b28a746a4
                              • Opcode Fuzzy Hash: 19cb3f8b9309dde4596a65705deaba03d942f6790faeb5ebccd69a687ac3a77b
                              • Instruction Fuzzy Hash: 89D18D32A08B418BE725CF7AD4402AD77B1FB847A8F604265DE5E57AA8DF38E545CB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CloseHandle$OpenSemaphore$ErrorLastObjectSingleWait
                              • String ID: _p0$wil
                              • API String ID: 2347786691-1814513734
                              • Opcode ID: 658d5da5be2d65d0a64760a8879232775a89bfe2652ae95c89e781813dd5dcb1
                              • Instruction ID: e852beaf7d80017470fd26feae9e941c91e69414f41b7ef61962b03060fcf7e1
                              • Opcode Fuzzy Hash: 658d5da5be2d65d0a64760a8879232775a89bfe2652ae95c89e781813dd5dcb1
                              • Instruction Fuzzy Hash: 569195A2B49E4281EF269F56A4542F963A0FFC4BA0F544672DA4D477A4FE3CD601C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Resource$FreeLocal$AllocFindLoadLockQuerySizeofValue
                              • String ID: %d.%d.%d.%d.
                              • API String ID: 4087920139-3513003344
                              • Opcode ID: 9166ffdc856bbef8424a145c71a5893b331e23ef1c59d65e7caede70a4f1fa78
                              • Instruction ID: 1069bba51c218d55ff5e7e58733fd9e7a7cadeb476f0fb1b9f80b97c3dd08fa6
                              • Opcode Fuzzy Hash: 9166ffdc856bbef8424a145c71a5893b331e23ef1c59d65e7caede70a4f1fa78
                              • Instruction Fuzzy Hash: 7241E022E08A8286FB119F63E804379A790EBD4BF0F548472DD8E477A5DE3CD645C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ObjectSingleWait
                              • String ID: wil
                              • API String ID: 24740636-1589926490
                              • Opcode ID: 9a694e2a68fb19814e29b835e14bc2a27ed7f3b8424e4511df6a7ded76c7c385
                              • Instruction ID: 038101866a989acafd1459b53e469fe0a544ecf1fb9b0848b58973ace677169d
                              • Opcode Fuzzy Hash: 9a694e2a68fb19814e29b835e14bc2a27ed7f3b8424e4511df6a7ded76c7c385
                              • Instruction Fuzzy Hash: 0E4145A1A4CE4342F7628B23A8442FA6391AFC47A4F505273D94E436B9FE3CE745C709
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: LibraryModule$CurrentDataDirectoryEntryFreeHandleImageInformationLoadProcess
                              • String ID: Failed to hook UnifiedTilePinUnpinVerbProvider::GetVerbs(). rv = %d$RoGetActivationFactory$StartMenuSettings.cpp$StartTileData.dll$api-ms-win-core-winrt-l1-1-0.dll$xxxxxxxxxxxxxxxxx?xxx????xxx????xxxxxxxxx?xx?xx?xx?xxx
                              • API String ID: 2511907732-536516541
                              • Opcode ID: 2e3461ecfe016d5d5b2f9acd4f60da46329bc1c1f509410da8317c139dfdebf9
                              • Instruction ID: 7cbd63e5e3e1bdcf6983c7ec3fe9ec56fe2e7360001e4aaf9ea8ac72d184b097
                              • Opcode Fuzzy Hash: 2e3461ecfe016d5d5b2f9acd4f60da46329bc1c1f509410da8317c139dfdebf9
                              • Instruction Fuzzy Hash: 2D316760A09E4791EB129B57E8905B623A1BFC87B4F5042B2E94E437B4EE3CE745C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$Message$FindRegister$Post
                              • String ID: SHELLHOOK$SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}
                              • API String ID: 806771716-2759489877
                              • Opcode ID: 68a3bd36437ffc33ebbd2ae93e113efe7c739191a7ec1c4a17dc2ef03b46f732
                              • Instruction ID: bb1c5c13c7e0b9badbcb70363ecb48445f6d9f98411d65e3ff83ae7fd66a0c4a
                              • Opcode Fuzzy Hash: 68a3bd36437ffc33ebbd2ae93e113efe7c739191a7ec1c4a17dc2ef03b46f732
                              • Instruction Fuzzy Hash: DC21C024F1CE0255FB968B63EB946781291AFF8771F4440F2CC1F629B49E6DA684C308
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: LibraryModuleProtectVirtual$CurrentFreeHandleInformationLoadProcess
                              • String ID: AppResolver.dll$CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart() = %llX$Failed to hook CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart(). rv = %d$RoGetActivationFactory$api-ms-win-core-winrt-l1-1-0.dll$x?xxxx????xxx
                              • API String ID: 1174645330-3507426587
                              • Opcode ID: 3b0ec707502f2bc565e868b63ffa9f593c75a3cf4edca9b5088aa68c956b8623
                              • Instruction ID: 6871584fabe738be8106e1498ebfd351e6ebe02564d7e647a386a88f8d9b92ac
                              • Opcode Fuzzy Hash: 3b0ec707502f2bc565e868b63ffa9f593c75a3cf4edca9b5088aa68c956b8623
                              • Instruction Fuzzy Hash: 55216DA0E09E0791FB129B27E8506F523A0AFC47A4F4441B2D94E477B1EE3CE34AC348
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: -$:$f$p$p
                              • API String ID: 3215553584-2013873522
                              • Opcode ID: fe036fb941fb11473cd2be1db92a5320d12a8278ca9cccc6ab9bb90505469060
                              • Instruction ID: fb7aa41106a47fc774275c0ea9ddbcbcab658c3a6271df47b87462e19ababae9
                              • Opcode Fuzzy Hash: fe036fb941fb11473cd2be1db92a5320d12a8278ca9cccc6ab9bb90505469060
                              • Instruction Fuzzy Hash: C412B461F1C98396FF265B96D05427A72E1FBC2760F844175D68A066E8DF3DEAC0CB08
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: f$f$p$p$f
                              • API String ID: 3215553584-1325933183
                              • Opcode ID: 5aec86bda318b381c8cda5d7efe2f57a5f961980edc2432a172610ea84918a7a
                              • Instruction ID: c268332e9ae1800a81af3c08805153794b266be50b039d373b9eda4453639c3a
                              • Opcode Fuzzy Hash: 5aec86bda318b381c8cda5d7efe2f57a5f961980edc2432a172610ea84918a7a
                              • Instruction Fuzzy Hash: 5812B232A0C94386FF229A57D054AB972E1FBD1774F944075E6D9466E8DF3CE680CB08
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: BitsStretch
                              • String ID:
                              • API String ID: 350495539-3916222277
                              • Opcode ID: 88013bc2f38c8630722a96bcdcbf496357a59567b54d77f66b0e4f362f12a11e
                              • Instruction ID: 71542eef61ae1f4f6af0bc9b566e518b0dc28a32bbe0c0e680af26fc1baecc9b
                              • Opcode Fuzzy Hash: 88013bc2f38c8630722a96bcdcbf496357a59567b54d77f66b0e4f362f12a11e
                              • Instruction Fuzzy Hash: 7BA153B2A18BC08ED7118F65F48065EBBB4F789398F201329EA8953B69DB7DD145CF00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Mutex$CloseCreateCurrentErrorHandleLastObjectProcessReleaseSingleWait
                              • String ID: Local\SM0:%lu:%lu:%hs$wil$x
                              • API String ID: 908355122-984673096
                              • Opcode ID: 0eed1a0e6b6fa06b2c0e89e7213f101d1d7421deb94518413f30a7118700e111
                              • Instruction ID: e274b2bf732f69a8814c4cfde5b1c1a0bf88787ba1affc449aeaa415a4fbe971
                              • Opcode Fuzzy Hash: 0eed1a0e6b6fa06b2c0e89e7213f101d1d7421deb94518413f30a7118700e111
                              • Instruction Fuzzy Hash: 8E518071A09E8282EB629B16E8547BA63A0FFC47A0F504172DE5E937B5EE3CD601D704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$ClassMessageRegisterWord$AttributeComposition
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 2307794763-1433838494
                              • Opcode ID: 3ce8fc805291dc452b58b9c60b418c4dffd9b2a3de205beb9481227af4334021
                              • Instruction ID: 1dc17a844d247d69ce6e9f5da53a9ea54df4b7fcbe7064e173653aa8191b3098
                              • Opcode Fuzzy Hash: 3ce8fc805291dc452b58b9c60b418c4dffd9b2a3de205beb9481227af4334021
                              • Instruction Fuzzy Hash: 7A418021E0CE42C6FB628B52A8243396292EFC5774F1451B5DA4E076F5CF3CE644DB18
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Process$Window$CloseEnumFileFindHandleImageNameOpenProcessesThreadTimes
                              • String ID: Shell_TrayWnd
                              • API String ID: 205820467-2988720461
                              • Opcode ID: f023992688c57101c561ed79959dc3c03ba5d458641acb0f4f1228131208a279
                              • Instruction ID: 11f15f28283e2ac49ce718ba64361be7d6c34d20b113fd65c7a266f4183022ec
                              • Opcode Fuzzy Hash: f023992688c57101c561ed79959dc3c03ba5d458641acb0f4f1228131208a279
                              • Instruction Fuzzy Hash: BC31A232608F8196EB11CF52E4444AA73A1FBC8BA0F844171EE9E03B64DF3CD646CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ClassEnumMenuNamePopupPropsTrack
                              • String ID: SHELLDLL_DefView$Shell_SecondaryTrayWnd$Shell_TrayWnd$SysTreeView32
                              • API String ID: 3301139559-1312006807
                              • Opcode ID: 28a955afaa9e39d9a45105df2af7524090ebd910936a3e4e4d7474214dfd473f
                              • Instruction ID: 635733ac59b482418b6e845a3b650fdebebf66d50f977bbba1d1dfae5cd39ee2
                              • Opcode Fuzzy Hash: 28a955afaa9e39d9a45105df2af7524090ebd910936a3e4e4d7474214dfd473f
                              • Instruction Fuzzy Hash: A061AE62B08D42C2EB668B0794102B977A1FBC4FB4F945171ED4E026B8DF7CEA85C718
                              APIs
                              Strings
                              Similarity
                              • API ID: Initialize$ActivateCreateInstanceReferenceStringWindows
                              • String ID: Windows.Data.Xml.Dom.XmlDocument$updates.cpp
                              • API String ID: 2774375269-421020656
                              • Opcode ID: c17de4a74663ae1334d4dc68cb615cf5464bcc9af81c3d8218caca80331b9e32
                              • Instruction ID: fb790bbf8594ca8e6e37b033d091bcccf7438dcb0731c4b3ac6062f4239e3fc5
                              • Opcode Fuzzy Hash: c17de4a74663ae1334d4dc68cb615cf5464bcc9af81c3d8218caca80331b9e32
                              • Instruction Fuzzy Hash: 57614C72B04F5686EB028FB2D4501AD37B0BB88BA8B504572CE1EA7B64DF38D645C348
                              APIs
                              Strings
                              Similarity
                              • API ID: Window$Monitor$FindFromRect
                              • String ID: Shell_TrayWnd$`$`
                              • API String ID: 1754679160-909703354
                              • Opcode ID: 835322f2132c82607c418faf5b6853fbc57d6ad72e999e60f27b04ef33754118
                              • Instruction ID: 7f17abeaa0e6f7417f7b668904098fd03595df5748888784dbb3d6eabb59595f
                              • Opcode Fuzzy Hash: 835322f2132c82607c418faf5b6853fbc57d6ad72e999e60f27b04ef33754118
                              • Instruction Fuzzy Hash: FE519371A1CE418AE753CB3AE45017AB3A1FF993A4F148372E54E52A74DF3CE591CA04
                              APIs
                              Strings
                              Similarity
                              • API ID: AddressFreeLibraryProc
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 3013587201-537541572
                              • Opcode ID: d4e28a9fedf3677cfce40951c100994421983aba29285a1f03a61ac34610fe8e
                              • Instruction ID: 2b332254ca9c9515f2b692b933303a937fb5964a0c6f1cb6b9320bdedb3861cf
                              • Opcode Fuzzy Hash: d4e28a9fedf3677cfce40951c100994421983aba29285a1f03a61ac34610fe8e
                              • Instruction Fuzzy Hash: 3B41E021B19E1292EF178B57A80067563D0BF9ABF0F484575DD0E477A8EE3CE689D308
                              APIs
                              Strings
                              Similarity
                              • API ID: Register$ErrorLast
                              • String ID: D$Registered Win+A, Win+B, and Win+N
                              • API String ID: 2374893891-229114993
                              • Opcode ID: 3c2239d56e060330bc98f685eaa343f05600b0d946932a09b3d6035dfb083b58
                              • Instruction ID: 84c9857c8027aec3e67563c488f1e37c827470f4aad47bda562a66af58c66404
                              • Opcode Fuzzy Hash: 3c2239d56e060330bc98f685eaa343f05600b0d946932a09b3d6035dfb083b58
                              • Instruction Fuzzy Hash: C0414A20F0CD0386FB62DB53E85433926D1AFC6760F9055B6E90E46AB4CE6CEA45C718
                              APIs
                              Strings
                              Similarity
                              • API ID: Window$Message$CallClassClickCreateDoubleFindHookInstanceNameNextPostRegisterTime
                              • String ID: Shell_TrayWnd$Windows11ContextMenu_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                              • API String ID: 1587758685-4164012455
                              • Opcode ID: 4a94d0f5b2144612d70103909825023d10e6d7e11548533633b21430fc8d6477
                              • Instruction ID: c41e4d2ec0621c9afa2915ae41d63ae429711f6c5f31fede6b8307f082dfb010
                              • Opcode Fuzzy Hash: 4a94d0f5b2144612d70103909825023d10e6d7e11548533633b21430fc8d6477
                              • Instruction Fuzzy Hash: C2313C25E0CE43D5FB929B63A82433536D1AFD47B0F0421B5E94E426B1DF7CA681C618
                              APIs
                              Strings
                              Similarity
                              • API ID: CallDisplayEnumFromHookMessageMetricsMonitorMonitorsNextPointSystem
                              • String ID: !! %d %d$Position Start
                              • API String ID: 2363114125-3643933998
                              • Opcode ID: 7e5a79f82ab04b53e15163cc3553cdc7000e1e6604b3de0e563b74dfe4f5b862
                              • Instruction ID: 7d56a2917d46248b4e93301b7f0c6a1895ced285963f068571aca36605c4a5be
                              • Opcode Fuzzy Hash: 7e5a79f82ab04b53e15163cc3553cdc7000e1e6604b3de0e563b74dfe4f5b862
                              • Instruction Fuzzy Hash: CA317271E08F4286FB268F26E4512BA72A0FFD47A4F544576E94E826B4EF3CD641CA04
                              APIs
                              Strings
                              Similarity
                              • API ID: #412AncestorFindPropWindow
                              • String ID: DarkMode$NavbarComposited$Windows.UI.Composition.DesktopWindowContentBridge
                              • API String ID: 341881220-2358444603
                              • Opcode ID: b92026126a59136a9fa017cb57680c02266db8fe866fa5fef45f75a8e4542f46
                              • Instruction ID: e667e62ab95737e2eaa9edb7406cc3d4f0274f304133a2e87707635706532f3e
                              • Opcode Fuzzy Hash: b92026126a59136a9fa017cb57680c02266db8fe866fa5fef45f75a8e4542f46
                              • Instruction Fuzzy Hash: 01214C22B08F4285EB119B13A8401796395EFC6BA0F5850B1DE4E47B75DE3CD646C318
                              APIs
                              Strings
                              Similarity
                              • API ID: ProtectVirtual$OpenStreamlstrcmpilstrcpy
                              • String ID: TaskbarWinEP$TaskbarWinXP
                              • API String ID: 3070759360-188097361
                              • Opcode ID: 885aa519be0ac16dc9c4f2ce9ba4c8813ddacbb61ad6c77d6aca215c77959592
                              • Instruction ID: 3142203e7286d69853cf0672f5df0c9364664a1ff25c0f90d58260f9b4f56297
                              • Opcode Fuzzy Hash: 885aa519be0ac16dc9c4f2ce9ba4c8813ddacbb61ad6c77d6aca215c77959592
                              • Instruction Fuzzy Hash: C4016155B09E9681FB229B13BC105756360BFC9BE4F844171DE0E47B64DE3CE649C704
                              APIs
                              Similarity
                              • API ID: DeleteStringWindows
                              • String ID:
                              • API String ID: 3152741638-0
                              • Opcode ID: 67f1ce15685d295fff3aeada26a4c3f3d4cb06d9198a5746176b713a9cdb96ef
                              • Instruction ID: 02738a808d5462406e20ca9837a5033e5a7d28443d5dcbe2c84467668eadd2dd
                              • Opcode Fuzzy Hash: 67f1ce15685d295fff3aeada26a4c3f3d4cb06d9198a5746176b713a9cdb96ef
                              • Instruction Fuzzy Hash: 84310536A14F5686EB01AF36E8902693364FF84FA4F884472DE8E47B69DF38D546C304
                              APIs
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3215553584-0
                              • Opcode ID: f072498c211261467f2fcff91edb9a4deb4565e341766cefce39c519e066a899
                              • Instruction ID: f1ec874b205387806e3e13a290563d0b927723f1029acf2502539a1e75b07849
                              • Opcode Fuzzy Hash: f072498c211261467f2fcff91edb9a4deb4565e341766cefce39c519e066a899
                              • Instruction Fuzzy Hash: AFC10522D0CFA641EB529B5790002BE37A1FBC1BA0F6509B9DA4E437B1DE7DE645C308
                              APIs
                              Similarity
                              • API ID: Heap$Process$Free$_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 1838106010-0
                              • Opcode ID: b594837bcafa6114a58da30faa14e04c973ed6eea13c8fea0de63908e2e9a346
                              • Instruction ID: 1ab1b0ae8ceba50b3a2c1237ecd4ebd0fc7c559116308c8d4b04bf01cd96d794
                              • Opcode Fuzzy Hash: b594837bcafa6114a58da30faa14e04c973ed6eea13c8fea0de63908e2e9a346
                              • Instruction Fuzzy Hash: 1F81AFB2A49F0286EB569B17D4411B963A0FFC4BA0F5540B6DA4E077B5EF3DEA41C308
                              APIs
                              Similarity
                              • API ID: FreeHeapString$Process$ErrorInfo_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 3392872171-0
                              • Opcode ID: e97b377cdc069f91b7cc0168dbd4eb8219cca70e6def0d44c9d2d6879679c4d4
                              • Instruction ID: 068d8425960c43899c669f2767bbbf875dbd8c16c637cf76da1ac1aaffeb827a
                              • Opcode Fuzzy Hash: e97b377cdc069f91b7cc0168dbd4eb8219cca70e6def0d44c9d2d6879679c4d4
                              • Instruction Fuzzy Hash: 88618C62B49E1285EF129F6784511FC23A0BF84BA4F488872CE5DA77A5EF38E641C744
                              APIs
                              Similarity
                              • API ID: MonitorWindow$From$InfoPointRect$Find
                              • String ID:
                              • API String ID: 2969468792-0
                              • Opcode ID: e990e4b1540854c73ea75753fca5cebc977366d4440490979d1a3de8ce620f80
                              • Instruction ID: b609ac6046a28ccfc77f920ff1a106ae0dfe781d81af0db6594258d40d85b040
                              • Opcode Fuzzy Hash: e990e4b1540854c73ea75753fca5cebc977366d4440490979d1a3de8ce620f80
                              • Instruction Fuzzy Hash: 09516632B09912DEE710CF7AD8806AC37B1FB88758B055575DE09A7B68DE38EA05CB44
                              APIs
                              • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFE1827E233,?,?,?,00007FFE1827AD46,?,?,?,00007FFE1827AD01), ref: 00007FFE1827E0B1
                              • GetLastError.KERNEL32(?,?,00000000,00007FFE1827E233,?,?,?,00007FFE1827AD46,?,?,?,00007FFE1827AD01), ref: 00007FFE1827E0BF
                              • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFE1827E233,?,?,?,00007FFE1827AD46,?,?,?,00007FFE1827AD01), ref: 00007FFE1827E0E9
                              • FreeLibrary.KERNEL32(?,?,00000000,00007FFE1827E233,?,?,?,00007FFE1827AD46,?,?,?,00007FFE1827AD01), ref: 00007FFE1827E157
                              • GetProcAddress.KERNEL32(?,?,00000000,00007FFE1827E233,?,?,?,00007FFE1827AD46,?,?,?,00007FFE1827AD01), ref: 00007FFE1827E163
                              Strings
                              Similarity
                              • API ID: Library$Load$AddressErrorFreeLastProc
                              • String ID: api-ms-
                              • API String ID: 2559590344-2084034818
                              • Opcode ID: 599aa7cf843937970ddcceeced45eda2783968fedc2164453d608f002cc62442
                              • Instruction ID: d112a6275bfb698ec3618df7f5b3b2b3d0430ffad89089267d5ba8f3d152a7b2
                              • Opcode Fuzzy Hash: 599aa7cf843937970ddcceeced45eda2783968fedc2164453d608f002cc62442
                              • Instruction Fuzzy Hash: 2431F025A1AE1291EF539B03A80157923D4FF99FB0F594975DD9D073A0EE3CEA40C328
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Heap$Process$Free$Alloc_invalid_parameter_noinfo
                              • String ID:
                              • API String ID: 823393853-0
                              • Opcode ID: 8c144cb2418d10e68452f3e411d94cff025c7d322b2be66c77ccad39f53e557e
                              • Instruction ID: 250f5a1ef48bf7d51208dcd5ba62342f5e2555934dffb28ebb6fdd79f24ea9c9
                              • Opcode Fuzzy Hash: 8c144cb2418d10e68452f3e411d94cff025c7d322b2be66c77ccad39f53e557e
                              • Instruction Fuzzy Hash: 82318171A09F4182EB168F53D6503A963A0FF86BA1F148571EE1E077A2DF3DE611C344
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: #413$#412MessagePost
                              • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarSd
                              • API String ID: 691879527-1316455474
                              • Opcode ID: fe1fd73aae1ea85ea7e3645d6f0fcdb6d1f4d04831def016d3668d1233b37eed
                              • Instruction ID: 2772dbbfc0d6abbddd6cd78945d24bd02ac3f100bab7a0a75f65ae5fec4f4272
                              • Opcode Fuzzy Hash: fe1fd73aae1ea85ea7e3645d6f0fcdb6d1f4d04831def016d3668d1233b37eed
                              • Instruction Fuzzy Hash: C321A321B19F02D5FBA28B56E8907792290AFC87A4F442076EE4E03B75EF3CE644C704
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: PropTime$#334FileSystem
                              • String ID: Microsoft.Windows.ShellManagedWindowAsNormalWindow$valinet.ExplorerPatcher.ShellManagedWindow
                              • API String ID: 1774183415-1567022081
                              • Opcode ID: 97238d729015d8dfd2b804d1bb3dafc32e9bfbc5c4abc83e114f203b59bb176e
                              • Instruction ID: 59a634bb8756951f32b6e65061916884dbd9190f0c51f883da1b4c797244dd16
                              • Opcode Fuzzy Hash: 97238d729015d8dfd2b804d1bb3dafc32e9bfbc5c4abc83e114f203b59bb176e
                              • Instruction Fuzzy Hash: 05213E21B09F4286EB569B13A86027963E0EFD9BA1F4855B4DD0E477A4EF3CE650C308
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value$ErrorLast
                              • String ID:
                              • API String ID: 2506987500-0
                              • Opcode ID: afa680444ff38d791336758a7ac440b02a830f88c5224646dddc7f8507a9553c
                              • Instruction ID: 8e620d938cf60e6706876c06fcf721f7cc642fd3b63ef6c24a050427b70f6cc4
                              • Opcode Fuzzy Hash: afa680444ff38d791336758a7ac440b02a830f88c5224646dddc7f8507a9553c
                              • Instruction Fuzzy Hash: ED219A20F08E5642FB5A67B3655113D62D24FD67B0F200BB5D82E17AF6DE2CA681C208
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Heap$AddressAllocHandleModuleProcProcess
                              • String ID: RtlDisownModuleHeapAllocation$ntdll.dll
                              • API String ID: 3242894177-704576883
                              • Opcode ID: f90a51104d6f7e9680a66c2fddb06dc2e1d530d117e95f3f8cccb79bfc0f5d09
                              • Instruction ID: 7b1055a435e0b47b6cd29254a1ee205dda429b75a3d417fd4c1af48833e3f40b
                              • Opcode Fuzzy Hash: f90a51104d6f7e9680a66c2fddb06dc2e1d530d117e95f3f8cccb79bfc0f5d09
                              • Instruction Fuzzy Hash: 22013C60F49F8691FB469B17B84417426D1AFC8FA0F4846B6D91E43374EE3CE681D308
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Unregister
                              • String ID:
                              • API String ID: 315482161-0
                              • Opcode ID: 700ca2f5b889357700303b1d6931b710bc076b59a5e018d0ef2fe211a09a4cac
                              • Instruction ID: 3cfb561629a59d93bb03a3ff37bb6ecdbe6d741244d086f2be7ebcb59361f56d
                              • Opcode Fuzzy Hash: 700ca2f5b889357700303b1d6931b710bc076b59a5e018d0ef2fe211a09a4cac
                              • Instruction Fuzzy Hash: 4101E566E04E1182E7058B66D8553292321EFD8BB9F200670CE2E433E8CF79D9D6D2A4
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$MenuPath$Foreground$InsertPopupProc$CreateCursorExtensionLongRemoveSpacesStripTrackUnquotewsprintf
                              • String ID:
                              • API String ID: 1129523998-0
                              • Opcode ID: 78930651f6e0dbf70c0a968884cc5667dec9041b8e6a20be2af9615704dcd25d
                              • Instruction ID: 672d7f786a2a08c5df1eaebf504d60fd73f0ab9340f921676109bd05d9b525cb
                              • Opcode Fuzzy Hash: 78930651f6e0dbf70c0a968884cc5667dec9041b8e6a20be2af9615704dcd25d
                              • Instruction Fuzzy Hash: 42318121A08F5686FB128B17B4105696394AFC5FE0F684571EE5E137B4EE3CE641C304
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: DeleteObject$#329DestroyFreeIconTaskThumbnailUnregister
                              • String ID:
                              • API String ID: 3142863258-0
                              • Opcode ID: 13f7968a46facd6ed2549252c079c56ea2b5ae9df1ae9bf670fdd253cac59144
                              • Instruction ID: f836716eb4e708a3f6f66776cc61814db5d583ccd466e770f2ef82c7dbfa0bce
                              • Opcode Fuzzy Hash: 13f7968a46facd6ed2549252c079c56ea2b5ae9df1ae9bf670fdd253cac59144
                              • Instruction Fuzzy Hash: F8312821B19E4282EF569F63E4A427863A0EF98B60F080575DE5E17660CF3CE690C608
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Window$CriticalSection$LeaveMonitorRect$EnterForegroundFromInfoPointSwitchThisVisible
                              • String ID:
                              • API String ID: 16346285-0
                              • Opcode ID: 3c5a7ed137fe8480b21572e18efabc9944883a76212bb524bd53722323f22adc
                              • Instruction ID: 95e0b06f7e1315a22906443b7996adfb7ed2aa5239a8dbf075bb32d1a1221fac
                              • Opcode Fuzzy Hash: 3c5a7ed137fe8480b21572e18efabc9944883a76212bb524bd53722323f22adc
                              • Instruction Fuzzy Hash: 0F211D21B08E12C1EF468B57E9A417427E1AFC4FA0B4815B2ED5E43670DE6CE654C718
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Time$#339DesktopFileHungMessagePostSystemTaskThreadWindow
                              • String ID:
                              • API String ID: 68357764-0
                              • Opcode ID: 6d4c6fe84bfa3402f38e0462956fd6ea485584dbd77fb3b073c5038f49a05cb3
                              • Instruction ID: fb07a6c53e9a29afa82266878ceb5ca90813e4b8d53cca45b2cc39ab21f8d000
                              • Opcode Fuzzy Hash: 6d4c6fe84bfa3402f38e0462956fd6ea485584dbd77fb3b073c5038f49a05cb3
                              • Instruction Fuzzy Hash: 67119D22A18E0186EB12CF36E96427933A1FBC9BA4B444571CE0E87BB0DF3CD651C304
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: lstrcmp
                              • String ID: MMStuckRects3$MMStuckRectsLegacy$StuckRects3$StuckRectsLegacy
                              • API String ID: 1534048567-4175609545
                              • Opcode ID: bdb7a762ec4028ff19773bdbe32e6051e40cddc4f4050542620de6a89180ad4a
                              • Instruction ID: fcd307094e24e205340cbad3ca28bfd20785557921ddedb04474735b0b887626
                              • Opcode Fuzzy Hash: bdb7a762ec4028ff19773bdbe32e6051e40cddc4f4050542620de6a89180ad4a
                              • Instruction Fuzzy Hash: 51F04B31B08F91C1E7018B17A8500697361EF84BE0F484472EA4E47B79DE6CE241C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: lstrcmp
                              • String ID: MMStuckRects3$MMStuckRectsLegacy$StuckRects3$StuckRectsLegacy
                              • API String ID: 1534048567-4175609545
                              • Opcode ID: 8f35bc77936d02bd8bfb90192c4675876bf8a2cd4dcf7b6fb2d72930b64a54d9
                              • Instruction ID: 7afcd2793b62b7b7315b35fa66a07eb2f17bc723f65b9e4e12313f631f9be927
                              • Opcode Fuzzy Hash: 8f35bc77936d02bd8bfb90192c4675876bf8a2cd4dcf7b6fb2d72930b64a54d9
                              • Instruction Fuzzy Hash: FDF01D65B08E91C1E7018B07E850065B761EF94BE0F4844B6DE4E47B79DF6CD645C708
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Addr64AllocFromLineVirtual
                              • String ID: ($Allocation too large!$Memory pool exhausted.
                              • API String ID: 3708110707-2461089917
                              • Opcode ID: 82671644744429d4bb92d67069d6a7788f83aa68fdde564f51c0551beeb17465
                              • Instruction ID: fbb33d50a5b4c2127d0a3e2af4c1c71986f245b8a1c210b0e35799d1b761fc92
                              • Opcode Fuzzy Hash: 82671644744429d4bb92d67069d6a7788f83aa68fdde564f51c0551beeb17465
                              • Instruction Fuzzy Hash: 2551E172A08E8186EB06DF27E45027937A0FBD8BA4F044275DA5D477AADF3CD681C744
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$CreateInstance
                              • String ID: xxxx
                              • API String ID: 1177339427-1813341303
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: DisplayEnumInitializeMonitorsUninitialize
                              • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl
                              • API String ID: 3377822461-945323219
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: #412#413ClassMessageRegisterWindowWord
                              • String ID: PeopleBand
                              • API String ID: 1253488571-1317317948
                              APIs
                              • CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1823E15D), ref: 00007FFE182523AF
                              • IUnknown_QueryService.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1823E15D), ref: 00007FFE182523DA
                              • WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1823E15D), ref: 00007FFE18252406
                              • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1823E15D), ref: 00007FFE1825246D
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CreateStringWindows$DeleteInstanceQueryReferenceServiceUnknown_
                              • String ID: Windows.Internal.ShellExperience.ControlCenter
                              • API String ID: 3704749038-1077972374
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ItemMenu$Info$Count
                              • String ID: P$[ROD]: Level %d Position %d/%d Status %d
                              • API String ID: 4286743509-735391699
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: CloseEventHandleValuelstrcmp
                              • String ID: AltTabSettings
                              • API String ID: 3692967019-1137623902
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: ProtectVirtual$CurrentInformationModuleProcess
                              • String ID: x?xx?x?x????xxx
                              • API String ID: 2643150895-841012870
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: )J$RtlGetVersion$ntdll.dll
                              • API String ID: 1646373207-687753697
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Heap$Handle$CloseProcess$AddressAllocCreateFreeModuleMutexProcReleaseSemaphore
                              • String ID: wil
                              • API String ID: 3215620834-1589926490
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: MessageSendTimeout$ShellWindow
                              • String ID:
                              • API String ID: 1795729329-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: _set_statfp
                              • String ID:
                              • API String ID: 1156100317-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Heap$FreeProcess$__std_exception_destroy
                              • String ID:
                              • API String ID: 107506009-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Value
                              • String ID:
                              • API String ID: 3702945584-0
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: MessageSend$FindWindow$Parent
                              • String ID:
                              • API String ID: 2087735068-0
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: CloseHandleTimerWaitable$CreateObjectSingleWait
                              • String ID:
                              • API String ID: 2007961542-0
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: Is_bad_exception_allowed
                              • String ID: csm$csm$csm
                              • API String ID: 2758241748-393685449
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: _invalid_parameter_noinfo
                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                              • API String ID: 3215553584-1196891531
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: CallEncodePointerTranslator
                              • String ID: MOC$RCC
                              • API String ID: 3544855599-2084237596
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: CurrentDebugDebuggerOutputPresentStringThread
                              • String ID: StartMenuSettings.cpp
                              • API String ID: 4268342597-657291044
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                              • String ID: csm
                              • API String ID: 2395640692-1018135373
                              Strings
                              • D:\a\ExplorerPatcher\ExplorerPatcher\packages\Microsoft.Windows.ImplementationLibrary.1.0.230824.2\include\wil\resource.h, xrefs: 00007FFE1826117B
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: CurrentDebugDebuggerOutputPresentStringThread
                              • String ID: D:\a\ExplorerPatcher\ExplorerPatcher\packages\Microsoft.Windows.ImplementationLibrary.1.0.230824.2\include\wil\resource.h
                              • API String ID: 4268342597-2916856121
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                              • String ID: csm$csm
                              • API String ID: 3896166516-3733052814
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: CallEncodePointerTranslator
                              • String ID: MOC$RCC
                              • API String ID: 3544855599-2084237596
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: Monitor$CreateFromInfoInstanceRect
                              • String ID: TwinUIPatches.cpp
                              • API String ID: 3092215291-2263794832
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: CreateExecuteInstanceShell
                              • String ID: Microsoft.System$ms-settings:about
                              • API String ID: 2410647072-638507620
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: Value$AddressHandleModuleOpenProcQuerylstrcmp
                              • String ID: ShowCortanaButton$TaskbarDa
                              • API String ID: 4138643572-1008683796
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: Value$From_invalid_parameter_noinfo
                              • String ID: EnableMTCUVC$Software\Microsoft\Windows NT\CurrentVersion\MTCUVC
                              • API String ID: 1239731142-1716574372
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: ItemMenu$CountInfo
                              • String ID: "$P
                              • API String ID: 115949281-1577843662
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: Value$Fromlstrcmp
                              • String ID: UseWin32BatteryFlyout
                              • API String ID: 276759952-619460319
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: FindWindow
                              • String ID: TravelBand
                              • API String ID: 134000473-3549115983
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: ThreadWindow$EnumFindProcessWindows
                              • String ID: ApplicationManager_ImmersiveShellWindow
                              • API String ID: 274631990-213675812
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: FindWindow
                              • String ID: SHELLDLL_DefView$WorkerW
                              • API String ID: 134000473-2583568628
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RaiseFailFastException$kernelbase.dll
                              • API String ID: 1646373207-919018592
                              APIs
                              • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FFE182921C3), ref: 00007FFE182922F4
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FFE182921C3), ref: 00007FFE1829237F
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: ConsoleErrorLastMode
                              • String ID:
                              • API String ID: 953036326-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: Heap_invalid_parameter_noinfo$FreeProcess
                              • String ID:
                              • API String ID: 3364316771-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: PerformanceQuery$#410#412CounterCursorFrequencyMenuPopupTrack
                              • String ID:
                              • API String ID: 2611046820-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: PerformanceQuery$#410#412CounterCursorFrequencyMenuPopupTrack
                              • String ID:
                              • API String ID: 2611046820-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: PerformanceQuery$#410#412CounterCursorFrequencyMenuPopupTrack
                              • String ID:
                              • API String ID: 2611046820-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: ProtectVirtual$Search
                              • String ID:
                              • API String ID: 1061791571-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              Similarity
                              • API ID: ExclusiveLock$AcquireRelease
                              • String ID:
                              • API String ID: 17069307-0
                              APIs
                               Memory Dump Source
                               • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                               • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                               • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Similarity
                              • API ID: Process$Window$CloseEnumFileFindHandleImageListNameOpenProcessesRegisterResourcesSessionShutdownStartThreadTimes
                              • String ID:
                              • API String ID: 1342731755-0
                              APIs
                              Similarity
                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 2933794660-0
                              APIs
                              Strings
                              Similarity
                              • API ID: __except_validate_context_record
                              • String ID: csm$csm
                              • API String ID: 1467352782-3733052814
                              APIs
                              Strings
                              Similarity
                              • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                              • String ID: .dll
                              • API String ID: 73155330-2738580789
                              APIs
                              Strings
                              Similarity
                              • API ID: CreateFrameInfo__except_validate_context_record
                              • String ID: csm
                              • API String ID: 2558813199-1018135373
                              APIs
                              • _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1828C9A2
                                • Part of subcall function 00007FFE1828DDEC: RtlFreeHeap.NTDLL(?,?,834800000B7CE800,00007FFE1829764A,?,?,?,00007FFE18297687,?,?,00000000,00007FFE18295669,?,?,00007FFE1828D14A,00007FFE1829559B), ref: 00007FFE1828DE02
                                • Part of subcall function 00007FFE1828DDEC: GetLastError.KERNEL32(?,?,834800000B7CE800,00007FFE1829764A,?,?,?,00007FFE18297687,?,?,00000000,00007FFE18295669,?,?,00007FFE1828D14A,00007FFE1829559B), ref: 00007FFE1828DE0C
                              Strings
                              Similarity
                              • API ID: ErrorFreeHeapLast_invalid_parameter_noinfo
                              • String ID: 4$C:\Windows\explorer.exe
                              • API String ID: 2724796048-3825512992
                              APIs
                              Strings
                              Similarity
                              • API ID: ErrorFileLastWrite
                              • String ID: U
                              • API String ID: 442123175-4171548499
                              APIs
                              Strings
                              Similarity
                              • API ID: CreateInstance
                              • String ID: Microsoft.ProgramsAndFeatures$Microsoft.System
                              • API String ID: 542301482-3255149969
                              APIs
                              Strings
                              Similarity
                              • API ID: ClassName
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 1191326365-1433838494
                              APIs
                              Strings
                              Similarity
                              • API ID: ClassName
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 1191326365-1433838494
                              APIs
                              Strings
                              Similarity
                              • API ID: ClassName
                              • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                              • API String ID: 1191326365-1433838494
                              APIs
                              • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1825503F), ref: 00007FFE1827ABD4
                              • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1825503F), ref: 00007FFE1827AC15
                              Strings
                              Similarity
                              • API ID: ExceptionFileHeaderRaise
                              • String ID: csm
                              • API String ID: 2573137834-1018135373
                              APIs
                              Strings
                              • $start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current, xrefs: 00007FFE1824FEFE
                              Similarity
                              • API ID: Open
                              • String ID: $start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current
                              • API String ID: 71445658-2485209836
                              APIs
                              Strings
                              Similarity
                              • API ID: Valuelstrcmp
                              • String ID: ReplaceVan
                              • API String ID: 372169353-130473729
                              • Opcode ID: ea89487583a2989f85a63e4f3d37de35d909f03b5df420a7b1d84c36d94bc7b7
                              • Instruction ID: 845f081b13012854ba08361c91e79b066ad259fa3df9971354b4e49af276241d
                              • Opcode Fuzzy Hash: ea89487583a2989f85a63e4f3d37de35d909f03b5df420a7b1d84c36d94bc7b7
                              • Instruction Fuzzy Hash: 17F0FB36A08B91C2EB508B16F44011AA7A4F7D8BE4F184171EBCD43B28DF7CD696CB04
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Message$PostQuitRegisterWindow
                              • String ID: TaskbarCreated
                              • API String ID: 1640695409-2362178303
                              • Opcode ID: e40dd106e5c28cd757ea849553ffbbc5691f3de6786a5015d584f4b93040861c
                              • Instruction ID: 13d5baff29a0d314d897aae138b924b347e81c419c254c4d5a546e0282959ed4
                              • Opcode Fuzzy Hash: e40dd106e5c28cd757ea849553ffbbc5691f3de6786a5015d584f4b93040861c
                              • Instruction Fuzzy Hash: E3F04431F08E9185E7159B13B550029A760EBE8BE0F1444B5EA4E03B74CE3CD654C748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Session$ListRegisterResourcesRestartShutdownStart
                              • String ID: RmRestart error: %d
                              • API String ID: 4293926141-2348054958
                              • Opcode ID: 54cc6a934dd87566f3e5259231cbfb4de4c3fcb9d1fe53514352706030b0dc14
                              • Instruction ID: 7ad903d902ca88bd3a1907574a7abcd83c79cc8955ed32c81540c50cfc406bc3
                              • Opcode Fuzzy Hash: 54cc6a934dd87566f3e5259231cbfb4de4c3fcb9d1fe53514352706030b0dc14
                              • Instruction Fuzzy Hash: DEE0E560F18D5287F706AB3B9C6157226E2AFC8331FB046B4D51E866B1DF2CA642C748
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Heap$FreeProcess
                              • String ID:
                              • API String ID: 3859560861-0
                              • Opcode ID: eb2518a923c2e680aae5d6174970ba7f06051d0c2a8381f7bbfd7a6f48999b07
                              • Instruction ID: 6fbc4d9923d1d646a5531620c79cba64b6139e60e896bb9021a53007c38f04bd
                              • Opcode Fuzzy Hash: eb2518a923c2e680aae5d6174970ba7f06051d0c2a8381f7bbfd7a6f48999b07
                              • Instruction Fuzzy Hash: 02117F32A0AF9196EB198F67EA442A9B370FB88BA0F084535CB5D03364DF38E521C744
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1874538186.00007FFE18231000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE18230000, based on PE: true
                              • Associated: 00000009.00000002.1874494671.00007FFE18230000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874656290.00007FFE1829D000.00000002.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874741848.00007FFE182CA000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874787615.00007FFE182CB000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874825521.00007FFE182D0000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874859372.00007FFE182D2000.00000008.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1874890542.00007FFE182D8000.00000004.00000001.01000000.00000008.sdmp
                              • Associated: 00000009.00000002.1875541708.00007FFE182DB000.00000002.00000001.01000000.00000008.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_7ffe18230000_explorer.jbxd
                              Similarity
                              • API ID: Heap$FreeProcess
                              • String ID:
                              • API String ID: 3859560861-0
                              • Opcode ID: 891d694351d2fae2d6a65f8de4288a2eb33e6f1b536c7afc5cac1a0fd545223a
                              • Instruction ID: beab018762f3bf6ef3799013b475c91a7ecd894a1f6c04f6983b0253a02d7ad9
                              • Opcode Fuzzy Hash: 891d694351d2fae2d6a65f8de4288a2eb33e6f1b536c7afc5cac1a0fd545223a
                              • Instruction Fuzzy Hash: AC013962E04E5182EB118F67E6400A97761FB88BE4B194432DF4D23B29DF38E667D344