Windows Analysis Report
TEKujpTgCK.exe

Overview

General Information

Sample name: TEKujpTgCK.exe (renamed because the original name is a hash value)
Original sample name: c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15.exe
Analysis ID: 1558461
MD5: 65c23b196d8c066197b3d6e9fc3282a2
SHA1: 7a2412047c4c9d9bd3648600240482122173cb44
SHA256: c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15
Tags: 27-124-18-16, exe, user-JAMESWT_MHT

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Sigma detected: Execution from Suspicious Folder
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • TEKujpTgCK.exe (PID: 7640 cmdline: "C:\Users\user\Desktop\TEKujpTgCK.exe" MD5: 65C23B196D8C066197B3D6E9FC3282A2)
    • cmd.exe (PID: 7864 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ShellExperienceHosts.exe (PID: 7916 cmdline: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe MD5: 0922B22053A6D5D9516EA910D34A4771)
        • WerFault.exe (PID: 8012 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, CommandLine: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, NewProcessName: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, OriginalFileName: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7864, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, ProcessId: 7916, ProcessName: ShellExperienceHosts.exe
No Suricata rule has matched
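The Sigma hit above is the only rule-based detection the sandbox raised on the dropped file, and it fires purely on where the process ran from (C:\Users\Public\...), not on what the binary does. The Python below is an added example, not part of the Joe Sandbox report or of the Sigma project: it parses the report's "Data:" line into fields and re-applies the suspicious-folder logic, adding the "cmd /c start" parent launch the process tree shows as context. The folder list is an abridged, from-memory version of the public rule's list and both events are constructed; treat those as assumptions and consult the rule itself for the authoritative set.

```python
import re
from typing import Dict, List

# Constructed events: the first is the 'Data:' line from this report's Sigma hit, the
# second a benign process start written for contrast. Neither is a log shipped with the page.
REPORT_EVENT = (
    "Command: C:\\Users\\Public\\Downloads\\program\\ShellExperienceHosts.exe, "
    "CommandLine: C:\\Users\\Public\\Downloads\\program\\ShellExperienceHosts.exe, "
    "CommandLine|base64offset|contains: , "
    "Image: C:\\Users\\Public\\Downloads\\program\\ShellExperienceHosts.exe, "
    "NewProcessName: C:\\Users\\Public\\Downloads\\program\\ShellExperienceHosts.exe, "
    "OriginalFileName: C:\\Users\\Public\\Downloads\\program\\ShellExperienceHosts.exe, "
    "ParentCommandLine: \"C:\\Windows\\System32\\cmd.exe\" /c start "
    "C:\\Users\\Public\\Downloads\\program\\ShellExperienceHosts.exe, "
    "ParentImage: C:\\Windows\\SysWOW64\\cmd.exe, ParentProcessId: 7864, "
    "ParentProcessName: cmd.exe, "
    "ProcessCommandLine: C:\\Users\\Public\\Downloads\\program\\ShellExperienceHosts.exe, "
    "ProcessId: 7916, ProcessName: ShellExperienceHosts.exe"
)
BENIGN_EVENT = (
    "Image: C:\\Windows\\System32\\notepad.exe, ParentImage: C:\\Windows\\explorer.exe, "
    "ParentCommandLine: C:\\Windows\\Explorer.EXE, ProcessId: 4242"
)

# Folder fragments treated as suspicious execution paths. Abridged from memory of the
# public Sigma rule (assumption: the rule file is authoritative, not this tuple).
SUSPICIOUS_FOLDERS = (
    ":\\perflogs\\", ":\\users\\public\\", "\\$recycle.bin\\", "\\users\\default\\",
    "\\users\\all users\\", "\\windows\\fonts\\", "\\windows\\help\\", "\\windows\\ime\\",
    "\\windows\\addins\\", "\\windows\\debug\\", "\\windows\\temp\\", "\\windows\\tasks\\",
    "\\windows\\system32\\tasks\\", "\\windows\\tracing\\", "\\windows\\repair\\",
)

# Split only at a ', ' that starts another 'Key: ' field, so commas inside values survive.
FIELD_SPLIT = re.compile(r", (?=[A-Za-z0-9_|]+: )")


def parse_event(line: str) -> Dict[str, str]:
    """Turn a Joe Sandbox Sigma 'Data:' line ('Key: value, Key: value, ...') into a dict."""
    event: Dict[str, str] = {}
    for field in FIELD_SPLIT.split(line.strip()):
        key, _, value = field.partition(": ")   # first ': ' only; 'C:\' has no space after ':'
        event[key.strip()] = value.strip()
    return event


def evaluate(event: Dict[str, str]) -> List[str]:
    """Apply the suspicious-folder logic to one event and return why it fires (empty if not)."""
    findings: List[str] = []
    image = event.get("Image", "").lower()
    hit = next((folder for folder in SUSPICIOUS_FOLDERS if folder in image), None)
    if hit is None:
        return findings
    findings.append(f"image runs from suspicious folder '{hit}'")
    # Context this report shows: the dropper ran 'cmd /c start <dropped exe>', so the
    # dropped binary is a child of a short-lived cmd.exe rather than of the dropper.
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\cmd.exe") and "/c start" in event.get("ParentCommandLine", "").lower():
        findings.append("launched via cmd /c start (detaches the file from the dropper's process tree)")
    return findings


if __name__ == "__main__":
    for line in (REPORT_EVENT, BENIGN_EVENT):
        ev = parse_event(line)
        print(ev.get("ProcessId"), ev.get("Image"), evaluate(ev))
```

The split regex is what makes the parser usable on these lines: a plain split on "," would break the quoted parent command line and the empty `CommandLine|base64offset|contains` field. Path-only rules like this one are cheap but easy to evade by choosing a different drop directory, which is why the API-level evidence further down the report matters more for classification.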

AV Detection

Source: Submitted sample | Integrated Neural Analysis Model: Matched 97.9% probability
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CA94E30 CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,5_2_6CA94E30
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CA94F50 CryptStringToBinaryA,CryptAcquireContextW,CryptDestroyHash,CryptReleaseContext,5_2_6CA94F50
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CA952A0 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,5_2_6CA952A0
Source: TEKujpTgCK.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win32_VS2019_nondev_i_r\WindowsPlayer_Master_il2cpp_x86.pdb | source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, ShellExperienceHosts.exe, 00000005.00000002.2538942091.000000000040C000.00000002.00000001.01000000.00000005.sdmp, ShellExperienceHosts.exe.0.dr
Source: Binary string: \Release\yyzyBase.pdb | source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp, yyzyBase.dll.0.dr
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAA6130 CreateThread,CreateThread,WSAStartup,getaddrinfo,closesocket,connect,socket,connect,closesocket,freeaddrinfo,recv,recv,VirtualAlloc,WSACleanup,WSACleanup,5_2_6CAA6130
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0L
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: tsetup-x64.5.4.0.exe.0.dr | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAB834F GetKeyState,GetKeyState,GetKeyState,SendMessageW,5_2_6CAB834F
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CA952A0 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,5_2_6CA952A0
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | Code function: 0_2_00502858
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC1CED0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAEE837
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC18A54
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAB8A35
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CB6EBD1
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC30428
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAA00A0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC26000
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC3C378
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CB6BD12
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC23FCB
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC21B54
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CBF1501
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CA9D680
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC217F5
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: String function: 6CC18290 appears 74 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: String function: 6CC181E5 appears 53 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: String function: 6CAC2C67 appears 45 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: String function: 6CC17DCB appears 72 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: String function: 6CC181B2 appears 226 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: String function: 6CAC135E appears 39 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 956
Source: TEKujpTgCK.exe, 00000000.00000002.1385681749.000000000067A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs TEKujpTgCK.exe
Source: TEKujpTgCK.exe, 00000000.00000000.1290607503.000000000041A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs TEKujpTgCK.exe
Source: TEKujpTgCK.exe, 00000000.00000003.1368001960.0000000002E45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMFCApplication4.exe8 vs TEKujpTgCK.exe
Source: TEKujpTgCK.exe | Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs TEKujpTgCK.exe
Source: ShellExperienceHosts.exe.0.dr | Static PE information: Section: .tp6 ZLIB complexity 1.000637755102041
Source: classification engine | Classification label: mal48.evad.winEXE@7/10@0/0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAA7560 CreateToolhelp32Snapshot,Process32FirstW,WideCharToMultiByte,Process32NextW,CloseHandle,Sleep,5_2_6CAA7560
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAA7850 GetFileAttributesA,SHGetFolderPathA,GetFileAttributesA,CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,CoUninitialize,5_2_6CAA7850
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CBFEBAE GetModuleHandleW,GetUserDefaultUILanguage,FindResourceExW,FindResourceW,LoadResource,GlobalAlloc,5_2_6CBFEBAE
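The "Code function" lines are the most useful static evidence in this report: one function in the dropped module chains getaddrinfo/connect/recv with VirtualAlloc (receive data into freshly allocated memory), another walks the process list with Toolhelp32, another polls GetKeyState three times, and two import key material through CryptoAPI. The Python below is an added example, not Joe Sandbox code, that parses lines of this shape (it keys on the "Code function:" marker and the repeated function id, so raw copied lines work as well as the cleaned ones) and labels each function from a hand-written API-set mapping. The mapping and the minimum-call rule are my heuristics, not the sandbox's signature logic, and the input lines are copied from this report with the source path shortened.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: 'Code function' lines copied from this report (source path shortened).
# The last two show lines the parser must reject: a bare id and a push/ret gadget line.
REPORT_LINES = [
    "Source: ShellExperienceHosts.exe | Code function: 5_2_6CAA6130 CreateThread,CreateThread,"
    "WSAStartup,getaddrinfo,closesocket,connect,socket,connect,closesocket,freeaddrinfo,"
    "recv,recv,VirtualAlloc,WSACleanup,WSACleanup,5_2_6CAA6130",
    "Source: ShellExperienceHosts.exe | Code function: 5_2_6CAA7560 CreateToolhelp32Snapshot,"
    "Process32FirstW,WideCharToMultiByte,Process32NextW,CloseHandle,Sleep,5_2_6CAA7560",
    "Source: ShellExperienceHosts.exe | Code function: 5_2_6CAB834F GetKeyState,GetKeyState,"
    "GetKeyState,SendMessageW,5_2_6CAB834F",
    "Source: ShellExperienceHosts.exe | Code function: 5_2_6CA952A0 CryptAcquireContextW,"
    "CryptImportKey,CryptReleaseContext,5_2_6CA952A0",
    "Source: ShellExperienceHosts.exe | Code function: 5_2_6CC1CED05_2_6CC1CED0",
    "Source: ShellExperienceHosts.exe | Code function: 5_2_6CAAAC77 push edi; ret 5_2_6CAAAC79",
]

# A function line is '<id> <api,api,...>,<id>'; the id is repeated at the end. Gadget lines
# end in a different address, so the backreference fails and they are skipped.
FUNC_RE = re.compile(
    r"Code function:\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s*(?P<apis>.*?),?\s*(?P=fn)\s*$"
)

# Assumed heuristic mapping (mine, not Joe Sandbox's): a function that references every
# API in the set gets the label. MIN_CALLS guards labels where one call is normal UI code.
BEHAVIOURS: Dict[str, frozenset] = {
    "network receive into fresh memory (download-and-stage pattern)":
        frozenset({"connect", "recv", "VirtualAlloc"}),
    "process enumeration (looking for AV or analysis tools)":
        frozenset({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    "key-state polling (keylogger pattern)": frozenset({"GetKeyState"}),
    "CryptoAPI key import": frozenset({"CryptAcquireContextW", "CryptImportKey"}),
}
MIN_CALLS = {"key-state polling (keylogger pattern)": 3}


def parse_code_function(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (function id, [API names in listed order]) or None if the line is not one."""
    m = FUNC_RE.search(line)
    if not m:
        return None
    apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
    return m.group("fn"), apis


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Label every parsable function that matches at least one behaviour set."""
    out: List[Tuple[str, List[str]]] = []
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        fn, apis = parsed
        present = set(apis)
        labels = [
            name for name, needed in BEHAVIOURS.items()
            if needed <= present
            and sum(apis.count(a) for a in needed) >= MIN_CALLS.get(name, 1)
        ]
        if labels:
            out.append((fn, labels))
    return out


if __name__ == "__main__":
    for fn, labels in triage(REPORT_LINES):
        print(fn, "->", "; ".join(labels))
```

The listed order is the order the disassembler met the calls, not a proven execution order, so the mapping asks only that the APIs co-occur in one function. That is enough to turn a long signature list into a short reading order for manual analysis: start at 5_2_6CAA6130, since a socket receive that lands in VirtualAlloc'd memory is where a second stage would arrive.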
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | File created: C:\Users\Public\Downloads\program
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7916
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e8a14442-de00-450f-a01b-0c5e7f2cd763
Source: TEKujpTgCK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TEKujpTgCK.exe | String found in binary or memory: cc-add-resource
Source: TEKujpTgCK.exe | String found in binary or memory: (cc-add-resource gold 100)
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | File read: C:\Users\user\Desktop\TEKujpTgCK.exe
Source: unknown | Process created: C:\Users\user\Desktop\TEKujpTgCK.exe "C:\Users\user\Desktop\TEKujpTgCK.exe"
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 956
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | Sections loaded: apphelp.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Sections loaded: yyzybase.dll, msimg32.dll, uxtheme.dll, oledlg.dll, oleacc.dll, winmm.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: tsetup-x64.5.4.0.exe.lnk.5.dr | LNK file: ..\..\Public\Downloads\tsetup-x64.5.4.0.exe
Source: TEKujpTgCK.exe | Static file information: File size 47407259 > 1048576
Source: initial sample | Static PE information: section where entry point is pointing to: .tp6d
Source: yyzyBase.dll.0.dr | Static PE information: real checksum: 0x2d0cdc should be: 0x2d37bd
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section names: .tp6, .tp6a, .tp6, .tp6, .tp6d (the name .tp6 is used by three separate sections)
Source: tsetup-x64.5.4.0.exe.0.dr | Static PE information: section name: .didata
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAAC77 push edi; ret 5_2_6CAAAC79
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAAD23 push edi; ret 5_2_6CAAAD25
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAAE3E push edi; ret 5_2_6CAAAE40
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAAF02 push edi; ret 5_2_6CAAAF04
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAA93B push edi; ret 5_2_6CAAA93D
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAAA17 push edi; ret 5_2_6CAAAA19
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAAB16 push edi; ret 5_2_6CAAAB18
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAA44F push esi; ret 5_2_6CAAA451
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAA5E9 push esi; ret 5_2_6CAAA5EB
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAA68F push edi; ret 5_2_6CAAA691
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAA7E2 push edi; ret 5_2_6CAAA7E4
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CC18180 push ecx; ret 5_2_6CC18193
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAA20F push esi; ret 5_2_6CAAA211
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAA358 push esi; ret 5_2_6CAAA35A
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAB804 push esi; ret 5_2_6CAAB806
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAB579 push esi; ret 5_2_6CAAB57B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAB6B9 push esi; ret 5_2_6CAAB6BB
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAB093 push edi; ret 5_2_6CAAB095
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAB1E4 push edi; ret 5_2_6CAAB1E6
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAB2A8 push edi; ret 5_2_6CAAB2AA
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAAB359 push edi; ret 5_2_6CAAB35B
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6 entropy: 7.9916235972250025
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6d entropy: 7.90195668192099
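Three of the static findings in this report (entry point inside .tp6d, sections with non-standard names whose entropy sits just under 8 bits per byte, and a stored checksum that does not match the computed one) need no sandbox to reproduce. The Python below is an added example, not Joe Sandbox code: a minimal PE32 header walk, per-section Shannon entropy, and the PE CheckSum computation (the same 16-bit folding that pefile implements), exercised on a constructed two-section binary because the samples themselves are not on the page. The test binary, the list of "standard" section names, and the 7.0-bit entropy threshold are assumptions of this example.

```python
import math
import struct
from typing import Dict, List, Optional, Tuple

# Section names a normal MSVC/MinGW link produces; anything else is reported, as the
# sandbox does for .tp6/.tp6a/.tp6d. Assumed list, not the sandbox's own.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
                          ".reloc", ".bss", ".tls", ".CRT", ".textbss", ".didat"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (packed/encrypted data)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Header CheckSum: fold the file into 16 bits with the CheckSum dword treated as zero,
    then add the file length (the computation pefile uses; assumes a 4-aligned offset)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset & ~3:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> Dict[str, object]:
    """Minimal PE32 walk: COFF characteristics, entry RVA, CheckSum and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # optional header: entry RVA at +16, CheckSum at +64
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw": data[rawptr:rawptr + rawsize], "flags": flags})
    return {"characteristics": characteristics,
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "checksum_offset": opt + 64, "sections": sections}


def section_for_rva(sections: List[Dict], rva: int) -> Optional[Dict]:
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s
    return None


def static_triage(data: bytes) -> Dict[str, object]:
    """Entry-point section, per-section entropy/naming, and CheckSum validity."""
    pe = parse_pe(data)
    findings: List[str] = []
    entry = section_for_rva(pe["sections"], pe["entry_rva"])
    entry_name = entry["name"] if entry else None
    if entry is None:
        findings.append("entry point lies outside every section")
    elif entry_name not in STANDARD_SECTION_NAMES:
        findings.append(f"entry point lies in non-standard section {entry_name}")
    entropy: List[Tuple[str, float]] = []       # a list: names may repeat (three .tp6 above)
    for s in pe["sections"]:
        ent = shannon_entropy(s["raw"])
        entropy.append((s["name"], ent))
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name {s['name']}")
        if ent > 7.0:
            findings.append(f"section {s['name']} entropy {ent:.2f}: packed or encrypted content")
    computed = pe_checksum(data, pe["checksum_offset"])
    stored = pe["checksum"]
    if stored == 0:
        state = "not set"                       # many linkers leave it zero; not tampering
    elif stored == computed:
        state = "valid"
    else:
        state = "invalid"
        findings.append(f"invalid checksum: real 0x{stored:x} should be 0x{computed:x}")
    return {"entry_section": entry_name, "entropy": entropy, "checksum": state,
            "computed_checksum": computed, "findings": findings}


def build_sample_pe(stored_checksum: int = 0) -> bytes:
    """Constructed two-section PE32 (not the sample): .text holds a 'nop; ret' pattern,
    .tp6d holds every byte value equally often and owns the entry point, like the report."""
    text = bytes([0x90, 0xC3]) * 0x100
    tp6d = bytes(range(256)) * 2
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0103)        # RELOCS_STRIPPED|EXE|32BIT
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, len(text), len(tp6d), 0, 0x2010, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200,
                      stored_checksum, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                    # 16 empty data dirs
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".tp6d", len(tp6d), 0x2000, len(tp6d), 0x400, 0, 0, 0, 0, 0xE0000020)
    headers = dos + b"PE\0\0" + coff + opt + secs
    return headers + b"\0" * (0x200 - len(headers)) + text + tp6d


if __name__ == "__main__":
    print(static_triage(build_sample_pe()))
```

On a real dropped file, replace build_sample_pe() with the bytes read from disk; the checksum verdict then reads exactly like the report's "real checksum: ... should be: ..." line, and a non-standard entry section with near-8-bit entropy is the usual signature of a packer stub that unpacks the real code at run time, which is also why so many of the listed APIs were never executed during the run.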
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | File created: C:\Users\Public\Downloads\program\yyzyBase.dll
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | File created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Source: C:\Users\user\Desktop\TEKujpTgCK.exe | File created: C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAC400C SetForegroundWindow,IsIconic,PostMessageW,IsIconic,5_2_6CAC400C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CB3A161 IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoW,CopyRect,CopyRect,SystemParametersInfoW,OffsetRect,GetSystemMetrics,GetSystemMetrics,5_2_6CB3A161
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAA9DE0 IsIconic,GetClientRect,5_2_6CAA9DE0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAB9A46 IsIconic,5_2_6CAB9A46
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CAC741B IsWindowVisible,IsIconic,5_2_6CAC741B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | Code function: 5_2_6CB3935C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,5_2_6CB3935C
Source: C:\Users\user\Desktop\TEKujpTgCK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe; Dropped PE file which has not been started: C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; API coverage: 5.6 %
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe TID: 7948; Thread sleep time: -73000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Last function: Thread delayed
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Thread delayed: delay time: 73000
Source: Amcache.hve.8.dr; Binary or memory string: VMware
Source: Amcache.hve.8.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tsetup-x64.5.4.0.exe.0.dr; Binary or memory string: qemU]a0\LS
Source: Amcache.hve.8.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: tsetup-x64.5.4.0.exe.0.dr; Binary or memory string: IHGfs
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr; Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.8.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Process information queried: ProcessInformation
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Process queried: DebugPort
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: 5_2_004A152F LdrInitializeThunk,5_2_004A152F
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: 5_2_6CC18D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6CC18D8D
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: 5_2_6CAB479B OutputDebugStringA,GetLastError,5_2_6CAB479B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: 5_2_6CC18D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6CC18D8D
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: 5_2_6CC22A72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6CC22A72
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: 5_2_6CC184AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_6CC184AC
Source: C:\Users\user\Desktop\TEKujpTgCK.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: GetACP,IsValidCodePage,GetLocaleInfoW,5_2_6CC3EEAC
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: GetLocaleInfoW,5_2_6CC3602C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_6CC3F821
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: EnumSystemLocalesW,5_2_6CC35AC0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: GetLocaleInfoW,5_2_6CC3F51C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_6CC3F645
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: GetLocaleInfoW,5_2_6CC3F74B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: GetLocaleInfoW,5_2_6CC3F0B1
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: EnumSystemLocalesW,5_2_6CC3F1A3
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: EnumSystemLocalesW,5_2_6CC3F158
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_6CC3F2C9
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: EnumSystemLocalesW,5_2_6CC3F23E
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: 5_2_6CC18EAA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_6CC18EAA
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Code function: 5_2_6CB4666D __EH_prolog3_GS,GetCurrentThread,GetCurrentThreadId,GetVersionExW,5_2_6CB4666D
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr; Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 24 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1558461; Sample: TEKujpTgCK.exe; Start date: 19/11/2024; Architecture: WINDOWS; Score: 48
Signatures: AI detected suspicious sample; Sigma detected: Execution from Suspicious Folder
Process tree:
  TEKujpTgCK.exe (started)
    dropped: C:\Users\Public\...\ShellExperienceHosts.exe (PE32)
    dropped: C:\Users\Public\...\tsetup-x64.5.4.0.exe (PE32)
    dropped: C:\Users\Public\Downloads\...\yyzyBase.dll (PE32)
    cmd.exe (started)
      ShellExperienceHosts.exe (started)
        WerFault.exe (started)
      conhost.exe (started)

Source | Detection | Scanner | Label | Link
TEKujpTgCK.exe | 3% | ReversingLabs
Source | Detection | Scanner | Label | Link
C:\Users\Public\Downloads\program\ShellExperienceHosts.exe | 0% | ReversingLabs
C:\Users\Public\Downloads\program\yyzyBase.dll | 3% | ReversingLabs
C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | tsetup-x64.5.4.0.exe.0.dr | false | | high
http://upx.sf.net | Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558461
Start date and time: 2024-11-19 13:52:40 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TEKujpTgCK.exe (renamed because original name is a hash value)
Original Sample Name: c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15.exe
Detection: MAL
Classification: mal48.evad.winEXE@7/10@0/0
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 34
• Number of non-executed functions: 246
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com
• Execution Graph export aborted for target TEKujpTgCK.exe, PID 7640 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: TEKujpTgCK.exe
Time | Type | Description
07:53:48 | API Interceptor | 1x Sleep call for process: ShellExperienceHosts.exe modified
      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe | http://successguilddi.info/ | | malicious | Unknown | |
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Tue Nov 19 12:53:49 2024, 0x1205a4 type
Category: dropped
Size (bytes): 62556
Entropy (8bit): 1.8604897137674887
Encrypted: false
SSDEEP: 192:g1IAZX3/PRQEjPgTDFHvO3SrIbGGqASotG1SflNQRKabqsPNq9cQB5MhrNh:6Io/POEjPgTpGEIbfSq0q6QENr
MD5: 5FED066DD5D01EB481162D02BA1ECA51
SHA1: 4FDEEEF9E1D43989520B23DBC96B0A0A5B176357
SHA-256: 8E997B5BE7B2CDB17BF03A8934A56C63280D030C578DCE56CD7418097BF80C9C
SHA-512: 513044C6F61202237D5DDD0AFFE7F780A27444F5B8A439F5F9C5589EB4F26A1A3901C25160A6E8FE3DCC039B4FCA4731C88AE58341261EFC55EEF80EF89D2103
Malicious: false
Reputation: low
        Preview:MDMP..a..... .......].<g............$...............,............9..........T.......8...........T............$..............H...........4...............................................................................eJ..............GenuineIntel............T...........\.<g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6390
Entropy (8bit): 3.7243875135570494
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbbO6ax5Y1QE/fzLhR5aM4U+89b23sf7ym:R6l7wVeJbO6afY19fpr+89b23sf7ym
MD5: F07929784D1810F5BE78D77DB07B44A8
SHA1: FEBB48EBBE8F39180953D867B9DC08DA611DF707
SHA-256: 5DACA65A8DEAEF63FAF8A05B2D9C61DC2C134CBCE2F44C9710067F65CEC1E667
SHA-512: 859C6A75F62AED7E04265410FA4BA859C80B8EC2227715765E4425B8739E748D90878FCE024AA9DE717F0A2704E1E3021DF065A0C308069B13521201CA0A1C51
Malicious: false
Reputation: low
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.1.6.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4685
Entropy (8bit): 4.501133163114477
Encrypted: false
SSDEEP: 48:cvIwWl8zsQJg77aI9kpWjI3WpW8VYOYm8M4JAtPztrF0G+q8AtztBy4LKuhDed:uIjfWI7KgIG7VqJAtLt+GBtztM4uuted
MD5: ADF3C9809CF72EAC545CBF247516C8C0
SHA1: 285D136D95AF895D09DD5CCD517AD10C194E1CDE
SHA-256: 4EE006C25F7CFA017DA1FA1B398014686CD88B6D0015D21B7C13B73B46F00F5F
SHA-512: FDE73A3F622FCEC3AF238DDD30094A91716CEF65B13147F7717359EB22518FB590BD27B88E8C034B2DCFEC604CCBC2F340B66760B51F0A840650EF5160975DE3
Malicious: false
Reputation: low
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594956" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Users\user\Desktop\TEKujpTgCK.exe
File Type: openssl enc'd data with salted password, base64 encoded
Category: dropped
Size (bytes): 56
Entropy (8bit): 5.173251796980338
Encrypted: false
SSDEEP: 3:iqk94GNUUxkiuNS8:ilNNJH8
MD5: 3534422D0B85476052455B2D51291AED
SHA1: AA9DBBE75FAB93AFD7E830EE8E743D9F9E12794F
SHA-256: BB6EB6543FF1435FD5259ACEDAA08EBDE27A53418F55464BAA9D160197D67364
SHA-512: E7599A845308EB7CEA6978F4FA9F6C837ECFF373C5D9AACC96573087163380E6B112AF125E6195868A3B8AE5E67C6C1F1C588D2364FBD9F723788392B5ECD62D
Malicious: false
Reputation: low
Preview: U2FsdGVkX18ZrUfJM1q4htGAqi0PFxwUl2He6tG8HSioTpsLh6QV7g==
Process: C:\Users\user\Desktop\TEKujpTgCK.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 649416
Entropy (8bit): 6.182028963232553
Encrypted: false
SSDEEP: 12288:zohLz8nnnnntnnnnnnnnnnnnnnnxnMvnnnnPZnnnnPxnnnnnnnnqshJSLnk41mCL:zshQmC5Bz5CLgBFqGI1yi/UQeZndsqro
MD5: 0922B22053A6D5D9516EA910D34A4771
SHA1: 784D3ED35D040091AE209792E2FA8FC97EE6A071
SHA-256: 41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA
SHA-512: 909EC8B2C1045CC11C03C6B82B7ED6AD96BC8E93F9C98CB8A668572C84CBBCE778C12365B2B2EB547218783A830BE41458E0AE21939E99339F54921D98D944D8
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....U..U..U]..T..U]..T..U]..T..U]..T..U...T#.U...T..U...T..U...T..U..UW.U...T..U...T..U..[U..U...T..URich..U........................PE..L......d..........".......... ....../.............@.......................... ..................................................(....@...................\..............T........................... ...@............................................tp6............b.................. ..`.tp6.a..nZ.......\...f..............@..@.tp6......... ......................@..@.tp6.........@......................@..@.tp6d...5%.......&...f.............. ...................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\TEKujpTgCK.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2934784
Entropy (8bit): 6.677264152867375
Encrypted: false
SSDEEP: 49152:JCeuTwfSCMj8ctcrWLGFt3cai8e8jRJVJmfrO0jbjjeDXjRD6i+uSwZPSCdDS+Ok:JCeuEKCMj8XrW6z3caiYRJArO0jLeDXb
MD5: BBC7F7FACC3667AF1B57D80FD6D12839
SHA1: 6CAC9DA94670F0A04ED7A4539C8FC2E71BD93563
SHA-256: C8E901576C91D2CE6821B4F807E3ACE7F28A81E5491C7779B89171E8187B76C6
SHA-512: 928F7EF931D4B6F12717C42031C3B82E2594A38909DE5D2D1E9CD0F5314959AEF6BB123941A0C37CCB04799C3EFF6FED0E0BACEC1F2D0A69F5DF34CC1C85FBD5
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Reputation: low
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............._..._..._...^..._...^..._...^..._...^..._...^..._..._..._.T.^..._.T.^..._.T.^P.._HT.^..._HT.^..._HT._..._..p_..._HT.^..._Rich..._................PE..L....^<g...........!...*.T...p......O........p...............................@-.......-...@......................... j".L...lj"......p#..<....................*.\....p .p....................p .....Po .@............p...............................text....S.......T.................. ..`.rdata...5...p...6...X..............@..@.data...H....."..n....".............@....rsrc....<...p#..>....".............@..@.reloc..\.....*......:*.............@..B................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\TEKujpTgCK.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 45728224
Entropy (8bit): 7.9979617231953934
Encrypted: true
SSDEEP: 786432:nDiGFUGfCK7mtYVMprAcknQyI1PnRbKPkBE25MmXeVYg9n:n1CLtYVMdAcYjGPnpfi25Mj5
MD5: 45177991CB1978D5CB3C06461AE8BE12
SHA1: C2AA0581C86EAE32CC3D7DA720BF5E7B6E019E0E
SHA-256: B9C5F836DCBEF426B53B882FA4CD0CBEBD9C43F1734FC20B5001AB9823B8A318
SHA-512: 1B56141CE39B0CBE585574B7C314ACBD7011B4352BF481B80D3C24863198974E885D61E4B92F9E26429E02AF5D3E8D467AF117EA38A2ACB22E8A836E5E7219A7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
Reputation: low
        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................R...........^.......p....@..........................@......O....@......@...................@....... .......p..<...............+...................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc...<....p......................@..@....................................@..@........................................................
Process: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Nov 19 11:53:39 2024, mtime=Tue Nov 19 11:53:45 2024, atime=Wed Aug 28 17:05:37 2024, length=45728224, window=hide
Category: dropped
Size (bytes): 1138
Entropy (8bit): 4.686076011074673
Encrypted: false
SSDEEP: 24:8fmGOMlsZgDue/IUAUbSRkCDMbgTJkTJUwqygm:8fmGOpFe/IjDkATJkTJmyg
MD5: CEC37821AE6293B3C0450556FE301B4B
SHA1: E944A70A89B10FE5EA96ACD6A3B24B294F41AF0D
SHA-256: 7277D2559334295B464D11C94E2BAD114446343D8B34D6975248FDD4ACA4804E
SHA-512: BBD9C0AA78116932D091EE4A59CF6094B29522E148A203C766475ACA261A786E706C5517252C6638A6CA11F96BF5FA527CBF3FDB5071A65B60FF025CF05CA7AD
Malicious: false
        Preview:L..................F.... ....cc..:..?....:..k9..t................................P.O. .:i.....+00.../C:\...................x.1.....EW.=..Users.d......OwHsY.f....................:.......f.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1.....CW!H..Public..f......O.IsY.f....+...............<.....r.E.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.......1.....sY.f..Downloads.l......O.IsY.f....................B.....3~..D.o.w.n.l.o.a.d.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.0.8.....v.2......Y.. .TSETUP~1.EXE..Z......sY.fsY.f....A"......................I.t.s.e.t.u.p.-.x.6.4...5...4...0...e.x.e.......]...............-.......\...................C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe..+.....\.....\.P.u.b.l.i.c.\.D.o.w.n.l.o.a.d.s.\.t.s.e.t.u.p.-.x.6.4...5...4...0...e.x.e..........Ld=..0O.E.p#_y.....`.......X.......618321...........hT..CrF.f4... .../Tc...,......hT..CrF.f4... .../Tc...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.417097518177966
Encrypted: false
SSDEEP: 6144:ycifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNK5+9:fi58oSWIZBk2MM6AFBko9
MD5: 8284D54DCDCC6AA37183FAE05856A8A1
SHA1: 875E8F8D587B9D575FD7A38C67D98365CE45EB95
SHA-256: 1BF73A2EDF27FF599B790829D96C0F8FC5D7AFB1271EF29768E7FD446271BBFE
SHA-512: D5A6A8738F590099F2A1B3A88FE29D988C6693E4E082456A2D303593EEEA6CFB2BF163585CFB499335D2C85F342023FF355F3FDD9A16203C8E12228707724CCA
Malicious: false
        Preview:regfE...D....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.J...:.................................................................................................................................................................................................................................................................................................................................................'........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:MS Windows registry file, NT/2000 or above
        Category:dropped
        Size (bytes):1740800
        Entropy (8bit):4.577765358929387
        Encrypted:false
        SSDEEP:6144:Qcifpi6ceLPL9skLmb0moSWSPDaJG8nAgex285i2MMhA20X4WABlGuNK5+9:1i58oSWSZBk2MM6AFBko9
        MD5:33BFF25CFFFEBC782F09CF422F3BD85B
        SHA1:7ED2042068C74A2AC01693748180EE28829F435F
        SHA-256:672095AB29CF28011948CEB7851CEAC355637A52036C06D723CB654DD0F7C526
        SHA-512:09B7D506E1D04F900EF030AED333F247A9C88EBC7550A0E174FDCB9B2CCDCCD4A3DDDAD2C6E82F618159C2C58A99ED0AE5166964BE4B8EFC0B42BB39E708A1AC
        Malicious:false
        Preview:regfD...D....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.J...:.................................................................................................................................................................................................................................................................................................................................................'HvLE........D...........m.k.}P...PZz.lM.....0...@...P..hbin.................\.Z............nk,..\.Z........ ...........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........M...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<...............
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.999165933604983
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:TEKujpTgCK.exe
        File size:47'407'259 bytes
        MD5:65c23b196d8c066197b3d6e9fc3282a2
        SHA1:7a2412047c4c9d9bd3648600240482122173cb44
        SHA256:c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15
        SHA512:1c98f3ee1262af666c22411c18e08b0175887468bf1c186e19fa5ddd845083f36006ded99e11878f303910547bee3324dcc730628cd1b3214d382c37042831f2
        SSDEEP:786432:pOq/jN3x1O1e7yR4mUsc4dtCO6eZST5u3TzmFIlgkAAXSo8K2ZdTq87JEE+cL1QE:L/ZB17y+tVq6eAc3T6FpkAjozKdTDlxR
        TLSH:42A733283398F069E27AC875C75342FE0C526D1AC926F4AA62753E4E7AF8D44F17B341
        File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................p.......,.......................................P.............................
        Icon Hash:55497933cc61714d
        Entrypoint:0x411def
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:
        Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:b5a014d7eeb4c2042897567e1288a095
Instructions at the entry point (0x411def). This is the standard MSVC CRT startup routine: SEH frame setup, __set_app_type(2), __p__fmode, __p__commode, __setusermatherr, _initterm and __getmainargs, which matches the MSVCRT.dll imports listed below.
        push ebp
        mov ebp, esp
        push FFFFFFFFh
        push 00414C50h
        push 00411F80h
        mov eax, dword ptr fs:[00000000h]
        push eax
        mov dword ptr fs:[00000000h], esp
        sub esp, 68h
        push ebx
        push esi
        push edi
        mov dword ptr [ebp-18h], esp
        xor ebx, ebx
        mov dword ptr [ebp-04h], ebx
        push 00000002h
        call dword ptr [00413184h]
        pop ecx
        or dword ptr [00419924h], FFFFFFFFh
        or dword ptr [00419928h], FFFFFFFFh
        call dword ptr [00413188h]
        mov ecx, dword ptr [0041791Ch]
        mov dword ptr [eax], ecx
        call dword ptr [0041318Ch]
        mov ecx, dword ptr [00417918h]
        mov dword ptr [eax], ecx
        mov eax, dword ptr [00413190h]
        mov eax, dword ptr [eax]
        mov dword ptr [00419920h], eax
        call 00007F5088507EA2h
        cmp dword ptr [00417710h], ebx
        jne 00007F5088507D8Eh
        push 00411F78h
        call dword ptr [00413194h]
        pop ecx
        call 00007F5088507E74h
        push 00417048h
        push 00417044h
        call 00007F5088507E5Fh
        mov eax, dword ptr [00417914h]
        mov dword ptr [ebp-6Ch], eax
        lea eax, dword ptr [ebp-6Ch]
        push eax
        push dword ptr [00417910h]
        lea eax, dword ptr [ebp-64h]
        push eax
        lea eax, dword ptr [ebp-70h]
        push eax
        lea eax, dword ptr [ebp-60h]
        push eax
        call dword ptr [0041319Ch]
        push 00417040h
        push 00417000h
        call 00007F5088507E2Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x6cb00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1a000 | 0x6cb00 | 0x6cc00 | bbd437e4641c3885ad89fc27ee6f1626 | False | 0.14299119971264368 | data | 5.721209360114448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Note: the four sections account for 0x81a00 bytes (about 531 KB) of raw data, while the file is 47'407'259 bytes long. Roughly 46.9 MB therefore sit in an overlay after .rsrc that no section header describes, and the file-level entropy of 7.999 reflects that overlay rather than the code of the stub.
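The header fields above (time stamp, entry point, characteristics, section table, entropy, checksum verdict) are all recoverable with a few struct reads, and reproducing them is the quickest way to check a sandbox's static verdict against the bytes. The parser below is an added example, not the sandbox's code: it builds a minimal PE32 in memory (a constructed sample whose TimeDateStamp is the report's 0x4C26F87E and whose section layout is hypothetical), then parses it the way a triage script would, recomputing the PE checksum with the same folding algorithm imagehlp uses and distinguishing a checksum that is merely unset (zero, common for unsigned builds) from one that is wrong.

```python
import math
import struct
from datetime import datetime, timezone

SAMPLE_TIMESTAMP = 0x4C26F87E  # the report's TimeDateStamp; rest of the sample is hypothetical
FILE_ALIGN = 0x200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE checksum as imagehlp computes it: add every dword except the CheckSum
    field with end-around carry, fold to 16 bits, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def build_sample_pe(checksum: int = 0) -> bytes:
    """Emit a minimal PE32 with two sections; checksum=0 mimics an unset field."""
    sections = [  # (name, raw content, characteristics)
        (b".text", bytes(range(256)) * 2, 0x60000020),  # CODE|EXECUTE|READ, uniform bytes
        (b".data", b"\0" * 0x100, 0xC0000040),          # INITIALIZED_DATA|READ|WRITE, zeros
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: i386, section count, timestamp, no symbols, 224-byte optional header,
    # RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), SAMPLE_TIMESTAMP, 0, 0, 224, 0x0103)
    hdr_len = e_lfanew + 4 + 20 + 224 + 40 * len(sections)
    size_of_headers = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<III", 0x400000, 0x1000, FILE_ALIGN)           # ImageBase, alignments
    opt += struct.pack("<HHHHHH", 4, 0, 0, 0, 4, 0)                     # OS/image/subsystem versions
    opt += struct.pack("<IIII", 0, 0x3000, size_of_headers, checksum)  # CheckSum sits at opt+0x40
    opt += struct.pack("<HH", 2, 0)                                     # GUI subsystem
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                  # 16 empty data directories
    sect_hdrs, body, raw_ptr, rva = b"", b"", size_of_headers, 0x1000
    for name, content, flags in sections:
        raw_size = -(-len(content) // FILE_ALIGN) * FILE_ALIGN
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), rva, raw_size,
                                 raw_ptr, 0, 0, 0, 0, flags)
        body += content.ljust(raw_size, b"\0")
        raw_ptr, rva = raw_ptr + raw_size, rva + 0x1000
    headers = dos + b"PE\0\0" + coff + opt + sect_hdrs
    return headers.ljust(size_of_headers, b"\0") + body


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> PE -> optional header -> section table; return the triage facts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 3),
            "executable": bool(flags & 0x20000000),
        })
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    computed = pe_checksum(data, opt + 0x40)
    return {
        "pe32": magic == 0x10B, "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_point": entry, "entry_section": entry_section,
        "relocs_stripped": bool(chars & 0x0001),
        "stored_checksum": stored, "computed_checksum": computed,
        # zero = never set by the linker; a non-zero mismatch = header edited after linking
        "checksum_state": "unset" if stored == 0 else ("valid" if stored == computed else "invalid"),
        "sections": sections,
    }
```

Run `parse_pe(open(path, "rb").read())` on a real file to compare against a report: an entry point outside every section, an executable section whose entropy approaches 8, and a non-zero checksum that does not verify are each worth more attention than an unset one.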
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x1c600 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | | | 0.35714285714285715
RT_CURSOR | 0x1c734 | 0x134 | data | | | 0.44155844155844154
RT_CURSOR | 0x1c868 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.40584415584415584
RT_CURSOR | 0x1c99c | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.5746753246753247
RT_CURSOR | 0x1cad0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966287, 3840 elements, 2nd "\376\017\340\377\377\017\341\377\377\217\343\377\377\337\367\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | | | 0.4642857142857143
RT_CURSOR | 0x1cc04 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.32142857142857145
RT_CURSOR | 0x1cd38 | 0x134 | data | | | 0.3409090909090909
RT_CURSOR | 0x1ce6c | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.4837662337662338
RT_CURSOR | 0x1cfa0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294935297, 3840 elements, 2nd "\200\003\377\201\300\007\377\203\300\017\377\003\340\037\376\007\360\037\370\017\370\003\300\037\374", 3rd | | | 0.711038961038961
RT_CURSOR | 0x1d0d4 | 0x134 | data | | | 0.6038961038961039
RT_CURSOR | 0x1d208 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.36038961038961037
RT_CURSOR | 0x1d33c | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.3474025974025974
RT_CURSOR | 0x1d470 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967040, 3840 elements, 2nd "\376", 3rd | | | 0.4383116883116883
RT_CURSOR | 0x1d5a4 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | | | 0.35064935064935066
RT_CURSOR | 0x1d6d8 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.4512987012987013
RT_CURSOR | 0x1d80c | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.39285714285714285
RT_CURSOR | 0x1d940 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_CURSOR | 0x1da74 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.32142857142857145
RT_CURSOR | 0x1dba8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0x1dcdc | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0x1de10 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x1df44 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0x1e078 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x1e1ac | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x1e2e0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_BITMAP | 0x1e414 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x1e5e4 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | | | 0.46487603305785125
RT_BITMAP | 0x1e7c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x1e998 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39870689655172414
RT_BITMAP | 0x1eb68 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.4245689655172414
RT_BITMAP | 0x1ed38 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5021551724137931
RT_BITMAP | 0x1ef08 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5064655172413793
RT_BITMAP | 0x1f0d8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x1f2a8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5344827586206896
RT_BITMAP | 0x1f478 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x1f648 | 0xc0 | Device independent bitmap graphic, 11 x 11 x 4, image size 88 | Russian | Russia | 0.40625
RT_BITMAP | 0x1f708 | 0xc0 | Device independent bitmap graphic, 11 x 11 x 4, image size 88 | Russian | Russia | 0.40625
RT_BITMAP | 0x1f7c8 | 0xa8 | Device independent bitmap graphic, 10 x 8 x 4, image size 64 | | | 0.49404761904761907
RT_BITMAP | 0x1f870 | 0x134 | Device independent bitmap graphic, 18 x 17 x 4, image size 204 | | | 0.37337662337662336
RT_BITMAP | 0x1f9a4 | 0xb8 | Device independent bitmap graphic, 10 x 10 x 4, image size 80 | Russian | Russia | 0.41304347826086957
RT_BITMAP | 0x1fa5c | 0xb8 | Device independent bitmap graphic, 11 x 10 x 4, image size 80 | Russian | Russia | 0.45652173913043476
RT_BITMAP | 0x1fb14 | 0xb8 | Device independent bitmap graphic, 10 x 10 x 4, image size 80 | Russian | Russia | 0.42391304347826086
RT_BITMAP | 0x1fbcc | 0xb8 | Device independent bitmap graphic, 11 x 10 x 4, image size 80 | Russian | Russia | 0.44565217391304346
RT_BITMAP | 0x1fc84 | 0x90 | Device independent bitmap graphic, 8 x 10 x 4, image size 40 | | | 0.4861111111111111
RT_BITMAP | 0x1fd14 | 0x11c | Device independent bitmap graphic, 38 x 9 x 4, image size 180 | | | 0.4507042253521127
RT_BITMAP | 0x1fe30 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | | | 0.5208333333333334
RT_BITMAP | 0x1fef0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.42857142857142855
RT_BITMAP | 0x1ffd0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.4955357142857143
RT_BITMAP | 0x200b0 | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.5285714285714286
RT_BITMAP | 0x2013c | 0xc8 | Device independent bitmap graphic, 12 x 12 x 4, image size 96 | Russian | Russia | 0.41
RT_BITMAP | 0x20204 | 0xc8 | Device independent bitmap graphic, 12 x 12 x 4, image size 96 | Russian | Russia | 0.39
RT_BITMAP | 0x202cc | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.45
RT_BITMAP | 0x20358 | 0x238 | Device independent bitmap graphic, 29 x 29 x 4, image size 464 | | | 0.25
RT_BITMAP | 0x20590 | 0x238 | Device independent bitmap graphic, 29 x 29 x 4, image size 464 | | | 0.20950704225352113
RT_BITMAP | 0x207c8 | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.5071428571428571
RT_BITMAP | 0x20854 | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.5142857142857142
RT_BITMAP | 0x208e0 | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.4857142857142857
RT_BITMAP | 0x2096c | 0x238 | Device independent bitmap graphic, 29 x 29 x 4, image size 464 | | | 0.21654929577464788
RT_BITMAP | 0x20ba4 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.3232758620689655
RT_BITMAP | 0x20c8c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.28448275862068967
RT_BITMAP | 0x20d74 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.2629310344827586
RT_BITMAP | 0x20e5c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.33189655172413796
RT_BITMAP | 0x20f44 | 0x4ac | Device independent bitmap graphic, 11 x 11 x 8, image size 132 | | | 0.4498327759197324
RT_BITMAP | 0x213f0 | 0x4ac | Device independent bitmap graphic, 11 x 11 x 8, image size 132 | | | 0.459866220735786
RT_BITMAP | 0x2189c | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256 | | | 0.5280303030303031
RT_BITMAP | 0x21dc4 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.38392857142857145
RT_BITMAP | 0x21ea4 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | | | 0.4947916666666667
RT_BITMAP | 0x21f64 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | | | 0.484375
RT_BITMAP | 0x22024 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.42410714285714285
RT_BITMAP | 0x22104 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | | | 0.5104166666666666
RT_BITMAP | 0x221c4 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.5
RT_BITMAP | 0x222a4 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.4870689655172414
RT_BITMAP | 0x2238c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | | | 0.4895833333333333
RT_BITMAP | 0x2244c | 0x378 | Device independent bitmap graphic, 110 x 14 x 4, image size 784 | German | Germany | 0.23085585585585586
RT_BITMAP | 0x227c4 | 0xd8 | Device independent bitmap graphic, 15 x 14 x 4, image size 112, resolution 2834 x 2834 px/m | Serbian | Cyrillic | 0.4675925925925926
RT_BITMAP | 0x2289c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.3794642857142857
RT_ICON | 0x2297c | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.21341463414634146
RT_ICON | 0x22fe4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.34139784946236557
RT_ICON | 0x232cc | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.5202702702702703
RT_ICON | 0x233f4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.47334754797441364
RT_ICON | 0x2429c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.6101083032490975
RT_ICON | 0x24b44 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.596820809248555
RT_ICON | 0x250ac | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.2932572614107884
RT_ICON | 0x27654 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4343339587242026
RT_ICON | 0x286fc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.7198581560283688
RT_DIALOG | 0x28b64 | 0x52 | data | | | 0.7682926829268293
RT_STRING | 0x28bb8 | 0x6c | data | | | 0.6851851851851852
RT_STRING | 0x28c24 | 0x2d0 | data | | | 0.46111111111111114
RT_STRING | 0x28ef4 | 0x250 | data | | | 0.49155405405405406
RT_STRING | 0x29144 | 0x214 | data | | | 0.4567669172932331
RT_STRING | 0x29358 | 0x180 | data | | | 0.5286458333333334
RT_STRING | 0x294d8 | 0x1a4 | data | | | 0.5428571428571428
RT_STRING | 0x2967c | 0x3c0 | data | | | 0.3489583333333333
RT_STRING | 0x29a3c | 0x6a4 | data | | | 0.36
RT_STRING | 0x2a0e0 | 0x48c | data | | | 0.38230240549828176
RT_STRING | 0x2a56c | 0x19c | data | | | 0.5145631067961165
RT_STRING | 0x2a708 | 0xec | data | | | 0.597457627118644
RT_STRING | 0x2a7f4 | 0x1a8 | data | | | 0.5
RT_STRING | 0x2a99c | 0x2b8 | data | | | 0.4454022988505747
RT_STRING | 0x2ac54 | 0x414 | data | | | 0.36398467432950193
RT_STRING | 0x2b068 | 0x3b4 | data | | | 0.37658227848101267
RT_STRING | 0x2b41c | 0x340 | data | | | 0.3762019230769231
RT_STRING | 0x2b75c | 0x354 | data | | | 0.35563380281690143
RT_STRING | 0x2bab0 | 0x2d0 | data | | | 0.4513888888888889
RT_STRING | 0x2bd80 | 0xd8 | data | | | 0.5694444444444444
RT_STRING | 0x2be58 | 0xf0 | data | | | 0.55
RT_STRING | 0x2bf48 | 0x350 | data | | | 0.4033018867924528
RT_STRING | 0x2c298 | 0x384 | data | | | 0.37444444444444447
RT_STRING | 0x2c61c | 0x2d8 | data | | | 0.375
RT_RCDATA | 0x2c8f4 | 0x10 | data | | | 1.5
RT_RCDATA | 0x2c904 | 0x590 | data | | | 0.6327247191011236
RT_RCDATA | 0x2ce94 | 0x133db | Delphi compiled form 'TCreatePluginForm' | | | 0.09238558069305046
RT_RCDATA | 0x40270 | 0x2f1a | Delphi compiled form 'TdxBarCustomizingForm' | | | 0.25543207828827336
RT_RCDATA | 0x4318c | 0x4b0 | Delphi compiled form 'TdxBarItemAddEditor' | | | 0.4608333333333333
RT_RCDATA | 0x4363c | 0x287 | Delphi compiled form 'TdxBarNameEd' | | | 0.6058732612055642
RT_RCDATA | 0x438c4 | 0x171 | Delphi compiled form 'TdxBarSubMenuEditor' | | | 0.7100271002710027
RT_RCDATA | 0x43a38 | 0x1491 | Delphi compiled form 'TFindForm' | | | 0.2641975308641975
RT_RCDATA | 0x44ecc | 0x49c | Delphi compiled form 'TfrmAddGroupItems' | | | 0.4610169491525424
RT_RCDATA | 0x45368 | 0x1595 | Delphi compiled form 'THintForm' | | | 0.11782805429864253
RT_RCDATA | 0x46900 | 0x1aaf | Delphi compiled form 'TInputStringForm' | | | 0.2577953447518665
RT_RCDATA | 0x483b0 | 0x36a23 | Delphi compiled form 'TMainForm' | | | 0.09694832848479974
RT_RCDATA | 0x7edd4 | 0x751e | Delphi compiled form 'TPageForm' | | | 0.1721032619571743
RT_GROUP_CURSOR | 0x862f4 | 0x14 | data | | | 1.35
RT_GROUP_CURSOR | 0x86308 | 0x14 | data | | | 1.3
RT_GROUP_CURSOR | 0x8631c | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x86330 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x86344 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x86358 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x8636c | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x86380 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x86394 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x863a8 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x863bc | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x863d0 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x863e4 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x863f8 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x8640c | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x86420 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x86434 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x86448 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x8645c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x86470 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x86484 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x86498 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x864ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x864c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x864d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x864e8 | 0x84 | data | | | 0.6363636363636364
RT_VERSION | 0x8656c | 0x350 | data | English | United States | 0.47523584905660377
RT_MANIFEST | 0x868bc | 0x244 | XML 1.0 document, ASCII text, with CRLF line terminators | Chinese | China | 0.453448275862069
DLL | Imports
COMCTL32.dll | (no named imports listed)
KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
Language of compilation system | Country where language is spoken
Russian | Russia
German | Germany
Serbian | Cyrillic
English | United States
Chinese | China
        No network behavior found

        Target ID:0
        Start time:07:53:39
        Start date:19/11/2024
        Path:C:\Users\user\Desktop\TEKujpTgCK.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\TEKujpTgCK.exe"
        Imagebase:0x400000
        File size:47'407'259 bytes
        MD5 hash:65C23B196D8C066197B3D6E9FC3282A2
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:3
        Start time:07:53:48
        Start date:19/11/2024
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
        Imagebase:0x410000
        File size:236'544 bytes
        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:4
        Start time:07:53:48
        Start date:19/11/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff75da10000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:5
        Start time:07:53:48
        Start date:19/11/2024
        Path:C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
        Imagebase:0x400000
        File size:649'416 bytes
        MD5 hash:0922B22053A6D5D9516EA910D34A4771
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Antivirus matches:
        • Detection: 0%, ReversingLabs
        Reputation:low
        Has exited:false

        Target ID:8
        Start time:07:53:48
        Start date:19/11/2024
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 956
        Imagebase:0x290000
        File size:483'680 bytes
        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

          Memory Dump Source
          • Source File: 00000000.00000002.1385301671.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_500000_TEKujpTgCK.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c2793ea8b727ee30cf7dfe56bca7f9f16396b1f4e053aea4b006f50796a9003c
          • Instruction ID: 49ec19e4040ffd4d1e2747fb5d1e03d60a054d8406a85dc3726067d4b40c4442
          • Opcode Fuzzy Hash: c2793ea8b727ee30cf7dfe56bca7f9f16396b1f4e053aea4b006f50796a9003c
          • Instruction Fuzzy Hash: 3332DE6144E7C11FC7178770497E499BFA47A13214B0ECADFC8898F8E3E398994AC766

          Execution Graph

          Execution Coverage:3.4%
          Dynamic/Decrypted Code Coverage:0.1%
          Signature Coverage:8.5%
          Total number of Nodes:1234
          Total number of Limit Nodes:27
51535 6caa7f5c 51534->51535 51537 6ca98800 51536->51537 51537->51537 51540 6ca98817 _memcpy_s 51537->51540 51656 6ca9b8a0 194 API calls 4 library calls 51537->51656 51539 6ca98852 51539->51490 51540->51490 51657 6ca974f0 51541->51657 51544 6caa6e18 51667 6caa8a20 51544->51667 51545 6caa6d8e 51711 6ca98140 231 API calls std::ios_base::_Ios_base_dtor 51545->51711 51551 6caa6de5 std::ios_base::_Ios_base_dtor 51551->51499 51553 6caa6e4e 51697 6caa8c80 51553->51697 51556 6caa6e7b 51558 6caa6ed1 std::ios_base::_Ios_base_dtor 51556->51558 51562 6caa704c 51556->51562 51557 6caa6f52 51705 6ca999e0 51557->51705 51712 6ca98140 231 API calls std::ios_base::_Ios_base_dtor 51558->51712 51565 6cc22c7e 194 API calls 51562->51565 51563 6caa6f8a 51724 6ca98140 231 API calls std::ios_base::_Ios_base_dtor 51563->51724 51567 6caa7051 51565->51567 51569 6caa70d0 51568->51569 51569->51569 51570 6ca958c0 194 API calls 51569->51570 51571 6caa70e6 51570->51571 52389 6ca952a0 51571->52389 51573 6caa71ec std::ios_base::_Ios_base_dtor 51573->51505 51574 6caa70fb std::ios_base::_Ios_base_dtor 51574->51573 51575 6cc22c7e 194 API calls 51574->51575 51576 6caa720d 51575->51576 51578 6cc28093 51577->51578 51579 6cc2809d 51577->51579 51580 6cc37420 16 API calls 51578->51580 51581 6cc27fce __wsopen_s 203 API calls 51579->51581 51582 6cc2809a 51580->51582 51583 6cc280b7 51581->51583 51582->51526 51584 6cc27fb1 __wsopen_s 17 API calls 51583->51584 51585 6cc280c4 51584->51585 51586 6cc280cb 51585->51586 52435 6cc37420 DeleteFileW 51585->52435 51588 6cc280e9 51586->51588 51589 6cc31598 ___free_lconv_mon 14 API calls 51586->51589 51588->51526 51589->51588 51591 6caa78c7 51590->51591 51591->51591 51592 6ca958c0 194 API calls 51591->51592 51593 6caa78e0 51592->51593 52441 6caa25f0 51593->52441 51595 6caa78fd 51596 6caa793b GetFileAttributesA 51595->51596 51598 6caa7931 std::ios_base::_Ios_base_dtor 51595->51598 51600 6caa7d5a 51595->51600 51597 6caa7977 SHGetFolderPathA 51596->51597 51603 6caa7bd4 
std::ios_base::_Ios_base_dtor 51596->51603 51601 6caa7994 51597->51601 51597->51603 51598->51596 51599 6caa7c40 std::ios_base::_Ios_base_dtor 51599->51506 51602 6cc22c7e 194 API calls 51600->51602 51605 6ca958c0 194 API calls 51601->51605 51604 6caa7d5f 51602->51604 51603->51599 51607 6cc22c7e 194 API calls 51603->51607 51609 6caa7d69 51603->51609 51606 6cc22c7e 194 API calls 51604->51606 51608 6caa79cb 51605->51608 51606->51603 51607->51609 51610 6caa79de 51608->51610 52445 6ca9b8a0 194 API calls 4 library calls 51608->52445 51611 6cc22c7e 194 API calls 51609->51611 51614 6caa25f0 194 API calls 51610->51614 51613 6caa7d6e 51611->51613 51615 6caa7a5c 51614->51615 51617 6caa7a74 std::ios_base::_Ios_base_dtor 51615->51617 52446 6ca9b8a0 194 API calls 4 library calls 51615->52446 51617->51604 51618 6caa7bab GetFileAttributesA 51617->51618 51619 6caa7ba1 std::ios_base::_Ios_base_dtor 51617->51619 51618->51603 51620 6caa7c45 CoInitialize CoCreateInstance 51618->51620 51619->51618 51621 6caa7c6d MultiByteToWideChar 51620->51621 51622 6caa7d05 CoUninitialize 51620->51622 51623 6caa7cac 51621->51623 51622->51603 51624 6caa7cf3 51623->51624 51625 6caa7cc1 MultiByteToWideChar 51623->51625 51624->51622 51625->51624 51626->51520 51627->51512 51628->51515 51629->51518 51630->51521 51631->51524 51632->51483 51633->51487 52448 6cc22bba 194 API calls _memcpy_s 51634->52448 51636 6cc22c8d 52449 6cc22c9b 11 API calls std::locale::_Setgloballocale 51636->52449 51638 6cc22c9a 51640 6ca95982 51639->51640 51645 6ca958d7 51639->51645 51654 6ca94da0 194 API calls 51640->51654 51642 6ca9590b 51647 6cab4f63 Concurrency::details::ExternalContextBase::~ExternalContextBase 15 API calls 51642->51647 51643 6ca95987 51655 6ca94d00 194 API calls 2 library calls 51643->51655 51645->51642 51646 6ca958dc _memcpy_s 51645->51646 51649 6ca9594a 51645->51649 51650 6ca95953 51645->51650 51646->51530 51648 6ca9591e 51647->51648 51648->51646 51652 6cc22c7e 194 API calls 51648->51652 51649->51642 
51649->51643 51651 6cab4f63 Concurrency::details::ExternalContextBase::~ExternalContextBase 15 API calls 51650->51651 51651->51646 51653 6ca95991 51652->51653 51655->51648 51656->51539 51658 6ca97523 51657->51658 51725 6ca9a7a0 51658->51725 51664 6ca975b3 51665 6ca975d8 51664->51665 51666 6ca96840 231 API calls 51664->51666 51665->51544 51665->51545 51666->51665 51668 6caa8a56 51667->51668 52130 6ca9d1e0 51668->52130 51670 6caa8a6b 51671 6caa6e2a 51670->51671 52141 6ca977b0 51670->52141 51673 6caa8b30 51671->51673 51674 6ca96840 231 API calls 51673->51674 51675 6caa8b7e 51674->51675 51676 6ca9d1e0 261 API calls 51675->51676 51677 6caa8ba3 51676->51677 51678 6caa8bd2 51677->51678 51681 6ca977b0 229 API calls 51677->51681 51679 6ca96840 231 API calls 51678->51679 51680 6caa6e43 51679->51680 51682 6ca98860 51680->51682 51681->51678 51683 6ca9893e 51682->51683 51688 6ca9888b 51682->51688 52235 6ca94da0 194 API calls 51683->52235 51684 6ca98890 _memcpy_s 51684->51553 51686 6ca98943 52236 6ca94d00 194 API calls 2 library calls 51686->52236 51688->51684 51690 6ca9890b 51688->51690 51691 6ca98902 51688->51691 51695 6ca988c3 51688->51695 51689 6cab4f63 Concurrency::details::ExternalContextBase::~ExternalContextBase 15 API calls 51693 6ca988d6 51689->51693 51692 6cab4f63 Concurrency::details::ExternalContextBase::~ExternalContextBase 15 API calls 51690->51692 51691->51686 51691->51695 51692->51684 51693->51684 51694 6cc22c7e 194 API calls 51693->51694 51696 6ca9894d 51694->51696 51695->51689 51698 6caa8cc1 51697->51698 51699 6ca9d1e0 261 API calls 51698->51699 51702 6caa8cd6 51699->51702 51700 6ca96840 231 API calls 51701 6caa6e6b 51700->51701 51701->51556 51701->51557 51703 6caa8d0d 51702->51703 52237 6ca97a80 51702->52237 51703->51700 51706 6ca999fd 51705->51706 51710 6ca99a3a 51705->51710 51707 6ca99850 228 API calls 51706->51707 51708 6ca99a2b 51707->51708 51709 6cc26a50 231 API calls 51708->51709 51709->51710 51710->51563 51713 6ca96840 51710->51713 51711->51551 
51712->51551 51714 6ca9685a 51713->51714 51715 6ca96862 51713->51715 51716 6cc1b8ae Concurrency::cancel_current_task RaiseException 51714->51716 51717 6ca96872 51714->51717 51715->51563 51716->51717 52378 6ca96760 231 API calls 3 library calls 51717->52378 51719 6ca968a8 51720 6cc1b8ae Concurrency::cancel_current_task RaiseException 51719->51720 51721 6ca968b7 51720->51721 52379 6cc1ad11 51721->52379 51724->51551 51726 6ca96840 231 API calls 51725->51726 51727 6ca9a80f 51726->51727 51728 6cab4f63 Concurrency::details::ExternalContextBase::~ExternalContextBase 15 API calls 51727->51728 51729 6ca9a816 51728->51729 51730 6ca9a82d 51729->51730 51767 6cc19b4c 198 API calls 6 library calls 51729->51767 51750 6ca9a960 51730->51750 51733 6ca9a8ab 51735 6ca97579 51733->51735 51768 6cc19d65 9 API calls 2 library calls 51733->51768 51738 6ca9a280 51735->51738 51736 6ca96840 231 API calls 51736->51733 51789 6ca9a6e0 51738->51789 51740 6ca9759f 51741 6ca9a1d0 51740->51741 51742 6ca9a269 51741->51742 51743 6ca9a1f5 51741->51743 51742->51664 51795 6cc19f24 51743->51795 51747 6ca9a213 51804 6ca9afd0 227 API calls 3 library calls 51747->51804 51749 6ca9a233 51749->51664 51769 6cc1996b 51750->51769 51753 6cc1996b std::_Lockit::_Lockit 7 API calls 51754 6ca9a9ab 51753->51754 51757 6cc199c3 std::_Lockit::~_Lockit 2 API calls 51754->51757 51755 6ca9a9cb 51766 6ca9aa18 51755->51766 51782 6ca96410 233 API calls 6 library calls 51755->51782 51757->51755 51758 6ca9a864 51758->51733 51758->51736 51760 6ca9aa28 51761 6ca9aa6b 51760->51761 51762 6ca9aa30 51760->51762 51784 6ca96250 194 API calls 2 library calls 51761->51784 51783 6cc19b19 16 API calls 2 library calls 51762->51783 51765 6ca9aa70 51775 6cc199c3 51766->51775 51767->51730 51768->51735 51770 6cc19981 51769->51770 51771 6cc1997a 51769->51771 51773 6ca9a988 51770->51773 51786 6cc1a49f EnterCriticalSection 51770->51786 51785 6cc30a74 6 API calls std::_Lockit::_Lockit 51771->51785 51773->51753 51773->51755 51776 6cc30a82 51775->51776 
51777 6cc199cd 51775->51777 51788 6cc30a5d LeaveCriticalSection 51776->51788 51779 6cc199e0 51777->51779 51787 6cc1a4ad LeaveCriticalSection 51777->51787 51779->51758 51780 6cc30a89 51780->51758 51782->51760 51783->51766 51784->51765 51785->51773 51786->51773 51787->51779 51788->51780 51790 6cab4f63 Concurrency::details::ExternalContextBase::~ExternalContextBase 15 API calls 51789->51790 51791 6ca9a75d 51790->51791 51793 6ca9a774 51791->51793 51794 6cc19b4c 198 API calls 6 library calls 51791->51794 51793->51740 51794->51793 51796 6cc19e9f 51795->51796 51797 6ca9a202 51796->51797 51805 6cc30dcf 51796->51805 51797->51742 51803 6ca998f0 194 API calls 51797->51803 51803->51747 51804->51749 51807 6cc30d18 ___scrt_is_nonwritable_in_current_image 51805->51807 51806 6cc30d2b 51850 6cc22d6c 14 API calls __dosmaperr 51806->51850 51807->51806 51809 6cc30d4b 51807->51809 51811 6cc30d50 51809->51811 51812 6cc30d5d 51809->51812 51810 6cc30d30 51851 6cc22c6e 194 API calls _memcpy_s 51810->51851 51852 6cc22d6c 14 API calls __dosmaperr 51811->51852 51836 6cc35773 51812->51836 51816 6cc19ef3 51816->51797 51824 6cc27b7f 51816->51824 51818 6cc30d7a 51844 6cc3ba22 51818->51844 51819 6cc30d6d 51853 6cc22d6c 14 API calls __dosmaperr 51819->51853 51825 6cc27b92 _memcpy_s 51824->51825 51998 6cc278d6 51825->51998 51829 6cc19f0e 51829->51797 51830 6cc26a50 51829->51830 51831 6cc26a63 _memcpy_s 51830->51831 52065 6cc2692b 51831->52065 51833 6cc26a6f 52076 6cc20710 194 API calls _memcpy_s 51833->52076 51835 6cc26a7b 51835->51797 51837 6cc3577f ___scrt_is_nonwritable_in_current_image 51836->51837 51855 6cc30a15 EnterCriticalSection 51837->51855 51839 6cc3578d 51856 6cc35817 51839->51856 51845 6cc3b99f 51844->51845 51893 6cc2e3d5 51845->51893 51849 6cc30d8f 51854 6cc30db8 LeaveCriticalSection __fread_nolock 51849->51854 51850->51810 51851->51816 51852->51816 51853->51816 51854->51816 51855->51839 51863 6cc3583a 51856->51863 51857 6cc35892 51872 6cc347ac 51857->51872 51863->51857 51863->51863 
51868 6cc3579a 51863->51868 51879 6cc26d85 EnterCriticalSection 51863->51879 51880 6cc26d99 LeaveCriticalSection 51863->51880 51865 6cc358c3 51888 6cc26d85 EnterCriticalSection 51865->51888 51869 6cc357d3 51868->51869 51892 6cc30a5d LeaveCriticalSection 51869->51892 51871 6cc30d66 51871->51818 51871->51819 51877 6cc347b9 __dosmaperr 51872->51877 51873 6cc347f9 51890 6cc22d6c 14 API calls __dosmaperr 51873->51890 51874 6cc347e4 RtlAllocateHeap 51875 6cc347f7 51874->51875 51874->51877 51881 6cc31598 51875->51881 51877->51873 51877->51874 51889 6cc3af17 EnterCriticalSection LeaveCriticalSection __dosmaperr 51877->51889 51879->51863 51880->51863 51882 6cc315a3 RtlFreeHeap 51881->51882 51883 6cc315cd 51881->51883 51882->51883 51884 6cc315b8 GetLastError 51882->51884 51883->51868 51887 6cc360a7 6 API calls std::_Lockit::_Lockit 51883->51887 51885 6cc315c5 __dosmaperr 51884->51885 51891 6cc22d6c 14 API calls __dosmaperr 51885->51891 51887->51865 51888->51868 51889->51877 51890->51875 51891->51883 51892->51871 51894 6cc2e3f4 51893->51894 51895 6cc2e407 51894->51895 51903 6cc2e41c 51894->51903 51913 6cc22d6c 14 API calls __dosmaperr 51895->51913 51897 6cc2e40c 51914 6cc22c6e 194 API calls _memcpy_s 51897->51914 51899 6cc2e417 51899->51849 51910 6cc41673 51899->51910 51901 6cc2e5ed 51919 6cc22c6e 194 API calls _memcpy_s 51901->51919 51908 6cc2e53c 51903->51908 51915 6cc2affd 203 API calls _memcpy_s 51903->51915 51905 6cc2e58c 51905->51908 51916 6cc2affd 203 API calls _memcpy_s 51905->51916 51907 6cc2e5aa 51907->51908 51917 6cc2affd 203 API calls _memcpy_s 51907->51917 51908->51899 51918 6cc22d6c 14 API calls __dosmaperr 51908->51918 51920 6cc4101b 51910->51920 51913->51897 51914->51899 51915->51905 51916->51907 51917->51908 51918->51901 51919->51899 51921 6cc41027 ___scrt_is_nonwritable_in_current_image 51920->51921 51922 6cc4102e 51921->51922 51925 6cc41059 51921->51925 51940 6cc22d6c 14 API calls __dosmaperr 51922->51940 51924 6cc41033 51941 6cc22c6e 194 API calls 
_memcpy_s 51924->51941 51931 6cc41605 51925->51931 51930 6cc4103d 51930->51849 51943 6cc27fce 51931->51943 51936 6cc4163b 51938 6cc4107d 51936->51938 51939 6cc31598 ___free_lconv_mon 14 API calls 51936->51939 51942 6cc410b0 LeaveCriticalSection __wsopen_s 51938->51942 51939->51938 51940->51924 51941->51930 51942->51930 51944 6cc23b40 __wsopen_s 203 API calls 51943->51944 51945 6cc27fe0 51944->51945 51946 6cc27ff2 51945->51946 51947 6cc35e5d __wsopen_s 5 API calls 51945->51947 51948 6cc27fb1 51946->51948 51947->51946 51949 6cc27eff __wsopen_s 17 API calls 51948->51949 51950 6cc27fc9 51949->51950 51950->51936 51951 6cc41693 51950->51951 51952 6cc413e1 __wsopen_s 194 API calls 51951->51952 51953 6cc416b0 51952->51953 51954 6cc416c5 51953->51954 51955 6cc416de 51953->51955 51957 6cc22d59 __dosmaperr 14 API calls 51954->51957 51956 6cc2ef98 __wsopen_s 18 API calls 51955->51956 51958 6cc416e3 51956->51958 51959 6cc416ca 51957->51959 51960 6cc41703 51958->51960 51961 6cc416ec 51958->51961 51962 6cc22d6c _memcpy_s 14 API calls 51959->51962 51964 6cc4134c __wsopen_s CreateFileW 51960->51964 51963 6cc22d59 __dosmaperr 14 API calls 51961->51963 51965 6cc416d7 51962->51965 51966 6cc416f1 51963->51966 51972 6cc4173c 51964->51972 51965->51936 51967 6cc22d6c _memcpy_s 14 API calls 51966->51967 51967->51959 51968 6cc417b9 GetFileType 51969 6cc417c4 GetLastError 51968->51969 51970 6cc4180b 51968->51970 51974 6cc22d12 __dosmaperr 14 API calls 51969->51974 51977 6cc2eee3 __wsopen_s 15 API calls 51970->51977 51971 6cc4178e GetLastError 51973 6cc22d12 __dosmaperr 14 API calls 51971->51973 51972->51968 51972->51971 51975 6cc4134c __wsopen_s CreateFileW 51972->51975 51973->51959 51976 6cc417d2 CloseHandle 51974->51976 51978 6cc41781 51975->51978 51976->51959 51979 6cc417fb 51976->51979 51980 6cc4182c 51977->51980 51978->51968 51978->51971 51981 6cc22d6c _memcpy_s 14 API calls 51979->51981 51982 6cc41878 51980->51982 51984 6cc4155b __wsopen_s 234 API calls 51980->51984 51983 6cc41800 
51981->51983 51985 6cc410f6 __wsopen_s 234 API calls 51982->51985 51987 6cc4187f 51982->51987 51983->51959 51984->51982 51986 6cc418ad 51985->51986 51986->51987 51988 6cc418bb 51986->51988 51989 6cc356a3 __wsopen_s 197 API calls 51987->51989 51988->51965 51990 6cc41937 CloseHandle 51988->51990 51989->51965 51991 6cc4134c __wsopen_s CreateFileW 51990->51991 51992 6cc41962 51991->51992 51993 6cc4196c GetLastError 51992->51993 51997 6cc41998 51992->51997 51994 6cc22d12 __dosmaperr 14 API calls 51993->51994 51995 6cc41978 51994->51995 51996 6cc2f0ab __wsopen_s 15 API calls 51995->51996 51996->51997 51997->51965 52000 6cc278e2 ___scrt_is_nonwritable_in_current_image 51998->52000 51999 6cc278e8 52020 6cc22bf1 29 API calls 2 library calls 51999->52020 52000->51999 52002 6cc2792b 52000->52002 52010 6cc26d85 EnterCriticalSection 52002->52010 52003 6cc27903 52009 6cc20710 194 API calls _memcpy_s 52003->52009 52005 6cc27937 52011 6cc27a59 52005->52011 52007 6cc2794d 52021 6cc27976 LeaveCriticalSection __fread_nolock 52007->52021 52009->51829 52010->52005 52012 6cc27a7f 52011->52012 52013 6cc27a6c 52011->52013 52022 6cc27980 52012->52022 52013->52007 52016 6cc27aa2 52019 6cc27b30 52016->52019 52026 6cc26801 52016->52026 52019->52007 52020->52003 52021->52003 52023 6cc27991 52022->52023 52025 6cc279e9 52022->52025 52023->52025 52035 6cc3727a 196 API calls 2 library calls 52023->52035 52025->52016 52027 6cc2681a 52026->52027 52028 6cc26841 52026->52028 52027->52028 52036 6cc2e713 52027->52036 52032 6cc372ba 52028->52032 52030 6cc26836 52043 6cc35242 226 API calls 3 library calls 52030->52043 52046 6cc37199 52032->52046 52034 6cc372d3 52034->52019 52035->52025 52037 6cc2e734 52036->52037 52038 6cc2e71f 52036->52038 52037->52030 52044 6cc22d6c 14 API calls __dosmaperr 52038->52044 52040 6cc2e724 52045 6cc22c6e 194 API calls _memcpy_s 52040->52045 52042 6cc2e72f 52042->52030 52043->52028 52044->52040 52045->52042 52052 6cc2f13c 52046->52052 52048 6cc371ab 52049 6cc371c7 
SetFilePointerEx 52048->52049 52051 6cc371b3 __wsopen_s 52048->52051 52050 6cc371df GetLastError 52049->52050 52049->52051 52050->52051 52051->52034 52053 6cc2f149 52052->52053 52054 6cc2f15e 52052->52054 52055 6cc22d59 __dosmaperr 14 API calls 52053->52055 52056 6cc22d59 __dosmaperr 14 API calls 52054->52056 52058 6cc2f183 52054->52058 52057 6cc2f14e 52055->52057 52059 6cc2f18e 52056->52059 52060 6cc22d6c _memcpy_s 14 API calls 52057->52060 52058->52048 52061 6cc22d6c _memcpy_s 14 API calls 52059->52061 52062 6cc2f156 52060->52062 52063 6cc2f196 52061->52063 52062->52048 52064 6cc22c6e _memcpy_s 194 API calls 52063->52064 52064->52062 52066 6cc26937 ___scrt_is_nonwritable_in_current_image 52065->52066 52067 6cc26941 52066->52067 52068 6cc26964 52066->52068 52092 6cc22bf1 29 API calls 2 library calls 52067->52092 52075 6cc2695c 52068->52075 52077 6cc26d85 EnterCriticalSection 52068->52077 52071 6cc26982 52078 6cc269c2 52071->52078 52073 6cc2698f 52093 6cc269ba LeaveCriticalSection __fread_nolock 52073->52093 52075->51833 52076->51835 52077->52071 52079 6cc269f2 52078->52079 52080 6cc269cf 52078->52080 52082 6cc26801 ___scrt_uninitialize_crt 226 API calls 52079->52082 52091 6cc269ea 52079->52091 52105 6cc22bf1 29 API calls 2 library calls 52080->52105 52083 6cc26a0a 52082->52083 52094 6cc358d9 52083->52094 52086 6cc2e713 __fread_nolock 194 API calls 52087 6cc26a1e 52086->52087 52098 6cc35600 52087->52098 52090 6cc31598 ___free_lconv_mon 14 API calls 52090->52091 52091->52073 52092->52075 52093->52075 52095 6cc358f0 52094->52095 52096 6cc26a12 52094->52096 52095->52096 52097 6cc31598 ___free_lconv_mon 14 API calls 52095->52097 52096->52086 52097->52096 52100 6cc35629 52098->52100 52101 6cc26a25 52098->52101 52099 6cc35678 52114 6cc22bf1 29 API calls 2 library calls 52099->52114 52100->52099 52103 6cc35650 52100->52103 52101->52090 52101->52091 52106 6cc3556f 52103->52106 52105->52091 52107 6cc3557b ___scrt_is_nonwritable_in_current_image 52106->52107 52115 6cc2eec0 
EnterCriticalSection 52107->52115 52109 6cc35589 52112 6cc355ba 52109->52112 52116 6cc356d3 52109->52116 52129 6cc355f4 LeaveCriticalSection __wsopen_s 52112->52129 52113 6cc355dd 52113->52101 52114->52101 52115->52109 52117 6cc2f13c __wsopen_s 194 API calls 52116->52117 52119 6cc356e3 52117->52119 52118 6cc356e9 52120 6cc2f0ab __wsopen_s 15 API calls 52118->52120 52119->52118 52121 6cc3571b 52119->52121 52123 6cc2f13c __wsopen_s 194 API calls 52119->52123 52128 6cc35741 __wsopen_s 52120->52128 52121->52118 52122 6cc2f13c __wsopen_s 194 API calls 52121->52122 52124 6cc35727 CloseHandle 52122->52124 52125 6cc35712 52123->52125 52124->52118 52126 6cc35733 GetLastError 52124->52126 52127 6cc2f13c __wsopen_s 194 API calls 52125->52127 52126->52118 52127->52121 52128->52112 52129->52113 52131 6ca9d214 52130->52131 52133 6ca9d242 52130->52133 52132 6ca96840 231 API calls 52131->52132 52135 6ca9d22d 52132->52135 52137 6ca9d24e 52133->52137 52149 6ca9a380 231 API calls 52133->52149 52134 6ca9d31d 52134->51670 52135->51670 52137->52134 52138 6ca9a960 233 API calls 52137->52138 52139 6ca9d28d 52138->52139 52139->52134 52140 6ca96840 231 API calls 52139->52140 52140->52134 52142 6ca977c8 52141->52142 52148 6ca9782e 52142->52148 52150 6ca99850 52142->52150 52145 6ca9781a 52145->52148 52160 6cc270d4 52145->52160 52148->51671 52149->52137 52151 6ca9985f 52150->52151 52152 6ca977f9 52150->52152 52151->52152 52174 6cc2709a 228 API calls _memcpy_s 52151->52174 52152->52145 52152->52148 52154 6cc27b45 52152->52154 52155 6cc27b58 _memcpy_s 52154->52155 52156 6cc278d6 228 API calls 52155->52156 52157 6cc27b6d 52156->52157 52175 6cc20710 194 API calls _memcpy_s 52157->52175 52159 6cc27b7a 52159->52145 52161 6cc270f4 52160->52161 52162 6cc270df 52160->52162 52164 6cc27111 52161->52164 52165 6cc270fc 52161->52165 52182 6cc22d6c 14 API calls __dosmaperr 52162->52182 52176 6cc2ed31 52164->52176 52184 6cc22d6c 14 API calls __dosmaperr 52165->52184 52167 6cc270e4 52183 6cc22c6e 194 API calls 
_memcpy_s 52167->52183 52169 6cc2710c 52169->52148 52171 6cc27101 52185 6cc22c6e 194 API calls _memcpy_s 52171->52185 52172 6cc270ef 52172->52148 52174->52152 52175->52159 52177 6cc2ed45 _memcpy_s 52176->52177 52186 6cc2e73a 52177->52186 52181 6cc2ed5f 52181->52169 52182->52167 52183->52172 52184->52171 52185->52169 52187 6cc2e746 ___scrt_is_nonwritable_in_current_image 52186->52187 52188 6cc2e770 52187->52188 52189 6cc2e74d 52187->52189 52198 6cc26d85 EnterCriticalSection 52188->52198 52213 6cc22bf1 29 API calls 2 library calls 52189->52213 52192 6cc2e766 52197 6cc20710 194 API calls _memcpy_s 52192->52197 52193 6cc2e77e 52199 6cc2e7c9 52193->52199 52195 6cc2e78d 52214 6cc2e7bf LeaveCriticalSection __fread_nolock 52195->52214 52197->52181 52198->52193 52200 6cc2e800 52199->52200 52201 6cc2e7d8 52199->52201 52203 6cc2e713 __fread_nolock 194 API calls 52200->52203 52218 6cc22bf1 29 API calls 2 library calls 52201->52218 52204 6cc2e809 52203->52204 52215 6cc3725c 52204->52215 52207 6cc2e8b3 52219 6cc2eb35 199 API calls 4 library calls 52207->52219 52209 6cc2e8ca 52212 6cc2e7f3 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 52209->52212 52220 6cc2e96a 198 API calls 2 library calls 52209->52220 52210 6cc2e8c2 52210->52212 52212->52195 52213->52192 52214->52192 52221 6cc37074 52215->52221 52218->52212 52219->52210 52220->52212 52222 6cc37080 ___scrt_is_nonwritable_in_current_image 52221->52222 52223 6cc2e827 52222->52223 52224 6cc370c3 52222->52224 52226 6cc37109 52222->52226 52223->52207 52223->52209 52223->52212 52233 6cc22bf1 29 API calls 2 library calls 52224->52233 52232 6cc2eec0 EnterCriticalSection 52226->52232 52228 6cc3710f 52229 6cc37130 52228->52229 52230 6cc37199 __fread_nolock 196 API calls 52228->52230 52234 6cc37191 LeaveCriticalSection __wsopen_s 52229->52234 52230->52229 52232->52228 52233->52223 52234->52223 52236->51693 52241 6ca97a98 _memcpy_s 52237->52241 52238 6ca97c44 52239 6ca97a9e _memcpy_s 52238->52239 52243 6cc277a2 52238->52243 52239->51703 
52240 6cc277a2 __fread_nolock 207 API calls 52240->52241 52241->52238 52241->52239 52241->52240 52246 6cc277bf 52243->52246 52248 6cc277cb ___scrt_is_nonwritable_in_current_image 52246->52248 52247 6cc277ba 52247->52239 52248->52247 52249 6cc27815 52248->52249 52250 6cc277de _memcpy_s 52248->52250 52259 6cc26d85 EnterCriticalSection 52249->52259 52273 6cc22d6c 14 API calls __dosmaperr 52250->52273 52253 6cc2781f 52260 6cc275c9 52253->52260 52254 6cc277f8 52274 6cc22c6e 194 API calls _memcpy_s 52254->52274 52259->52253 52263 6cc275db _memcpy_s 52260->52263 52266 6cc275f8 52260->52266 52261 6cc275e8 52343 6cc22d6c 14 API calls __dosmaperr 52261->52343 52263->52261 52263->52266 52268 6cc27639 __fread_nolock 52263->52268 52264 6cc275ed 52344 6cc22c6e 194 API calls _memcpy_s 52264->52344 52275 6cc27854 LeaveCriticalSection __fread_nolock 52266->52275 52267 6cc27764 _memcpy_s 52346 6cc22d6c 14 API calls __dosmaperr 52267->52346 52268->52266 52268->52267 52270 6cc2e713 __fread_nolock 194 API calls 52268->52270 52276 6cc36ce9 52268->52276 52345 6cc26519 194 API calls _memcpy_s 52268->52345 52270->52268 52273->52254 52274->52247 52275->52247 52277 6cc36d13 52276->52277 52278 6cc36cfb 52276->52278 52280 6cc37055 52277->52280 52285 6cc36d56 52277->52285 52356 6cc22d59 14 API calls __dosmaperr 52278->52356 52372 6cc22d59 14 API calls __dosmaperr 52280->52372 52281 6cc36d00 52357 6cc22d6c 14 API calls __dosmaperr 52281->52357 52284 6cc3705a 52373 6cc22d6c 14 API calls __dosmaperr 52284->52373 52286 6cc36d08 52285->52286 52288 6cc36d61 52285->52288 52293 6cc36d91 52285->52293 52286->52268 52358 6cc22d59 14 API calls __dosmaperr 52288->52358 52290 6cc36d6e 52374 6cc22c6e 194 API calls _memcpy_s 52290->52374 52291 6cc36d66 52359 6cc22d6c 14 API calls __dosmaperr 52291->52359 52295 6cc36daa 52293->52295 52296 6cc36db7 52293->52296 52297 6cc36de5 52293->52297 52295->52296 52298 6cc36dd3 52295->52298 52360 6cc22d59 14 API calls __dosmaperr 52296->52360 52363 6cc315d2 15 API calls 2 
library calls 52297->52363 52347 6cc3db87 52298->52347 52302 6cc36dbc 52361 6cc22d6c 14 API calls __dosmaperr 52302->52361 52303 6cc36df6 52307 6cc31598 ___free_lconv_mon 14 API calls 52303->52307 52306 6cc36f31 52309 6cc36fa5 52306->52309 52312 6cc36f4a GetConsoleMode 52306->52312 52310 6cc36dff 52307->52310 52308 6cc36dc3 52362 6cc22c6e 194 API calls _memcpy_s 52308->52362 52314 6cc36fa9 ReadFile 52309->52314 52313 6cc31598 ___free_lconv_mon 14 API calls 52310->52313 52312->52309 52317 6cc36f5b 52312->52317 52318 6cc36e06 52313->52318 52315 6cc36fc1 52314->52315 52316 6cc3701d GetLastError 52314->52316 52315->52316 52321 6cc36f9a 52315->52321 52319 6cc36f81 52316->52319 52320 6cc3702a 52316->52320 52317->52314 52322 6cc36f61 ReadConsoleW 52317->52322 52323 6cc36e10 52318->52323 52324 6cc36e2b 52318->52324 52340 6cc36dce __fread_nolock 52319->52340 52367 6cc22d12 14 API calls 2 library calls 52319->52367 52370 6cc22d6c 14 API calls __dosmaperr 52320->52370 52335 6cc36fe6 52321->52335 52336 6cc36ffd 52321->52336 52321->52340 52322->52321 52327 6cc36f7b GetLastError 52322->52327 52364 6cc22d6c 14 API calls __dosmaperr 52323->52364 52366 6cc3727a 196 API calls 2 library calls 52324->52366 52327->52319 52328 6cc31598 ___free_lconv_mon 14 API calls 52328->52286 52330 6cc3702f 52371 6cc22d59 14 API calls __dosmaperr 52330->52371 52331 6cc36e39 52331->52298 52333 6cc36e15 52365 6cc22d59 14 API calls __dosmaperr 52333->52365 52368 6cc369fb 199 API calls 3 library calls 52335->52368 52339 6cc37016 52336->52339 52336->52340 52369 6cc36841 197 API calls __fread_nolock 52339->52369 52340->52328 52342 6cc36e20 52342->52340 52343->52264 52344->52266 52345->52268 52346->52264 52348 6cc3db94 52347->52348 52350 6cc3dba1 52347->52350 52375 6cc22d6c 14 API calls __dosmaperr 52348->52375 52352 6cc3dbad 52350->52352 52376 6cc22d6c 14 API calls __dosmaperr 52350->52376 52351 6cc3db99 52351->52306 52352->52306 52354 6cc3dbce 52377 6cc22c6e 194 API calls _memcpy_s 52354->52377 

          Control-flow Graph (function at 6ca94e30)
          APIs
          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6CA94E89
          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6CA94F0A
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: BinaryCryptString
          • String ID: Failed to acquire cryptographic context.$Failed to calculate base64 decoded size.$Failed to create hash object.$Failed to decode base64 string.$Failed to decrypt data.$Failed to get hash length.$Failed to get hash value.$Failed to hash data.$Failed to import key.$Failed to set IV.$Failed to set cipher mode.$Invalid encrypted data header.$Salt$`nmu$ed__$wi65
          • API String ID: 80407269-3879860581
          • Opcode ID: 0adedd7e6fada7eb0f905d0ae3a537ff5eea13b264c691df3362b23de498116d
          • Instruction ID: a471d77dad06620ca38cc6f273a412818c69f36a5ba05335d78f80f92f42f372
          • Opcode Fuzzy Hash: 0adedd7e6fada7eb0f905d0ae3a537ff5eea13b264c691df3362b23de498116d
          • Instruction Fuzzy Hash: 2731A271A10205EBEB10CF98CD96BAEBBF8EB04714F244559F514EB7C0E7B4A944CBA1

          Control-flow Graph (function at 6caa7850)
          APIs
          • GetFileAttributesA.KERNELBASE(?), ref: 6CAA7968
          • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 6CAA7986
          • GetFileAttributesA.KERNELBASE(?,00000004,00000000,.lnk,00000004,?), ref: 6CAA7BC9
          • CoInitialize.OLE32(00000000), ref: 6CAA7C47
          • CoCreateInstance.OLE32(6CC89BD8,00000000,00000001,6CC94A88,?), ref: 6CAA7C5F
          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 6CAA7C9A
          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 6CAA7CDF
          • CoUninitialize.COMBASE ref: 6CAA7D05
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: AttributesByteCharFileMultiWide$CreateFolderInitializeInstancePathUninitialize
          • String ID: .lnk$Down$load
          • API String ID: 120116150-380299436
          • Opcode ID: f2c9a808fd533f7c85d3667bf53fabc6cce47ce9b7f081af8d412d0808ee36e2
          • Instruction ID: ea671a3b89c5da946761e15f7a06ff42af816adc054d04979162ee52dbac056c
          • Opcode Fuzzy Hash: f2c9a808fd533f7c85d3667bf53fabc6cce47ce9b7f081af8d412d0808ee36e2
          • Instruction Fuzzy Hash: C5E1F570D102089FDB04CFA4CD94BEEBBB5EF45308F248288E055EBA95DB709AC6CB51

          Control-flow Graph

          APIs
            • Part of subcall function 6CA94E30: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6CA94E89
            • Part of subcall function 6CA94E30: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6CA94F0A
          • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 6CA953BA
          • CryptImportKey.ADVAPI32(00000000,00000208,00000014,00000000,00000000,?), ref: 6CA9540F
          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6CA9541E
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Crypt$BinaryContextString$AcquireImportRelease
          • String ID: Failed to import key.$Salt$ed__$wi65
          • API String ID: 552557845-1924075180
          • Opcode ID: 325abb51a64f758683b547f3e277e0888f856390d7218b6d8e7bde969954376d
          • Instruction ID: 125c4682850f6b91c690040c20c97bb1dad3c4d0ee7fe920998d398e67fb9802
          • Opcode Fuzzy Hash: 325abb51a64f758683b547f3e277e0888f856390d7218b6d8e7bde969954376d
          • Instruction Fuzzy Hash: FF51A5719102089FEB10CFA4CD5ABDEBBF8EF01308F244518E555AB680DB75A989CF51

          Control-flow Graph (function at 6caa7560)
          APIs
          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?), ref: 6CAA75CF
          • Process32FirstW.KERNEL32(00000000,?), ref: 6CAA7611
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6CAA763D
          • Process32NextW.KERNEL32(?,0000022C), ref: 6CAA7747
          • CloseHandle.KERNELBASE(00000000,?,?), ref: 6CAA7756
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSnapshotToolhelp32Wide
          • String ID:
          • API String ID: 4013288513-0
          • Opcode ID: 38565062a3dfde2a1fcd9c9feb789d6307837ca1b4030c2db5ee18926eef4026
          • Instruction ID: cb79ccb0aae5288f92b6f2df542e6cc9ce35244da8b0e1617324caa5d1301f44
          • Opcode Fuzzy Hash: 38565062a3dfde2a1fcd9c9feb789d6307837ca1b4030c2db5ee18926eef4026
          • Instruction Fuzzy Hash: E0714871D142089FDB05CFA4CC94BEEB7B9EF45314F288358E414A7A85E7706ACACB90

          Control-flow Graph

          APIs
          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,756D6E60), ref: 6CA94FA2
          • CryptDestroyHash.ADVAPI32(?,?,6CCB68B4,Failed to acquire cryptographic context.), ref: 6CA95261
          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CA9526C
          Strings
          • Failed to hash data., xrefs: 6CA95272
          • Failed to acquire cryptographic context., xrefs: 6CA95243
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Crypt$Context$AcquireDestroyHashRelease
          • String ID: Failed to acquire cryptographic context.$Failed to hash data.
          • API String ID: 2937476097-442885999
          • Opcode ID: bd40860b72128b27a55909d13fa497d5e1727f628aaf8654f5568e68d29fb899
          • Instruction ID: 64c62b7c80ab6168e6a7a87ca07447cee5f51c7e99f3a5f78f821e5be381a856
          • Opcode Fuzzy Hash: bd40860b72128b27a55909d13fa497d5e1727f628aaf8654f5568e68d29fb899
          • Instruction Fuzzy Hash: 1911F8B1D10258AFDF40DFE8CD45BDEBBF8AB08700F204929E114F6A80E77556488B50
          Memory Dump Source
          • Source File: 00000005.00000002.2539107475.000000000049F000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000005.00000002.2538875705.0000000000400000.00000002.00000001.01000000.00000005.sdmp
          • Associated: 00000005.00000002.2538910241.0000000000401000.00000020.00000001.01000000.00000005.sdmp
          • Associated: 00000005.00000002.2538942091.000000000040C000.00000002.00000001.01000000.00000005.sdmp
          • Associated: 00000005.00000002.2538942091.0000000000414000.00000002.00000001.01000000.00000005.sdmp
          • Associated: 00000005.00000002.2538942091.0000000000456000.00000002.00000001.01000000.00000005.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_400000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: InitializeThunk
          • String ID:
          • API String ID: 2994545307-0
          • Opcode ID: eda3440530c695fabe89684c08ced21f14d361cbd0f309897fafc30276024117
          • Instruction ID: 43da5d217c0980cd259a2d2a29eecca7fa398e6e45ce52ccb5a58d6b0a96cd39
          • Opcode Fuzzy Hash: eda3440530c695fabe89684c08ced21f14d361cbd0f309897fafc30276024117

          Control-flow Graph (function at 6cac004e)
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAC0058
            • Part of subcall function 6CABD5B9: __EH_prolog3.LIBCMT ref: 6CABD5C0
            • Part of subcall function 6CABD5B9: GetWindowDC.USER32(00000000,00000004,6CAC05D3,00000000), ref: 6CABD5EC
          • GetDeviceCaps.GDI32(?,00000058), ref: 6CAC0078
          • DeleteObject.GDI32(00000000), ref: 6CAC00D4
          • DeleteObject.GDI32(00000000), ref: 6CAC00F2
          • DeleteObject.GDI32(00000000), ref: 6CAC0110
          • DeleteObject.GDI32(00000000), ref: 6CAC012E
          • DeleteObject.GDI32(00000000), ref: 6CAC014C
          • DeleteObject.GDI32(00000000), ref: 6CAC016A
          • DeleteObject.GDI32(00000000), ref: 6CAC0188
          • DeleteObject.GDI32(00000000), ref: 6CAC01A6
          • DeleteObject.GDI32(00000000), ref: 6CAC01C4
          • DeleteObject.GDI32(00000000), ref: 6CAC01E2
          • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6CAC021A
          • lstrcpyW.KERNEL32(?,?), ref: 6CAC026F
          • EnumFontFamiliesW.GDI32(?,00000000,6CABF89C,Segoe UI), ref: 6CAC0296
          • lstrcpyW.KERNEL32(?,Segoe UI), ref: 6CAC02A9
          • EnumFontFamiliesW.GDI32(?,00000000,6CABF89C,Tahoma), ref: 6CAC02C7
          • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6CAC02E1
          • CreateFontIndirectW.GDI32(?), ref: 6CAC02EB
          • CreateFontIndirectW.GDI32(?), ref: 6CAC0333
          • CreateFontIndirectW.GDI32(?), ref: 6CAC0372
          • CreateFontIndirectW.GDI32(?), ref: 6CAC039E
          • CreateFontIndirectW.GDI32(?), ref: 6CAC03BF
          • GetSystemMetrics.USER32(00000048), ref: 6CAC03DE
          • lstrcpyW.KERNEL32(?,Marlett), ref: 6CAC03F1
          • CreateFontIndirectW.GDI32(?), ref: 6CAC03FB
          • GetStockObject.GDI32(00000011), ref: 6CAC0427
          • GetObjectW.GDI32(00000000,0000005C,?), ref: 6CAC0442
          • lstrcpyW.KERNEL32(?,Arial), ref: 6CAC0483
          • CreateFontIndirectW.GDI32(?), ref: 6CAC048D
          • CreateFontIndirectW.GDI32(?), ref: 6CAC04A6
          • GetObjectW.GDI32(?,0000005C,?), ref: 6CAC04C4
          • CreateFontIndirectW.GDI32(?), ref: 6CAC04D2
          • CreateFontIndirectW.GDI32(?), ref: 6CAC04F3
            • Part of subcall function 6CAC098B: __EH_prolog3_GS.LIBCMT ref: 6CAC0992
            • Part of subcall function 6CAC098B: GetTextMetricsW.GDI32(?,?), ref: 6CAC09C7
            • Part of subcall function 6CAC098B: GetTextMetricsW.GDI32(?,?), ref: 6CAC0A07
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
          • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
          • API String ID: 2837096512-1395034203
          • Opcode ID: 9af13ff16677cd8d270995eb3b4e6f76060e5e3cfd69059274a5d5efca408bda
          • Instruction ID: 6df18fdcb890d84ce9f4a81586950827ec211e836f382bb4cfe96abb1c79fd31
          • Opcode Fuzzy Hash: 9af13ff16677cd8d270995eb3b4e6f76060e5e3cfd69059274a5d5efca408bda
          • Instruction Fuzzy Hash: ADE13AB1A01348DBDF119FB0CD48BDEBBBCAF05308F448599E11ABB640EB349999CB51

          Control-flow Graph

          APIs
          • __EH_prolog3.LIBCMT ref: 6CAC0574
          • GetSysColor.USER32(00000016), ref: 6CAC057D
          • GetSysColor.USER32(0000000F), ref: 6CAC0590
          • GetSysColor.USER32(00000015), ref: 6CAC05A7
          • GetSysColor.USER32(0000000F), ref: 6CAC05B3
          • GetDeviceCaps.GDI32(?,0000000C), ref: 6CAC05DB
          • GetSysColor.USER32(0000000F), ref: 6CAC05E9
          • GetSysColor.USER32(00000010), ref: 6CAC05F7
          • GetSysColor.USER32(00000015), ref: 6CAC0605
          • GetSysColor.USER32(00000016), ref: 6CAC0613
          • GetSysColor.USER32(00000014), ref: 6CAC0621
          • GetSysColor.USER32(00000012), ref: 6CAC062F
          • GetSysColor.USER32(00000011), ref: 6CAC063D
          • GetSysColor.USER32(00000006), ref: 6CAC0648
          • GetSysColor.USER32(0000000D), ref: 6CAC0653
          • GetSysColor.USER32(0000000E), ref: 6CAC065E
          • GetSysColor.USER32(00000005), ref: 6CAC0669
          • GetSysColor.USER32(00000008), ref: 6CAC0677
          • GetSysColor.USER32(00000009), ref: 6CAC0682
          • GetSysColor.USER32(00000007), ref: 6CAC068D
          • GetSysColor.USER32(00000002), ref: 6CAC0698
          • GetSysColor.USER32(00000003), ref: 6CAC06A3
          • GetSysColor.USER32(0000001B), ref: 6CAC06B1
          • GetSysColor.USER32(0000001C), ref: 6CAC06BF
          • GetSysColor.USER32(0000000A), ref: 6CAC06CD
          • GetSysColor.USER32(0000000B), ref: 6CAC06DB
          • GetSysColor.USER32(00000013), ref: 6CAC06E9
          • GetSysColor.USER32(0000001A), ref: 6CAC0712
          • GetSysColorBrush.USER32(00000010), ref: 6CAC0723
          • GetSysColorBrush.USER32(00000014), ref: 6CAC0736
          • GetSysColorBrush.USER32(00000005), ref: 6CAC0749
          • CreateSolidBrush.GDI32(?), ref: 6CAC076A
          • CreateSolidBrush.GDI32(?), ref: 6CAC0788
          • CreateSolidBrush.GDI32(00000006), ref: 6CAC07A6
          • CreateSolidBrush.GDI32(?), ref: 6CAC07C7
          • CreateSolidBrush.GDI32(?), ref: 6CAC07E5
          • CreateSolidBrush.GDI32(?), ref: 6CAC0803
          • CreateSolidBrush.GDI32(?), ref: 6CAC0821
          • CreatePen.GDI32(00000000,00000001,00000000), ref: 6CAC0847
          • CreatePen.GDI32(00000000,00000001,00000000), ref: 6CAC086B
          • CreatePen.GDI32(00000000,00000001,00000000), ref: 6CAC088F
          • CreateSolidBrush.GDI32(?), ref: 6CAC090D
          • CreatePatternBrush.GDI32(00000000), ref: 6CAC094B
            • Part of subcall function 6CABE03F: DeleteObject.GDI32(00000000), ref: 6CABE04E
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
          • String ID:
          • API String ID: 3754413814-0
          • Opcode ID: fc653eba108ed2918283b5c545dfbb47b52b0a38ec713a356af4af4514f58c50
          • Instruction ID: 7673131a00e4afa21d6208b3f7e1f51571b0b4388e2fba1485bb11d6b282f20f
          • Opcode Fuzzy Hash: fc653eba108ed2918283b5c545dfbb47b52b0a38ec713a356af4af4514f58c50
          • Instruction Fuzzy Hash: BCC1AC71B00A02AFDB059FB089087EDBBB4BF09705F448119E615F7A81DB35A5A8EFD1

          Control-flow Graph

          APIs
          • GetLastInputInfo.USER32 ref: 6CAA8154
          • GetTickCount.KERNEL32 ref: 6CAA815A
          • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 6CAA8493
            • Part of subcall function 6CAA7DD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6CAA7E17
            • Part of subcall function 6CAA6D30: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CAA702F
          • CreateThread.KERNELBASE(00000000,00000000,6CAA7560,6CCBCB7C,00000000,00000000), ref: 6CAA83C2
          • CreateThread.KERNELBASE(00000000,00000000,6CAA72A0,00000000,00000000,00000000), ref: 6CAA83D3
          • WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6CAA83E1
          • CloseHandle.KERNEL32(00000000), ref: 6CAA83EF
            • Part of subcall function 6CAA7F60: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 6CAA7FA7
            • Part of subcall function 6CAA7D70: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 6CAA7D8D
            • Part of subcall function 6CA96970: GetTempPathA.KERNEL32(00000104,?,771B0F10,00000000), ref: 6CA969B7
            • Part of subcall function 6CAA7210: GetModuleHandleA.KERNEL32(yyzyBase.dll,?,00000000), ref: 6CAA7218
            • Part of subcall function 6CAA7210: FindResourceW.KERNEL32(00000000,CONFIG,AFX_DIALOG_LAYOUT), ref: 6CAA722B
            • Part of subcall function 6CAA7210: LoadResource.KERNEL32(00000000,00000000), ref: 6CAA7239
            • Part of subcall function 6CAA7210: SizeofResource.KERNEL32(00000000,00000000), ref: 6CAA7243
            • Part of subcall function 6CAA7210: LockResource.KERNEL32(00000000), ref: 6CAA724C
          • CreateThread.KERNEL32(00000000,00000000,6CAA7290,00000000,00000000,00000000), ref: 6CAA8469
            • Part of subcall function 6CAA62B0: WSAStartup.WS2_32(00000202,?), ref: 6CAA62CF
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ModuleResource$CreateFileNameThread$Handle$CloseCountFindInfoInputIos_base_dtorLastLoadLockMessageObjectPathSingleSizeofStartupTempTickWaitstd::ios_base::_
          • String ID: IOVA$IOVAS$S
          • API String ID: 1854476981-1164367841
          • Opcode ID: 51092cf3a616cf0abee576c7adec0df828380c781cfead0edbf8b305843f45da
          • Instruction ID: fdb09f8ce1bfaaf09a5f2aa6a1eaeab420e4e1cca6b3b397fe8787eb91ceaef9
          • Opcode Fuzzy Hash: 51092cf3a616cf0abee576c7adec0df828380c781cfead0edbf8b305843f45da
          • Instruction Fuzzy Hash: BB9103306187809FD304DFA8CC55BAEB7E1BF85308F148A0DF1949BA91EB74E5C99B52

          Control-flow Graph

          APIs
          • SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?,?), ref: 6CAA72F4
          • DeleteFileA.KERNEL32(?,00000004,00000000,.lnk,00000004,?), ref: 6CAA750C
          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?), ref: 6CAA75CF
          • Process32FirstW.KERNEL32(00000000,?), ref: 6CAA7611
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6CAA763D
          • Process32NextW.KERNEL32(?,0000022C), ref: 6CAA7747
          • CloseHandle.KERNELBASE(00000000,?,?), ref: 6CAA7756
          • Sleep.KERNELBASE(00000BB8,?,?,?,?,?), ref: 6CAA77A8
          • CloseHandle.KERNEL32(?,00000000,?,?), ref: 6CAA77B4
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CloseHandleProcess32$ByteCharCreateDeleteFileFirstFolderMultiNextPathSleepSnapshotToolhelp32Wide
          • String ID: .lnk
          • API String ID: 775680180-24824748
          • Opcode ID: 710e03455e0f159b1593834aa1fea1342380deab30d0636ff79d1fbc3035839d
          • Instruction ID: 21726bb439e8c5bbcdfe13624d457a92db870bcfaf774b4b32b15d0ae2c3c6c5
          • Opcode Fuzzy Hash: 710e03455e0f159b1593834aa1fea1342380deab30d0636ff79d1fbc3035839d
          • Instruction Fuzzy Hash: 95F14971D042089FDB05CFA8CC54BEEBBB5AF05314F288358E454EBA95D770AAC6CB91

          Control-flow Graph

          APIs
            • Part of subcall function 6CC4134C: CreateFileW.KERNELBASE(?,00000000,?,6CC4173C,?,?,00000000,?,6CC4173C,?,0000000C), ref: 6CC41369
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC417A7
          • __dosmaperr.LIBCMT ref: 6CC417AE
          • GetFileType.KERNELBASE(00000000), ref: 6CC417BA
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC417C4
          • __dosmaperr.LIBCMT ref: 6CC417CD
          • CloseHandle.KERNEL32(00000000), ref: 6CC417ED
          • CloseHandle.KERNEL32(6CC3B9DE), ref: 6CC4193A
          • GetLastError.KERNEL32 ref: 6CC4196C
          • __dosmaperr.LIBCMT ref: 6CC41973
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
          • String ID:
          • API String ID: 4237864984-0
          • Opcode ID: c5a4751170a8920e5cd96645a138d294f6be0c43a556ef88122977e066f5649c
          • Instruction ID: d7f3f356d4ee4e1e5a65ebd4f1bbacee1cd3c3314d00d443b0cac353d59f0d84
          • Opcode Fuzzy Hash: c5a4751170a8920e5cd96645a138d294f6be0c43a556ef88122977e066f5649c
          • Instruction Fuzzy Hash: 0BA12332A141189FCF098F6CC855BED3BB1AB06328F18825DE851EB791EB35D926CB51

          Control-flow Graph

          APIs
          • __RTC_Initialize.LIBCMT ref: 6CC17FB2
          • ___scrt_uninitialize_crt.LIBCMT ref: 6CC17FCC
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Initialize___scrt_uninitialize_crt
          • String ID:
          • API String ID: 2442719207-0
          • Opcode ID: 8677777c76bc981aa7fb2ac0048d0f82002d5521846178459de2606cdeb74de9
          • Instruction ID: c69979c38274ea31db5454fd9e98ed9a6daf9c804d0f6124fc6d3daaab722152
          • Opcode Fuzzy Hash: 8677777c76bc981aa7fb2ac0048d0f82002d5521846178459de2606cdeb74de9
          • Instruction Fuzzy Hash: E341C572E0D619AFDB118F67CC40F9E37B5EB45768F22451AE804A7F40E7348906BB90

          Control-flow Graph

          APIs
          • __EH_prolog3.LIBCMT ref: 6CBABC81
            • Part of subcall function 6CB95D74: EnterCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DA5
            • Part of subcall function 6CB95D74: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DBB
            • Part of subcall function 6CB95D74: LeaveCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DC9
            • Part of subcall function 6CB95D74: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000,?), ref: 6CB95DD6
          • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CBABCD4
          • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CBABCEA
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
          • String ID: DragDelay$DragMinDist$windows
          • API String ID: 3965097884-2101198082
          • Opcode ID: 37d6e9363b1056fb3ef40ca7507d857f233a6bb1a8db457cc626e9936aeaf19d
          • Instruction ID: 731d489b2e38c3d50751d5ada6285784eb1108a17a7d55f7cd34552a813c178a
          • Opcode Fuzzy Hash: 37d6e9363b1056fb3ef40ca7507d857f233a6bb1a8db457cc626e9936aeaf19d
          • Instruction Fuzzy Hash: FF0171B0A01B409FDBA0CF758946B897AF4FB09715F90492EE085DBF50E774A148EF54

          Control-flow Graph: rendered graph omitted (basic blocks 6cc36ce9-6cc37073; nodes call GetConsoleMode, ReadConsoleW, ReadFile and GetLastError)
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8fd4bc6eacd199f7aa6dc40963310f4c29dd4df9d53d11c9c7dbcb90ec2401e4
          • Instruction ID: 4586e1cd7e4194d6fa3ab97d0faa7da3ff142374322f710f697536826c48f537
          • Opcode Fuzzy Hash: 8fd4bc6eacd199f7aa6dc40963310f4c29dd4df9d53d11c9c7dbcb90ec2401e4
          • Instruction Fuzzy Hash: 05B16970A146199FDF01CFA8E880BAD7BB1BF0A318F145198E819E7781E774D946CFA0

          Control-flow Graph: rendered graph omitted (basic blocks 6cc18019-6cc18123; nodes call dllmain_raw and dllmain_crt_dispatch)
          APIs
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: dllmain_raw$dllmain_crt_dispatch
          • String ID:
          • API String ID: 3136044242-0
          • Opcode ID: eb5bfc8ea18819d0ae77acb4d1e359e1d26f2f1fc46c9d367556a5f4351a878a
          • Instruction ID: 85d2b6f0f914b8ee523433b4883f56be3684a2af5aec302cf349c40d1a43b50b
          • Opcode Fuzzy Hash: eb5bfc8ea18819d0ae77acb4d1e359e1d26f2f1fc46c9d367556a5f4351a878a
          • Instruction Fuzzy Hash: 0E217172D0D619AFDB218E57CC40DAF3A79EB85BA8B224516FC1497F10E3308D42BB90

          Control-flow Graph: rendered graph omitted (basic blocks 6cb48711-6cb4874d; nodes call GetModuleHandleW and GetProcAddress)
          APIs
          • GetModuleHandleW.KERNEL32(Shell32,?,?,6CA9113C,MFCApplication4.AppID.NoVersion,00000001,?,Function_001B32D0,000000FF), ref: 6CB4871C
          • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6CB4872D
          Strings
          • Shell32, xrefs: 6CB48715
          • SetCurrentProcessExplicitAppUserModelID, xrefs: 6CB48727
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
          • API String ID: 1646373207-2658420654
          • Opcode ID: 46ae4ac6a6becc4b04c568b3b4a15b6efd2e86c124896bc9b572a1fae21db4e4
          • Instruction ID: 3a1b4316294b465ae673a326f935359ed337844a2cd78c51674c704868516747
          • Opcode Fuzzy Hash: 46ae4ac6a6becc4b04c568b3b4a15b6efd2e86c124896bc9b572a1fae21db4e4
          • Instruction Fuzzy Hash: B8E04F757056256786141B669C28C6A7F78EA92AA1340842BF905E7A00DA31D851DBE4
          APIs
          • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000001,6CCC3990), ref: 6CABFB12
          • VerSetConditionMask.KERNEL32(00000000), ref: 6CABFB1A
          • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6CABFB2B
          • GetSystemMetrics.USER32(00001000), ref: 6CABFB3C
            • Part of subcall function 6CAC056D: __EH_prolog3.LIBCMT ref: 6CAC0574
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000016), ref: 6CAC057D
            • Part of subcall function 6CAC056D: GetSysColor.USER32(0000000F), ref: 6CAC0590
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000015), ref: 6CAC05A7
            • Part of subcall function 6CAC056D: GetSysColor.USER32(0000000F), ref: 6CAC05B3
            • Part of subcall function 6CAC056D: GetDeviceCaps.GDI32(?,0000000C), ref: 6CAC05DB
            • Part of subcall function 6CAC056D: GetSysColor.USER32(0000000F), ref: 6CAC05E9
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000010), ref: 6CAC05F7
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000015), ref: 6CAC0605
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000016), ref: 6CAC0613
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000014), ref: 6CAC0621
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000012), ref: 6CAC062F
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000011), ref: 6CAC063D
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000006), ref: 6CAC0648
            • Part of subcall function 6CAC056D: GetSysColor.USER32(0000000D), ref: 6CAC0653
            • Part of subcall function 6CAC056D: GetSysColor.USER32(0000000E), ref: 6CAC065E
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000005), ref: 6CAC0669
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000008), ref: 6CAC0677
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000009), ref: 6CAC0682
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000007), ref: 6CAC068D
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000002), ref: 6CAC0698
            • Part of subcall function 6CAC056D: GetSysColor.USER32(00000003), ref: 6CAC06A3
            • Part of subcall function 6CAC056D: GetSysColor.USER32(0000001B), ref: 6CAC06B1
            • Part of subcall function 6CAC056D: GetSysColor.USER32(0000001C), ref: 6CAC06BF
            • Part of subcall function 6CAC056D: GetSysColor.USER32(0000000A), ref: 6CAC06CD
            • Part of subcall function 6CAC004E: __EH_prolog3_GS.LIBCMT ref: 6CAC0058
            • Part of subcall function 6CAC004E: GetDeviceCaps.GDI32(?,00000058), ref: 6CAC0078
            • Part of subcall function 6CAC004E: DeleteObject.GDI32(00000000), ref: 6CAC00D4
            • Part of subcall function 6CAC004E: DeleteObject.GDI32(00000000), ref: 6CAC00F2
            • Part of subcall function 6CAC004E: DeleteObject.GDI32(00000000), ref: 6CAC0110
            • Part of subcall function 6CAC004E: DeleteObject.GDI32(00000000), ref: 6CAC012E
            • Part of subcall function 6CAC004E: DeleteObject.GDI32(00000000), ref: 6CAC014C
            • Part of subcall function 6CAC004E: DeleteObject.GDI32(00000000), ref: 6CAC016A
            • Part of subcall function 6CAC004E: DeleteObject.GDI32(00000000), ref: 6CAC0188
            • Part of subcall function 6CAC004E: DeleteObject.GDI32(00000000), ref: 6CAC01A6
            • Part of subcall function 6CABFC21: GetSystemMetrics.USER32(00000031), ref: 6CABFC2F
            • Part of subcall function 6CABFC21: GetSystemMetrics.USER32(00000032), ref: 6CABFC3D
            • Part of subcall function 6CABFC21: SetRectEmpty.USER32(6CCC3AFC), ref: 6CABFC50
            • Part of subcall function 6CABFC21: EnumDisplayMonitors.USER32(00000000,00000000,6CABFA37,6CCC3AFC), ref: 6CABFC60
            • Part of subcall function 6CABFC21: SystemParametersInfoW.USER32(00000030,00000000,6CCC3AFC,00000000), ref: 6CABFC6F
            • Part of subcall function 6CABFC21: SystemParametersInfoW.USER32(00001002,00000000,6CCC3B20,00000000), ref: 6CABFC9C
            • Part of subcall function 6CABFC21: SystemParametersInfoW.USER32(00001012,00000000,6CCC3B24,00000000), ref: 6CABFCB0
            • Part of subcall function 6CABFC21: SystemParametersInfoW.USER32(0000100A,00000000,6CCC3B34,00000000), ref: 6CABFCD6
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
          • String ID:
          • API String ID: 2442922003-0
          • Opcode ID: 429cd7366c16b639c513b677dd0cd45956a79d121b4d3d156f7b3d4e66f1026e
          • Instruction ID: 8f4053fc5122b5dc5d431dd1024eb06dc12a50f78e0e79583f0fdffb1dc294a4
          • Opcode Fuzzy Hash: 429cd7366c16b639c513b677dd0cd45956a79d121b4d3d156f7b3d4e66f1026e
          • Instruction Fuzzy Hash: 6411ECB0B00308ABDB149F75DC55FEFB7BCEB89708F40445DA106A2281DBB44A989F90
          APIs
          • CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,6CC355BA,00000000,CF830579,6CCB6678,0000000C,6CC35676,6CC26A25,?), ref: 6CC35729
          • GetLastError.KERNEL32(?,6CC355BA,00000000,CF830579,6CCB6678,0000000C,6CC35676,6CC26A25,?), ref: 6CC35733
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CloseErrorHandleLast
          • String ID: @;l
          • API String ID: 918212764-4151154329
          • Opcode ID: 485d937d7f5fdaf24273b0dc6fcf18129a0c2a9d90d82e50106858791dc88e62
          • Instruction ID: 56c9fadba0fac0ef302e52c951094cabf110a4a9aa84a40d2d8d6269716cdfc5
          • Opcode Fuzzy Hash: 485d937d7f5fdaf24273b0dc6fcf18129a0c2a9d90d82e50106858791dc88e62
          • Instruction Fuzzy Hash: D31148327151345AC7005235E948BAE77B99B8373CF690649E81CD7BC1FB64C4868250
          APIs
          • DeleteFileW.KERNELBASE(6CC280D8,?,6CC280D8,00000000), ref: 6CC37428
          • GetLastError.KERNEL32(?,6CC280D8,00000000), ref: 6CC37432
          • __dosmaperr.LIBCMT ref: 6CC37439
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: DeleteErrorFileLast__dosmaperr
          • String ID:
          • API String ID: 1545401867-0
          • Opcode ID: 617b7e5f0083b5b3b6feffd9a11f6d51f88923862c0df8bf589dcf6b989b1304
          • Instruction ID: 2fcae98077bd28f2805354a3128693927eadcade50e97805edc9ee117128cdf8
          • Opcode Fuzzy Hash: 617b7e5f0083b5b3b6feffd9a11f6d51f88923862c0df8bf589dcf6b989b1304
          • Instruction Fuzzy Hash: D7D0C9322285096B8B001ABAAC0C5163B7CAA812797549A55F42CC5A90EA36D4A0AA51
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAFA026
            • Part of subcall function 6CB4666D: __EH_prolog3_GS.LIBCMT ref: 6CB46677
            • Part of subcall function 6CB4666D: GetCurrentThread.KERNEL32 ref: 6CB466D6
            • Part of subcall function 6CB4666D: GetCurrentThreadId.KERNEL32 ref: 6CB466DF
            • Part of subcall function 6CB4666D: GetVersionExW.KERNEL32 ref: 6CB4677B
            • Part of subcall function 6CAFA549: __EH_prolog3.LIBCMT ref: 6CAFA550
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CurrentH_prolog3Thread$H_prolog3_Version
          • String ID: Workspace
          • API String ID: 3621167777-258310842
          • Opcode ID: 7b3187a9a82d53f2677df0950427f03052af3547dcf9eba0c59e60a1a41f1647
          • Instruction ID: b404ec2af1a330435e7e98795593ec4d5584cc40376815b5d495309f18fa884c
          • Opcode Fuzzy Hash: 7b3187a9a82d53f2677df0950427f03052af3547dcf9eba0c59e60a1a41f1647
          • Instruction Fuzzy Hash: 002134B0A00A56AFC758CF78C540BD9FAA4BF08304F50872AD02DE3B40D7702669CBD0
          APIs
          • SHGetMalloc.SHELL32(00000004), ref: 6CBBECE0
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Malloc
          • String ID: h-i
          • API String ID: 2696272793-2915156121
          • Opcode ID: 61dea2d8e0c83d85ce7594cb7a6d12d62f716095613e00d52185254638674bb4
          • Instruction ID: b550ee7759dec386a65018722efaa0f7305ec62dcf2fa9bfa8940a064485e915
          • Opcode Fuzzy Hash: 61dea2d8e0c83d85ce7594cb7a6d12d62f716095613e00d52185254638674bb4
          • Instruction Fuzzy Hash: 791192727046549FDB14CF04D844B66B7F8FB09726F20856EE415D3E50DB74E940CB90
          APIs
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: __fread_nolock
          • String ID:
          • API String ID: 2638373210-0
          • Opcode ID: b7820042098da492085148a100d4a16174ee2d72cef90cd5d92ceb65b6c8a3ac
          • Instruction ID: 282439801a7e6115f4a69ba59a9ac52ead5c386896ac0b934456e4972892c949
          • Opcode Fuzzy Hash: b7820042098da492085148a100d4a16174ee2d72cef90cd5d92ceb65b6c8a3ac
          • Instruction Fuzzy Hash: 8A619F366192058FCB04CF2DC88195AB7E1EFC9724F1986A9FC18CB754E731D949CBA1
          APIs
          • __RTC_Initialize.LIBCMT ref: 6CC17EB1
            • Part of subcall function 6CC18F42: InitializeSListHead.KERNEL32(6CCC5960,6CC17EBB,6CCB5F30,00000010,6CC17E4C,?,?,?,6CC18072,?,00000001,?,?,00000001,?,6CCB5F78), ref: 6CC18F47
          • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CC17F1B
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
          • String ID:
          • API String ID: 3231365870-0
          • Opcode ID: 9c1d8261fcfceb5aadc57fbb104feeaedf8efcd6621972d2835b8c01986aaf95
          • Instruction ID: aa74be1c64934835e309f52e489bbc2375d1491f24da976786c42937a034566e
          • Opcode Fuzzy Hash: 9c1d8261fcfceb5aadc57fbb104feeaedf8efcd6621972d2835b8c01986aaf95
          • Instruction Fuzzy Hash: D321CF3260D2019ADB01ABB6D8047DA33B19F0632CF20844AD44566FC1FB615699F799
          APIs
          • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,6CC372D3,00000000,00000000,00000000,00000002,00000000), ref: 6CC371D5
          • GetLastError.KERNEL32(00000000,?,6CC372D3,00000000,00000000,00000000,00000002,00000000,?,6CC353F8,00000000,00000000,00000000,00000002,00000000,00000000), ref: 6CC371E2
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ErrorFileLastPointer
          • String ID:
          • API String ID: 2976181284-0
          • Opcode ID: f2b0c641d42beea4f9235c6b0ad92ffd55d013cfef5446e2a725ffd2e81d9c07
          • Instruction ID: 9229b8e27da11de963d8aa288bda796383f07072ece10f2a6c3a47b2b28d8447
          • Opcode Fuzzy Hash: f2b0c641d42beea4f9235c6b0ad92ffd55d013cfef5446e2a725ffd2e81d9c07
          • Instruction Fuzzy Hash: 9201C473714526EFCB058F59DC05C9E3B79EB86324B240648F815EB290FA71E951AB90
          APIs
          • RtlFreeHeap.NTDLL(00000000,00000000,?,6CC2FDF6), ref: 6CC315AE
          • GetLastError.KERNEL32(?,?,6CC2FDF6), ref: 6CC315B9
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ErrorFreeHeapLast
          • String ID:
          • API String ID: 485612231-0
          • Opcode ID: ef5db8d33d880d24c1c237968a2bc1a81c7a786f3464ac6f6a039a9d2bccfa73
          • Instruction ID: 2a27cf033d53f6321247224711ec7c9ac0a7bd1d320444222b9c9be988e1c7f1
          • Opcode Fuzzy Hash: ef5db8d33d880d24c1c237968a2bc1a81c7a786f3464ac6f6a039a9d2bccfa73
          • Instruction Fuzzy Hash: E7E0CD322102146FCF111FA5E90CB953B78AB41799F505451F50CD6950FF34D550D794
          APIs
          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CAA702F
          Similarity
          • API ID: Ios_base_dtorstd::ios_base::_
          • String ID:
          • API String ID: 323602529-0
          • Opcode ID: 99bb65944a3929bff92edc10dacc84f950633dfed978f0a1fbcc824f48150358
          • Instruction ID: 762516ec19a07eec6d48e119fb9355c8427a86dabd8163e4b5703bf73049ccb7
          • Opcode Fuzzy Hash: 99bb65944a3929bff92edc10dacc84f950633dfed978f0a1fbcc824f48150358
          • Instruction Fuzzy Hash: C2911A71900288CBDB10CF68C945B9EBBF4AF04314F14C599D40EAB751EB75AA89CF90
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5c57a564805cf30eb43480554f6e6e266c1bcd2c0a597111f87f94b72b529a63
          • Instruction ID: 1717bde035a4d74c628b8b31faa61bd05087fde266e114784c4b8a37eaf0837e
          • Opcode Fuzzy Hash: 5c57a564805cf30eb43480554f6e6e266c1bcd2c0a597111f87f94b72b529a63
          • Instruction Fuzzy Hash: C751B470A04204AFDB04DF6DC880AD9BBB1EF4A329F24815DE8597B751E3769E41DBD0
          APIs
          • __EH_prolog3.LIBCMT ref: 6CABECD6
            • Part of subcall function 6CABFAB5: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000001,6CCC3990), ref: 6CABFB12
            • Part of subcall function 6CABFAB5: VerSetConditionMask.KERNEL32(00000000), ref: 6CABFB1A
            • Part of subcall function 6CABFAB5: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6CABFB2B
            • Part of subcall function 6CABFAB5: GetSystemMetrics.USER32(00001000), ref: 6CABFB3C
          Similarity
          • API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
          • String ID:
          • API String ID: 2710481357-0
          • Opcode ID: 1cba15b2a8239bde47fa244b530f7f29971d33d9b9f03bde821c43e4ea495bd4
          • Instruction ID: b8a508d984d97f971406450a2bbf1a37a2b5e7421f3e66a5a740225df06035c2
          • Opcode Fuzzy Hash: 1cba15b2a8239bde47fa244b530f7f29971d33d9b9f03bde821c43e4ea495bd4
          • Instruction Fuzzy Hash: 4351EEB0905F418FD3A8CF3A85417C6FAE0BF89310F50CA2E81AED6760EB7161848F54
          APIs
          Similarity
          • API ID: __wsopen_s
          • String ID:
          • API String ID: 3347428461-0
          • Opcode ID: 7cfd27dbb0989c9e11b4756a758283288d86ae7c24f9e0e32c3cf1210301bc96
          • Instruction ID: bd07776ea91017c7aee3eb24afa3bb884d43a7fc3493dae33b08273712e3674c
          • Opcode Fuzzy Hash: 7cfd27dbb0989c9e11b4756a758283288d86ae7c24f9e0e32c3cf1210301bc96
          • Instruction Fuzzy Hash: 9D114C71A0420EAFCB05CF59E9459DF7BF9EF49314F144069F808AB301E670E911CBA4
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB932A7
            • Part of subcall function 6CB92F70: TlsAlloc.KERNEL32(?,6CB932D3,00000004,6CAC3120,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000,?,?,6CABE04D,6CA92126,?,?), ref: 6CB92F8F
            • Part of subcall function 6CB92F70: InitializeCriticalSection.KERNEL32(6CCC515C), ref: 6CB92FA0
          Similarity
          • API ID: AllocCriticalH_prolog3InitializeSection
          • String ID:
          • API String ID: 2369468792-0
          • Opcode ID: 224c4321f1428735b44512e8a202afc6e7c694adec51a99d50bdebddc7e3b0db
          • Instruction ID: f5fcd51638371b1d1f1916e6b1bd107e9964172c089df64553c559ec41409f53
          • Opcode Fuzzy Hash: 224c4321f1428735b44512e8a202afc6e7c694adec51a99d50bdebddc7e3b0db
          • Instruction Fuzzy Hash: 36113C31B496428FEF149F76C85869E77B4AF02798B604238D819CBF90EF71CA44D741
          APIs
          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CC32B50,00000001,00000364,00000000,00000006,000000FF,?,?,6CC2FDF6), ref: 6CC347ED
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 5eb6025cfc37f89bb21ca27a7c9d37346a92161f00364d7b7748f84b8f9ccabe
          • Instruction ID: a02693aba7db7f3e6489f35d824549e55f80884da7c0502f4c183684041bb91b
          • Opcode Fuzzy Hash: 5eb6025cfc37f89bb21ca27a7c9d37346a92161f00364d7b7748f84b8f9ccabe
          • Instruction Fuzzy Hash: 0EF0B43161553566EB11DA26BC0CA9A3F68AB43778B106112AC1CE6E80FB22D800CEE0
          APIs
          • CreateFileW.KERNELBASE(?,00000000,?,6CC4173C,?,?,00000000,?,6CC4173C,?,0000000C), ref: 6CC41369
          Similarity
          • API ID: CreateFile
          • String ID:
          • API String ID: 823142352-0
          • Opcode ID: 2d798d13ff4bcd195c71129678f54d989bed5d1e053f17c6cba88abc1fcf1502
          • Instruction ID: 94baf4c598aed74cc10e290bcb93b865177a0ad66e302039a931ad4cff72e24e
          • Opcode Fuzzy Hash: 2d798d13ff4bcd195c71129678f54d989bed5d1e053f17c6cba88abc1fcf1502
          • Instruction Fuzzy Hash: 15D06C3211010DBBDF029E84DD06EDA3FBAFB48714F018050BA1866020C732E871AB91
          APIs
          • DeleteObject.GDI32(00000000), ref: 6CABE04E
          Similarity
          • API ID: DeleteObject
          • String ID:
          • API String ID: 1531683806-0
          • Opcode ID: 859e46f696c3c75ff06c42ffb21076488c0a96af44ca0e9c76cc74b67d675c31
          • Instruction ID: 1064690b3c491e1f8681c4b9b90bb617218fcb3947aac179a4a105c7bcaa255d
          • Opcode Fuzzy Hash: 859e46f696c3c75ff06c42ffb21076488c0a96af44ca0e9c76cc74b67d675c31
          • Instruction Fuzzy Hash: D2B09270956210AADF005A309A0831629B85B4130AF98C8E4F008A1504DF39C8C99690
          APIs
          • Sleep.KERNELBASE(00011D28), ref: 6CAA72A5
          Similarity
          • API ID: Sleep
          • String ID:
          • API String ID: 3472027048-0
          • Opcode ID: 745657f3b7707f58ffcbdd6c46f9e8d07da65cb441ffff0abc5d82106beb980e
          • Instruction ID: 2c60ea85a58758af63f179dadd7a5facc24d9328e6ff6f3b4c8de2902f28432e
          • Opcode Fuzzy Hash: 745657f3b7707f58ffcbdd6c46f9e8d07da65cb441ffff0abc5d82106beb980e
          • Instruction Fuzzy Hash: 9AA0223032000002030003380A0E88228F80FB8302380C0203300CC000CF3000A0AB20
          APIs
          • IsWindowVisible.USER32(?), ref: 6CB3A19E
          • IsWindowVisible.USER32(?), ref: 6CB3A1B9
          • GetWindowRect.USER32(?,?), ref: 6CB3A21B
          • IsIconic.USER32(?), ref: 6CB3A22A
          • CopyRect.USER32(?,?), ref: 6CB3A258
          • MonitorFromPoint.USER32(?,?,00000002), ref: 6CB3A28F
          • GetMonitorInfoW.USER32(00000000), ref: 6CB3A296
          • CopyRect.USER32(?,?), ref: 6CB3A2A8
          • CopyRect.USER32(?,?), ref: 6CB3A2B6
          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6CB3A2EC
          • OffsetRect.USER32(?,?,?), ref: 6CB3A31B
          • GetSystemMetrics.USER32(00000022), ref: 6CB3A3A2
          • GetSystemMetrics.USER32(00000023), ref: 6CB3A3AD
          Strings
          Similarity
          • API ID: Rect$CopySystemWindow$InfoMetricsMonitorVisible$FromIconicOffsetParametersPoint
          • String ID: ($,
          • API String ID: 388708526-170869519
          • Opcode ID: 21cb1988724b9b8ef0d445a56f97c357cf712bcfdf0e3756d03b38f8cfe9672f
          • Instruction ID: 05017867a292a071f75bbb74b762b9fdc1adc9591e486891be121f4cb50a8858
          • Opcode Fuzzy Hash: 21cb1988724b9b8ef0d445a56f97c357cf712bcfdf0e3756d03b38f8cfe9672f
          • Instruction Fuzzy Hash: 00814C71A112299FDF04CFA4C944BEEBBB9FF09304F205169E519E7681DB30A984CF91
          APIs
          • WSAStartup.WS2_32(00000202,?), ref: 6CAA62CF
          • getaddrinfo.WS2_32(6CCBCB64,6CCBCB4C,00000000,00000000), ref: 6CAA64BC
          • socket.WS2_32(?,?,?), ref: 6CAA64E9
          • connect.WS2_32(00000000,?,?), ref: 6CAA6504
          • closesocket.WS2_32 ref: 6CAA6511
          • freeaddrinfo.WS2_32(00000000), ref: 6CAA6528
          • recv.WS2_32(006CC0C8,00001000,00000000), ref: 6CAA6563
          • VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 6CAA65AE
          • WSACleanup.WS2_32 ref: 6CAA65D6
          • WSACleanup.WS2_32 ref: 6CAA65F5
          Strings
          Similarity
          • API ID: Cleanup$AllocStartupVirtualclosesocketconnectfreeaddrinfogetaddrinforecvsocket
          • String ID: $IOVA
          • API String ID: 2484549806-670572268
          • Opcode ID: 7d652a92527dbf4a0c18082a3378eb48eaf5dafc2f596ed909cb1d7fe18e41f6
          • Instruction ID: 8d2b0cbc9e807d98aec592a9f6b4f46567ed397e98e1b65f16d39a0e2b772552
          • Opcode Fuzzy Hash: 7d652a92527dbf4a0c18082a3378eb48eaf5dafc2f596ed909cb1d7fe18e41f6
          • Instruction Fuzzy Hash: C3D12371B006049FCB09DFA8C9547ADBBB0BF4A308F284269E451DBB81E7749AD5CF90
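          Practitioner note and added example, not part of the Joe Sandbox report: the function above pairs a Winsock connect/recv with a VirtualAlloc whose displayed arguments include 0x3000 (MEM_COMMIT|MEM_RESERVE) and 0x40 (PAGE_EXECUTE_READWRITE), a shape consistent with code that receives data from a socket into executable memory, and the earlier entry at 6CAA72A5 calls Sleep(0x11D28), which is 73000 ms, or 73 seconds. The Python below is a hypothetical scanner written for this edit, not tooling from Joe Sandbox; it parses per-function "APIs" lines in the form this report prints them (the sample input is copied from the two entries above) and flags both patterns. Two assumptions are labelled in the code: the sandbox prints raw stack slots that do not map one-to-one onto the VirtualAlloc parameters, so the constants are matched anywhere in the argument list rather than by position, and the listing is in code-address order, which is a static hint rather than a proven execution order. The one-minute Sleep threshold is likewise an assumed analyst setting.

```python
"""Added example: scan Joe Sandbox per-function 'APIs' listings for staging patterns."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the 'APIs' lines of two functions copied from this report section.
NETWORK_FUNC = """\
• WSAStartup.WS2_32(00000202,?), ref: 6CAA62CF
• getaddrinfo.WS2_32(6CCBCB64,6CCBCB4C,00000000,00000000), ref: 6CAA64BC
• socket.WS2_32(?,?,?), ref: 6CAA64E9
• connect.WS2_32(00000000,?,?), ref: 6CAA6504
• closesocket.WS2_32 ref: 6CAA6511
• freeaddrinfo.WS2_32(00000000), ref: 6CAA6528
• recv.WS2_32(006CC0C8,00001000,00000000), ref: 6CAA6563
• VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 6CAA65AE
• WSACleanup.WS2_32 ref: 6CAA65D6
• WSACleanup.WS2_32 ref: 6CAA65F5
"""
SLEEP_FUNC = "• Sleep.KERNELBASE(00011D28), ref: 6CAA72A5\n"
# A 'Part of subcall function' line with a signed stack value, also copied from the report.
SUBCALL_LINE = "  • Part of subcall function 6CACF3FD: FillRect.USER32(?,?,-000000A8), ref: 6CACF419\n"

# One listing line: optional 'Part of subcall function X:' prefix, API.MODULE,
# optional '(args)', then 'ref: ADDRESS'. Lines without parentheses also occur.
LINE_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
RECEIVE_APIS = {"recv", "recvfrom", "WSARecv", "InternetReadFile", "WinHttpReadData"}
LONG_SLEEP_MS = 60_000  # assumed analyst threshold, not a value from the report


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the sandbox printed '?'
    ref: int                   # code address of the call site


def parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)  # int() accepts signed hex such as -000000A8


def parse_api_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def flag_sequence(calls: List[ApiCall]) -> List[str]:
    """Return findings for one function's call list.

    Assumption: listing order is code-address order, not proven execution
    order, so 'receive before allocate' is a static hint, not a trace.
    """
    findings = []
    seen_receive = False
    for c in calls:
        if c.api in RECEIVE_APIS:
            seen_receive = True
        elif c.api in ("VirtualAlloc", "VirtualAllocEx"):
            # Assumption: the sandbox prints raw stack slots that do not map cleanly
            # onto the four VirtualAlloc parameters, so match constants anywhere.
            vals = {a for a in c.args if a is not None}
            rwx = PAGE_EXECUTE_READWRITE in vals
            commit = (MEM_COMMIT | MEM_RESERVE) in vals
            if rwx and seen_receive:
                findings.append(
                    f"network receive followed by {'MEM_COMMIT|MEM_RESERVE ' if commit else ''}"
                    f"PAGE_EXECUTE_READWRITE VirtualAlloc at {c.ref:08X}"
                )
        elif c.api == "Sleep" and c.args and c.args[0] is not None:
            ms = c.args[0]
            if ms >= LONG_SLEEP_MS:
                findings.append(f"long Sleep of {ms} ms ({ms / 1000:.0f} s) at {c.ref:08X}")
    return findings


if __name__ == "__main__":
    for label, text in (("network", NETWORK_FUNC), ("sleep", SLEEP_FUNC)):
        for finding in flag_sequence(parse_api_listing(text)):
            print(f"[{label}] {finding}")
```

          Running the block prints one finding per pattern. Treat the RWX finding as a lead to confirm with the memory dump (what lands in the region the allocation returns), since the listing alone cannot show that the bytes received are the bytes executed.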
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB6EBD8
          • CreateCompatibleDC.GDI32(00000000), ref: 6CB6EC5E
          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB6EC95
          • SelectObject.GDI32(?,00000000), ref: 6CB6ECF4
          • BitBlt.GDI32(?,00000000,00000000,?,?,00000001,?,?,00CC0020), ref: 6CB6ED1C
          • MulDiv.KERNEL32(?,00000048,00000064), ref: 6CB6EF0E
          • MulDiv.KERNEL32(?,00000048,00000064), ref: 6CB6EF29
          • MulDiv.KERNEL32(6CAAF46A,00000048,00000064), ref: 6CB6EF45
          • MulDiv.KERNEL32(6CAAF46A,00000048,00000064), ref: 6CB6EF60
          • MulDiv.KERNEL32(?,00000048,00000064), ref: 6CB6EF79
          • MulDiv.KERNEL32(?,00000048,00000064), ref: 6CB6EF93
          • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6CB6EFF2
          • DeleteObject.GDI32(?), ref: 6CB6F009
            • Part of subcall function 6CACF3FD: FillRect.USER32(?,?,-000000A8), ref: 6CACF419
          Similarity
          • API ID: CompatibleCreateObject$BitmapDeleteFillH_prolog3RectSelect
          • String ID:
          • API String ID: 3910664508-0
          • Opcode ID: ec8bf9de9db8119834af938a5a562a66d0b14e795e9c754747b173e9d846e69c
          • Instruction ID: 1bfc70cc4ea25877f77eb2541b5f8d5563f22ca536222de4e0084c59d424f9e4
          • Opcode Fuzzy Hash: ec8bf9de9db8119834af938a5a562a66d0b14e795e9c754747b173e9d846e69c
          • Instruction Fuzzy Hash: 88F1D271A002999FDF04CFAACD54AEE7BB4EF49308F14821AF945B7A90D730D955CBA0
          APIs
          • GetModuleHandleW.KERNEL32(comctl32.dll,6CBFECF3,00000000,00000000,00000000,?,6CB97A34,00000000,00000000,6CB966FC,0000001C,6CB9782A,?,6CB966FC,?,00000000), ref: 6CBFEBE1
          • GetUserDefaultUILanguage.KERNEL32(?,6CB97A34,00000000,00000000,6CB966FC,0000001C,6CB9782A,?,6CB966FC,?,00000000,00000000,00000000,?,6CB966FC,00000000), ref: 6CBFEBF1
          • FindResourceExW.KERNEL32(00000000,00000005,000003EE,0000FC11,?,6CB97A34,00000000,00000000,6CB966FC,0000001C,6CB9782A,?,6CB966FC,?,00000000,00000000), ref: 6CBFEC2F
          • FindResourceW.KERNEL32(00000000,000003EE,00000005,?,6CB97A34,00000000,00000000,6CB966FC,0000001C,6CB9782A,?,6CB966FC,?,00000000,00000000,00000000), ref: 6CBFEC4E
          • LoadResource.KERNEL32(00000000,00000000,?,6CB97A34,00000000,00000000,6CB966FC,0000001C,6CB9782A,?,6CB966FC,?,00000000,00000000,00000000), ref: 6CBFEC5A
            • Part of subcall function 6CBFED31: GetDC.USER32(00000000), ref: 6CBFED84
            • Part of subcall function 6CBFED31: EnumFontFamiliesExW.GDI32(00000000,?,6CBFED1B,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6CBFED9F
            • Part of subcall function 6CBFED31: ReleaseDC.USER32(00000000,00000000), ref: 6CBFEDA7
          • GlobalAlloc.KERNEL32(00000040,00000000,?,6CB97A34,00000000,00000000,6CB966FC,0000001C,6CB9782A,?,6CB966FC,?,00000000,00000000,00000000), ref: 6CBFEC8A
          Strings
          Similarity
          • API ID: Resource$Find$AllocDefaultEnumFamiliesFontGlobalHandleLanguageLoadModuleReleaseUser
          • String ID: MS UI Gothic$comctl32.dll
          • API String ID: 1606157363-3248924666
          • Opcode ID: 7523a76ba72076634026a09aac3108924725cca27e100d45715a72c59f2f5602
          • Instruction ID: 94ce5037996f7bafefcb4e7e38e786fe06625ee8699645e614a91844a03283c2
          • Opcode Fuzzy Hash: 7523a76ba72076634026a09aac3108924725cca27e100d45715a72c59f2f5602
          • Instruction Fuzzy Hash: 6341F231200685ABEB005B65CC59B7F73BCEF45718F108029F825DBB80EB30D88987A2
          APIs
            • Part of subcall function 6CB65431: IsWindow.USER32(00000000), ref: 6CB65450
          • IsIconic.USER32(?), ref: 6CB39390
          • GetWindowRect.USER32(?,6CB3C845), ref: 6CB393C9
          • IsIconic.USER32(?), ref: 6CB393EA
          • GetSystemMetrics.USER32(00000004), ref: 6CB393F6
          • OffsetRect.USER32(6CB3C845,00000000,00000000), ref: 6CB39406
          • GetSystemMetrics.USER32(00000004), ref: 6CB3940E
          • IsIconic.USER32(?), ref: 6CB39444
          • GetSystemMetrics.USER32(00000021), ref: 6CB39451
          • GetSystemMetrics.USER32(00000020), ref: 6CB3945C
            • Part of subcall function 6CABC609: GetWindowLongW.USER32(?,000000F0), ref: 6CABC616
          Similarity
          • API ID: MetricsSystem$IconicWindow$Rect$LongOffset
          • String ID:
          • API String ID: 812917121-0
          • Opcode ID: 41d9f77edc07fbcf1d01b9a07955285f1af3a14d41f11146e35e2991ca8a0d02
          • Instruction ID: 4e9ec8ea55e21ffa96224fbb1cb855fe6aa5356206bef454bbe49a109f1789f2
          • Opcode Fuzzy Hash: 41d9f77edc07fbcf1d01b9a07955285f1af3a14d41f11146e35e2991ca8a0d02
          • Instruction Fuzzy Hash: A3313E71A1020AAFCB00DFA9C984FAEB7F5FF09308F148159E509FB251DB30A995DB51
          APIs
          • SetRectEmpty.USER32(?), ref: 6CAEE86A
          • SetRectEmpty.USER32(?), ref: 6CAEE877
          • InflateRect.USER32(00000000,00000000,?), ref: 6CAEE974
          Similarity
          • API ID: Rect$Empty$Inflate
          • String ID:
          • API String ID: 3025764292-0
          • Opcode ID: f970f0eb559fa11e75e23db6bacf91014ee517174e004338f6469ca95f5897dd
          • Instruction ID: 8b0a953b335222ac630a97fbb968d814dbf8b4d6d7e3303a5ab3d0c581976498
          • Opcode Fuzzy Hash: f970f0eb559fa11e75e23db6bacf91014ee517174e004338f6469ca95f5897dd
          • Instruction Fuzzy Hash: 14F17A31A016199FDF09CFA4C844BDEB7B2FF49319F188229E815A7680DB71A895DBD0
          APIs
          • GetLocaleInfoW.KERNEL32(?,2000000B,6CC3F957,00000002,00000000,?,?,?,6CC3F957,?,00000000), ref: 6CC3F6DE
          • GetLocaleInfoW.KERNEL32(?,20001004,6CC3F957,00000002,00000000,?,?,?,6CC3F957,?,00000000), ref: 6CC3F707
          • GetACP.KERNEL32(?,?,6CC3F957,?,00000000), ref: 6CC3F71C
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: InfoLocale
          • String ID: ACP$OCP
          • API String ID: 2299586839-711371036
          • Opcode ID: fe7458e2f7f7d0089d341d264fdb2551c49b56094ff11dd6b2b1b4806360d229
          • Instruction ID: d71e4889bc383bdc3fec5995a744d205dc7508015d9b1bd60c2bb6515c27fd43
          • Opcode Fuzzy Hash: fe7458e2f7f7d0089d341d264fdb2551c49b56094ff11dd6b2b1b4806360d229
          • Instruction Fuzzy Hash: AE21D332705121AEE7208F6AE904A8773BAEF45B68B6699A4E90DD7920F732DD40C350
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6CC3F929
          • IsValidCodePage.KERNEL32(00000000), ref: 6CC3F967
          • IsValidLocale.KERNEL32(?,00000001), ref: 6CC3F97A
          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6CC3F9C2
          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6CC3F9DD
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
          • String ID:
          • API String ID: 415426439-0
          • Opcode ID: 1a105c691fe900e5e770ca022e9fa42eb34cf1b5f611e588848315342752b907
          • Instruction ID: 9584aeba3ec49d94a56f49518bd610b458212e843f8ac7c98cd12d01bbe61884
          • Opcode Fuzzy Hash: 1a105c691fe900e5e770ca022e9fa42eb34cf1b5f611e588848315342752b907
          • Instruction Fuzzy Hash: 41519671A0122AAFEF00DFA5EC44AEE77B8FF05708F1058A9E919E7550FB709544CBA1
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • GetACP.KERNEL32(?,?,?,?,?,?,6CC333E2,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6CC3EF6B
          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6CC333E2,?,?,?,00000055,?,-00000050,?,?), ref: 6CC3EFA2
          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6CC3F105
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ErrorLast$CodeInfoLocalePageValid
          • String ID: utf8
          • API String ID: 607553120-905460609
          • Opcode ID: 1ab711ccbcc74c6c79da7a96fc4df8894223f0d8f381bcd965f78360533b14d8
          • Instruction ID: a4135de6c1222d7e69f7d68d0c0b8483a7525b5d8a826bce9b5a082044208888
          • Opcode Fuzzy Hash: 1ab711ccbcc74c6c79da7a96fc4df8894223f0d8f381bcd965f78360533b14d8
          • Instruction Fuzzy Hash: 5E713A31601226AEE7149B39EC41FEB73B8EF05708F10156EE91DD7A80FB74D8458BA4
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 31143bf70f31fe54bb0b7b911e31a5d3aba014327072bf311d4d32eaeb942acb
          • Instruction ID: d2e5e98feccf04add43e3937c9268c3195f64ed4dee85bb4e7058eae70cdfc71
          • Opcode Fuzzy Hash: 31143bf70f31fe54bb0b7b911e31a5d3aba014327072bf311d4d32eaeb942acb
          • Instruction Fuzzy Hash: CE026B71E016199BDB14CFA9C8906DEFBF1FF48318F248269D919E7740E735A941CB90
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB46677
            • Part of subcall function 6CAE5C4C: __EH_prolog3.LIBCMT ref: 6CAE5C53
          • GetCurrentThread.KERNEL32 ref: 6CB466D6
          • GetCurrentThreadId.KERNEL32 ref: 6CB466DF
          • GetVersionExW.KERNEL32 ref: 6CB4677B
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CurrentThread$H_prolog3H_prolog3_Version
          • String ID:
          • API String ID: 786120064-0
          • Opcode ID: 9e716303b9ddf99343f85341993974c09420bea67a4d756b5dde4d8d6516e2c5
          • Instruction ID: 55d34cc6c154871743f8dd5f7e837ce43bfd8d47aeb3ac07b825d6aaed29acce
          • Opcode Fuzzy Hash: 9e716303b9ddf99343f85341993974c09420bea67a4d756b5dde4d8d6516e2c5
          • Instruction Fuzzy Hash: F041A3B0905B44CFD7218F2A858468AFBF4BF49704F90896ED5AEC7B10DB30A588DF41
          APIs
          • IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6CC18D99
          • IsDebuggerPresent.KERNEL32 ref: 6CC18E65
          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CC18E7E
          • UnhandledExceptionFilter.KERNEL32(?), ref: 6CC18E88
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
          • String ID:
          • API String ID: 254469556-0
          • Opcode ID: 14c5751b5f862ef70f83dbaabbb465e4091904f1ac9625a5927099ff94f7a5d8
          • Instruction ID: 30cefe4f0328030f80f177459ca618e06601e8f725c39c86bd78aaa1c3d9dfcd
          • Opcode Fuzzy Hash: 14c5751b5f862ef70f83dbaabbb465e4091904f1ac9625a5927099ff94f7a5d8
          • Instruction Fuzzy Hash: F331F975D052199BDF11DF65C949BCDBBB8AF08304F1041EAE40CAB640EB749A849F45
          APIs
          • SetForegroundWindow.USER32(?), ref: 6CAC4042
          • IsIconic.USER32(?), ref: 6CAC404B
            • Part of subcall function 6CABCC71: ShowWindow.USER32(?,6CBFEDF4,00000000,?,6CACA7D4,00000000,?,?,6CBFEDF4,?,00000000,?,?,6CACA374,00000000,000000FF), ref: 6CABCC82
          • PostMessageW.USER32(?,00000000,?,00000005), ref: 6CAC4073
          • IsIconic.USER32(?), ref: 6CAC407C
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: IconicWindow$ForegroundMessagePostShow
          • String ID:
          • API String ID: 675533722-0
          • Opcode ID: d1e8f34fa70a622fecfd1d37cfda781b2c45c2ed25f45ffe4dee10b5d3128ace
          • Instruction ID: deaf07b5492aac861aec830bdab8de76f0f7aed16111a5e4b5001a1f0a6f61a4
          • Opcode Fuzzy Hash: d1e8f34fa70a622fecfd1d37cfda781b2c45c2ed25f45ffe4dee10b5d3128ace
          • Instruction Fuzzy Hash: A801B532314511BBDF152B74DD18E7A3B75FF8A325B140229F909A6AE0DF319CA4DB90
          APIs
            • Part of subcall function 6CABC609: GetWindowLongW.USER32(?,000000F0), ref: 6CABC616
          • GetKeyState.USER32(00000010), ref: 6CAB836C
          • GetKeyState.USER32(00000011), ref: 6CAB8379
          • GetKeyState.USER32(00000012), ref: 6CAB8386
          • SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6CAB83A0
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: State$LongMessageSendWindow
          • String ID:
          • API String ID: 1063413437-0
          • Opcode ID: a27463b2e6ba724f6714f1ac6a271c4e05a04db7b27baf9647c9e6bf7146b54c
          • Instruction ID: ac570bfc6aba3352a746154ca132635f9f928b39ce4c5acab2502aff80c08de3
          • Opcode Fuzzy Hash: a27463b2e6ba724f6714f1ac6a271c4e05a04db7b27baf9647c9e6bf7146b54c
          • Instruction Fuzzy Hash: 42F0E9313652876FEA102738DC05FED36789F01B88F8419256542FA9C0CEB4C4C57260
          APIs
          • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6CC18EBC
          • GetCurrentThreadId.KERNEL32 ref: 6CC18ECB
          • GetCurrentProcessId.KERNEL32 ref: 6CC18ED4
          • QueryPerformanceCounter.KERNEL32(?), ref: 6CC18EE1
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 04add9f5a0f7160958c0b94718907f504d85ee84de99ee0ff099224ef1d72eb9
          • Instruction ID: faafe3dc5a3119040bb7491f004c6250f43dd094804043d0d88a264caf1c4aa0
          • Opcode Fuzzy Hash: 04add9f5a0f7160958c0b94718907f504d85ee84de99ee0ff099224ef1d72eb9
          • Instruction Fuzzy Hash: 8FF06274D1020DEBCF00DBB4C64999EBBF8FF1D204B918596A412F7500EB34AB949F50
          APIs
          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,6CC185CC,6CC89B40), ref: 6CC184B1
          • UnhandledExceptionFilter.KERNEL32(6CC185CC,?,6CC185CC,6CC89B40), ref: 6CC184BA
          • GetCurrentProcess.KERNEL32(C0000409,?,6CC185CC,6CC89B40), ref: 6CC184C5
          • TerminateProcess.KERNEL32(00000000,?,6CC185CC,6CC89B40), ref: 6CC184CC
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
          • String ID:
          • API String ID: 3231755760-0
          • Opcode ID: 1329404bb72242dab727cd56677a6970b8f8af88b873f6afd0fa945e86c8006c
          • Instruction ID: 88510581fdafc6d852ef99f13c052f60ae86cda25b2a74607d2c2b5e01863c4a
          • Opcode Fuzzy Hash: 1329404bb72242dab727cd56677a6970b8f8af88b873f6afd0fa945e86c8006c
          • Instruction Fuzzy Hash: 11D01232220208EBCF012BE0CC0DA083F38EB0A222F80C040FB0AA2452DB3144E0ABA1
          APIs
          • OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,6CABBE5C,00000010,6CCA5C00,00000010,6CAB5A99,00000000,?,6CB29E87,?), ref: 6CAB47AF
          • GetLastError.KERNEL32(?,?,?,6CABBE5C,00000010,6CCA5C00,00000010,6CAB5A99,00000000,?,6CB29E87,?), ref: 6CAB47E6
            • Part of subcall function 6CAB48CE: GetModuleFileNameW.KERNEL32(?,?,00000105,?,6CABBE5C,00000010,6CCA5C00,00000010,6CAB5A99,00000000,?,6CB29E87,?), ref: 6CAB497E
            • Part of subcall function 6CAB48CE: SetLastError.KERNEL32(0000006F,?,6CABBE5C,00000010,6CCA5C00,00000010,6CAB5A99,00000000,?,6CB29E87,?), ref: 6CAB4992
          Strings
          • IsolationAware function called after IsolationAwareCleanup, xrefs: 6CAB47AA
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ErrorLast$DebugFileModuleNameOutputString
          • String ID: IsolationAware function called after IsolationAwareCleanup
          • API String ID: 3265401609-2690750368
          • Opcode ID: 3f419039821a2adb369b356bc57de30caeb123677400d9199e813f035baab1fd
          • Instruction ID: 80ed90b920165e0ab5aa939374fe25b15c3b62b962b6b24373e4f13263c37186
          • Opcode Fuzzy Hash: 3f419039821a2adb369b356bc57de30caeb123677400d9199e813f035baab1fd
          • Instruction Fuzzy Hash: 17F0C231B25161474F145AE9C98456A7A7C6B07B4D3780126FD15F1E00EB30C8F0CB95
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CC3F31D
          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CC3F367
          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CC3F42D
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: InfoLocale$ErrorLast
          • String ID:
          • API String ID: 661929714-0
          • Opcode ID: d081eaba7c46c0d73bb49ac056ce0184679209a8445a4d58cb80528f2e9330a1
          • Instruction ID: 7fffa2abaf75831963681cb424f975f7cc879b69e1fd81ee76a38bf27b2147de
          • Opcode Fuzzy Hash: d081eaba7c46c0d73bb49ac056ce0184679209a8445a4d58cb80528f2e9330a1
          • Instruction Fuzzy Hash: 2861B0715112279FEB148F29DC81BAAB7B8FF04308F2055A9ED19C6E84FB34D985CB54
          APIs
          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CC22B6A
          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CC22B74
          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CC22B81
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$DebuggerPresent
          • String ID:
          • API String ID: 3906539128-0
          • Opcode ID: 2db03219b2c3354608c62ba117580f1d7417ca15fcb95a46617a6324ec5038a2
          • Instruction ID: f547a4e98a43f1ffac07f5a432a9df0cfe5f36dfde94dab22dcbb50a289a9e6d
          • Opcode Fuzzy Hash: 2db03219b2c3354608c62ba117580f1d7417ca15fcb95a46617a6324ec5038a2
          • Instruction Fuzzy Hash: 6631E37491122D9BCB21DF29DD88BCDBBB8BF08314F5041EAE81CA7650EB749B859F44
          APIs
          • IsIconic.USER32(?), ref: 6CAA9E2F
          • GetClientRect.USER32(00000000,?), ref: 6CAA9E4D
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ClientIconicRect
          • String ID:
          • API String ID: 1086547473-0
          • Opcode ID: 90462d769062d737845985bccdc21cc262f7b023ea9a9221ed2ed0b14382ea3f
          • Instruction ID: a5fae2ccd033c4b636be3199ad7fde5b7e45ccc712b2324e3e3f4001f9c82d16
          • Opcode Fuzzy Hash: 90462d769062d737845985bccdc21cc262f7b023ea9a9221ed2ed0b14382ea3f
          • Instruction Fuzzy Hash: 21314C716047019FD714CF78C988FABBBE9EF88348F044619F999D72A1DB30E985CA91
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: IconicVisibleWindow
          • String ID:
          • API String ID: 1797901696-0
          • Opcode ID: 2164db92cd430eee471d22a0d797d424163556e6e07c3eb909f0792d9ab5edea
          • Instruction ID: a37dab50a2fba91ab4cfe53578e32d46e9b67c0ecdb34c183766b1cd2f38db04
          • Opcode Fuzzy Hash: 2164db92cd430eee471d22a0d797d424163556e6e07c3eb909f0792d9ab5edea
          • Instruction Fuzzy Hash: 37F0E232310430679A0416399E00DADB6ADEB962347080326EA25E2AE0EFA4989563D2
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CC3F570
          Similarity
          • API ID: ErrorLast$InfoLocale
          • String ID:
          • API String ID: 3736152602-0
          • Opcode ID: 3811872a8ca04eed75071925e22cb9878e050a189da9e82226d52f55e467a026
          • Instruction ID: 3f06cf8a42129409c11b40df5a3f0e46f66ffa5b3df252dd265965be714b87ad
          • Opcode Fuzzy Hash: 3811872a8ca04eed75071925e22cb9878e050a189da9e82226d52f55e467a026
          • Instruction Fuzzy Hash: A621D732616216AFEB18DE29EC41EAA73BCEF05318F1015BAFD09C6A40FB34D9458760
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • EnumSystemLocalesW.KERNEL32(6CC3F2C9,00000001,00000000,?,-00000050,?,6CC3F8FD,00000000,?,?,?,00000055,?), ref: 6CC3F215
          Similarity
          • API ID: ErrorLast$EnumLocalesSystem
          • String ID:
          • API String ID: 2417226690-0
          • Opcode ID: f736a04b5eb4cbea3ada07cd902c796ceb3249bc5e7ee8926f9b4743df528a86
          • Instruction ID: a0295e4242b9cb87dc489616a2865f970bc8b7843a8c67a920bb0b4460aa800f
          • Opcode Fuzzy Hash: f736a04b5eb4cbea3ada07cd902c796ceb3249bc5e7ee8926f9b4743df528a86
          • Instruction Fuzzy Hash: E5112C3B2043119FDB189F76E8945AA77A1FF8035CB184D2DE58A87B00E7716443C740
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6CC3F4E5,00000000,00000000,?), ref: 6CC3F777
          Similarity
          • API ID: ErrorLast$InfoLocale
          • String ID:
          • API String ID: 3736152602-0
          • Opcode ID: aa2c7d883df1b5d1074985cce8e1243aa9e7a65f6827d771088b9ec3613a20e9
          • Instruction ID: 9cac72ab46f6db2a4d6b1c956997a3caa681b36ba9809d0d2dc232c593ff7a9b
          • Opcode Fuzzy Hash: aa2c7d883df1b5d1074985cce8e1243aa9e7a65f6827d771088b9ec3613a20e9
          • Instruction Fuzzy Hash: 0A01FE37710232AFDB185A659809BFB7764EB42358F11486CDC59E3680FA70FD41CAD0
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6CC3F105
          Strings
          Similarity
          • API ID: ErrorLast$InfoLocale
          • String ID: utf8
          • API String ID: 3736152602-905460609
          • Opcode ID: a19a705b28b460e4976ab363bca756b9f59c14385eefc85d0f8be986fd0504e5
          • Instruction ID: e294cdf654dfa39bc1445b0e223d55affe3f2101209fe86b40ffc9a5242e7e25
          • Opcode Fuzzy Hash: a19a705b28b460e4976ab363bca756b9f59c14385eefc85d0f8be986fd0504e5
          • Instruction Fuzzy Hash: 64F02832B11215ABCB149F38EC49EFA33BCDB45318F1110B9A506D7740FB34AD058790
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • EnumSystemLocalesW.KERNEL32(6CC3F51C,00000001,?,?,-00000050,?,6CC3F8C5,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6CC3F288
          Similarity
          • API ID: ErrorLast$EnumLocalesSystem
          • String ID:
          • API String ID: 2417226690-0
          • Opcode ID: d8e9e0760a12aafdb5f21136d09afff6479bd2c3d9accaec4b6610aea2348992
          • Instruction ID: 5219a4beafa799c0638ba1eab0ceaba77e32cdd546b6731f13b6e234c682430c
          • Opcode Fuzzy Hash: d8e9e0760a12aafdb5f21136d09afff6479bd2c3d9accaec4b6610aea2348992
          • Instruction Fuzzy Hash: 24F081363003149FDB044F35EC84AAA7BA1FF8031CF18496CF94D4BA40E7729842CB54
          APIs
            • Part of subcall function 6CC30A15: EnterCriticalSection.KERNEL32(-6CCC5F28,?,6CC27BCF,?,6CCB63C8,00000008,6CC27D7F,?,?,00000000,9380FC14,?,00000000), ref: 6CC30A24
          • EnumSystemLocalesW.KERNEL32(6CC35AB3,00000001,6CCB66B8,0000000C,6CC35F28,00000000), ref: 6CC35AF8
          Similarity
          • API ID: CriticalEnterEnumLocalesSectionSystem
          • String ID:
          • API String ID: 1272433827-0
          • Opcode ID: 9d910aa5d5e3fe80ce33f4ba27ecb3d5ee2063ddc70f1106a69112604e845b31
          • Instruction ID: c3d41ed8f70064034663eda98eec1ee15a3294005976128a9d4c2d42d1554065
          • Opcode Fuzzy Hash: 9d910aa5d5e3fe80ce33f4ba27ecb3d5ee2063ddc70f1106a69112604e845b31
          • Instruction Fuzzy Hash: 9FF06732A00229DFDB00DFA8E541BED77F0EB49329F00412BE414EBB90EB7989459F80
          APIs
            • Part of subcall function 6CC329B2: GetLastError.KERNEL32(00000000,?,6CC3B277), ref: 6CC329B6
            • Part of subcall function 6CC329B2: SetLastError.KERNEL32(00000000,?,?,00000028,6CC3130E), ref: 6CC32A58
          • EnumSystemLocalesW.KERNEL32(6CC3F0B1,00000001,?,?,?,6CC3F91F,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6CC3F18F
          Similarity
          • API ID: ErrorLast$EnumLocalesSystem
          • String ID:
          • API String ID: 2417226690-0
          • Opcode ID: 126ec4912758ce324c4fa6c80a9dce34d6b21400d148830f4af2a5c88cbbcc2b
          • Instruction ID: 83fb01b876d0dcdae419d19ef617aba721133547c40e0e1c691e9eac1f2d2b25
          • Opcode Fuzzy Hash: 126ec4912758ce324c4fa6c80a9dce34d6b21400d148830f4af2a5c88cbbcc2b
          • Instruction Fuzzy Hash: 69F0E5363002156BCB049F3AE85466A7FA4EFC1714B0A4498EE0DCBA41D635D882C7D0
          APIs
          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6CC33F58,?,20001004,00000000,00000002,?,?,6CC3354A), ref: 6CC36060
          Similarity
          • API ID: InfoLocale
          • String ID:
          • API String ID: 2299586839-0
          • Opcode ID: f263316da7c917efdc5f83c2d86a61e48f4cb209a9ab5620820c927ec999f4f8
          • Instruction ID: ece687977baf12674843e50310c46c7d0c1ff7afca7e36166d7409fecd6e8477
          • Opcode Fuzzy Hash: f263316da7c917efdc5f83c2d86a61e48f4cb209a9ab5620820c927ec999f4f8
          • Instruction Fuzzy Hash: 35E01A31501928BBCF222F61EC08AAE3A29FB45764F005010FD08A5A509B368971AB95
          APIs
          Similarity
          • API ID: Iconic
          • String ID:
          • API String ID: 110040809-0
          • Opcode ID: e77518dba4cff4b51115ea6b32c091ef6b1fcb607e3e7851883c2d2f720f6fa5
          • Instruction ID: 57c8c3188bb56d33d2675f44621618f2ee2181f7eaf5fc5708dd798b3e2f20ec
          • Opcode Fuzzy Hash: e77518dba4cff4b51115ea6b32c091ef6b1fcb607e3e7851883c2d2f720f6fa5
          • Instruction Fuzzy Hash: 55D01232114764CBC7156E26E4447C673FCAF55719F08452DD04A63960EBB098C1DB40
          APIs
          • OpenThemeData.UXTHEME(?,WINDOW,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB41F5
          • OpenThemeData.UXTHEME(?,TOOLBAR,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB4214
          • OpenThemeData.UXTHEME(?,BUTTON,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB4233
          • OpenThemeData.UXTHEME(?,STATUS,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB4252
          • OpenThemeData.UXTHEME(?,REBAR,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB4271
          • OpenThemeData.UXTHEME(?,COMBOBOX,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB4290
          • OpenThemeData.UXTHEME(?,PROGRESS,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB42AF
          • OpenThemeData.UXTHEME(?,HEADER,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB42CE
          • OpenThemeData.UXTHEME(?,SCROLLBAR,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB42ED
          • OpenThemeData.UXTHEME(?,EXPLORERBAR,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB430C
          • OpenThemeData.UXTHEME(?,TREEVIEW,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB432B
          • OpenThemeData.UXTHEME(?,STARTPANEL,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB434A
          • OpenThemeData.UXTHEME(?,TASKBAND,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB4369
          • OpenThemeData.UXTHEME(?,TASKBAR,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB4388
          • OpenThemeData.UXTHEME(?,SPIN,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB43A7
          • OpenThemeData.UXTHEME(?,TAB,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB43C6
          • OpenThemeData.UXTHEME(?,TOOLTIP,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB43E5
          • OpenThemeData.UXTHEME(?,TRACKBAR,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB4404
          • OpenThemeData.UXTHEME(00000000,MENU,?,?,6CAABD10,?,6CAABD2A,00000004,6CA92450,00000000), ref: 6CAB441F
          Strings
          Similarity
          • API ID: DataOpenTheme
          • String ID: BUTTON$COMBOBOX$EXPLORERBAR$HEADER$MENU$PROGRESS$REBAR$SCROLLBAR$SPIN$STARTPANEL$STATUS$TAB$TASKBAND$TASKBAR$TOOLBAR$TOOLTIP$TRACKBAR$TREEVIEW$WINDOW
          • API String ID: 1744092376-1233129369
          • Opcode ID: 48e299862218bba781876dd8edb7ac8f070b1f6d15be0d435c1e6f8a03231318
          • Instruction ID: 3da389b808a3cb52ab51578850fddac1ac089f8dd0b9e57d57aa85e4beb31d08
          • Opcode Fuzzy Hash: 48e299862218bba781876dd8edb7ac8f070b1f6d15be0d435c1e6f8a03231318
          • Instruction Fuzzy Hash: FB6140B46A5B519FCB005BB59E08C1DBABCBF0D3083488996AD45E7F00FB34D4A49B94
          APIs
            • Part of subcall function 6CAC135E: SendMessageW.USER32(?,00001132,00000000,?), ref: 6CAC13A8
            • Part of subcall function 6CAC1561: SendMessageW.USER32(?,0000113F,00000000,00000000), ref: 6CAC15A5
          • SendMessageW.USER32(?,00001102,00000002,00000000), ref: 6CA9447C
          • SendMessageW.USER32(75FF0000,00001102,00000002,00000000), ref: 6CA94644
          • SendMessageW.USER32(75FF0000,00001102,00000002,00000000), ref: 6CA94778
          Strings
          Similarity
          • API ID: MessageSend
          • String ID: CFakeAboutDlg$CFakeAboutDlg()$CFakeApp$CFakeApp()$CFakeAppDoc$CFakeAppDoc()$CFakeAppFrame$CFakeAppFrame()$CFakeAppView$CFakeAppView()$FakeApp $GetDocument()$Globals$InitInstance()$OnAppAbout()$OnNewDocument()$m_wndMenuBar$m_wndStatusBar$m_wndToolBar$theFakeApp$~CFakeAppDoc()$~CFakeAppFrame()$~CFakeAppView()
          • API String ID: 3850602802-4118746453
          • Opcode ID: 5f6da0f2efc188fa156399ed16406688f7480f5449a9392518b223ffc9557144
          • Instruction ID: 1085a109841cfd2dd6cbe878ecb4fc0ddf0f901e90c610121c98545b8e6069c4
          • Opcode Fuzzy Hash: 5f6da0f2efc188fa156399ed16406688f7480f5449a9392518b223ffc9557144
          • Instruction Fuzzy Hash: C8A15D307C53147AFA348610CD6BFEA66699B00F18F744064B3993EBD5D6D23F89864E
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CACFB4B
          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,6CC5BE48,00000000,6CC5BE44,00000000,6CC588E0,00000000,?,?,00000A88,6CAD0E2B,?,00000000,00000038), ref: 6CACFBEA
          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6CC588E0,00000000,?,?,00000A88,6CAD0E2B,?,00000000,00000038), ref: 6CACFC9D
          Strings
          Similarity
          • API ID: File$CreateH_prolog3_ModuleName
          • String ID:
          • API String ID: 3408945735-3916222277
          • Opcode ID: 3ab49d0855d0b7eac3fe61e44841e487ab2400baf95b135632ae7e447690ad6c
          • Instruction ID: 01f993ec98397ba84426630de2878fe2a11eb5b9378e6fc2a67f9ea93ec24f2e
          • Opcode Fuzzy Hash: 3ab49d0855d0b7eac3fe61e44841e487ab2400baf95b135632ae7e447690ad6c
          • Instruction Fuzzy Hash: C5C16E72B00218AFDF209F60CD44FEA77B8EF4A314F144599F909A6950DB309AD5DF62
          APIs
          • RegisterClipboardFormatW.USER32(Native), ref: 6CB4EBB0
          • RegisterClipboardFormatW.USER32(OwnerLink), ref: 6CB4EBBD
          • RegisterClipboardFormatW.USER32(ObjectLink), ref: 6CB4EBCB
          • RegisterClipboardFormatW.USER32(Embedded Object), ref: 6CB4EBD9
          • RegisterClipboardFormatW.USER32(Embed Source), ref: 6CB4EBE7
          • RegisterClipboardFormatW.USER32(Link Source), ref: 6CB4EBF5
          • RegisterClipboardFormatW.USER32(Object Descriptor), ref: 6CB4EC03
          • RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 6CB4EC11
          • RegisterClipboardFormatW.USER32(FileName), ref: 6CB4EC1F
          • RegisterClipboardFormatW.USER32(FileNameW), ref: 6CB4EC2D
          • RegisterClipboardFormatW.USER32(Rich Text Format), ref: 6CB4EC3B
          • RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 6CB4EC49
          Strings
          Similarity
          • API ID: ClipboardFormatRegister
          • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
          • API String ID: 1228543026-2889995556
          • Opcode ID: 03e231e28f0edba77cdeb92238700495c60653c214b881c429ea088998f62356
          • Instruction ID: 2b41f2aa3e9950e6be203640a3f402a72672a122d65b515348ec339abda7310c
          • Opcode Fuzzy Hash: 03e231e28f0edba77cdeb92238700495c60653c214b881c429ea088998f62356
          • Instruction Fuzzy Hash: BA11E5759107509FCF219FB29A8C496BBF0EA0A712380CE1AE296B7E05E734D095DF44
          APIs
            • Part of subcall function 6CAC135E: SendMessageW.USER32(?,00001132,00000000,?), ref: 6CAC13A8
            • Part of subcall function 6CAC1561: SendMessageW.USER32(?,0000113F,00000000,00000000), ref: 6CAC15A5
          • SendMessageW.USER32(?,00001102,00000002,?), ref: 6CAA3764
          • SendMessageW.USER32(?,00001102,00000002,00000000), ref: 6CAA3777
          • SendMessageW.USER32(?,00001102,00000002,00000000), ref: 6CAA3787
          Strings
          Similarity
          • API ID: MessageSend
          • String ID: FakeApp $FakeApp $FakeApp $FakeApp $FakeApp.cpp$FakeApp.h$FakeApp.ico$FakeApp.rc$FakeApp.rc2$FakeAppDoc.cpp$FakeAppDoc.h$FakeAppDoc.ico$FakeAppView.cpp$FakeAppView.h$FakeToolbar.bmp$MainFrm.cpp$MainFrm.h$Resource.h$pch.cpp$pch.h
          • API String ID: 3850602802-2747208130
          • Opcode ID: e1ca6c178617d37f961ba1b7d2b5ba4f1e40842f493f6bae0e5c2422efb708e5
          • Instruction ID: ae6243d3657c2e59f9e6ff4f0a8acfb79149f3487bffe78f35d6515443e44c78
          • Opcode Fuzzy Hash: e1ca6c178617d37f961ba1b7d2b5ba4f1e40842f493f6bae0e5c2422efb708e5
          • Instruction Fuzzy Hash: EE8183307C431476FA7192108D5FFEA6A269B44F08FB88164B3183EBD6DBD27E468249
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB452BF
          • LoadRegTypeLib.OLEAUT32(?,?,?,000000FF,?), ref: 6CB452EC
          • StringFromGUID2.OLE32(?,00000001,00000027,00000694,6CAA8763,6CC92F78,00000001,00000000,00000000,00000003,00000000,00000000,00000000,?,?,00000001), ref: 6CB45303
          • swprintf.LIBCMT ref: 6CB4534C
          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6CB45399
          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00030019,?,?,?,?,00000001,?,00000001), ref: 6CB453CD
          • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,HELPDIR,000000FF,?,?,?,00000001,?,00000001), ref: 6CB45403
          • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,FLAGS,000000FF,?,?,?,00000001,?,00000001), ref: 6CB45427
          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00030019,?,?,?,?,00000001,?,00000001), ref: 6CB45457
          • RegOpenKeyExW.ADVAPI32(?,win64,00000000,00020000,?,?,?,?,00000001,?,00000001), ref: 6CB45479
          • RegCloseKey.ADVAPI32 ref: 6CB454B9
          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6CB4548D
            • Part of subcall function 6CB45B01: __EH_prolog3.LIBCMT ref: 6CB45B08
          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6CB454D3
          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6CB454E7
          • RegEnumKeyW.ADVAPI32(?,00000001,?,00000104), ref: 6CB45518
          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6CB45532
          • LoadRegTypeLib.OLEAUT32(?,?,?,000000FF,?), ref: 6CB4558E
          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6CB455AC
          Strings
          Similarity
          • API ID: Close$EnumOpenString$CompareLoadType$FromH_prolog3H_prolog3_swprintf
          • String ID: FLAGS$HELPDIR$TYPELIB\%Ts$win32$win64
          • API String ID: 3736468143-1045325687
          • Opcode ID: f4855ac3c0f1e4e429d65ece4e38b79a0263f1f415c21b3edb2d1d4c70bfbb2b
          • Instruction ID: 0107cb37fcd8ab172538a342cc7a4c5f7b2eda2946f918f24334969bdd1e259c
          • Opcode Fuzzy Hash: f4855ac3c0f1e4e429d65ece4e38b79a0263f1f415c21b3edb2d1d4c70bfbb2b
          • Instruction Fuzzy Hash: 2C917F71908528AFDF108F60CC44FAE777AEB85714F408295F519A2554DB328EE9EF24
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CABD856
          • CreateCompatibleDC.GDI32(00000000), ref: 6CABD8AB
          • CreateCompatibleDC.GDI32(00000000), ref: 6CABD8C3
          • CreateCompatibleDC.GDI32(00000000), ref: 6CABD8DB
          • GetObjectW.GDI32(00000004,00000018,?), ref: 6CABD8FB
          • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6CABD921
          • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6CC5971C), ref: 6CABD944
          • CreatePatternBrush.GDI32(?), ref: 6CABD956
          • DeleteObject.GDI32(?), ref: 6CABD985
          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6CABD996
          • GetPixel.GDI32(?,00000000,00000000), ref: 6CABD9DE
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CABDA04
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6CABDA2C
          • FillRect.USER32(?,?,?), ref: 6CABDA8E
            • Part of subcall function 6CABEB24: __EH_prolog3.LIBCMT ref: 6CABEB2B
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6CABDABC
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6CABDAD7
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6CABDAEE
          • DeleteDC.GDI32(00000000), ref: 6CABDB5B
          • DeleteDC.GDI32(00000000), ref: 6CABDB77
          • DeleteDC.GDI32(00000000), ref: 6CABDB96
          Similarity
          • API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
          • String ID:
          • API String ID: 308707564-0
          • Opcode ID: fd0c481cfa54dfa4aa912f0f6a4edb182f50b2a098aae82e01f2f72fb6ab8133
          • Instruction ID: d516563cf1a3e5be49fa1fd526ac1797b6fb70ef89f3daa02922666d55d04021
          • Opcode Fuzzy Hash: fd0c481cfa54dfa4aa912f0f6a4edb182f50b2a098aae82e01f2f72fb6ab8133
          • Instruction Fuzzy Hash: B2B1BEB1D01208AEDF119FA0CD84AEEBFB9FF08348F648059F505B6660DB314DA9DB60
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CACF52F
          • CreateCompatibleDC.GDI32(00000000), ref: 6CACF577
          • GetObjectW.GDI32(?,00000018,?), ref: 6CACF598
          • SelectObject.GDI32(?,?), ref: 6CACF5D3
          • CreateCompatibleDC.GDI32(?), ref: 6CACF600
          • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CACF668
          • SelectObject.GDI32(?,00000000), ref: 6CACF67F
          • SelectObject.GDI32(?,00000000), ref: 6CACF691
          • SelectObject.GDI32(?,00000000), ref: 6CACF6A8
          • DeleteObject.GDI32(?), ref: 6CACF6B4
          Strings
          Similarity
          • API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
          • String ID: $(
          • API String ID: 1429849173-55695022
          • Opcode ID: 9e1761fc90af76be4e7ab69e2243159c50f6c2bd2ac32f07ebca1fbe02ec171f
          • Instruction ID: 32713e7c83382b6a6836f20ad2653c4b0597505b628f86c4c35781bd66b2a6ba
          • Opcode Fuzzy Hash: 9e1761fc90af76be4e7ab69e2243159c50f6c2bd2ac32f07ebca1fbe02ec171f
          • Instruction Fuzzy Hash: 8AB12930E10269DFEF25CF65CD84B9EBBB5AF49304F0481EAE549AA651DB304AC4DF21
          APIs
            • Part of subcall function 6CABC609: GetWindowLongW.USER32(?,000000F0), ref: 6CABC616
          • GetParent.USER32(?), ref: 6CAB67BF
          • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6CAB67E1
          • GetWindowRect.USER32(?,?), ref: 6CAB6805
          • GetWindowLongW.USER32(00000000,000000F0), ref: 6CAB6825
          • MonitorFromWindow.USER32(00000000,00000001), ref: 6CAB685E
          • GetMonitorInfoW.USER32(00000000), ref: 6CAB6865
          • CopyRect.USER32(?,?), ref: 6CAB6873
          • GetWindowRect.USER32(00000000,?), ref: 6CAB6880
          • MonitorFromWindow.USER32(00000000,00000002), ref: 6CAB688D
          • GetMonitorInfoW.USER32(00000000), ref: 6CAB6894
          • CopyRect.USER32(?,?), ref: 6CAB68A2
          • GetParent.USER32(?), ref: 6CAB68AC
          • GetClientRect.USER32(00000000,?), ref: 6CAB68B9
          • GetClientRect.USER32(00000000,?), ref: 6CAB68C4
          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6CAB68D2
          Strings
          Similarity
          • API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
          • String ID: (
          • API String ID: 3610148278-3887548279
          • Opcode ID: 4718dfeb5ddb47b42f5a2926dc9d2296a0a85b5744964b069b81a89b2503fcb1
          • Instruction ID: c14ed8342f86ca9724cae3a6a39238bd9e8525dd3ebb2929aed13fd219a06e16
          • Opcode Fuzzy Hash: 4718dfeb5ddb47b42f5a2926dc9d2296a0a85b5744964b069b81a89b2503fcb1
          • Instruction Fuzzy Hash: 6B615D72A00619AFDF01CFA8CD88AEE7BB9FF49314F654214E515F7280DB30A995CB60
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAC24A5
          • CreateRectRgnIndirect.GDI32(?), ref: 6CAC24DD
          • CopyRect.USER32(?,?), ref: 6CAC24F1
          • InflateRect.USER32(?,?,?), ref: 6CAC2507
          • IntersectRect.USER32(?,?,?), ref: 6CAC2513
          • CreateRectRgnIndirect.GDI32(?), ref: 6CAC251D
          • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CAC2532
          • CombineRgn.GDI32(?,?,?,00000003), ref: 6CAC254C
          • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CAC2593
          • SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6CAC25B0
          • CopyRect.USER32(?,?), ref: 6CAC25BB
          • InflateRect.USER32(?,?,?), ref: 6CAC25D1
          • IntersectRect.USER32(?,?,?), ref: 6CAC25DD
          • SetRectRgn.GDI32(?,?,?,?,?), ref: 6CAC25F2
          • CombineRgn.GDI32(?,?,?,00000003), ref: 6CAC2603
          • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CAC2617
          • CombineRgn.GDI32(?,?,?,00000003), ref: 6CAC2631
            • Part of subcall function 6CAC27FA: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6CAC2841
            • Part of subcall function 6CAC27FA: CreatePatternBrush.GDI32(00000000), ref: 6CAC284E
            • Part of subcall function 6CAC27FA: DeleteObject.GDI32(00000000), ref: 6CAC285A
          • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6CAC268F
            • Part of subcall function 6CABE6E0: SelectObject.GDI32(?,00000000), ref: 6CABE700
            • Part of subcall function 6CABE6E0: SelectObject.GDI32(?,00000000), ref: 6CABE716
            • Part of subcall function 6CABE5F5: SelectClipRgn.GDI32(?,00000000), ref: 6CABE615
            • Part of subcall function 6CABE5F5: SelectClipRgn.GDI32(?,00000000), ref: 6CABE62B
          • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6CAC26F2
          Similarity
          • API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
          • String ID:
          • API String ID: 770706554-0
          • Opcode ID: 5ae0de14754e0de8bff38af2b12afac82ea3d16e3103ea9344a5f64ea65d3b32
          • Instruction ID: c78a06332416a69f8f22084d55fb0c414766d0d242e77fb54ebaeddddf607b95
          • Opcode Fuzzy Hash: 5ae0de14754e0de8bff38af2b12afac82ea3d16e3103ea9344a5f64ea65d3b32
          • Instruction Fuzzy Hash: 9C91E1B2A10219AFCF05DFA4CD98DEEBBB9FF48300B144519F906B3650DB34A995DB60
          APIs
          • CloseThemeData.UXTHEME(?), ref: 6CAAC123
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC132
          • CloseThemeData.UXTHEME(?), ref: 6CAAC141
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC150
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC15F
          • CloseThemeData.UXTHEME(?), ref: 6CAAC16E
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC17D
          • CloseThemeData.UXTHEME(?), ref: 6CAAC18C
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC19B
          • CloseThemeData.UXTHEME(?), ref: 6CAAC1AA
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC1B9
          • CloseThemeData.UXTHEME(?), ref: 6CAAC1C8
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC1D7
          • CloseThemeData.UXTHEME(?), ref: 6CAAC1E6
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC1F5
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC204
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC213
          • CloseThemeData.UXTHEME(?), ref: 6CAAC222
          • CloseThemeData.UXTHEME(00000000), ref: 6CAAC231
          Similarity
          • API ID: CloseDataTheme
          • String ID:
          • API String ID: 2797872399-0
          • Opcode ID: f872c43778f0139f2c37a5cfdb073594de60d88df57f26301791ef9e4dea540b
          • Instruction ID: 5d80f1f81ba6ccc88ac8e127e5352231c2c52a6b8aaf605e81f31a12cbabc0e4
          • Opcode Fuzzy Hash: f872c43778f0139f2c37a5cfdb073594de60d88df57f26301791ef9e4dea540b
          • Instruction Fuzzy Hash: 34318D70112601DFEB226F55C908756BAF2BF0530AF949928F0A761CB0C776A8E5EF50
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CABA4F5
            • Part of subcall function 6CB932A0: __EH_prolog3.LIBCMT ref: 6CB932A7
          • CallNextHookEx.USER32(?,?,?,?), ref: 6CABA52D
          • SetWindowLongW.USER32(?,000000FC,6CAB5D08), ref: 6CABA5D1
          • CallNextHookEx.USER32(?,00000003,?,?), ref: 6CABA6E1
          • UnhookWindowsHookEx.USER32(?), ref: 6CABA6F5
          Strings
          Similarity
          • API ID: Hook$CallNext$H_prolog3H_prolog3_LongUnhookWindowWindows
          • String ID: #32768$AfxOldWndProc423
          • API String ID: 1591070667-2141921550
          • Opcode ID: 3225f5cf7b327ba01a81cd52b9b85855e891267100cd5b6ebe225171d61e3220
          • Instruction ID: 228ae65e0630e17a8c4070cd5386ddcd93ec7b4c21e503c241ef07fedc49d4b3
          • Opcode Fuzzy Hash: 3225f5cf7b327ba01a81cd52b9b85855e891267100cd5b6ebe225171d61e3220
          • Instruction Fuzzy Hash: F8510371A50125AFCF119F54CC98FEA3B79AF05764F144289F805B7A80EB309EE4DBA4
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CACD7EE
          • GetObjectW.GDI32(00000000,00000018,?), ref: 6CACD82C
          • CreateCompatibleDC.GDI32(00000000), ref: 6CACD86B
          • SelectObject.GDI32(?,00000000), ref: 6CACD88E
          • GetObjectW.GDI32(?,00000054,?), ref: 6CACD8DB
          • CreateDIBSection.GDI32(?,?), ref: 6CACD93D
          • CreateCompatibleDC.GDI32(?), ref: 6CACD977
          • SelectObject.GDI32(?,00000000), ref: 6CACD990
          Strings
          Similarity
          • API ID: Object$Create$CompatibleSelect$H_prolog3_Section
          • String ID: (
          • API String ID: 1338481308-3887548279
          • Opcode ID: a40ceaa241a98d4dc7f32d8d92e9cfff206d3c899a1b55f19d68d24006c2be9b
          • Instruction ID: e058331065ac042fdb5c5de6875cbc69ba66ce1a7cac9327d0665c066a49f3e1
          • Opcode Fuzzy Hash: a40ceaa241a98d4dc7f32d8d92e9cfff206d3c899a1b55f19d68d24006c2be9b
          • Instruction Fuzzy Hash: 56A12774A00618DFDB61CF64CD84B9ABBB5BF09304F1081A9E85DE7651DB30AAC9CF21
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f232fdeb4e8f584c2b85609a85feffdbe942f1067dc88f816858b52388cb51bd
          • Instruction ID: 2a37f4d6f59c2e5cf8e330f4341f10ff4e9c69f6d0fb4f67324e61b381c651f3
          • Opcode Fuzzy Hash: f232fdeb4e8f584c2b85609a85feffdbe942f1067dc88f816858b52388cb51bd
          • Instruction Fuzzy Hash: ADB19271B41605AFEB00DBA4CC49FAE77B8FF05714F148168BA05BB6D1DBB0A989CB50
          APIs
          • __EH_prolog3.LIBCMT ref: 6CABDBAB
          • GetSysColor.USER32(00000014), ref: 6CABDBE2
            • Part of subcall function 6CABD46D: __EH_prolog3.LIBCMT ref: 6CABD474
            • Part of subcall function 6CABD46D: CreateSolidBrush.GDI32(?), ref: 6CABD48F
          • GetSysColor.USER32(00000010), ref: 6CABDBF7
          • CreateCompatibleDC.GDI32(00000000), ref: 6CABDC0B
          • CreateCompatibleDC.GDI32(00000000), ref: 6CABDC23
          • GetObjectW.GDI32(00000004,00000018,?), ref: 6CABDC46
          • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6CABDC67
          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6CABDC88
            • Part of subcall function 6CABE681: SelectObject.GDI32(00000048,?), ref: 6CABE68A
          • GetPixel.GDI32(?,00000000,00000000), ref: 6CABDCD0
            • Part of subcall function 6CABE79A: SetBkColor.GDI32(?,?), ref: 6CABE7AF
            • Part of subcall function 6CABE79A: SetBkColor.GDI32(?,?), ref: 6CABE7C1
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CABDCF9
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6CABDD23
          • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6CABDD8E
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6CABDDB7
          • DeleteDC.GDI32(00000000), ref: 6CABDE2C
          • DeleteDC.GDI32(00000000), ref: 6CABDE4B
          Similarity
          • API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
          • String ID:
          • API String ID: 2254850417-0
          • Opcode ID: 18c36052899a724fd239035c0b500663e694460e1d0ed007744be8617b68673b
          • Instruction ID: 7dfe0688600cf2b6c4476b9ad6bf8135d59d913d5f1abad53a455c83209c32f9
          • Opcode Fuzzy Hash: 18c36052899a724fd239035c0b500663e694460e1d0ed007744be8617b68673b
          • Instruction Fuzzy Hash: C281F271D01208BFDF019FE0CE85AEEBF79AF08304F544059F905B66A4DB315AA9EB60
          APIs
          • __EH_prolog3.LIBCMT ref: 6CBFE5B6
            • Part of subcall function 6CBCD5EB: __EH_prolog3.LIBCMT ref: 6CBCD5F2
          Strings
          Similarity
          • API ID: H_prolog3
          • String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
          • API String ID: 431132790-2110171958
          • Opcode ID: 5815cc56e0bc05ef5b31071262d5f35b4169c1d1cfb02206c5461d8e0caf1673
          • Instruction ID: 7ad323e55c9a5cf7547fbaad04400738a58c1f5815df407dbffe5872a7639b47
          • Opcode Fuzzy Hash: 5815cc56e0bc05ef5b31071262d5f35b4169c1d1cfb02206c5461d8e0caf1673
          • Instruction Fuzzy Hash: D8616422A493C99DEF04E6B49A047FD67949F0561CF60045ED430EBFC1EF358A8DC2A6
          APIs
          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CAA6C30
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CAA6C85
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CAA6C8A
          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CAA6D07
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Concurrency::cancel_current_taskIos_base_dtorstd::ios_base::_
          • String ID: IP: $IP=$Port: $Port=$re41$vi65$vwer
          • API String ID: 4106036149-4278047753
          • Opcode ID: e04ddff44172922c4a2c27595fb7ee6afe92d3f17bb52abb179d80b9003149ea
          • Instruction ID: b7e786af703f5e21dfe1335dd07d01f0caca8241195ad4681edcb1bd1cffff32
          • Opcode Fuzzy Hash: e04ddff44172922c4a2c27595fb7ee6afe92d3f17bb52abb179d80b9003149ea
          • Instruction Fuzzy Hash: 8F12B271E002488BDB14CFA8C995BDDB7B5FF45308F1482A9E409AB791EB31AA85CF50
          APIs
          • SetRectEmpty.USER32(?), ref: 6CAA97AB
            • Part of subcall function 6CB56E53: __EH_prolog3.LIBCMT ref: 6CB56E5A
          • SendMessageW.USER32(?,00000030,00000001), ref: 6CAA985C
          • SendMessageW.USER32(?,00000030,00000001), ref: 6CAA986E
          • SendMessageW.USER32(?,00000030,00000001), ref: 6CAA9880
          • SendMessageW.USER32(?,00000180,00000000,6CC95020), ref: 6CAA992B
          • SendMessageW.USER32(?,00000180,00000000,6CC95038), ref: 6CAA993F
          • SendMessageW.USER32(?,00000180,00000000,6CC95054), ref: 6CAA9953
          • SendMessageW.USER32(?,00000180,00000000,6CC9507C), ref: 6CAA9967
          • SendMessageW.USER32(?,00000180,00000000,6CC95038), ref: 6CAA997B
          • SendMessageW.USER32(?,00000180,00000000,6CC95054), ref: 6CAA998F
          • SendMessageW.USER32(?,00000180,00000000,6CC95094), ref: 6CAA99A3
          • SendMessageW.USER32(?,00000180,00000000,6CC95038), ref: 6CAA99B7
          • SendMessageW.USER32(?,00000180,00000000,6CC95054), ref: 6CAA99CB
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageSend$EmptyH_prolog3Rect
          • String ID:
          • API String ID: 3306255916-0
          • Opcode ID: 3bd10bcc9c12281ac600de7c3dbf3890823664e2cad1a80127869d560bde3bda
          • Instruction ID: 8a634ebea8448dafb6c7d6fd10bb2bcda207e78df9d7a8d08bf09b86bfe8e087
          • Opcode Fuzzy Hash: 3bd10bcc9c12281ac600de7c3dbf3890823664e2cad1a80127869d560bde3bda
          • Instruction Fuzzy Hash: 7371C231380209BFEB159FA4CC85FE9B765FF08714F108315F6296A5D0DBB2A969CB84
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB6D89E
          • IsRectEmpty.USER32(?), ref: 6CB6D8C4
          • CreateCompatibleDC.GDI32(?), ref: 6CB6D99D
          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB6D9E5
          • SelectObject.GDI32(?,00000000), ref: 6CB6DA44
          • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6CB6DA7E
          • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6CB6DC56
          • CreateCompatibleBitmap.GDI32(?,00000075,?), ref: 6CB6DC75
            • Part of subcall function 6CB6DD88: DrawStateW.USER32(00000001,?,00000000,00000001,00000000,?,?,?,?,?), ref: 6CB6DDC6
          • BitBlt.GDI32(?,00000000,00000000,00000074,?,?,?,?,00CC0020), ref: 6CB6DCC4
          • CreateCompatibleBitmap.GDI32(?,?,00000075), ref: 6CB6DCE3
          • BitBlt.GDI32(?,00000000,00000000,?,00000074,?,?,?,00CC0020), ref: 6CB6DD35
          • DeleteObject.GDI32(?), ref: 6CB6DD4C
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CompatibleCreate$Bitmap$Object$DeleteDrawEmptyH_prolog3RectSelectState
          • String ID:
          • API String ID: 1489821248-0
          • Opcode ID: 7fb1d69c1f1164b795f3f2c0e847a26d9d0b5b8b775758568e993cee5d3e8a99
          • Instruction ID: a791a03335b9128e2626971ddde661deac6822e32a469d87b8d20a3d2a99d678
          • Opcode Fuzzy Hash: 7fb1d69c1f1164b795f3f2c0e847a26d9d0b5b8b775758568e993cee5d3e8a99
          • Instruction Fuzzy Hash: 7002E271E00259EFCF05DFA9D984AEEBBB6FF48304F248119F819A7650D731A951CB90
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAB3CF5
          • IsWindowVisible.USER32(?), ref: 6CAB3D4E
          • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 6CAB3D80
          • CreateRectRgn.GDI32(00000000,00000000,00000005,00000005), ref: 6CAB3D9F
          • CombineRgn.GDI32(?,?,?,00000003), ref: 6CAB3DB9
          • CreateEllipticRgn.GDI32(00000000,00000000,0000000B,0000000B), ref: 6CAB3DCD
          • CombineRgn.GDI32(?,?,?,00000002), ref: 6CAB3DE7
          • CreateRectRgn.GDI32(?,00000000,?,00000005), ref: 6CAB3E00
          • CombineRgn.GDI32(?,?,?,00000003), ref: 6CAB3E1A
          • CreateEllipticRgn.GDI32(?,00000000,?,0000000B), ref: 6CAB3E36
          • CombineRgn.GDI32(?,?,?,00000002), ref: 6CAB3E50
          • SetWindowRgn.USER32(?,00000000,00000001), ref: 6CAB3E64
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Create$Combine$Rect$EllipticWindow$H_prolog3Visible
          • String ID:
          • API String ID: 1706452674-0
          • Opcode ID: c318200d47b8b2d9821e7003db75db3a3a48511844ed5d16e3e0dc124274d858
          • Instruction ID: 662379642e79e66717ef1ed85c31fc6c2f398714f844471296afb80787d32ea0
          • Opcode Fuzzy Hash: c318200d47b8b2d9821e7003db75db3a3a48511844ed5d16e3e0dc124274d858
          • Instruction Fuzzy Hash: 88415B71A0110AABDF029FA0CD49EEFBB79BF44304F544419F212B6590EF319A99DBA0
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB6BB10
          • GetObjectW.GDI32(00000008,00000018,00000000), ref: 6CB6BB27
            • Part of subcall function 6CB6BA66: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6CB6BADD
          • CreateCompatibleDC.GDI32(00000000), ref: 6CB6BBA7
          • SelectObject.GDI32(?,00000008), ref: 6CB6BBBA
          • CreateCompatibleDC.GDI32(00000000), ref: 6CB6BBD8
          • SelectObject.GDI32(00000000,?), ref: 6CB6BBED
          • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00CC0020), ref: 6CB6BC0C
          • SelectObject.GDI32(00000000,00000000), ref: 6CB6BC1A
          • SelectObject.GDI32(?,00000000), ref: 6CB6BC24
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Object$Select$Create$Compatible$H_prolog3Section
          • String ID:
          • API String ID: 2431383920-3916222277
          • Opcode ID: 09a6a4f4350ba92b64d45e60aef28c60dab7a3ebcc00e7f79335cddc81153e43
          • Instruction ID: 51778834041d35e6e7997409815a7f7fe60719a19c21634fa233a8cd3c32a5bc
          • Opcode Fuzzy Hash: 09a6a4f4350ba92b64d45e60aef28c60dab7a3ebcc00e7f79335cddc81153e43
          • Instruction Fuzzy Hash: BB41A072D00119AFDB01DFE5CD44AEEBB79EF45308F108129F511B6A64DF318A49EBA1
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAB6E5A
          • SendMessageW.USER32(?,00000000,00000000,00000080), ref: 6CAB6EA1
          • SendMessageW.USER32(?,00000000,00000000,?), ref: 6CAB6ECD
          • ValidateRect.USER32(?,00000000), ref: 6CAB6EE0
            • Part of subcall function 6CB93A48: GetClientRect.USER32(?,?), ref: 6CB93AAC
          • GetClientRect.USER32(?,?), ref: 6CAB6F51
          • BeginPaint.USER32(?,?), ref: 6CAB6F5E
          • SendMessageW.USER32(?,00000000,00000000,?), ref: 6CAB6F94
          • SendMessageW.USER32(?,00000000,00000000), ref: 6CAB6FB6
          • EndPaint.USER32(?,?), ref: 6CAB6FCE
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
          • String ID: W
          • API String ID: 3883544035-655174618
          • Opcode ID: 11c9264e921dabd973ee437ea0d74977c1e74f224a1c916993185c403f6f79e6
          • Instruction ID: 80e88d4fc759c2cd6f2f12e6e4c526c2796950164aad000b1ae0b832d5f5f070
          • Opcode Fuzzy Hash: 11c9264e921dabd973ee437ea0d74977c1e74f224a1c916993185c403f6f79e6
          • Instruction Fuzzy Hash: DA415F71A10605EFDF159F74C884EAEBABAFF49308F14812DE056F3A20DB319994DB50
          APIs
          • CoInitialize.OLE32(00000000), ref: 6CB93BB7
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Initialize
          • String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
          • API String ID: 2538663250-1403614551
          • Opcode ID: 91ca205d522d00f6aa48151d784fe7c8db1483f18b231fe98d7e6fe9f6583538
          • Instruction ID: 385006f64a140072ffba4ccc8a60d31c53a103940df33a4d4e09ed6d3a7cbca3
          • Opcode Fuzzy Hash: 91ca205d522d00f6aa48151d784fe7c8db1483f18b231fe98d7e6fe9f6583538
          • Instruction Fuzzy Hash: 6621C175250B45AFDB309F75CC98F17BAB9EB42359F018A39E85AD3D40EB30D4949B20
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9CC37
          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CA9CD76
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9CE0B
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9CE25
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9CE2A
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9CE2F
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Concurrency::cancel_current_taskstd::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
          • String ID: bad locale name$false$true
          • API String ID: 2199893758-1062449267
          • Opcode ID: 4defd0d69bed4d086dd2dbd35674db3eacd5f58ab4d5ef52250d5665548db3d6
          • Instruction ID: f2527a3aebf556fbff26119cfd676a0cbce867f73fea83b2b51eb911cad48053
          • Opcode Fuzzy Hash: 4defd0d69bed4d086dd2dbd35674db3eacd5f58ab4d5ef52250d5665548db3d6
          • Instruction Fuzzy Hash: B171DBB0D017489FEB10DFA5C9557CEBBF4AF01308F244528D819ABB80FB799A48CB91
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAACD98
          • GetCurrentThemeName.UXTHEME(?,000000FF,?,000000FF,00000000,00000000), ref: 6CAACDEE
          • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EEF,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6CAACEB8
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Theme$ColorCurrentH_prolog3_Name
          • String ID: Aero$Luna$homestead$metallic$normalcolor$royale
          • API String ID: 2781885202-2881773410
          • Opcode ID: 52e7f7b93078ab5d540f5e04ba942e82eca4ec9dca7d0e5df849d3adea841b46
          • Instruction ID: 673594dfe535015ef7550793ab92d24aed2f68a351b69132546f10caab51daf0
          • Opcode Fuzzy Hash: 52e7f7b93078ab5d540f5e04ba942e82eca4ec9dca7d0e5df849d3adea841b46
          • Instruction Fuzzy Hash: 9351DB7194512CA6EB24DB61CC44FDFB779AF0431CF1405EAA409A3980EF325BE5CAA4
          APIs
          • __EH_prolog3_catch_GS.LIBCMT ref: 6CABA393
          • GetPropW.USER32(?,AfxOldWndProc423), ref: 6CABA3AA
          • CallWindowProcW.USER32(?,?,00000110,?,?), ref: 6CABA40A
            • Part of subcall function 6CABA8C0: GetWindowRect.USER32(?,00000000), ref: 6CABA8F9
            • Part of subcall function 6CABA8C0: GetWindow.USER32(?,00000004), ref: 6CABA916
          • SetWindowLongW.USER32(?,000000FC,?), ref: 6CABA42D
          • RemovePropW.USER32(?,AfxOldWndProc423), ref: 6CABA439
          • GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6CABA444
          • GlobalDeleteAtom.KERNEL32(?), ref: 6CABA44E
            • Part of subcall function 6CABA963: GetWindowRect.USER32(?,?), ref: 6CABA970
          • CallWindowProcW.USER32(?,?,?,?,?), ref: 6CABA496
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
          • String ID: AfxOldWndProc423
          • API String ID: 3351853316-1060338832
          • Opcode ID: 59dd596e6672f3804ed722498d4bd5355e20d67fce9bf653ee06116c9671496e
          • Instruction ID: bdee9a82bd4ebe7550a6ff5f5581b7f877aae4f839839cb9dfa86784c33d8334
          • Opcode Fuzzy Hash: 59dd596e6672f3804ed722498d4bd5355e20d67fce9bf653ee06116c9671496e
          • Instruction Fuzzy Hash: E9319C72911208ABCB019FB49D48CEFBA7EEF4A314B154509F502B2A40EB749DA4DB74
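          The records above list, for each lifted function, its resolved API calls (with "Part of subcall function" rows for callees), the memory dump it came from, the strings it references (separated by `$` in the String ID row) and its fuzzy hashes. Most of them are MFC and GDI window-drawing code, but the same module at base 6CA90000 also holds a function that references `IP:`, `IP=`, `Port:` and `Port=`, and one that resolves `D2D1CreateFactory` and `DWriteCreateFactory` by name from `D2D1.dll` and `DWrite.dll`. The following Python is an added example, not code from the Joe Sandbox report or from Joe Security: it parses records in the layout shown on this page (the layout is inferred from these rows, and the `$` separator is assumed never to occur inside a string) and tags each function so an analyst can skip the UI noise and go straight to the configuration-handling code. The three records embedded as `SAMPLE` are copied from this page and trimmed; the tag names are the example's own.

```python
"""Parse Joe Sandbox per-function records (the APIs / Memory Dump Source /
Similarity rows in this report) and triage them by API and string content.
Added example, not part of the report or of Joe Sandbox tooling; the record
layout is inferred from the rows on this page."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class ApiCall:
    name: str
    module: str            # USER32, GDI32, LIBCMT, ...
    args: list[str]
    ref: str               # call-site address
    subcall_of: str = ""   # callee address when listed as "Part of subcall function"
@dataclass
class Record:
    apis: list[ApiCall] = field(default_factory=list)
    offset: str = ""       # base of the memory dump the function was lifted from
    strings: list[str] = field(default_factory=list)
    fuzzy_hash: str = ""   # Instruction Fuzzy Hash: the last row of every record
_API = re.compile(r"^(?P<name>[^.(\s]+)\.(?P<mod>[A-Z0-9_]+)"
                  r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
_SUB = re.compile(r"^Part of subcall function (?P<addr>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")

# Constructed input: three records copied from this report, trimmed to the rows
# the parser uses (Associated / Opcode ID / API ID rows are ignored by it anyway).
SAMPLE = """\
APIs
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CAA6C30
• Concurrency::cancel_current_task.LIBCPMT ref: 6CAA6C85
Memory Dump Source
• Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
Similarity
• String ID: IP: $IP=$Port: $Port=$re41$vi65$vwer
• Instruction Fuzzy Hash: 8F12B271E002488BDB14CFA8C995BDDB7B5FF45308F1482A9E409AB791EB31AA85CF50
APIs
• CoInitialize.OLE32(00000000), ref: 6CB93BB7
Similarity
• String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
• Instruction Fuzzy Hash: 6221C175250B45AFDB309F75CC98F17BAB9EB42359F018A39E85AD3D40EB30D4949B20
APIs
• GetPropW.USER32(?,AfxOldWndProc423), ref: 6CABA3AA
• CallWindowProcW.USER32(?,?,00000110,?,?), ref: 6CABA40A
  • Part of subcall function 6CABA8C0: GetWindowRect.USER32(?,00000000), ref: 6CABA8F9
• GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6CABA444
Similarity
• String ID: AfxOldWndProc423
• Instruction Fuzzy Hash: E9319C72911208ABCB019FB49D48CEFBA7EEF4A314B154509F502B2A40EB749DA4DB74
"""

def parse_records(text: str) -> list[Record]:
    records, rec, section = [], Record(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):           # bare lines are section headers
            section = line or section          # blank lines do not reset the section
            continue
        body = line[1:].strip()
        if section == "APIs":
            sub = _SUB.match(body)
            m = _API.match(sub["rest"] if sub else body)
            if m:                               # rows that do not fit are skipped, not guessed
                args = m["args"].split(",") if m["args"] else []
                rec.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(),
                                        sub["addr"].upper() if sub else ""))
            continue
        key, _, val = body.partition(":")       # "Key: value" rows in the other sections
        key, val = key.strip(), val.strip()
        if key == "Source File":
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
            rec.offset = off.group(1).upper() if off else ""
        elif key == "String ID":                # '$' separates strings in this report
            rec.strings = [s.strip() for s in val.split("$") if s.strip()]
        elif key == "Instruction Fuzzy Hash":   # last row of a record: close it
            rec.fuzzy_hash = val
            records.append(rec)
            rec = Record()
    return records

NET_KEYS = {"IP:", "IP=", "Port:", "Port="}

def triage(records: list[Record]) -> dict[str, list[str]]:
    """Tag each record (keyed by fuzzy hash) with what is worth an analyst's time."""
    tags: dict[str, list[str]] = {}
    for rec in records:
        t = []
        if NET_KEYS & set(rec.strings):
            t.append("network-config")          # host/port keys in a string-building routine
        dlls = [s for s in rec.strings if s.lower().endswith(".dll")]
        if dlls and len(rec.strings) > len(dlls):
            t.append("dynamic-import")          # DLL name plus export names: runtime resolution
        direct = {a.module for a in rec.apis if not a.subcall_of}
        if direct and direct <= {"USER32", "GDI32"}:
            t.append("ui-only")                 # pure window/drawing code, usually framework noise
        tags[rec.fuzzy_hash] = t
    return tags
```

Running `triage(parse_records(SAMPLE))` tags the first record `network-config` and the second `dynamic-import`, while the MFC subclassing routine (USER32 plus KERNEL32 atom calls) gets no tag. Results are keyed by Instruction Fuzzy Hash, so the same dictionary built from another report can be compared on that key to see whether a flagged function recurs.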
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: eb1cb0f3ca8351a662ae72709e973bf19d81995962c0c9fcf7b5a9181e8948d7
          • Instruction ID: b3842c124dff7ed366aac499c32ce3a92d3ef8ca58b364e5f54e17f483373d39
          • Opcode Fuzzy Hash: eb1cb0f3ca8351a662ae72709e973bf19d81995962c0c9fcf7b5a9181e8948d7
          • Instruction Fuzzy Hash: F2029A35A00A15DFCB05CF69C880A9EF7BAFF4A318B558258E905BB750D731ADC1CB90
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAD07B6
          • GetObjectW.GDI32(?,00000018,?), ref: 6CAD07DB
          • GetObjectW.GDI32(?,00000054,?), ref: 6CAD0820
          • CreateCompatibleDC.GDI32(00000000), ref: 6CAD090C
          • SelectObject.GDI32(?,?), ref: 6CAD092E
          • GetPixel.GDI32(?,00000000,00000000), ref: 6CAD098D
          • GetPixel.GDI32(?,?,00000000), ref: 6CAD099F
          • SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6CAD09AE
          • SetPixel.GDI32(?,?,00000000,00000000), ref: 6CAD09C0
          • SelectObject.GDI32(?,00000000), ref: 6CAD0A0E
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
          • String ID:
          • API String ID: 1266819874-0
          • Opcode ID: 5b836c00c6d064efc81c46e577de03cf7b826b737ebf8bd6f0313a046cf368f8
          • Instruction ID: 99b21d253f1b1ee243b4e25bdab50b77d7b069c68b77d59a5d1bced39eba2f91
          • Opcode Fuzzy Hash: 5b836c00c6d064efc81c46e577de03cf7b826b737ebf8bd6f0313a046cf368f8
          • Instruction Fuzzy Hash: 25811A71E002698FDB20CFA9C884A9DBBB5FF49304F1581A9E848E7711DB30AD85DF50
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAC1B15
          • GetMenuItemCount.USER32(?), ref: 6CAC1B41
          • GetSubMenu.USER32(?,00000000), ref: 6CAC1B77
          • GetMenuState.USER32(?,?,00000400), ref: 6CAC1B94
          • GetSubMenu.USER32(?,00000000), ref: 6CAC1BF1
          • GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 6CAC1C1A
          • AppendMenuW.USER32(00000000,00000010,00000000,?), ref: 6CAC1CA2
          • GetMenuItemCount.USER32(00000000), ref: 6CAC1D12
          • InsertMenuW.USER32(?,00000000,?,00000000), ref: 6CAC1D3F
          • GetMenuItemID.USER32(?,?), ref: 6CAC1D70
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString
          • String ID:
          • API String ID: 2171526683-0
          • Opcode ID: 06f2c7f65c52b65f095b7dcb94ace1058cb65271446e0d385ae71d66f3449924
          • Instruction ID: 014691fa67591bd9292e5f0a1069f17c96710a8e44b52cd5cb5f227e3335bd2f
          • Opcode Fuzzy Hash: 06f2c7f65c52b65f095b7dcb94ace1058cb65271446e0d385ae71d66f3449924
          • Instruction Fuzzy Hash: D3615271A4122CAFCF25DF64CD88BE9B7B4BB18304F1041E9E509A62A0DB309ED5CF51
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB2F70E
          • SetRectEmpty.USER32(00000001), ref: 6CB2F74E
            • Part of subcall function 6CABC609: GetWindowLongW.USER32(?,000000F0), ref: 6CABC616
          • __EH_prolog3_GS.LIBCMT ref: 6CB2F8EE
          • GetClientRect.USER32(?,0000E801), ref: 6CB2F926
          • SelectObject.GDI32(00000001,00000000), ref: 6CB2F962
          • SelectObject.GDI32(00000001,?), ref: 6CB2FA10
          • IsRectEmpty.USER32(?), ref: 6CB2FA1D
            • Part of subcall function 6CAB73EC: GetParent.USER32(8D6CC831), ref: 6CAB7418
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$EmptyH_prolog3_ObjectSelect$ClientLongParentWindow
          • String ID: Afx:StatusBar
          • API String ID: 2548710182-3033333705
          • Opcode ID: 9dd058814f7e7541f96803d55ae3f25314387481c83bae379f673f787f530c79
          • Instruction ID: c17ca10ba3420df3fa92dfbc67c5d47886610523aa16dc276b8b18f7062faab0
          • Opcode Fuzzy Hash: 9dd058814f7e7541f96803d55ae3f25314387481c83bae379f673f787f530c79
          • Instruction Fuzzy Hash: CEA1C131B002259BDF159F74CD54ABEB7BAEF89314B104169E809F7B80EF349985CBA1
          APIs
          • WSAStartup.WS2_32(00000202,?), ref: 6CAA62CF
          • getaddrinfo.WS2_32(6CCBCB64,6CCBCB4C,00000000,00000000), ref: 6CAA64BC
          • socket.WS2_32(?,?,?), ref: 6CAA64E9
          • connect.WS2_32(00000000,?,?), ref: 6CAA6504
          • closesocket.WS2_32 ref: 6CAA6511
          • freeaddrinfo.WS2_32(00000000), ref: 6CAA6528
          • recv.WS2_32(006CC0C8,00001000,00000000), ref: 6CAA6563
          • VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 6CAA65AE
          • WSACleanup.WS2_32 ref: 6CAA65D6
          • WSACleanup.WS2_32 ref: 6CAA65F5
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Cleanup$AllocStartupVirtualclosesocketconnectfreeaddrinfogetaddrinforecvsocket
          • String ID: IOVA
          • API String ID: 2484549806-1369737602
          • Opcode ID: 11a2cb2f82e0d3ca48dc580c4857566e863d47d9548b260a850b1b658867e2ff
          • Instruction ID: 84531172dddf619873b482aaff7c3b5d4735f56f62ee220d623be4fb26d4be11
          • Opcode Fuzzy Hash: 11a2cb2f82e0d3ca48dc580c4857566e863d47d9548b260a850b1b658867e2ff
          • Instruction Fuzzy Hash: 7971FFB1B016008FCB14DFA8CE5476EBBB1AF4A304F148218E451EBB91E734A9C6DF54
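          The function above is the one block in this section worth a second look: it resolves a host, connects, calls recv into a buffer, and then calls VirtualAlloc with 00000040 (PAGE_EXECUTE_READWRITE) among its arguments, which is the shape of an in-memory stager. The helper below is an added example, not Joe Sandbox code and not code from the sample; it parses the "• Name.MODULE(args), ref: ADDR" lines as this report prints them and flags RWX allocations, a network read listed ahead of such an allocation, and export names passed to GetProcAddress. The NET_READERS list and the triage wording are this editor's assumptions; the two sample inputs are copied from the listings in this report and embedded as constructed test data.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Added triage helper for the "APIs" lists of a Joe Sandbox disassembly section.
# Not Joe Sandbox code: the line shape ("• Name.MODULE(args), ref: ADDR") is
# inferred from the report text, and the heuristics below are this editor's.

class Call(NamedTuple):
    name: str
    module: str
    args: Tuple[str, ...]   # as printed: 8-hex-digit constants, '?' if unresolved, or a literal string
    ref: int                # the "ref:" code address
    subcall: bool           # True for "Part of subcall function ..." lines

API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

PAGE_EXECUTE_READWRITE = 0x40   # Win32 flProtect value
# APIs that pull attacker-controlled bytes off the network (assumed list; extend as needed).
NET_READERS = {"recv", "WSARecv", "InternetReadFile", "WinHttpReadData"}

def parse_api_lines(text: str) -> List[Call]:
    """Parse every call line; headers ('APIs', 'Strings', hashes) do not match and are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m.group("name"), m.group("module").upper(), args,
                          int(m.group("ref"), 16), bool(m.group("sub"))))
    return calls

def _const(arg: str) -> Optional[int]:
    """An argument the sandbox resolved to a constant, else None ('?' or a string literal)."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def rwx_allocations(calls: List[Call]) -> List[Call]:
    """VirtualAlloc/VirtualAllocEx calls carrying PAGE_EXECUTE_READWRITE.
    The report's argument lists can be shorter than the prototype (the recv and
    VirtualAlloc lines above show three values each), so the protection is matched
    by value rather than by position; a 0x40-byte size would also match, which is
    acceptable at triage time."""
    return [c for c in calls
            if c.name in ("VirtualAlloc", "VirtualAllocEx")
            and any(_const(a) == PAGE_EXECUTE_READWRITE for a in c.args)]

def stager_pattern(calls: List[Call]) -> bool:
    """A network read listed before an RWX allocation in the same function: the shape
    of a 'receive blob, map it executable, jump to it' stager. The listing is in
    address order, which hints at control flow without proving it."""
    first_read = next((i for i, c in enumerate(calls) if c.name in NET_READERS), None)
    if first_read is None:
        return False
    rwx = set(rwx_allocations(calls))
    return any(c in rwx for c in calls[first_read + 1:])

def resolved_imports(calls: List[Call]) -> List[str]:
    """Export names passed to GetProcAddress as literal strings (run-time API resolution)."""
    return [c.args[1] for c in calls
            if c.name == "GetProcAddress" and len(c.args) > 1
            and _const(c.args[1]) is None and c.args[1] != "?"]

def triage(text: str) -> List[str]:
    """Human-readable findings for one function's API list."""
    calls = parse_api_lines(text)
    findings = [f"{c.ref:08X} {c.name}: PAGE_EXECUTE_READWRITE allocation"
                for c in rwx_allocations(calls)]
    if stager_pattern(calls):
        findings.append("network read followed by RWX allocation: possible in-memory stager")
    findings += [f"GetProcAddress resolves {n} at run time" for n in resolved_imports(calls)]
    return findings

# Sample input: the WS2_32 function and the OLEAUT32 function from this report,
# copied as printed (constructed test data, not a live report feed).
SAMPLE_NET = """\
APIs
• WSAStartup.WS2_32(00000202,?), ref: 6CAA62CF
• getaddrinfo.WS2_32(6CCBCB64,6CCBCB4C,00000000,00000000), ref: 6CAA64BC
• socket.WS2_32(?,?,?), ref: 6CAA64E9
• connect.WS2_32(00000000,?,?), ref: 6CAA6504
• closesocket.WS2_32 ref: 6CAA6511
• freeaddrinfo.WS2_32(00000000), ref: 6CAA6528
• recv.WS2_32(006CC0C8,00001000,00000000), ref: 6CAA6563
• VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 6CAA65AE
• WSACleanup.WS2_32 ref: 6CAA65D6
• WSACleanup.WS2_32 ref: 6CAA65F5
Strings
"""
SAMPLE_OLE = """\
• __EH_prolog3_GS.LIBCMT ref: 6CB45119
• GetModuleHandleW.KERNEL32(OLEAUT32.DLL,00000000,?,?,?,?,00000001), ref: 6CB4524B
• GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 6CB4525B
• RegisterTypeLib.OLEAUT32 ref: 6CB4527E
"""

if __name__ == "__main__":
    for label, sample in (("WS2_32 function", SAMPLE_NET), ("OLEAUT32 function", SAMPLE_OLE)):
        print(label)
        for finding in triage(sample):
            print("  ", finding)
```

          Run against the WS2_32 function the helper reports the RWX allocation at 6CAA65AE and the read-then-allocate ordering; against the OLEAUT32 function it reports only the run-time resolution of RegisterTypeLibForUser, which is ordinary MFC type-library registration rather than evasion. The heuristic is deliberately loose because the report does not give the fourth recv/VirtualAlloc argument, so confirm the protection value in the memory dump before treating the hit as more than a lead.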
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB45119
          • GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000104,0000002C,6CAA8790,?,6CC92F78,00000000,00000000,00000001,00000003,00000000,00000000,00000001,?), ref: 6CB45151
          • LoadTypeLib.OLEAUT32(?,?), ref: 6CB451C3
          • GetModuleHandleW.KERNEL32(OLEAUT32.DLL,00000000,?,?,?,?,00000001), ref: 6CB4524B
          • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 6CB4525B
          • RegisterTypeLib.OLEAUT32 ref: 6CB4527E
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ModuleType$AddressFileH_prolog3_HandleLoadNameProcRegister
          • String ID: OLEAUT32.DLL$RegisterTypeLibForUser
          • API String ID: 866051225-2666564778
          • Opcode ID: 9363f4b833644f0ac006f5e3711b5613797b3a75e8ab5c3b0f342dbbdbdd8c93
          • Instruction ID: 6b5201e882db6a9b70ce214fcec9e9e0fcc9aac01aaf68d786dd1df2f8211f89
          • Opcode Fuzzy Hash: 9363f4b833644f0ac006f5e3711b5613797b3a75e8ab5c3b0f342dbbdbdd8c93
          • Instruction Fuzzy Hash: 68518F31E145099FDF01DFA4C984DEEBBB9AF09318F144159E901B7B90EB31AE49DB60
          APIs
          • GetStockObject.GDI32(00000011), ref: 6CBE6348
          • GetStockObject.GDI32(0000000D), ref: 6CBE6354
          • GetObjectW.GDI32(00000000,0000005C,?), ref: 6CBE6365
          • GetDC.USER32(00000000), ref: 6CBE6374
          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6CBE638B
          • MulDiv.KERNEL32(?,00000048,00000000), ref: 6CBE6397
          • ReleaseDC.USER32(00000000,00000000), ref: 6CBE63A3
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Object$Stock$CapsDeviceRelease
          • String ID: System
          • API String ID: 46613423-3470857405
          • Opcode ID: be1f8969699721dfec6048867661eb4c27bf5010327fe13f706da01fe8a83416
          • Instruction ID: 12d04df77f76c90ca8b16d4761162b06e2bc9f240ef1a8ab2ac49262d2b076ee
          • Opcode Fuzzy Hash: be1f8969699721dfec6048867661eb4c27bf5010327fe13f706da01fe8a83416
          • Instruction Fuzzy Hash: 31117971700308ABEF049B69CC49FAF7BB9EB49B55F440119F606EB680EB60D841EB61
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$ActiveFocus$MessageSend
          • String ID: u
          • API String ID: 1556911595-4067256894
          • Opcode ID: 815017b8fef6eb34dc94f3fe3897ddf8916493bf4ee7f82bcc575e2cccf408de
          • Instruction ID: d1826f9056906cd3f1bc01062a7af1ff472d3287bdf125a9f3dc68e0acf76cb8
          • Opcode Fuzzy Hash: 815017b8fef6eb34dc94f3fe3897ddf8916493bf4ee7f82bcc575e2cccf408de
          • Instruction Fuzzy Hash: 2311E732611205ABDB121BB4CD0CA6E367DEB05349B14C624F916F5E5AD7B4C4D4E770
          APIs
          • GetModuleHandleA.KERNEL32(yyzyBase.dll,?,00000000), ref: 6CAA7218
          • FindResourceW.KERNEL32(00000000,CONFIG,AFX_DIALOG_LAYOUT), ref: 6CAA722B
          • LoadResource.KERNEL32(00000000,00000000), ref: 6CAA7239
          • SizeofResource.KERNEL32(00000000,00000000), ref: 6CAA7243
          • LockResource.KERNEL32(00000000), ref: 6CAA724C
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Resource$FindHandleLoadLockModuleSizeof
          • String ID: AFX_DIALOG_LAYOUT$CONFIG$yyzyBase.dll
          • API String ID: 1601749889-1902995937
          • Opcode ID: ef0668573191ad0786a2ba7b549cee2bacd73849f30beb747712c55440b8f9d8
          • Instruction ID: 2c29061052c7c2fbd1a245b3a15b94845798848f13b212423f47575d0061ddb3
          • Opcode Fuzzy Hash: ef0668573191ad0786a2ba7b549cee2bacd73849f30beb747712c55440b8f9d8
          • Instruction Fuzzy Hash: 2AF0AF726105116BEB0216F15C88EBB7ABC9F971597440038F51293A04FF258C9A97B6
          APIs
          • __EH_prolog3.LIBCMT ref: 6CBFD5CA
            • Part of subcall function 6CB95D74: EnterCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DA5
            • Part of subcall function 6CB95D74: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DBB
            • Part of subcall function 6CB95D74: LeaveCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DC9
            • Part of subcall function 6CB95D74: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000,?), ref: 6CB95DD6
          • GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6CBFD615
          • GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6CBFD628
          • GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6CBFD63B
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
          • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
          • API String ID: 4229786687-1024936294
          • Opcode ID: ac4144cd856f0458f61f46d91d49ddc0565099f52ac8cf58ab53ac0bab37bfcd
          • Instruction ID: 9d067b4c9060736a6c0621ab66bdab149c72bdde13860787f9d3114ca674db0b
          • Opcode Fuzzy Hash: ac4144cd856f0458f61f46d91d49ddc0565099f52ac8cf58ab53ac0bab37bfcd
          • Instruction Fuzzy Hash: E10144B1A55710AFDF10CF74C80EB4A7AF0AF16B59F444529F144EAB90E7B44185EB05
          APIs
          • SetRectEmpty.USER32(?), ref: 6CB63484
          • InvalidateRect.USER32(?,?,00000001), ref: 6CB634DD
          • InvalidateRect.USER32(?,?,00000001), ref: 6CB634EC
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$Invalidate$Empty
          • String ID:
          • API String ID: 1126320529-0
          • Opcode ID: 2ce1da1f4bcaeb084c2103d354bf1741cd2e07d8fb843809c82a41aec457fe44
          • Instruction ID: 0b269349c2ca576e94e762e3430f3846fbfd30961056632f262fd8f6876a8bff
          • Opcode Fuzzy Hash: 2ce1da1f4bcaeb084c2103d354bf1741cd2e07d8fb843809c82a41aec457fe44
          • Instruction Fuzzy Hash: 98712535A006189FCF01DF65C884AAEBBB6FF49314F55406AEC01BB651CB71AE81CF91
          APIs
          • FindResourceW.KERNEL32(?,00000000,00000005,00000024,6CAF9EB0,?,?,00000170,80004005,80004005,54000000,?,000000DD,000000FF,00000001), ref: 6CB4A078
          • LoadResource.KERNEL32(?,00000000,?,?,00000170,80004005,80004005,54000000,?,000000DD,000000FF,00000001,?,?), ref: 6CB4A084
          • LockResource.KERNEL32(0000007E,00000024,6CAF9EB0,?,?,00000170,80004005,80004005,54000000,?,000000DD,000000FF,00000001,?,?), ref: 6CB4A094
          • GetDesktopWindow.USER32 ref: 6CB4A0CB
          • IsWindowEnabled.USER32(00000000), ref: 6CB4A0D6
          • EnableWindow.USER32(00000000,00000000), ref: 6CB4A0E2
          • EnableWindow.USER32(00000000,00000001), ref: 6CB4A1C6
          • GetActiveWindow.USER32 ref: 6CB4A1D0
          • SetActiveWindow.USER32(00000000,?,00000024,6CAF9EB0,?,?,00000170), ref: 6CB4A1DC
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$Resource$ActiveEnable$DesktopEnabledFindLoadLock
          • String ID:
          • API String ID: 2497874451-0
          • Opcode ID: a554bd2d00e77f5b624ad8831cd996c5aa2bd14862881d27db50987905f71902
          • Instruction ID: d3050391a182005edac76ea98ea29127c93ea4a7bc652388b30c0f0af44b349e
          • Opcode Fuzzy Hash: a554bd2d00e77f5b624ad8831cd996c5aa2bd14862881d27db50987905f71902
          • Instruction Fuzzy Hash: 67517C70B05255DBDF019FA0C984BEEBBB8FF0A319F108129E911B7785DB3498859FA1
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAC1D8B
          • GetMenuItemCount.USER32(?), ref: 6CAC1DD1
          • GetMenuItemCount.USER32(6CBFE061), ref: 6CAC1DDD
          • GetSubMenu.USER32(6CBFE061,-00000001), ref: 6CAC1DF4
          • GetMenuItemCount.USER32(00000000), ref: 6CAC1E07
          • GetSubMenu.USER32(00000000,00000000), ref: 6CAC1E18
          • RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,?,?,6CCA67DC,0000000C,00000004,6CA91EF8,6CBFE061,?,6CA92BB6,80004005), ref: 6CAC1E32
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Menu$CountItem$H_prolog3Remove
          • String ID:
          • API String ID: 3061525546-0
          • Opcode ID: cc271947f2abadb896606ff451793b26d3fc763cfd46b92d8382be2d0c072baa
          • Instruction ID: f166c705ab63b5fad09a04d0859f9fd65a886d28feadaa44cbcb19f22b6153f3
          • Opcode Fuzzy Hash: cc271947f2abadb896606ff451793b26d3fc763cfd46b92d8382be2d0c072baa
          • Instruction Fuzzy Hash: 2721AC31B01209EBDF018F68CD48ABF3BB9EB81354FA08569F615E6A40DB30CA95DB51
          APIs
            • Part of subcall function 6CACF4E1: GdipGetImagePixelFormat.GDIPLUS(?,6CCC3BD8,00000000,00000000,?,6CACDE79,9380FC14,?,00000000,6CCC3BD8), ref: 6CACF4EF
            • Part of subcall function 6CACF499: GdipGetImagePalette.GDIPLUS(?,00000000,?,?,?,6CACDF98,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,9380FC14), ref: 6CACF4A8
          • GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,9380FC14,?,00000000,6CCC3BD8), ref: 6CACE08D
          • GdipBitmapUnlockBits.GDIPLUS(?,?,?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,9380FC14,?,00000000), ref: 6CACE13D
          • GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6CACE18F
          • GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000), ref: 6CACE19A
          • GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000), ref: 6CACE1A5
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPalettePixelUnlock
          • String ID: &$ &
          • API String ID: 1665940520-360661826
          • Opcode ID: f71f1113961fdbc2d901e672e5791ace1ef480efd75742a951c3f683cdaf9590
          • Instruction ID: 9f5890ade7cb69ba29927e2c0c099b54aca915cdaa390d031135c3c5d6e79308
          • Opcode Fuzzy Hash: f71f1113961fdbc2d901e672e5791ace1ef480efd75742a951c3f683cdaf9590
          • Instruction Fuzzy Hash: B6A161B1A001299BCB24CF15CD90BE9B7B5EF84318F1541E9EA19A7B01DB309EC5CF99
          APIs
          • GetModuleHandleW.KERNEL32(user32.dll), ref: 6CAB8068
          • GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 6CAB809D
          • GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 6CAB80C5
          • ScreenToClient.USER32(?,?), ref: 6CAB8151
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: AddressProc$ClientHandleModuleScreen
          • String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
          • API String ID: 471820996-2905070798
          • Opcode ID: fbdb8dff4971811f6bd9d1ed0943c0d57c83ead34eb51c262fae95b9a0652d48
          • Instruction ID: 2d63315b334cef74d941611677321d0730d9558b5bfc0bb692d6dbe4db12b617
          • Opcode Fuzzy Hash: fbdb8dff4971811f6bd9d1ed0943c0d57c83ead34eb51c262fae95b9a0652d48
          • Instruction Fuzzy Hash: B181B3B4700A16EFCB09CF68C9949A9BBB9FF09314B14415AE815E3B50D731EAB4DF90
          APIs
          • MonitorFromPoint.USER32(80004005,80004005,00000002), ref: 6CB3BD75
          • GetMonitorInfoW.USER32(00000000), ref: 6CB3BD7C
          • CopyRect.USER32(6CAA4E9D,?), ref: 6CB3BD8E
          • SystemParametersInfoW.USER32(00000030,00000000,6CAA4E9D,00000000), ref: 6CB3BDA0
          • IntersectRect.USER32(6CAF9624,6CAA4E9D,80004005), ref: 6CB3BDD3
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
          • String ID: ($4(@P
          • API String ID: 2931574886-3162098019
          • Opcode ID: 925cdbf7e08d184d93514d9c75d42ee8426d2d241e87164cf4195bb92ad1fbe1
          • Instruction ID: 7521d66d39392a5320ee09901292732d5ee62246cc03457fb6d584cfba4210fd
          • Opcode Fuzzy Hash: 925cdbf7e08d184d93514d9c75d42ee8426d2d241e87164cf4195bb92ad1fbe1
          • Instruction Fuzzy Hash: 0B510A71E016699FCB01CFA9C948ADEBBF4FF09304F10426AE518E7654D730EA94CB91
          APIs
          • CheckMenuItem.USER32(?,?,00000400), ref: 6CAC3791
            • Part of subcall function 6CB95A11: GetWindowTextW.USER32(?,?,00000100), ref: 6CB95A6F
            • Part of subcall function 6CB95A11: lstrcmpW.KERNEL32(?,?,?,00000000), ref: 6CB95A81
            • Part of subcall function 6CB95A11: SetWindowTextW.USER32(?,?), ref: 6CB95A8D
          • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6CAC37AC
          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 6CAC37C9
          • SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 6CAC3836
          • SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 6CAC3886
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
          • String ID: 0$@
          • API String ID: 72408025-1545510068
          • Opcode ID: 1910d7bb08a897569824193d0f44c9e10ba520e254b090e24c73d3db28c04b34
          • Instruction ID: 13b1f161983ae53a4e72575c281b10af112fc2d0b54392530a8adb9c78a3f5d0
          • Opcode Fuzzy Hash: 1910d7bb08a897569824193d0f44c9e10ba520e254b090e24c73d3db28c04b34
          • Instruction Fuzzy Hash: 5241A171702205EFDB149F59C888FDABBB9FF00714F248629E649AB950C770E8D1CB92
          APIs
          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6CABF85D,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6CB94F4F
          • GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6CB94F5F
          • EncodePointer.KERNEL32(00000000,?,6CABF85D,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6CB94F68
          • DecodePointer.KERNEL32(00000000,?,?,6CABF85D,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6CB94F76
          • DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?,?,6CABF85D,?,00000000,?,?,?), ref: 6CB94FC3
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
          • String ID: DrawThemeTextEx$uxtheme.dll
          • API String ID: 1727381832-3035683158
          • Opcode ID: fa16facf7a518649a6ba9f30a8bb3da9131c996c4b1ff9d2c6f47589a8f2d3df
          • Instruction ID: 1302fd19d2f6553465a647e4cdf3b25440b2f651ba9d545b6babe1b89a2950e2
          • Opcode Fuzzy Hash: fa16facf7a518649a6ba9f30a8bb3da9131c996c4b1ff9d2c6f47589a8f2d3df
          • Instruction Fuzzy Hash: 0011A53610555AEFDF025FA0CD08D9A3F76EF0A355B058520FE19A5520D736D8B1AF90
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB6D556
          • CreateCompatibleDC.GDI32(00000000), ref: 6CB6D5BA
          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB6D5F0
          • SelectObject.GDI32(?,00000000), ref: 6CB6D644
          • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6CB6D7AE
          • DeleteObject.GDI32(?), ref: 6CB6D7E7
          • GetPixel.GDI32(00000000,?,00000000), ref: 6CB6D859
          • SetPixel.GDI32(?,00000000,000000FF,00000000), ref: 6CB6D870
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CompatibleCreateObjectPixel$BitmapDeleteH_prolog3_Select
          • String ID:
          • API String ID: 1635930241-0
          • Opcode ID: 5120076c531dbd49860a25c0132db97b37652c296be8f56565e3b226a7d3cf5f
          • Instruction ID: 0c7e99086cd9852deabf675257efe5e12161b98b4119bd7a2864a99774e40968
          • Opcode Fuzzy Hash: 5120076c531dbd49860a25c0132db97b37652c296be8f56565e3b226a7d3cf5f
          • Instruction Fuzzy Hash: 14B14072E012189FCF04CFA9D944AEEBBB6EF84314F258129E419FBA50D7309A45CB91
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAC1FE3
          • OleDuplicateData.OLE32(?,00000000,00000000), ref: 6CAC2074
          • GlobalLock.KERNEL32(00000000), ref: 6CAC2096
          • CopyMetaFileW.GDI32(?,00000000), ref: 6CAC20A4
          • GlobalUnlock.KERNEL32(00000000), ref: 6CAC20B2
          • GlobalFree.KERNEL32(00000000), ref: 6CAC20B9
          • GlobalUnlock.KERNEL32(00000000), ref: 6CAC20C6
          • CopyFileW.KERNEL32(?,?,00000000,016087C7,?,00000054,6CBAB78D,-00000014,?,-00000014,6CB4EC90,00000000), ref: 6CAC2272
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3_LockMeta
          • String ID:
          • API String ID: 985170318-0
          • Opcode ID: 25d7b86c46d94e435d8d7e19a943a5d82dc00d6ba3c3eb85e917519c45f7862a
          • Instruction ID: d908a517a8852a9a0d1ae92a2dd4fbc69e1856287e0e7ee6c2d102812df1a5e8
          • Opcode Fuzzy Hash: 25d7b86c46d94e435d8d7e19a943a5d82dc00d6ba3c3eb85e917519c45f7862a
          • Instruction Fuzzy Hash: 5CA1AF71710602EFDB148F64C94CA2ABBB9FF89714704D219F819DBA54DB31EC91CBA2
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAAD977
          • InflateRect.USER32(?), ref: 6CAAD99F
          • DrawFocusRect.USER32(?,?), ref: 6CAADA09
          • InflateRect.USER32(?), ref: 6CAADA1D
          • InflateRect.USER32(?), ref: 6CAADA65
          • InflateRect.USER32(?), ref: 6CAADAB5
          • CreateHatchBrush.GDI32(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAADAD9
          • FillRect.USER32(?,?,00000000), ref: 6CAADAF4
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$Inflate$BrushCreateDrawFillFocusH_prolog3Hatch
          • String ID:
          • API String ID: 4128771895-0
          • Opcode ID: b056b4787e8377d200b99077ad25887c48fe97ddc303150d4225b3064b057438
          • Instruction ID: 336a64c0c454328e0e963997933d6360cb9620b500baf9cdff0b93a29a7f81df
          • Opcode Fuzzy Hash: b056b4787e8377d200b99077ad25887c48fe97ddc303150d4225b3064b057438
          • Instruction Fuzzy Hash: 98514C72900118EFCB00DFD5C944EDE77BCEF45718F418166F815ABA90DB359A89CBA0
          APIs
          • GetClientRect.USER32(?,?), ref: 6CAB9913
          • BeginDeferWindowPos.USER32(00000008), ref: 6CAB9929
          • GetTopWindow.USER32(?), ref: 6CAB993A
          • GetDlgCtrlID.USER32(00000000), ref: 6CAB9943
          • SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 6CAB997B
          • GetWindow.USER32(00000000,00000002), ref: 6CAB9984
          • CopyRect.USER32(?,?), ref: 6CAB999F
          • EndDeferWindowPos.USER32(00000000), ref: 6CAB9A2F
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
          • String ID:
          • API String ID: 1228040700-0
          • Opcode ID: 9541ca077e778275c26521f5a2248d48c60a38912e526bfa1f8c3c118156a540
          • Instruction ID: 47e1e9d6a35dad7217ed77d95b17bf79b86936c77e9c8c92efa4bca5f8188619
          • Opcode Fuzzy Hash: 9541ca077e778275c26521f5a2248d48c60a38912e526bfa1f8c3c118156a540
          • Instruction Fuzzy Hash: CF512431A01218DFCF01DFA8C984BDEBBB9FF59315F188059E805BB650C734A981CB60
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAD1099
          • EnterCriticalSection.KERNEL32(6CCC3BD8,00000018,6CA93E9D,?,00000000,00000000,00000000), ref: 6CAD10B7
          • SelectObject.GDI32(?,00000018), ref: 6CAD1104
          • LeaveCriticalSection.KERNEL32(6CCC3BD8,?), ref: 6CAD1121
          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6CAD1149
          • SelectObject.GDI32(00000000), ref: 6CAD1158
          • CreateCompatibleDC.GDI32(00000000), ref: 6CAD11E0
          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CAD1200
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
          • String ID:
          • API String ID: 4255533662-0
          • Opcode ID: 3f5b190dc6cefdb9ca462da93773257d51aca2d0d7bc3c15219227e67a4e6de5
          • Instruction ID: e3d655ac261327c52db00b4d1711552cf07e66192bb05b99b2c7a9904b9f7574
          • Opcode Fuzzy Hash: 3f5b190dc6cefdb9ca462da93773257d51aca2d0d7bc3c15219227e67a4e6de5
          • Instruction Fuzzy Hash: 6451CF34601B01DFDB21CF25C940AA7B7F4FF46328B19892DE696D7A14E731E588CB20
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAAFCD0
          • GetSysColor.USER32(00000017), ref: 6CAAFCED
          • InflateRect.USER32(?,00000002,00000002), ref: 6CAAFD10
          • DrawThemeBackground.UXTHEME(?,?,00000001,00000000,?,00000000), ref: 6CAAFD33
          • GetThemeColor.UXTHEME(?,00000001,00000000,00000EDB,?), ref: 6CAAFD48
          • GetThemeColor.UXTHEME(?,00000001,00000000,00000EDC,?), ref: 6CAAFD5D
          • GetSysColorBrush.USER32(00000018), ref: 6CAAFD67
          • FillRect.USER32(00000000,?,00000000), ref: 6CAAFD7A
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Color$Theme$Rect$BackgroundBrushDrawFillH_prolog3_Inflate
          • String ID:
          • API String ID: 229325109-0
          • Opcode ID: 7557928602bc0d4d453b19006b441f698398f21639366a023f673d6f65f25c4b
          • Instruction ID: c4eea977521435a6d9952c64a56b2fe3c0d28ff9ea6ee6bd2bea726507f997f3
          • Opcode Fuzzy Hash: 7557928602bc0d4d453b19006b441f698398f21639366a023f673d6f65f25c4b
          • Instruction Fuzzy Hash: 3A411575A10219AFDF04CFA4C888EEE7BB9FB09314B045469F902BB650DB31AD85CB60
          APIs
          • GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6CAD0039,00000000,00000000,?,6CC5BE30,?,6CAD0E95,?,?,?), ref: 6CAD0055
          • GlobalLock.KERNEL32(00000000), ref: 6CAD0062
          • GlobalUnlock.KERNEL32(00000000), ref: 6CAD006D
          • GlobalFree.KERNEL32(00000000), ref: 6CAD0074
          • GlobalUnlock.KERNEL32(00000000), ref: 6CAD0092
          • CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6CAD009F
          • EnterCriticalSection.KERNEL32(6CCC3BD8,00000000), ref: 6CAD00B8
          • LeaveCriticalSection.KERNEL32(6CCC3BD8,00000000), ref: 6CAD011F
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Global$CriticalSectionUnlock$AllocCreateEnterFreeLeaveLockStream
          • String ID:
          • API String ID: 295443201-0
          • Opcode ID: 35ee5d5c216c6b5f71142e9b182043d530cca71d987c677c35d3096d5f1ae077
          • Instruction ID: 5e9b436925bfa88fbbfd0f6b942de4392f01043fcd182e45740fb300a284b7c3
          • Opcode Fuzzy Hash: 35ee5d5c216c6b5f71142e9b182043d530cca71d987c677c35d3096d5f1ae077
          • Instruction Fuzzy Hash: 8321D135711601BBDF116B75DC18A9E3BB8BF96309F084014F901E3A80EB34EA84DBA1
          APIs
          • GetSystemMetrics.USER32(00000031), ref: 6CABFC2F
          • GetSystemMetrics.USER32(00000032), ref: 6CABFC3D
          • SetRectEmpty.USER32(6CCC3AFC), ref: 6CABFC50
          • EnumDisplayMonitors.USER32(00000000,00000000,6CABFA37,6CCC3AFC), ref: 6CABFC60
          • SystemParametersInfoW.USER32(00000030,00000000,6CCC3AFC,00000000), ref: 6CABFC6F
          • SystemParametersInfoW.USER32(00001002,00000000,6CCC3B20,00000000), ref: 6CABFC9C
          • SystemParametersInfoW.USER32(00001012,00000000,6CCC3B24,00000000), ref: 6CABFCB0
          • SystemParametersInfoW.USER32(0000100A,00000000,6CCC3B34,00000000), ref: 6CABFCD6
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
          • String ID:
          • API String ID: 2614369430-0
          • Opcode ID: 1e9f3437731b9286718b1a327549aee1ac4c394a6a5d31ff8e16d353a7f1a047
          • Instruction ID: 6dfec05de7d31542354d6d97431a0a25ffe9c389df48a497cfaaf143281d5e6e
          • Opcode Fuzzy Hash: 1e9f3437731b9286718b1a327549aee1ac4c394a6a5d31ff8e16d353a7f1a047
          • Instruction Fuzzy Hash: 172130B5301615BFEB044F758C48AE3BBBCFF1A395F404229F959E6140D7746891DBA0
          APIs
          • GlobalLock.KERNEL32(00000000), ref: 6CB46CEA
          • lstrcmpW.KERNEL32(00000000,?), ref: 6CB46D03
          • OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6CB46D18
          • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6CB46D38
          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6CB46D40
          • GlobalLock.KERNEL32(00000000), ref: 6CB46D4E
          • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6CB46D5F
          • ClosePrinter.WINSPOOL.DRV(?), ref: 6CB46D77
            • Part of subcall function 6CB959DE: GlobalFlags.KERNEL32(6CAC096D), ref: 6CB959EB
            • Part of subcall function 6CB959DE: GlobalUnlock.KERNEL32(6CAC096D), ref: 6CB959F9
            • Part of subcall function 6CB959DE: GlobalFree.KERNEL32(6CAC096D), ref: 6CB95A05
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
          • String ID:
          • API String ID: 168474834-0
          • Opcode ID: cc69ee17baed6b314be5bba2f159efdcd09e54f1b98b1ea7ec9a17c176b96a93
          • Instruction ID: 1e28b9e6768c5e87e968baeb0bacb26ab7cd08dc6d0277119a8512e8772dda52
          • Opcode Fuzzy Hash: cc69ee17baed6b314be5bba2f159efdcd09e54f1b98b1ea7ec9a17c176b96a93
          • Instruction Fuzzy Hash: 781190B1108A08BFEF125F71CC45DAA7ABDEF04749B11852AB662D1D30D731C954FB61
          APIs
          • GetSystemMetrics.USER32(00000020), ref: 6CB653BA
          • GetSystemMetrics.USER32(00000021), ref: 6CB653C4
          • GetSystemMetrics.USER32(00000005), ref: 6CB653D3
          • GetSystemMetrics.USER32(00000006), ref: 6CB653DD
          • GetSystemMetrics.USER32(0000005C), ref: 6CB653F4
          • GetSystemMetrics.USER32(0000005C), ref: 6CB653FE
          • GetSystemMetrics.USER32(00000007), ref: 6CB65416
          • GetSystemMetrics.USER32(00000008), ref: 6CB65420
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MetricsSystem
          • String ID:
          • API String ID: 4116985748-0
          • Opcode ID: f5f379261b7a534a2632bb5efc2180e98369256d50698114ad0ef6c502c15d39
          • Instruction ID: 0e7a13cd736d9f7095fd8a5416981c5c8b8e4b8d27d28bd07706b81c3436e8f9
          • Opcode Fuzzy Hash: f5f379261b7a534a2632bb5efc2180e98369256d50698114ad0ef6c502c15d39
          • Instruction Fuzzy Hash: F211CE32210B41AFE7104FA6C809716B7F0FF00B1BF20882EE695E7982E77090E4EB11
          APIs
          • GlobalSize.KERNEL32(-00000014), ref: 6CAC1F66
          • GlobalAlloc.KERNEL32(00002002,00000000,?,?,6CAC229F,016087C7,?,00000054,6CBAB78D,-00000014,?,-00000014,6CB4EC90,00000000), ref: 6CAC1F7E
          • GlobalLock.KERNEL32(-00000014), ref: 6CAC1F8E
          • GlobalLock.KERNEL32(?), ref: 6CAC1F97
          • GlobalSize.KERNEL32(?), ref: 6CAC1FA4
            • Part of subcall function 6CABEC8A: _memcpy_s.LIBCMT ref: 6CABEC99
          • GlobalUnlock.KERNEL32(?), ref: 6CAC1FB5
          • GlobalUnlock.KERNEL32(?), ref: 6CAC1FBE
          • GlobalSize.KERNEL32(?), ref: 6CAC1FCE
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Global$Size$LockUnlock$Alloc_memcpy_s
          • String ID:
          • API String ID: 3833998449-0
          • Opcode ID: 86d1accb9ceed9ce93c082c6422313e96b1f6ac833464b1f46f65036cee20d6a
          • Instruction ID: e5942779e7acf4556e4b2abdf0bf3f0d4fe8a44fbc238843d1a12066c7a95947
          • Opcode Fuzzy Hash: 86d1accb9ceed9ce93c082c6422313e96b1f6ac833464b1f46f65036cee20d6a
          • Instruction Fuzzy Hash: 2C017171711614BBDB102BA5CC8C8AE7FBDEB062557848520FA09A2A01D73098A4AFA1
          APIs
          • GetSystemMetrics.USER32(0000000B), ref: 6CB82046
          • GetSystemMetrics.USER32(0000000C), ref: 6CB82051
          • GetSystemMetrics.USER32(00000002), ref: 6CB8205C
          • GetSystemMetrics.USER32(00000003), ref: 6CB8206A
          • GetDC.USER32(00000000), ref: 6CB82078
          • GetDeviceCaps.GDI32(00000000,00000058), ref: 6CB82083
          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6CB8208F
          • ReleaseDC.USER32(00000000,00000000), ref: 6CB8209B
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MetricsSystem$CapsDevice$Release
          • String ID:
          • API String ID: 1151147025-0
          • Opcode ID: fd99f50b7aeafa6a06f2ea510ed89503f6ad781abbee816982d305dad8c46c11
          • Instruction ID: 1b674d01ea2795d6930c73c81cbc08956c4163222084890588e10692425ab8ba
          • Opcode Fuzzy Hash: fd99f50b7aeafa6a06f2ea510ed89503f6ad781abbee816982d305dad8c46c11
          • Instruction Fuzzy Hash: A0F0E271B50700ABEB105FB5980DB5A3BB4FB46712F40851AF202EA180DBB584A1DF80
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB29393
          • GetWindow.USER32(?,00000005), ref: 6CB29402
            • Part of subcall function 6CB2938C: __EH_prolog3.LIBCMT ref: 6CB28E38
            • Part of subcall function 6CB2938C: GetWindow.USER32(?,00000005), ref: 6CB28E56
            • Part of subcall function 6CB2938C: GetWindow.USER32(?,00000002), ref: 6CB28E8F
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$H_prolog3
          • String ID:
          • API String ID: 1351209170-0
          • Opcode ID: 23503143514705ccb68219f8f6d14179cac239e5543564e739f4048317de54b3
          • Instruction ID: fad3e144a9374616a2aaad321cb5dd4adf2cc88f22883cc62fbc2d7767529baa
          • Opcode Fuzzy Hash: 23503143514705ccb68219f8f6d14179cac239e5543564e739f4048317de54b3
          • Instruction Fuzzy Hash: D5F14735F012159FCF059F64C858AFDBBB5EF09314F144169E81AABB90CB38AD85CB92
          APIs
          • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 6CBCF68A
          • __EH_prolog3_GS.LIBCMT ref: 6CBCF6ED
          • GetClientRect.USER32(00000000,?), ref: 6CBCF788
          • GetParent.USER32(?), ref: 6CBCF930
          • GetNextDlgGroupItem.USER32(?,?,00000000), ref: 6CBCF964
          • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBCF9D8
          • GetNextDlgGroupItem.USER32(?,?,00000000), ref: 6CBCF9E9
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: GroupItemNext$ClientH_prolog3_MessageParentRectRedrawSendWindow
          • String ID:
          • API String ID: 2296408814-0
          • Opcode ID: 51a4a983b6105da9bc74e5deea91293ae756c5813970bf1c8d94b05fb04cdbfd
          • Instruction ID: 61018381ec9ad48cb727298a52f4f3c3eef6ed42896652bfde14dca5c0e88a65
          • Opcode Fuzzy Hash: 51a4a983b6105da9bc74e5deea91293ae756c5813970bf1c8d94b05fb04cdbfd
          • Instruction Fuzzy Hash: 39C1AE31B01214AFDF00DF68C994BEE7BB9EF49314F1441AAE905B7790DB70A985CB62
          APIs
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: _strrchr
          • String ID:
          • API String ID: 3213747228-0
          • Opcode ID: 15e1bcecc5968a93ea416e1938c36c66204e08d29b2f9682e5d25721f3eb5c4f
          • Instruction ID: 260fe57d4b76551d6ad89415c78bf15fff3b39ea0a391b5ffa3bf827d03f9adf
          • Opcode Fuzzy Hash: 15e1bcecc5968a93ea416e1938c36c66204e08d29b2f9682e5d25721f3eb5c4f
          • Instruction Fuzzy Hash: B7B16432A043A5AFDB018E6DDC81BEE7BB5EF06318F155255E808AB781F370D941CBA1
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAAF4E7
          • CreatePolygonRgn.GDI32(?,00000008,00000002), ref: 6CAAF73E
          • FillRect.USER32(00000002,?,?), ref: 6CAAF7C2
          • FillRect.USER32(00000002,?,-000000D0), ref: 6CAAF805
          • Polyline.GDI32(00000002,?,00000008), ref: 6CAAF81D
          • OffsetRect.USER32(00000000,00000001,00000001), ref: 6CAAF87B
          • OffsetRect.USER32(00000000,000000FF,000000FF), ref: 6CAAF8A3
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$FillOffset$CreateH_prolog3_PolygonPolyline
          • String ID:
          • API String ID: 2710902255-0
          • Opcode ID: 7d9f0aac20e01bd8356ca36fe873cf4baa2c83fd8b5a53fc5276f54b6d9294b6
          • Instruction ID: 61793268edfd71dc1e718f0cc2275659eb3e8a97f94b33e118ff761692bc212a
          • Opcode Fuzzy Hash: 7d9f0aac20e01bd8356ca36fe873cf4baa2c83fd8b5a53fc5276f54b6d9294b6
          • Instruction Fuzzy Hash: 15D14C71E002199FDF04DFA4C984BEDBBB9BF04304F1441AAE809AB791DB709A89CF50
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAAEEE1
          • GetParent.USER32(?), ref: 6CAAEEF5
            • Part of subcall function 6CABC235: GetWindowLongW.USER32(00076850,000000EC), ref: 6CABC242
            • Part of subcall function 6CB65480: __EH_prolog3.LIBCMT ref: 6CB65487
            • Part of subcall function 6CB65480: SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 6CB654AA
            • Part of subcall function 6CB65480: SendMessageW.USER32(00000000,0000007F,00000001,00000000), ref: 6CB654BE
            • Part of subcall function 6CB65480: GetClassLongW.USER32(00000000,000000DE), ref: 6CB6551B
            • Part of subcall function 6CB65480: GetClassLongW.USER32(00000000,000000F2), ref: 6CB6552C
          • GetSystemMetrics.USER32(00000032), ref: 6CAAEF3E
          • GetSystemMetrics.USER32(00000031), ref: 6CAAEF49
          • GetSystemMetrics.USER32(00000004), ref: 6CAAEF5A
          • GetSystemMetrics.USER32(00000004), ref: 6CAAEF66
          • DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 6CAAEFC3
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MetricsSystem$Long$ClassH_prolog3MessageSend$DrawIconParentWindow
          • String ID:
          • API String ID: 1977492230-0
          • Opcode ID: 2e901206383e489c2749d988e338c3f3c4d82edf0b1df283f8f2281db2266786
          • Instruction ID: f1cba69e5db8a7bb65185d825fff9742707a9439eb5e6e5c55b3946e9a9d7064
          • Opcode Fuzzy Hash: 2e901206383e489c2749d988e338c3f3c4d82edf0b1df283f8f2281db2266786
          • Instruction Fuzzy Hash: 49B17D72A102199FCF05DFA8C984AEEBBB6FF49314F14411AE905F7780DB34A985CB90
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB6E4A8
          • CreateCompatibleDC.GDI32(00000000), ref: 6CB6E514
          • CreateCompatibleBitmap.GDI32(?,00000020,?), ref: 6CB6E54A
          • SelectObject.GDI32(?,00000000), ref: 6CB6E5A4
          • BitBlt.GDI32(?,00000000,00000000,00000020,?,03E8FFFF,00000020,?,00CC0020), ref: 6CB6E5CC
          • BitBlt.GDI32(?,00000020,?,00000020,00000048,?,00000000,00000000,00CC0020), ref: 6CB6E7A5
          • DeleteObject.GDI32(?), ref: 6CB6E7BC
            • Part of subcall function 6CACF3FD: FillRect.USER32(?,?,-000000A8), ref: 6CACF419
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CompatibleCreateObject$BitmapDeleteFillH_prolog3RectSelect
          • String ID:
          • API String ID: 3910664508-0
          • Opcode ID: e3108c7fa6922e771cc485d0ad670b53fdda7bd7b23de60992e88572e937a0c9
          • Instruction ID: 826c4282e90a685f159a25b78aa2cb2357c4065358bd8e11759ea2e4e00cd2d4
          • Opcode Fuzzy Hash: e3108c7fa6922e771cc485d0ad670b53fdda7bd7b23de60992e88572e937a0c9
          • Instruction Fuzzy Hash: CAA1AC71A0068A9FDB01CFA9CD94AEEBBF9FF48304F104229F555E6A50EB30D944DB90
          APIs
          • SetRectEmpty.USER32(?), ref: 6CA940BD
          • LoadBitmapW.USER32(?,-000000B1), ref: 6CA94161
          • GetObjectW.GDI32(00000000,00000018,?), ref: 6CA94188
          • ImageList_AddMasked.COMCTL32(?,00000000,000000FF,00000010,?,00000005,00000000,00000000,?,50402808,000000AB,?,?,56000007,?), ref: 6CA941C1
          • SendMessageW.USER32(?,00001109,00000000,?), ref: 6CA941E0
          • LoadMenuW.USER32(?,000000AD), ref: 6CA9429C
          • GetSubMenu.USER32(00000000,00000000), ref: 6CA942B0
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: LoadMenu$BitmapEmptyImageList_MaskedMessageObjectRectSend
          • String ID:
          • API String ID: 4268898049-0
          • Opcode ID: 58fa8440645812b01155ffcdd075c122dfa741a8961ad0c708ad962b32bf2517
          • Instruction ID: 030076086eccdf7d1e76016df7a004add85847178491f5a634ef3a0c17d03740
          • Opcode Fuzzy Hash: 58fa8440645812b01155ffcdd075c122dfa741a8961ad0c708ad962b32bf2517
          • Instruction Fuzzy Hash: FE81B071B40205AFDB04DFA4CD55BEEB7B8BF08714F104268F625AB6C0DB746A98CB90
          APIs
          • __EH_prolog3.LIBCMT ref: 6CBF1CB8
          • _memcpy_s.LIBCMT ref: 6CBF1DC9
          • CoTaskMemFree.OLE32(?,000000FF), ref: 6CBF1DF1
          • GetParent.USER32(?), ref: 6CBF1E57
          • SendMessageW.USER32(?,00000464,00000104,00000000), ref: 6CBF1E80
          • GetParent.USER32(?), ref: 6CBF1EA6
          • SendMessageW.USER32(?,00000465,00000104,00000000), ref: 6CBF1ECC
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageParentSend$FreeH_prolog3Task_memcpy_s
          • String ID:
          • API String ID: 3096905456-0
          • Opcode ID: d5028da9349f973d83e6fcc221ddd0cba41922eb6ca73726f0ab4f38022bfad0
          • Instruction ID: aec138f5176b84d9d2ff8262a33c9f5545caa285b9b870f48efeeac90431ed31
          • Opcode Fuzzy Hash: d5028da9349f973d83e6fcc221ddd0cba41922eb6ca73726f0ab4f38022bfad0
          • Instruction Fuzzy Hash: EE618475A0011A9FCF04DFA4CD84DAEB7B8FF05318B140919E525A7BA0DB30ED8ACB64
          APIs
          • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 6CAD021D
          • GetObjectW.GDI32(00000000,00000018,?), ref: 6CAD023A
          • DeleteObject.GDI32(00000000), ref: 6CAD0245
          • DeleteObject.GDI32(00000000), ref: 6CAD02EA
            • Part of subcall function 6CAD0FCC: GetObjectW.GDI32(?,00000054,?), ref: 6CAD0FE6
          • __EH_prolog3.LIBCMT ref: 6CAD0141
            • Part of subcall function 6CB959B8: DeleteObject.GDI32(6CAC096D), ref: 6CB959CA
            • Part of subcall function 6CACFFE0: FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CC5BE30,?,6CAD0E95,?,?,?,00000038,6CACFA98), ref: 6CAD0002
            • Part of subcall function 6CACFFE0: LoadResource.KERNEL32(00000000,00000000,?,6CC5BE30,?,6CAD0E95,?,?,?,00000038,6CACFA98), ref: 6CAD0010
            • Part of subcall function 6CACFFE0: LockResource.KERNEL32(00000000,?,6CC5BE30,?,6CAD0E95,?,?,?,00000038,6CACFA98), ref: 6CAD001B
            • Part of subcall function 6CACFFE0: SizeofResource.KERNEL32(00000000,00000000,?,6CC5BE30,?,6CAD0E95,?,?,?,00000038,6CACFA98), ref: 6CAD0029
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Object$Resource$Delete$Load$FindH_prolog3ImageLockSizeof
          • String ID:
          • API String ID: 1337615151-3916222277
          • Opcode ID: d6d61d823566d97413209d7019f413e107b97ce955ed0835e77cc9591a7b92ce
          • Instruction ID: f7bb8d37420ac977c62dd8da7750328bd5a4d4fd462b8888d8e300be9ae9825e
          • Opcode Fuzzy Hash: d6d61d823566d97413209d7019f413e107b97ce955ed0835e77cc9591a7b92ce
          • Instruction Fuzzy Hash: B251C371A02656EFDF04DFB4C980BEEB778BF05308F554129E525A7A40DB30A9D8CBA1
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB55DD4
            • Part of subcall function 6CB8447F: __EH_prolog3.LIBCMT ref: 6CB84486
            • Part of subcall function 6CB8447F: SetRectEmpty.USER32(?), ref: 6CB8467C
            • Part of subcall function 6CBCD5EB: __EH_prolog3.LIBCMT ref: 6CBCD5F2
          • SetRectEmpty.USER32(?), ref: 6CB55F5D
          • SetRectEmpty.USER32(?), ref: 6CB55F64
          • SetRectEmpty.USER32(?), ref: 6CB55F97
          • SetRectEmpty.USER32(?), ref: 6CB56001
          • SetRectEmpty.USER32(?), ref: 6CB5600E
          • SetRectEmpty.USER32(?), ref: 6CB5601B
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: EmptyRect$H_prolog3
          • String ID:
          • API String ID: 3752103406-0
          • Opcode ID: 370dd6b1cf3b3958ab2c21c47fcd0661814d90c294da63c4179bd3754024bc62
          • Instruction ID: 75cb5cd26c41d3d7d1d2f7ffd081a8f3e09399cb7a5c06e4d337977148a39cd6
          • Opcode Fuzzy Hash: 370dd6b1cf3b3958ab2c21c47fcd0661814d90c294da63c4179bd3754024bc62
          • Instruction Fuzzy Hash: 8E71FEB0905B158FCB64CF29D58868AFBF4BF08300F14886ED4AEAB711C7346A44CF84
          APIs
          • GetParent.USER32(?), ref: 6CAB9A94
          • PeekMessageW.USER32(000000FF,00000000,00000000,00000000,00000000), ref: 6CAB9AB6
          • UpdateWindow.USER32(?), ref: 6CAB9AD0
          • SendMessageW.USER32(000000DD,00000121,00000001,?), ref: 6CAB9AF6
          • SendMessageW.USER32(?,0000036A,00000000,00000000), ref: 6CAB9B0E
          • UpdateWindow.USER32(?), ref: 6CAB9B5B
            • Part of subcall function 6CABC609: GetWindowLongW.USER32(?,000000F0), ref: 6CABC616
          • PeekMessageW.USER32(000000FF,00000000,00000000,00000000,00000000), ref: 6CAB9BA5
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Message$Window$PeekSendUpdate$LongParent
          • String ID:
          • API String ID: 2853195852-0
          • Opcode ID: 24477aa82dba53e4140baf022562864c540d4583834f18e64019ebed6ac228cd
          • Instruction ID: 87437f25c448f9fa83c26ff783eb63568553286d92ffee8b917a20c8787f46f9
          • Opcode Fuzzy Hash: 24477aa82dba53e4140baf022562864c540d4583834f18e64019ebed6ac228cd
          • Instruction Fuzzy Hash: 9241B171B11219ABEF049F74CA88BAEBBBCEF04718F148158E815F7A80D770D990DB90
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAE8BA5
          • CopyRect.USER32(?,?), ref: 6CAE8C53
          • IsRectEmpty.USER32(?), ref: 6CAE8C6B
          • IsRectEmpty.USER32(?), ref: 6CAE8C83
          • IsRectEmpty.USER32(?), ref: 6CAE8C98
            • Part of subcall function 6CABFCED: __EH_prolog3.LIBCMT ref: 6CABFCF4
            • Part of subcall function 6CABFCED: LoadCursorW.USER32(00000000,00007F00), ref: 6CABFD18
            • Part of subcall function 6CABFCED: GetClassInfoW.USER32(?,?,?), ref: 6CABFD53
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$Empty$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
          • String ID: Afx:ControlBar
          • API String ID: 685170547-4244778371
          • Opcode ID: fe5bde16ba1de385ccbc69decffd20b9df388b50a1489fa5fb11182a39331424
          • Instruction ID: 1b51dadd72c27c5a0f397daa23e668088a50ad2a9cfc5653a550e5b0c7df1bf3
          • Opcode Fuzzy Hash: fe5bde16ba1de385ccbc69decffd20b9df388b50a1489fa5fb11182a39331424
          • Instruction Fuzzy Hash: 4A414D35A112099BDF01CFA8C984AEE77F9BF4E304F144069FD05BB640DB75A989DBA0
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB5BD43
            • Part of subcall function 6CBA08BB: __EH_prolog3.LIBCMT ref: 6CBA08C2
            • Part of subcall function 6CBA92DA: SetRectEmpty.USER32(?), ref: 6CBA930F
          • SetRectEmpty.USER32(?), ref: 6CB5BE73
          • SetRectEmpty.USER32 ref: 6CB5BE84
          • SetRectEmpty.USER32(?), ref: 6CB5BE8B
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: EmptyRect$H_prolog3
          • String ID: False$True
          • API String ID: 3752103406-1895882422
          • Opcode ID: 1297e539e0b7980e3c7131361554f7b631161daa0267d9b736a65d9859ab0f4d
          • Instruction ID: 61190514aa094036d1b9377e8dc5c8aefb0c357887ec17ae6e27717ee0cd5885
          • Opcode Fuzzy Hash: 1297e539e0b7980e3c7131361554f7b631161daa0267d9b736a65d9859ab0f4d
          • Instruction Fuzzy Hash: F451F3B09052419FCB0ACF29C585BE8BBE8BF08314F5881BEE81D9F796DB701654CB64
          APIs
            • Part of subcall function 6CAC2A4A: GetParent.USER32(?), ref: 6CAC2AA7
            • Part of subcall function 6CAC2A4A: GetLastActivePopup.USER32(?), ref: 6CAC2ABA
            • Part of subcall function 6CAC2A4A: IsWindowEnabled.USER32(?), ref: 6CAC2ACE
            • Part of subcall function 6CAC2A4A: EnableWindow.USER32(?,00000000), ref: 6CAC2AE1
          • EnableWindow.USER32(?,00000001), ref: 6CAC2B40
          • GetWindowThreadProcessId.USER32(?,?), ref: 6CAC2B56
          • GetCurrentProcessId.KERNEL32 ref: 6CAC2B60
          • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6CAC2B76
          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6CAC2C01
          • MessageBoxW.USER32(?,?,?,6CA921AE), ref: 6CAC2C23
          • EnableWindow.USER32(00000000,00000001), ref: 6CAC2C48
          Similarity
          • API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
          • String ID:
          • API String ID: 1924968399-0
          • Opcode ID: 09ef24dda6af7ad40115c0960ef398f6f0fbf82a107e7b7386782a1c8f0d13e2
          • Instruction ID: 5a3934b3e2a174554a7bb12f631649148af792a47081581d3c0c169b48090e0c
          • Opcode Fuzzy Hash: 09ef24dda6af7ad40115c0960ef398f6f0fbf82a107e7b7386782a1c8f0d13e2
          • Instruction Fuzzy Hash: D8418075B5121E9FDB109F68CC8CBE977B8EB24308F2452A9E519E7640D7708EC08F52
          APIs
          • _ValidateLocalCookies.LIBCMT ref: 6CC1B787
          • ___except_validate_context_record.LIBVCRUNTIME ref: 6CC1B78F
          • _ValidateLocalCookies.LIBCMT ref: 6CC1B818
          • __IsNonwritableInCurrentImage.LIBCMT ref: 6CC1B843
          • _ValidateLocalCookies.LIBCMT ref: 6CC1B898
          Similarity
          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
          • String ID: csm
          • API String ID: 1170836740-1018135373
          • Opcode ID: 5d2824b6b2a72506049c5fe2bcd4652080bfb4259344eff2df3a8ac2b956d18a
          • Instruction ID: 3aa1620d20f907513f49b2f60c31bc30534cb84ac8b6915c77b8a23e21cac22a
          • Opcode Fuzzy Hash: 5d2824b6b2a72506049c5fe2bcd4652080bfb4259344eff2df3a8ac2b956d18a
          • Instruction Fuzzy Hash: E641B474A042189BCF00CF6AC8A0A9EBBB5FF46318F148195E8149BF51E7319A56DFE0
          APIs
          • LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 6CAB4A64
            • Part of subcall function 6CAB4816: GetProcAddress.KERNEL32(00000000,6CC57F64), ref: 6CAB4844
          • GetModuleFileNameW.KERNEL32(?,?,00000105,?,6CABBE5C,00000010,6CCA5C00,00000010,6CAB5A99,00000000,?,6CB29E87,?), ref: 6CAB497E
          • SetLastError.KERNEL32(0000006F,?,6CABBE5C,00000010,6CCA5C00,00000010,6CAB5A99,00000000,?,6CB29E87,?), ref: 6CAB4992
          • GetLastError.KERNEL32(00000020), ref: 6CAB49E9
          Similarity
          • API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
          • String ID: Comctl32.dll$GetModuleHandleExW
          • API String ID: 3640817601-1171143627
          • Opcode ID: 693116701e974fb6c85fd00588f5c6630da212f98935a1d55cc10fbbc5038811
          • Instruction ID: 2bb9d98717bc713f7c74b8944deae6ea8b2b27b23d5a2b5798b891058efe7bae
          • Opcode Fuzzy Hash: 693116701e974fb6c85fd00588f5c6630da212f98935a1d55cc10fbbc5038811
          • Instruction Fuzzy Hash: 6141CC71A0162C9AEB20CB99CC88BDD76BCEB45754F24429AE414F2990EB74CAC4DF64
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9AFF3
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9B016
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9B036
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9B0C3
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9B0DB
          Similarity
          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
          • String ID: Hzl
          • API String ID: 3053331623-270317925
          • Opcode ID: 1c77563ad045b7c932e52d45119d1e534672984de0c41006c7f600caa63c0305
          • Instruction ID: 819f14158d74ab19180dc51833ddbc50ad41517542d8e5317211f5f5b26e6e2b
          • Opcode Fuzzy Hash: 1c77563ad045b7c932e52d45119d1e534672984de0c41006c7f600caa63c0305
          • Instruction Fuzzy Hash: 7531EF71A14615CFCB20CF45D881BAEBBB0FB01728F184719D825A7B40E730AA85CBD1
          APIs
          • __EH_prolog3_catch_GS.LIBCMT ref: 6CB4927E
          • RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000228,6CB45B2A,?,?,00000000,?,00000004,6CB45552,80000000,?,80000000), ref: 6CB49324
            • Part of subcall function 6CB03367: __EH_prolog3.LIBCMT ref: 6CB0336E
          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6CB49348
          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6CB493FD
          Similarity
          • API ID: CloseEnumH_prolog3H_prolog3_catch_Open
          • String ID: Software\Classes\
          • API String ID: 854624316-1121929649
          • Opcode ID: ad8bb54b27140c841d19c5f23e3af83b73d2e206973938e9ee7fefebacf4110a
          • Instruction ID: 95d16c1e6fa9a0e80057461a35c4c6a053036c9a7600402a9556d5d5aad5b0ef
          • Opcode Fuzzy Hash: ad8bb54b27140c841d19c5f23e3af83b73d2e206973938e9ee7fefebacf4110a
          • Instruction Fuzzy Hash: 9E41D232905258EBDF11DBA4DE88BDE77B9EF45318F1480D9E405A3784DB30DA89DB11
          APIs
          • GetModuleHandleW.KERNEL32(user32.dll), ref: 6CAB8932
          • GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 6CAB8967
          • GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 6CAB898F
          Similarity
          • API ID: AddressProc$HandleModule
          • String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
          • API String ID: 667068680-1853737257
          • Opcode ID: ca9fcfa9dd2f5e51478f4a2cd3f50de1741ca824ab9447a52a5958d76abb7230
          • Instruction ID: 037362b532c5b06b06d10b89b6f733c00905154291ce2561accfe905a786d5ad
          • Opcode Fuzzy Hash: ca9fcfa9dd2f5e51478f4a2cd3f50de1741ca824ab9447a52a5958d76abb7230
          • Instruction Fuzzy Hash: D431E474711706ABCF149F68DA089DA7FB9EB46B64718442EE815E3F40DB30E9A0DF10
          APIs
          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CAA3F70
            • Part of subcall function 6CB5C413: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CB5C4AD
          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CAA3FBE
          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CAA3FF3
          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CAA4004
          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CAA4015
            • Part of subcall function 6CB56035: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CB560B2
          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CAA404D
          • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CAA4094
            • Part of subcall function 6CB2A822: DestroyMenu.USER32(?), ref: 6CB2A86B
          Similarity
          • API ID: ContextExternal$BaseBase::~Concurrency::details::$DestroyMenu
          • String ID:
          • API String ID: 1488951477-0
          • Opcode ID: e1cae89eae69cfd6cdc72f28051bea04beef43e89ac4e3d10d0bfb55b4ef1f1b
          • Instruction ID: 6516d677c0f78c14ed558f17bf00a904ed8cc578993ff94bb3d56980bc999993
          • Opcode Fuzzy Hash: e1cae89eae69cfd6cdc72f28051bea04beef43e89ac4e3d10d0bfb55b4ef1f1b
          • Instruction Fuzzy Hash: 59410871200A429AC21DEF34C5A29EDF760BF15249B80062DC46A07BA0EF743AADCA95
          APIs
          • FillRect.USER32(?,?,-000000A0), ref: 6CAB34C6
          • InflateRect.USER32(?,000000FF,000000FF), ref: 6CAB34D4
          • PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 6CAB34FA
          • PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 6CAB3513
          • PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 6CAB352C
          • PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 6CAB3548
          • FillRect.USER32(?,?,-000000D0), ref: 6CAB356B
          Similarity
          • API ID: Rect$Fill$Inflate
          • String ID:
          • API String ID: 2224923502-0
          • Opcode ID: d62b41c3a9cdee23bbdef35d865903f74b4cd7e08432c58e682cb855023e53b3
          • Instruction ID: 1e15b52eda08d9cda2dfb28e9873741eaf7dcf9c3b6ea10615a1a23ddc2b1e5a
          • Opcode Fuzzy Hash: d62b41c3a9cdee23bbdef35d865903f74b4cd7e08432c58e682cb855023e53b3
          • Instruction Fuzzy Hash: 00310C72210109EFEF01DF58CD49EAA3BBDFB05314F008114F925962A0D772ED60DB60
          APIs
          • FreeLibrary.KERNEL32(00000000,?,6CC35D9C,?,6CC2FDF6,00000000,00000000,00000008,?,6CC36006,00000022,FlsSetValue,6CC8E480,6CC8E488,00000000), ref: 6CC35D4E
          Similarity
          • API ID: FreeLibrary
          • String ID: api-ms-$ext-ms-
          • API String ID: 3664257935-537541572
          • Opcode ID: 850071c12432143186dda566fc2a14b5aa51e5dda1325e403638432cb5bdc5d0
          • Instruction ID: d4b5c90e80c176dea6afc97c02d25cb950298f5cfcc15c2b4b610bdd3df2679e
          • Opcode Fuzzy Hash: 850071c12432143186dda566fc2a14b5aa51e5dda1325e403638432cb5bdc5d0
          • Instruction Fuzzy Hash: 49210D35B01631A7DB128B25ED48A4A3778DF4336CF251655E91AB7A80F730EA44C7E0
          APIs
          • DeleteObject.GDI32(00000000), ref: 6CAAB9AF
          • GetObjectW.GDI32(0000005C,?), ref: 6CAAB9C2
            • Part of subcall function 6CABFA11: SystemParametersInfoW.USER32(00000029,?,?,00000000), ref: 6CABFA2D
          • CreateFontIndirectW.GDI32(?), ref: 6CAABA05
          • SendMessageW.USER32(?,00000030,?,00000001), ref: 6CAABA28
          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6CAABA37
          • SendMessageW.USER32(?,00000030,?,00000001), ref: 6CAABA4B
          • SendMessageW.USER32(?,00000030,?,00000001), ref: 6CAABA5B
          Similarity
          • API ID: MessageSend$Object$CreateDeleteFontIndirectInfoParametersSystem
          • String ID:
          • API String ID: 2281635968-0
          • Opcode ID: c289232149323ed2948e0b5c0a5e9e5e1161cf7af63eda3176f82b0384429599
          • Instruction ID: 4cb583ef2fa9c398d700ffe621fbe2bb6978653956d7d1e38c85488483a7d03f
          • Opcode Fuzzy Hash: c289232149323ed2948e0b5c0a5e9e5e1161cf7af63eda3176f82b0384429599
          • Instruction Fuzzy Hash: 3F21F331310304AFDB259FA4DC44FDABBBDFB89344F000629FA18D6290DB719958CB91
          APIs
          • GetModuleHandleW.KERNEL32(?,?,?,?,user32.dll,?,?,00000000,?,6CAB7E77,00000000,00000000), ref: 6CAB977A
          • GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 6CAB978C
          • GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 6CAB979A
          Similarity
          • API ID: AddressProc$HandleModule
          • String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
          • API String ID: 667068680-2470269259
          • Opcode ID: 7394e408b9efd23c79af2b822660ee03c8be2e65230813d89a73870c61d9d346
          • Instruction ID: b93914300ac460cdff6248dde19dc2dde13551be1ad98e2115b869c4bbda8b79
          • Opcode Fuzzy Hash: 7394e408b9efd23c79af2b822660ee03c8be2e65230813d89a73870c61d9d346
          • Instruction Fuzzy Hash: 7C112232701615ABCB011EB5DC88A5ABBBDFF55368B144126ED08A3E00DB71ECF08BE0
          APIs
          • RealChildWindowFromPoint.USER32(?,?,?), ref: 6CB95CC6
          • ClientToScreen.USER32(?,?), ref: 6CB95CE0
          • GetWindow.USER32(?,00000005), ref: 6CB95D32
          Similarity
          • API ID: Window$ChildClientFromPointRealScreen
          • String ID:
          • API String ID: 2518355518-0
          • Opcode ID: 8573c0c6ceec2d8cbdd62984028b30b34a920061d1efea226d5b55930e6a7a06
          • Instruction ID: bdf6ed8e63282b81445a66b06682269ed4f43153856f5e7c5de831ada21c52de
          • Opcode Fuzzy Hash: 8573c0c6ceec2d8cbdd62984028b30b34a920061d1efea226d5b55930e6a7a06
          • Instruction Fuzzy Hash: 6911A231A1111AAFCB019FA88C08EEF7BB9EF4A305F514225F402E3240DB309A958BA5
          APIs
          • GetParent.USER32(?), ref: 6CAB5C30
          • GetWindowRect.USER32(?,?), ref: 6CAB5C4E
          • ScreenToClient.USER32(?,?), ref: 6CAB5C5B
          • ScreenToClient.USER32(?,?), ref: 6CAB5C68
          • EqualRect.USER32(?,?), ref: 6CAB5C73
          • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 6CAB5C9A
          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 6CAB5CA4
          Similarity
          • API ID: Window$ClientRectScreen$DeferEqualParent
          • String ID:
          • API String ID: 443303494-0
          • Opcode ID: 2d4260bc6e7998d6b371953434067633d1ce7b9b1436c9ca34d512b561119cee
          • Instruction ID: 3ad6797387a24ed522dc0daf8e876dd958e908c2b0882edb2aa74280546aa650
          • Opcode Fuzzy Hash: 2d4260bc6e7998d6b371953434067633d1ce7b9b1436c9ca34d512b561119cee
          • Instruction Fuzzy Hash: 3F214D72A10109EFCF01DFA4CD84EAEBBBDFF0A704B54815AE905BA154D730E991DBA0
          APIs
          • IsWindow.USER32(00000000), ref: 6CAB7B60
          • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6CAB7B88
          • SizeofResource.KERNEL32(?,00000000), ref: 6CAB7B9A
          • LoadResource.KERNEL32(?,00000000), ref: 6CAB7BA6
          • LockResource.KERNEL32(00000000), ref: 6CAB7BB1
          Similarity
          • API ID: Resource$FindLoadLockSizeofWindow
          • String ID: AFX_DIALOG_LAYOUT
          • API String ID: 2582447065-2436846380
          • Opcode ID: 093384853ac6cda1f6d217f7029e43263668d336a9eb3e84ad8924db64e660f8
          • Instruction ID: a0461cebb25473db5926f1c17c5f922da7272a79abc809789637ba12fd06aced
          • Opcode Fuzzy Hash: 093384853ac6cda1f6d217f7029e43263668d336a9eb3e84ad8924db64e660f8
          • Instruction Fuzzy Hash: B511A571711604AFDB028BB4CC48EAF77BCEF45255B144425B916FA600EBB4C990CF70
          APIs
          Similarity
          • API ID: H_prolog3
          • String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
          • API String ID: 431132790-2717817858
          • Opcode ID: ffc23c9c519e577d781fdfb0cfd11ca63633c1449f0dd60ef35ffb88f7f13454
          • Instruction ID: b81accc82df112fd2714973c07c1d7f3b5a84fa53e68aeeb821aefe3422615ea
          • Opcode Fuzzy Hash: ffc23c9c519e577d781fdfb0cfd11ca63633c1449f0dd60ef35ffb88f7f13454
          • Instruction Fuzzy Hash: D611B67290004D97CB04DFA9CA85AFE7BB5AF80258F144609E512ABF80DB709A8DC75A
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB470C4
            • Part of subcall function 6CBE02D7: __EH_prolog3.LIBCMT ref: 6CBE02DE
          Strings
          Similarity
          • API ID: H_prolog3
          • String ID: $File%d$PreviewPages$Recent File List$Settings
          • API String ID: 431132790-2750173842
          • Opcode ID: b79cf58e7c69438d32f8d7e45ed35cfcb6698ec4f4c769dea76425615d981e2e
          • Instruction ID: f0b63e74085814fba595b67ef864a0a2343ecc005b0ca6c6179ba8852310c1ce
          • Opcode Fuzzy Hash: b79cf58e7c69438d32f8d7e45ed35cfcb6698ec4f4c769dea76425615d981e2e
          • Instruction Fuzzy Hash: 9401DE30644244EBEB009F61C885F9C3AB1AB49724F10806AED10FBFC2EBB48984DB51
          APIs
          • __EH_prolog3.LIBCMT ref: 6CC19B53
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CC19B5E
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CC19BCC
            • Part of subcall function 6CC19CB0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CC19CC8
          • std::locale::_Setgloballocale.LIBCPMT ref: 6CC19B79
          • _Yarn.LIBCPMT ref: 6CC19B8F
          Strings
          Similarity
          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
          • String ID: hVl
          • API String ID: 1088826258-291542059
          • Opcode ID: 72c347c58f713dd029da37a58222f03e8803ae2df3dc4a0cd566ae46da84ca71
          • Instruction ID: e5f1c292f67d38036b8c27a55a4763d99f4459dd82e9a8c2ae9f8642b571dadb
          • Opcode Fuzzy Hash: 72c347c58f713dd029da37a58222f03e8803ae2df3dc4a0cd566ae46da84ca71
          • Instruction Fuzzy Hash: 5901A775B085219BCB06DF22C890ABD77B1BF85654B544009D81297F80EF745F8AEBC1
          APIs
          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6CABEFB2,?,?,00000002,00000000,0000007D,00000001,00000000,?,6CAA42BA,?,50008200,0000E801), ref: 6CB94DE4
          • GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6CB94DF4
          • EncodePointer.KERNEL32(00000000,?,6CABEFB2,?,?,00000002,00000000,0000007D,00000001,00000000,?,6CAA42BA,?,50008200,0000E801,00000000), ref: 6CB94DFD
          • DecodePointer.KERNEL32(00000000,?,?,6CABEFB2,?,?,00000002,00000000,0000007D,00000001,00000000,?,6CAA42BA,?,50008200,0000E801), ref: 6CB94E0B
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
          • String ID: BeginBufferedPaint$uxtheme.dll
          • API String ID: 2061474489-1632326970
          • Opcode ID: 88fa929efc770837d5c7d4b0610b01ea4f318a01ca629ab7934859d9e6701f70
          • Instruction ID: 8bb0d238ac362ff54ba9e1459de9510d752270d5048ba8b1fcb763441bf8f6f0
          • Opcode Fuzzy Hash: 88fa929efc770837d5c7d4b0610b01ea4f318a01ca629ab7934859d9e6701f70
          • Instruction Fuzzy Hash: 36F09031A11A56EF8F125F60CC0885B3F78FB0B391740C520FD11E2A10D730C9A0AFA0
          APIs
          • GetModuleHandleW.KERNEL32(shell32.dll,?,?,6CBF18E4,?,00000000,6CC80AA0,6CBF1BB2), ref: 6CB95634
          • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6CB95644
          • EncodePointer.KERNEL32(00000000,?,6CBF18E4,?,00000000,6CC80AA0,6CBF1BB2), ref: 6CB9564D
          • DecodePointer.KERNEL32(00000000,?,?,6CBF18E4,?,00000000,6CC80AA0,6CBF1BB2), ref: 6CB9565B
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
          • String ID: SHCreateItemFromParsingName$shell32.dll
          • API String ID: 2061474489-2320870614
          • Opcode ID: e82b8ba1aead5904de82c8422052eb0a131044e9747792de184affb284671a1e
          • Instruction ID: 7ca91f52dea1efd3ff139b4a60d3aae83cba7f8b2f6aad1f7369a0a4e04d48cb
          • Opcode Fuzzy Hash: e82b8ba1aead5904de82c8422052eb0a131044e9747792de184affb284671a1e
          • Instruction Fuzzy Hash: FBF0BE71A81616EBDF011F68CC0C85A3F7CEB073567004220FD09E7A10D730C8A0AFA8
          APIs
          • GetModuleHandleW.KERNEL32(user32.dll,?,?,6CAF7DEF,00000323,00000001,?,00000004,6CAA3C52,?,?,?,?,6CC43DA0,000000FF), ref: 6CB94EF3
          • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6CB94F03
          • EncodePointer.KERNEL32(00000000,?,?,6CAF7DEF,00000323,00000001,?,00000004,6CAA3C52,?,?,?,?,6CC43DA0,000000FF), ref: 6CB94F0C
          • DecodePointer.KERNEL32(00000000,?,?,6CAF7DEF,00000323,00000001,?,00000004,6CAA3C52,?,?,?,?,6CC43DA0,000000FF), ref: 6CB94F1A
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
          • String ID: ChangeWindowMessageFilter$user32.dll
          • API String ID: 2061474489-2498399450
          • Opcode ID: defcaae0cf3b518fdc9f0b5c4527b6bbf145220d42657c9c3f01bccd137683b0
          • Instruction ID: 469cbcc67aa37433847c3e729c46048c415b7c4401b87061ea4a740c1d7471a3
          • Opcode Fuzzy Hash: defcaae0cf3b518fdc9f0b5c4527b6bbf145220d42657c9c3f01bccd137683b0
          • Instruction Fuzzy Hash: 48F08234665616AB9F021B758C0C95A3EB8EB077953418131FC1AE7A00E730C9A09FA1
          APIs
          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6CABF20D,?,00000001), ref: 6CB9522C
          • GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 6CB9523C
          • EncodePointer.KERNEL32(00000000,?,?,6CABF20D,?,00000001), ref: 6CB95245
          • DecodePointer.KERNEL32(00000000,?,?,6CABF20D,?,00000001), ref: 6CB95253
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
          • String ID: EndBufferedPaint$uxtheme.dll
          • API String ID: 2061474489-2993015961
          • Opcode ID: 341f6dce7ea9a68cbee4e6a7345cb2395616e3067f918b1146c2e54190f7c066
          • Instruction ID: 5b81c51b17ba25a88f7bd50ab88512d79265c3751e001b527e1ac79f376e781e
          • Opcode Fuzzy Hash: 341f6dce7ea9a68cbee4e6a7345cb2395616e3067f918b1146c2e54190f7c066
          • Instruction Fuzzy Hash: BBF0B834A82611EB8F001B64880C80A3F7CEF063927008230FC05E7A20EB309891AFA6
          APIs
          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6CABF467,00000800,00000800,?,?,6CB2F71E,00000800,00000018,6CB2F703,00000800,00000000,?,0000007D), ref: 6CB94E9B
          • GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6CB94EAB
          • EncodePointer.KERNEL32(00000000,?,6CABF467,00000800,00000800,?,?,6CB2F71E,00000800,00000018,6CB2F703,00000800,00000000,?,0000007D), ref: 6CB94EB4
          • DecodePointer.KERNEL32(00000000,?,6CABF467,00000800,00000800,?,?,6CB2F71E,00000800,00000018,6CB2F703,00000800,00000000,?,0000007D), ref: 6CB94EC2
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
          • String ID: BufferedPaintUnInit$uxtheme.dll
          • API String ID: 2061474489-1501038116
          • Opcode ID: 94b7fa2b9e4bbf66e62eb7f18156ca2e62d3a2c05b25f85ec43da695980ceee1
          • Instruction ID: 4b854317d64da6e1087a0341aee876515763cbda12f7d62d3a10101e6070298c
          • Opcode Fuzzy Hash: 94b7fa2b9e4bbf66e62eb7f18156ca2e62d3a2c05b25f85ec43da695980ceee1
          • Instruction Fuzzy Hash: 17E06D36711922EB9F112B34A80C95F3A78EB13656302C660FC12E3E00EB24C9D29FB1
          APIs
          • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6CABEF84,00000001,00000000,?,6CAA42BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?), ref: 6CB94E46
          • GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6CB94E56
          • EncodePointer.KERNEL32(00000000,?,6CAA42BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?,00000001,0000007D,?,00000800), ref: 6CB94E5F
          • DecodePointer.KERNEL32(00000000,?,6CABEF84,00000001,00000000,?,6CAA42BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?), ref: 6CB94E6D
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
          • String ID: BufferedPaintInit$uxtheme.dll
          • API String ID: 2061474489-1331937065
          • Opcode ID: 207c49366a3678341c275141be0fff2d6935caa25135bbe850a25a5411c68d22
          • Instruction ID: d0603ffb3c700ede1dc485d64be8b25087d13e567adf15c37402b84fa0427422
          • Opcode Fuzzy Hash: 207c49366a3678341c275141be0fff2d6935caa25135bbe850a25a5411c68d22
          • Instruction Fuzzy Hash: D7E06D36711922ABDF156B74980C55B3A78DB432513018560FC11E3A00EB2488D29FA1
          APIs
          • GetModuleHandleW.KERNEL32(shell32.dll,?,6CAB5A3E,?,?,6CB49D91,000FC000,00000010,00000048,6CB49D36,00000000,6CAEF93B,?), ref: 6CB954D0
          • GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 6CB954E0
          • EncodePointer.KERNEL32(00000000,?,?,6CB49D91,000FC000,00000010,00000048,6CB49D36,00000000,6CAEF93B,?), ref: 6CB954E9
          • DecodePointer.KERNEL32(00000000,?,6CAB5A3E,?,?,6CB49D91,000FC000,00000010,00000048,6CB49D36,00000000,6CAEF93B,?), ref: 6CB954F7
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
          • String ID: InitNetworkAddressControl$shell32.dll
          • API String ID: 2061474489-1950653938
          • Opcode ID: 1c3bd345b19a593382317b06fe8cab6a5887fd63521ac64fa0b8bb794e47702f
          • Instruction ID: 5f4b0ae76d8b89df5b9487b8967d88c7dc8405845f0fda1a62348f702b2e67a4
          • Opcode Fuzzy Hash: 1c3bd345b19a593382317b06fe8cab6a5887fd63521ac64fa0b8bb794e47702f
          • Instruction Fuzzy Hash: A4E09B35B119229F9F112B749C0C55B3A78EF032563414660FC02E3A04EB34CDD5AFB5
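The seven entries above share one shape: GetModuleHandleW on an already-loaded system DLL, GetProcAddress by export name, then EncodePointer/DecodePointer on the result. That is how a Win32 GUI runtime guards optional APIs such as the uxtheme buffered-paint functions so the binary still loads on older Windows builds; on its own it is not evidence of malicious intent, and the report supports no stronger reading. What would change the picture is a resolver whose export name the sandbox never sees. The following Python is an added triage helper written for this page, not part of the Joe Sandbox report or of the analysed sample: it parses API lines in the report's own format, pairs each GetProcAddress with the most recent module handle, notes whether the pointer was encoded, and flags resolutions with no readable export name. The FRAMEWORK_LAZY_EXPORTS allowlist and the final "CONSTRUCTED" entry are assumptions built for the example; the other three entries are copied (arguments abridged) from the report.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# One API line as Joe Sandbox prints it; bullet and "Part of subcall function X:"
# prefix are optional, and some calls (__EH_prolog3.LIBCMT) have no argument list.
_API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[\w:~]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: str

class DynamicImport(NamedTuple):
    dll: str
    export: str
    encoded: bool   # True when the resolved pointer went through EncodePointer
    verdict: str

# Assumption (constructed for this example): exports a Win32 GUI runtime
# resolves lazily so the binary still loads on OS versions that lack them.
FRAMEWORK_LAZY_EXPORTS = {
    ("uxtheme.dll", "BufferedPaintInit"), ("uxtheme.dll", "BufferedPaintUnInit"),
    ("uxtheme.dll", "BeginBufferedPaint"), ("uxtheme.dll", "EndBufferedPaint"),
    ("user32.dll", "ChangeWindowMessageFilter"),
    ("shell32.dll", "SHCreateItemFromParsingName"),
    ("shell32.dll", "InitNetworkAddressControl"),
}
LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"}

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _API_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return ApiCall(m.group("api"), m.group("module"), args, m.group("ref"))

def _is_export_name(arg: str) -> bool:
    # "?" is a value the sandbox could not recover; a hex literal is a pointer or ordinal.
    return arg != "?" and re.fullmatch(r"-?[0-9A-F]{1,8}", arg) is None

def _verdict(dll: str, export: str, encoded: bool) -> DynamicImport:
    if not _is_export_name(export):
        verdict = "unresolved-name"        # hashed or computed at run time: look closer
    elif (dll, export) in FRAMEWORK_LAZY_EXPORTS:
        verdict = "framework-lazy-load"    # ordinary OS-version guard, benign on its own
    else:
        verdict = "review"
    return DynamicImport(dll, export, encoded, verdict)

def extract_dynamic_imports(lines: List[str]) -> List[DynamicImport]:
    # Pair each GetProcAddress with the most recent module handle/load in the entry.
    found: List[DynamicImport] = []
    dll, pending = "?", None
    for call in filter(None, map(parse_api_line, lines)):
        if call.api in LOADERS and call.args and call.args[0].lower().endswith(".dll"):
            dll = call.args[0].lower()
        elif call.api == "GetProcAddress":
            if pending:                     # previous resolution was never encoded
                found.append(_verdict(*pending, encoded=False))
            pending = (dll, call.args[1] if len(call.args) > 1 else "?")
        elif call.api == "EncodePointer" and pending:
            found.append(_verdict(*pending, encoded=True))
            pending = None
    if pending:
        found.append(_verdict(*pending, encoded=False))
    return found

# Constructed input: three entries copied (arguments abridged) from the report
# above, plus one synthetic contrast case that is NOT from the report.
SAMPLE_ENTRIES: Dict[str, List[str]] = {
    "6CB94DE4": [
        "• GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6CABEFB2,?,?,00000002), ref: 6CB94DE4",
        "• GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6CB94DF4",
        "• EncodePointer.KERNEL32(00000000,?,6CABEFB2), ref: 6CB94DFD",
        "• DecodePointer.KERNEL32(00000000,?,?,6CABEFB2), ref: 6CB94E0B",
    ],
    "6CB95634": [
        "• GetModuleHandleW.KERNEL32(shell32.dll,?,?,6CBF18E4,?,00000000), ref: 6CB95634",
        "• GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6CB95644",
        "• EncodePointer.KERNEL32(00000000,?,6CBF18E4), ref: 6CB9564D",
    ],
    "6CB94EF3": [
        "• GetModuleHandleW.KERNEL32(user32.dll,?,?,6CAF7DEF,00000323), ref: 6CB94EF3",
        "• GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6CB94F03",
        "• EncodePointer.KERNEL32(00000000,?,?,6CAF7DEF), ref: 6CB94F0C",
    ],
    "CONSTRUCTED": [  # a loader that never exposes a readable export name
        "• LoadLibraryW.KERNEL32(?), ref: 00401000",
        "• GetProcAddress.KERNEL32(00000000,?), ref: 00401010",
    ],
}

def triage(entries: Dict[str, List[str]]) -> List[DynamicImport]:
    return [imp for lines in entries.values() for imp in extract_dynamic_imports(lines)]

if __name__ == "__main__":
    for imp in triage(SAMPLE_ENTRIES):
        print(f"{imp.verdict:22s} {imp.dll}!{imp.export} encoded={imp.encoded}")
```

Run against the three report entries the helper returns framework-lazy-load for each; only the constructed entry, whose GetProcAddress argument is "?", comes back unresolved-name. Pairing by "most recent module handle" is deliberate: Joe Sandbox lists calls per function in address order, so the handle obtained just before GetProcAddress is the one passed to it (the "00000000" first argument is the sandbox's placeholder for the handle value, not a null).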
          APIs
          • GetSysColor.USER32(0000000F), ref: 6CB81FF3
          • GetSysColor.USER32(00000010), ref: 6CB81FFE
          • GetSysColor.USER32(00000014), ref: 6CB82009
          • GetSysColor.USER32(00000012), ref: 6CB82014
          • GetSysColor.USER32(00000006), ref: 6CB8201F
          • GetSysColorBrush.USER32(0000000F), ref: 6CB8202A
          • GetSysColorBrush.USER32(00000006), ref: 6CB82035
          Similarity
          • API ID: Color$Brush
          • String ID:
          • API String ID: 2798902688-0
          • Opcode ID: 0aca69814a48b4bbd681b95d357834d85d4cb71cb0ed00199e52a0fd5bb08044
          • Instruction ID: c30bd86f07a31375c138c99d7e6570e28e68bde2d84035be81f74002f1ffc0f2
          • Opcode Fuzzy Hash: 0aca69814a48b4bbd681b95d357834d85d4cb71cb0ed00199e52a0fd5bb08044
          • Instruction Fuzzy Hash: 64F09E71A507009BDB205FB1894D7567AF0FB09722F408D19E246AB981E776D090EF40
          APIs
            • Part of subcall function 6CABCC71: ShowWindow.USER32(?,6CBFEDF4,00000000,?,6CACA7D4,00000000,?,?,6CBFEDF4,?,00000000,?,?,6CACA374,00000000,000000FF), ref: 6CABCC82
          • GetDesktopWindow.USER32 ref: 6CACA808
          • GetWindow.USER32(00000000), ref: 6CACA80F
          • GetWindowLongW.USER32(00000000,000000F0), ref: 6CACA83D
          • ShowWindow.USER32(00000000,00000000,?,6CBFEDF4,6CBFEDF4,?,?,6CBFEDF4,?,00000000,?,?,6CACA374,00000000,000000FF,00000000), ref: 6CACA858
          • ShowWindow.USER32(00000000,00000004,?,6CBFEDF4,6CBFEDF4,?,?,6CBFEDF4,?,00000000,?,?,6CACA374,00000000,000000FF,00000000), ref: 6CACA879
          • GetWindow.USER32(00000000,00000002), ref: 6CACA886
          Similarity
          • API ID: Window$Show$DesktopLong
          • String ID:
          • API String ID: 3178490500-0
          • Opcode ID: fd3badf72761ace0587870d60bce2bb9bdb8d4d3331906d3a43f4b59b951c6b0
          • Instruction ID: 6e8a669621238d3df1ea0b7cde4150b889ca5f83a470d9fc80455bee760518b6
          • Opcode Fuzzy Hash: fd3badf72761ace0587870d60bce2bb9bdb8d4d3331906d3a43f4b59b951c6b0
          • Instruction Fuzzy Hash: C0A116317016259BDB048F28C884BAA77B6FF45314F188269ED19EBB80DB30DDD58BD2
          APIs
          • FillRect.USER32(56010845,?,?), ref: 6CB6FDD3
          • FillRect.USER32(?,?,?), ref: 6CB6FE3A
          • FillRect.USER32(?,?,?), ref: 6CB6FEDD
            • Part of subcall function 6CABD46D: __EH_prolog3.LIBCMT ref: 6CABD474
            • Part of subcall function 6CABD46D: CreateSolidBrush.GDI32(?), ref: 6CABD48F
          Similarity
          • API ID: FillRect$BrushCreateH_prolog3Solid
          • String ID:
          • API String ID: 1242064992-0
          • Opcode ID: 95953d891da1caeb10e8897da46499f5a1541ee7ce0c8cb9d5a0c1b0904e427e
          • Instruction ID: cd3fa7553c658e4db3b1698d3354de4750cf923fbed7d815744210f3bbb4d40e
          • Opcode Fuzzy Hash: 95953d891da1caeb10e8897da46499f5a1541ee7ce0c8cb9d5a0c1b0904e427e
          • Instruction Fuzzy Hash: 2CA17271A1011ADFCF08CF99C9959EDBBB6FF48304F14811EE806BB694D731A959CBA0
          APIs
          • IsWindowVisible.USER32(?), ref: 6CB39DC4
          • IsWindowVisible.USER32(?), ref: 6CB39DD7
          • GetWindowRect.USER32(?,?), ref: 6CB39E38
          • IsZoomed.USER32(?), ref: 6CB39E47
          • SetWindowRgn.USER32(?,00000000,00000001), ref: 6CB39EB9
          • GetSystemMetrics.USER32(00000004), ref: 6CB39F3B
          Similarity
          • API ID: Window$Visible$MetricsRectSystemZoomed
          • String ID:
          • API String ID: 3738653960-0
          • Opcode ID: 502c73b08e5599c24f32cfa018a83e34f2d172b72c28b209d3aec4756c280dac
          • Instruction ID: d41eeaad68de98b9ce6694d2843d7b24d174668b26ec66493086b4dd60b7fe77
          • Opcode Fuzzy Hash: 502c73b08e5599c24f32cfa018a83e34f2d172b72c28b209d3aec4756c280dac
          • Instruction Fuzzy Hash: E7A17D71E00669AFDF08DFA9C944BEEBBB9FF48308F144129E419A7650DB30A955CF81
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CBF450F
          • GetDC.USER32(?), ref: 6CBF4650
            • Part of subcall function 6CB5426F: __EH_prolog3.LIBCMT ref: 6CB54276
          • ReleaseDC.USER32(?,00000000), ref: 6CBF46BA
          • GetDeviceCaps.GDI32(?,00000058), ref: 6CBF46E1
          • GetDeviceCaps.GDI32(?,0000005A), ref: 6CBF46F5
          • ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,6CC81110,6CC81110), ref: 6CBF47AE
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CapsDevice$H_prolog3H_prolog3_ReleaseScrollShow
          • String ID:
          • API String ID: 3992271784-0
          • Opcode ID: a80041a1abc5427ceedc01b6f0140144e9bdd7d28c449a1a20d0f1b057c46da9
          • Instruction ID: e96c8459848e28932ca246826669dbc1b2dd44ab026b4f599b62332bcbaa5193
          • Opcode Fuzzy Hash: a80041a1abc5427ceedc01b6f0140144e9bdd7d28c449a1a20d0f1b057c46da9
          • Instruction Fuzzy Hash: CE912334A11210DFDB05CF28C984BAA7BB1FF49310F1541A9EC19EB3A5CB31A956DFA0
          APIs
          • SetRectEmpty.USER32(?), ref: 6CAA324C
          • SendMessageW.USER32(?,00001109,00000000,?), ref: 6CAA32A5
          • LoadBitmapW.USER32(?,-000000AF), ref: 6CAA334E
          • GetObjectW.GDI32(00000000,00000018,?), ref: 6CAA336A
          • ImageList_AddMasked.COMCTL32(?,00000000,00FF00FF,00000010,?,00000005,00000000,00000000,?,50402808,000000A9,00000000,?,00000004), ref: 6CAA33A3
          • SendMessageW.USER32(?,00001109,00000000,?), ref: 6CAA33C2
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageSend$BitmapEmptyImageList_LoadMaskedObjectRect
          • String ID:
          • API String ID: 2800448286-0
          • Opcode ID: 1f01ea9d25c654eda537b63180b017a53b04b83cb74e1658b62b7a7a3b2995bb
          • Instruction ID: 28043ea961ad3a1a52fb93e698d7c10717e1fe53accb9883a83adc83549d1f1e
          • Opcode Fuzzy Hash: 1f01ea9d25c654eda537b63180b017a53b04b83cb74e1658b62b7a7a3b2995bb
          • Instruction Fuzzy Hash: 9151BF71740605AFDB159BA4CD45BAEB3B8FF08705F100228F615AB6D0CB70A9988B91
          APIs
          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6CC1A5B2
          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6CC1A61D
          • LCMapStringEx.KERNEL32(00000000,6CC92FD1,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6CC1A63A
          • LCMapStringEx.KERNEL32(00000000,6CC92FD1,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6CC1A679
          • LCMapStringEx.KERNEL32(00000000,6CC92FD1,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6CC1A6D8
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CC1A6FB
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ByteCharMultiStringWide
          • String ID:
          • API String ID: 2829165498-0
          • Opcode ID: b902fc804de33882e528e7e70220fbbcd299545ee6f7358b36069215700e4ca3
          • Instruction ID: 66db2d065c66a86a10f6954bddbdc20d0edaafc8628fb27accd072b8a136307e
          • Opcode Fuzzy Hash: b902fc804de33882e528e7e70220fbbcd299545ee6f7358b36069215700e4ca3
          • Instruction Fuzzy Hash: 9E51C372609206AFEF104F56CC44FAB7BB9EF85748F214029F914E6D90FB34C959AB90
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB6E2CD
          • CreateCompatibleDC.GDI32(00000000), ref: 6CB6E351
          • CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 6CB6E381
          • SelectObject.GDI32(?,00000000), ref: 6CB6E3D4
            • Part of subcall function 6CB6FD99: FillRect.USER32(56010845,?,?), ref: 6CB6FDD3
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CompatibleCreate$BitmapFillH_prolog3_ObjectRectSelect
          • String ID:
          • API String ID: 527521954-0
          • Opcode ID: 0218bec8d984b17d3e51d3525506639acd18328b40646063c8326143f1a37450
          • Instruction ID: fb0ed1ba821dbe2b8d8d08cd1fac3dd39670735d611c8f7c4693407baed86f8d
          • Opcode Fuzzy Hash: 0218bec8d984b17d3e51d3525506639acd18328b40646063c8326143f1a37450
          • Instruction Fuzzy Hash: B9510372901249EFCF02DFE5CA45AEEBBB5EF08304F104015F904BBA60DB31AA59DB91
          APIs
          • FillRect.USER32(?,?,00000000), ref: 6CAAC957
          • GetParent.USER32(?), ref: 6CAAC978
          • GetWindowRect.USER32(?,?), ref: 6CAAC995
          • GetClientRect.USER32(?,?), ref: 6CAACA38
          • MapWindowPoints.USER32(?,?,?,00000002), ref: 6CAACA4A
          • DrawThemeBackground.UXTHEME(?,?,00000000,00000000,?,00000000), ref: 6CAACA72
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$Window$BackgroundClientDrawFillParentPointsTheme
          • String ID:
          • API String ID: 2136005349-0
          • Opcode ID: d3950651bf8fa02457083415de7e57b7c7f5c3726077bd1c9ef948b00608d0ad
          • Instruction ID: 8322a8bca73be787a1d86507d3f381b911d544453c24a98912f7b8c48f8c70c9
          • Opcode Fuzzy Hash: d3950651bf8fa02457083415de7e57b7c7f5c3726077bd1c9ef948b00608d0ad
          • Instruction Fuzzy Hash: 83417E75A00209DFDF00DFA5C944AAEBBF9FF09318B184269E805E7610E731E995CBA0
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB498A6
          • WSAStartup.WS2_32(00000101,?), ref: 6CB498EB
          • WSACleanup.WS2_32 ref: 6CB4993A
          • WSASetLastError.WS2_32(0000276C), ref: 6CB49945
          • WSACleanup.WS2_32 ref: 6CB499E5
          • FreeLibrary.KERNEL32(?,6CB49A00,?,6CB49A00,00000198,6CAA8564,00000000), ref: 6CB499EE
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Cleanup$ErrorFreeH_prolog3_LastLibraryStartup
          • String ID:
          • API String ID: 700773300-0
          • Opcode ID: d1d0d618b14738b413bee659b29943ce2fe9a048076770646c74a25dc4415c25
          • Instruction ID: 81a0df81fc9d7cc0936a16fce690d8cea11208e0bfd1c23c2f3571b576091def
          • Opcode Fuzzy Hash: d1d0d618b14738b413bee659b29943ce2fe9a048076770646c74a25dc4415c25
          • Instruction Fuzzy Hash: C2412630F0A392DBEF119FB58B447D976B8AF42758F10C169D0599BE84DB70C884EB52
          APIs
          • GetFocus.USER32 ref: 6CBF1B25
          • IsWindowEnabled.USER32(00000000), ref: 6CBF1B5B
          • EnableWindow.USER32(00000000,00000000), ref: 6CBF1B73
          • EnableWindow.USER32(00000000,00000001), ref: 6CBF1C14
          • IsWindow.USER32(00000000), ref: 6CBF1C1B
          • SetFocus.USER32(00000000), ref: 6CBF1C26
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$EnableFocus$Enabled
          • String ID:
          • API String ID: 1303138515-0
          • Opcode ID: 4c31a4d80394272ac589fc8e9b1fe9933113572ed56f630e44a92dec43465ebf
          • Instruction ID: 3481bc47a1af0c0b6d88332f00a2ae1b4887e349938fe506767b2b1aa24ccde4
          • Opcode Fuzzy Hash: 4c31a4d80394272ac589fc8e9b1fe9933113572ed56f630e44a92dec43465ebf
          • Instruction Fuzzy Hash: EE41CF70701201EFDB059FB4C898B99B7B5FF05308F148169E0299B7A1DB70E89ACB82
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB364F0
            • Part of subcall function 6CAE8448: __EH_prolog3.LIBCMT ref: 6CAE844F
            • Part of subcall function 6CAE8448: SetRectEmpty.USER32 ref: 6CAE8539
            • Part of subcall function 6CAE8448: SetRectEmpty.USER32(?), ref: 6CAE8564
            • Part of subcall function 6CACC53E: __EH_prolog3.LIBCMT ref: 6CACC545
          • SetRectEmpty.USER32(?), ref: 6CB3665B
          • SetRectEmpty.USER32(?), ref: 6CB3666A
          • SetRectEmpty.USER32(?), ref: 6CB36671
          • SetRectEmpty.USER32(?), ref: 6CB36678
          • SetRectEmpty.USER32(?), ref: 6CB366A2
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: EmptyRect$H_prolog3
          • String ID:
          • API String ID: 3752103406-0
          • Opcode ID: b79fcfdba13c7cccb8a9791d77c0af43b4947e7a7fa726f9d5e17879112b1ddc
          • Instruction ID: 6ff37b7c36ba427dea6d5a719b9bbc4c96bd5cc9267b61bc534229081cb1598a
          • Opcode Fuzzy Hash: b79fcfdba13c7cccb8a9791d77c0af43b4947e7a7fa726f9d5e17879112b1ddc
          • Instruction Fuzzy Hash: 4851B2F09117018FC784CF29C588699BBE4BF99218F2885BEC65DDB222EB32514ACF14
          APIs
          • IsWindowVisible.USER32(?), ref: 6CAB9BF9
          • GetWindow.USER32(?,00000005), ref: 6CAB9C10
          • GetWindowRect.USER32(00000000,?), ref: 6CAB9C2B
            • Part of subcall function 6CABE5B6: ScreenToClient.USER32(?,?), ref: 6CABE5C5
            • Part of subcall function 6CABE5B6: ScreenToClient.USER32(?,?), ref: 6CABE5D2
          • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 6CAB9C51
          • GetWindow.USER32(00000000,00000002), ref: 6CAB9C5A
          • ScrollWindow.USER32(?,?,?,?,?), ref: 6CAB9C76
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$ClientScreen$RectScrollVisible
          • String ID:
          • API String ID: 1714389229-0
          • Opcode ID: 08c32485be41ceecd04ff1492293ac80a07c3e791c6e3d4177e29a39567379c2
          • Instruction ID: 4c9eaf17755167afd80c3d593da06d152cd9726e4d86feff676f9c0941056eb0
          • Opcode Fuzzy Hash: 08c32485be41ceecd04ff1492293ac80a07c3e791c6e3d4177e29a39567379c2
          • Instruction Fuzzy Hash: 9121BD36600609AFCB019F64CE84AAF7BBDFF8A718B158119F901B7610EB30ED909B50
          APIs
          • __EH_prolog3.LIBCMT ref: 6CBB5DD8
          • GetMenuItemCount.USER32(?), ref: 6CBB5DFE
          • GetMenuItemID.USER32(?,00000000), ref: 6CBB5E15
          • GetMenuState.USER32(?,00000000,00000400), ref: 6CBB5E2D
          • GetSubMenu.USER32(?,00000000), ref: 6CBB5EA0
            • Part of subcall function 6CAEBF88: GetMenuStringW.USER32(00000000,00000000,00000000,00000000,?), ref: 6CAEBF9C
            • Part of subcall function 6CAEBF88: GetMenuStringW.USER32(00000000,00000000,00000000,00000001,?), ref: 6CAEBFC0
            • Part of subcall function 6CBB5B4B: __EH_prolog3.LIBCMT ref: 6CBB5B52
          • ModifyMenuW.USER32(?,00000000,00000400,00000000,?), ref: 6CBB5E87
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Menu$H_prolog3ItemString$CountModifyState
          • String ID:
          • API String ID: 2436308985-0
          • Opcode ID: 8a879e6294026760873bfb44e2175cb7ad6ea8e67e8ab3d8dd0a7f8b7fad2aa5
          • Instruction ID: b34679ae0e4199f07c1b16fe53bb792e514d3e20736c3bee8596e8fcdb47502b
          • Opcode Fuzzy Hash: 8a879e6294026760873bfb44e2175cb7ad6ea8e67e8ab3d8dd0a7f8b7fad2aa5
          • Instruction Fuzzy Hash: 5E21B130511105ABCB019B60CD49BFEB6B5FF00258F104624F125B6AD0DF30D89CDB96
          APIs
          • __EH_prolog3.LIBCMT ref: 6CABF681
          • CreateRectRgnIndirect.GDI32(00000000), ref: 6CABF6A1
            • Part of subcall function 6CABE5F5: SelectClipRgn.GDI32(?,00000000), ref: 6CABE615
            • Part of subcall function 6CABE5F5: SelectClipRgn.GDI32(?,00000000), ref: 6CABE62B
          • GetParent.USER32(00000000), ref: 6CABF6C1
          • DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000018), ref: 6CABF6E2
          • MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 6CABF716
          • SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6CABF742
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
          • String ID:
          • API String ID: 935984306-0
          • Opcode ID: 6a918e1fd20f4d8389e6c9d65f0aa1397b18b09195104399b7cf89ad99ee31c3
          • Instruction ID: 59135a587565304c77ac52373d5ae487a74b4f941e1fcc9fae558887466d2a3b
          • Opcode Fuzzy Hash: 6a918e1fd20f4d8389e6c9d65f0aa1397b18b09195104399b7cf89ad99ee31c3
          • Instruction Fuzzy Hash: 26314E76A1020AEFCF00CFA4CD55BEE7BB8BF08315F144458E905BA660DB719998DBA0
          APIs
          • GetWindowLongW.USER32(?,000000F0), ref: 6CAC2A82
          • GetParent.USER32(?), ref: 6CAC2A90
          • GetParent.USER32(?), ref: 6CAC2AA7
          • GetLastActivePopup.USER32(?), ref: 6CAC2ABA
          • IsWindowEnabled.USER32(?), ref: 6CAC2ACE
          • EnableWindow.USER32(?,00000000), ref: 6CAC2AE1
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
          • String ID:
          • API String ID: 670545878-0
          • Opcode ID: 8d9967372cabf6cb7080b4dfa652e4a6c6a9c99ca97d9e6e6e7432d153003e3e
          • Instruction ID: 33e9709ce676435228245f4eeef4025a93e28e0be31996a8e2c57b9b045b8673
          • Opcode Fuzzy Hash: 8d9967372cabf6cb7080b4dfa652e4a6c6a9c99ca97d9e6e6e7432d153003e3e
          • Instruction Fuzzy Hash: E111D3327427299BD7315E5A4848B5B36BC6F5AB58B1B1354EC14B7A40DB20CC8187E2
          APIs
          • LoadMenuW.USER32(?,000000C8), ref: 6CBF0430
          • LoadAcceleratorsW.USER32(?,000000C8), ref: 6CBF043F
          • LoadMenuW.USER32(?,FFFFFFFF), ref: 6CBF0460
          • LoadAcceleratorsW.USER32(?,FFFFFFFF), ref: 6CBF046F
          • LoadMenuW.USER32(?,00000001), ref: 6CBF0490
          • LoadAcceleratorsW.USER32(?,00000001), ref: 6CBF049F
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Load$AcceleratorsMenu
          • String ID:
          • API String ID: 144087665-0
          • Opcode ID: 55789fcd2ce862d6c8d86e9fc9d96f64983aed2a310e21fcf58a7ce7e4b6fa12
          • Instruction ID: c356fdf2d2be888231471e8281725575f847a69c1a0ac08d02a5288a6ecd0050
          • Opcode Fuzzy Hash: 55789fcd2ce862d6c8d86e9fc9d96f64983aed2a310e21fcf58a7ce7e4b6fa12
          • Instruction Fuzzy Hash: C0212171601A66EFC7509F6698444F5F7B8FF05319304812BFE5193A10D734A8B5DFA2
          APIs
          • GetLastError.KERNEL32(00000001,?,6CC1CE3F,6CC17B79,6CC17E3C,?,6CC18072,?,00000001,?,?,00000001,?,6CCB5F78,0000000C,6CC1816B), ref: 6CC1CFF4
          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CC1D002
          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CC1D01B
          • SetLastError.KERNEL32(00000000,6CC18072,?,00000001,?,?,00000001,?,6CCB5F78,0000000C,6CC1816B,?,00000001,?), ref: 6CC1D06D
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ErrorLastValue___vcrt_
          • String ID:
          • API String ID: 3852720340-0
          • Opcode ID: 6005071e51ff64b65b2e9bf5e80784e09068e612dead99edc8d139171ff12fb8
          • Instruction ID: 83c55bb27b641d39e4ffb2eebf72d46e466ab35660c7817057b7b133c33cf03c
          • Opcode Fuzzy Hash: 6005071e51ff64b65b2e9bf5e80784e09068e612dead99edc8d139171ff12fb8
          • Instruction Fuzzy Hash: 5901D43321D6229EEB1225BBBC88A972A74EB0267D720032DF51093DD0FF514807F694
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: H_prolog3
          • String ID: Alt, $Execute$Press$Separator
          • API String ID: 431132790-3451492657
          • Opcode ID: 23f4ad0694f1b10a177e8e83e9105b72aa9bdc0d3ef2a57562b131f18e7167b5
          • Instruction ID: 485da1238cdc9b5f97050e01972917bec3e4bd44cd5fd21d2a9eb1495b1ea483
          • Opcode Fuzzy Hash: 23f4ad0694f1b10a177e8e83e9105b72aa9bdc0d3ef2a57562b131f18e7167b5
          • Instruction Fuzzy Hash: 0081A3356006059FDF15DF60C998BAE77B9BF44308F044469EC12ABB81DF34DA4ACB62
          APIs
            • Part of subcall function 6CB932A0: __EH_prolog3.LIBCMT ref: 6CB932A7
          • SendMessageW.USER32(?,00000433,00000000,?), ref: 6CAB8595
          • GetWindowLongW.USER32(?,000000FC), ref: 6CAB85A0
          • GetWindowLongW.USER32(?,000000FC), ref: 6CAB85B4
          • SetWindowLongW.USER32(?,000000FC,00000000), ref: 6CAB85DD
          Strings
          Similarity
          • API ID: LongWindow$H_prolog3MessageSend
          • String ID: ,
          • API String ID: 4140968126-3772416878
          • Opcode ID: 5163fe33820bd61083cfc31c10858065946532815e6c870df8c6c1f525583921
          • Instruction ID: 860be47e439ba1ee8434a5fb7bb781565f01cd39c791111c64b3cbfa4bd3773b
          • Opcode Fuzzy Hash: 5163fe33820bd61083cfc31c10858065946532815e6c870df8c6c1f525583921
          • Instruction Fuzzy Hash: D171E335701616AFCF05AF78C984A9DBBB9BF48318B14416AE905F7B90DB30E984CB91
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9649A
          • __Getctype.LIBCPMT ref: 6CA96503
          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CA96537
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA965CC
          Strings
          Similarity
          • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_dtorLockit::_Lockit::~_
          • String ID: bad locale name
          • API String ID: 3327844093-1405518554
          • Opcode ID: 24b50973ac02dd6973b49036f544233e372036715cbaf1cfb6623c30a1f77943
          • Instruction ID: 7b266dbc3e5a53e9cc6bd26643de641f537f519ecfee4f429252a14d872ad8da
          • Opcode Fuzzy Hash: 24b50973ac02dd6973b49036f544233e372036715cbaf1cfb6623c30a1f77943
          • Instruction Fuzzy Hash: 0351A3B1C152489BEB10CFA5C945BCEBBF8AF14714F144154D854EBB84EB78D648C791
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAAC727
          • DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000,?,?,?,?,?,?,?,0000001C), ref: 6CAAC75B
          • InflateRect.USER32(?,000000FD,000000FD), ref: 6CAAC77D
          • DrawThemeBackground.UXTHEME(00000000,?,00000003,00000000,?,00000000,?,?,?,?,?,?,?,?,0000001C), ref: 6CAAC7B5
          Strings
          Similarity
          • API ID: BackgroundDrawTheme$H_prolog3_InflateRect
          • String ID: %d%%
          • API String ID: 1553386484-1518462796
          • Opcode ID: cc834abf2f7ceaa6023b5f93e31292804ba667516c651f2d77dbe5aa60e711d8
          • Instruction ID: 479018f99ab89a69c13594191278164c3ffbcd8475e8cd81d9a170177dda043e
          • Opcode Fuzzy Hash: cc834abf2f7ceaa6023b5f93e31292804ba667516c651f2d77dbe5aa60e711d8
          • Instruction Fuzzy Hash: 29414576A102099BEF00DFA4C985BDE77B9BF48318F141458E901BB690DB71E985CBA0
          APIs
          Strings
          Similarity
          • API ID: String$FreeH_prolog3
          • String ID: @
          • API String ID: 315669285-2766056989
          • Opcode ID: 7ec362a3497bc2eb1f1f9870a32f73ee4935c125e8fde95f7abc3fd75afafe31
          • Instruction ID: d9173b1e15d0d1ebba8ed1761ec62a81630026c0350ae922de04a2d054c4b6ee
          • Opcode Fuzzy Hash: 7ec362a3497bc2eb1f1f9870a32f73ee4935c125e8fde95f7abc3fd75afafe31
          • Instruction Fuzzy Hash: 0B315B7590024AAFDF05CFE8CC85DEE7BB9EF08318F144129F925AA690DB30C9999B50
          APIs
          • SendMessageW.USER32(?,00000030,00000001,00000080), ref: 6CAA5868
          • SendMessageW.USER32(?,00000030,00000001), ref: 6CAA587A
          • SendMessageW.USER32(?,00000030,00000001), ref: 6CAA588C
          • RedrawWindow.USER32(?,00000000,00000000,00000585,?,6CAA449A,?,00000000,00000000,?,00000000,00000000,?,00000003,00000001,?), ref: 6CAA589A
          Strings
          Similarity
          • API ID: MessageSend$RedrawWindow
          • String ID: ApplicationLook
          • API String ID: 648961319-3231287756
          • Opcode ID: b88b8597cecbf2f2db30ea24e7ced70f005f3242a57af67a526da801f705cd3c
          • Instruction ID: 069b45e9addf6877fca18c4b8d8d9f778a53b0f2dd165aa53c3400e22c01d4fc
          • Opcode Fuzzy Hash: b88b8597cecbf2f2db30ea24e7ced70f005f3242a57af67a526da801f705cd3c
          • Instruction Fuzzy Hash: 42312430394A04FBEA188BD4CD4AF98BB74BB06B58F004526B2057BED0D7B169D5EF49
          APIs
          Strings
          Similarity
          • API ID: __snprintf_s$ClassInfo
          • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
          • API String ID: 1341824228-2801496823
          • Opcode ID: 073e1fce4823e18d4799247f1e4ad213307e5c5a37459a56426efe2d56a0d990
          • Instruction ID: 5bc28166d85c3cf1fd0f7b8fb9e139201687370b9790f4ac1048fe2ab662fdb2
          • Opcode Fuzzy Hash: 073e1fce4823e18d4799247f1e4ad213307e5c5a37459a56426efe2d56a0d990
          • Instruction Fuzzy Hash: F1314AB4900208AFCB11EFA9D844EDEBBF8EF49318F044456E914BB761E7749998CF61
          APIs
            • Part of subcall function 6CB309E8: KillTimer.USER32(?,?,00000000,00000800,?,?,?,?,?,00000058,00000040,6CAA42D4,6CCBCB3C,00000004,?,50008200), ref: 6CB30A13
          • GetIconInfo.USER32(00000000,00000001), ref: 6CB30B3A
          • GetObjectW.GDI32(4(@P,00000018,?), ref: 6CB30B49
          • DeleteObject.GDI32(00000001), ref: 6CB30B52
          • DeleteObject.GDI32(?), ref: 6CB30B5B
          Strings
          Similarity
          • API ID: Object$Delete$IconInfoKillTimer
          • String ID: 4(@P
          • API String ID: 3402499453-4081170755
          • Opcode ID: 3ff747a95a5c2f73fc84665117b7cfbfe0bf51c15fba7e60a1179df4ccfd7472
          • Instruction ID: 29d8509128a061dd17c4fca6ef2fb9583cbe4c05cfea526b8917180091fcc8f4
          • Opcode Fuzzy Hash: 3ff747a95a5c2f73fc84665117b7cfbfe0bf51c15fba7e60a1179df4ccfd7472
          • Instruction Fuzzy Hash: ED21BF30601254EBDF119FA0DD04FEE7BB9FF48718F005114F809A6A90DB30EA94DB61
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB94835
          • GetClassNameW.USER32(?,00000000,00000400), ref: 6CB94866
          • GetWindowLongW.USER32(?,000000F0), ref: 6CB9489F
          Strings
          Similarity
          • API ID: ClassH_prolog3LongNameWindow
          • String ID: ComboBox$ComboBoxEx32
          • API String ID: 297531199-1907415764
          • Opcode ID: d0a1f1f953c86ceb12054a774434f0c6009c19914791ff28657994f150117798
          • Instruction ID: 57235925739bd382135c3d14db4066222e055fdc39cfeebc898a1d9cb13321ef
          • Opcode Fuzzy Hash: d0a1f1f953c86ceb12054a774434f0c6009c19914791ff28657994f150117798
          • Instruction Fuzzy Hash: B501C4364151129AEB049BA4CE54FEE73B4BF12329F200929E42162ED0EF30A95DCB65
          APIs
          • CopyRect.USER32(00000001,00000000), ref: 6CB2FC75
          • InflateRect.USER32(00000001,000000FF,000000FF), ref: 6CB2FC8C
          • InvalidateRect.USER32(00000000,00000001,00000000,?,00000001), ref: 6CB2FCA0
          • UpdateWindow.USER32(00000000), ref: 6CB2FCA9
          Strings
          Similarity
          • API ID: Rect$CopyInflateInvalidateUpdateWindow
          • String ID: 4(@P
          • API String ID: 1253262389-4081170755
          • Opcode ID: d8f1eaac16bb70602b42374f697eb8ea2a9abe4a9bcdd88675786379f48b536c
          • Instruction ID: a5b2cb56d7c1a5931f3e440e47b2d32c1ce60cda24f35154fac41cc6e34eb653
          • Opcode Fuzzy Hash: d8f1eaac16bb70602b42374f697eb8ea2a9abe4a9bcdd88675786379f48b536c
          • Instruction Fuzzy Hash: 7101B532511619ABCB01DFA8C908AAFB7F8FF09764F504629E815B2580DB34E940DB91
          APIs
          • FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CC5BE30,?,6CAD0E95,?,?,?,00000038,6CACFA98), ref: 6CAD0002
          • LoadResource.KERNEL32(00000000,00000000,?,6CC5BE30,?,6CAD0E95,?,?,?,00000038,6CACFA98), ref: 6CAD0010
          • LockResource.KERNEL32(00000000,?,6CC5BE30,?,6CAD0E95,?,?,?,00000038,6CACFA98), ref: 6CAD001B
          • SizeofResource.KERNEL32(00000000,00000000,?,6CC5BE30,?,6CAD0E95,?,?,?,00000038,6CACFA98), ref: 6CAD0029
          Strings
          Similarity
          • API ID: Resource$FindLoadLockSizeof
          • String ID: PNG
          • API String ID: 3473537107-364855578
          • Opcode ID: 03824b7710d717f9e3f18ef39c6000ac67d0f03fd8519a5e93aa26e5f28616c9
          • Instruction ID: f0121a0fe5b0dcadb00d766b7ec2279f14bc0f0e82e17f856a3a0f085f0dadb0
          • Opcode Fuzzy Hash: 03824b7710d717f9e3f18ef39c6000ac67d0f03fd8519a5e93aa26e5f28616c9
          • Instruction Fuzzy Hash: 23F0F036701610BBDB135BA48C08C9F7B7CDF872A83558425FE01A3600EB30EA90C7B0
          APIs
          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9380FC14,?,?,00000000,6CC45700,000000FF,?,6CC27DC6,00000000,?,6CC27D9A,?), ref: 6CC27E61
          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CC27E73
          • FreeLibrary.KERNEL32(00000000,?,?,00000000,6CC45700,000000FF,?,6CC27DC6,00000000,?,6CC27D9A,?), ref: 6CC27E95
          Strings
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: edcfeebb89e28913a1bd55358fd41f04a7f11a8c775bdf6a51c7657e1ed4f211
          • Instruction ID: c02176e051a0b9663ffeb613a5da66f7185c301db2223acf57fa8240f0627095
          • Opcode Fuzzy Hash: edcfeebb89e28913a1bd55358fd41f04a7f11a8c775bdf6a51c7657e1ed4f211
          • Instruction Fuzzy Hash: 2C016231A11519EFDF01DB50CC44BAFBBB8FB05715F408625F821A2A90EB789944DB90
          APIs
          • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6CB950B1
          • EncodePointer.KERNEL32(00000000,?,6CABFB85,6CCC3B8C,6CB3A39C), ref: 6CB950BA
          • DecodePointer.KERNEL32(00000000,?,?,6CABFB85,6CCC3B8C,6CB3A39C), ref: 6CB950C8
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeProc
          • String ID: DwmIsCompositionEnabled$dwmapi.dll
          • API String ID: 2069163248-1198327662
          • Opcode ID: b8fdf41d7e231520296019355495f9154c9c0eef5f61a57ca356322cdb657827
          • Instruction ID: d9d961424bb00616f76c8ed49b7b823f21df88726ff32701238d0e7a525d1fd6
          • Opcode Fuzzy Hash: b8fdf41d7e231520296019355495f9154c9c0eef5f61a57ca356322cdb657827
          • Instruction Fuzzy Hash: FEF05E35655A169BDB111B64C808A5A3EBCDB07656B118261EC02E7E00EB30E9D89FE5
          APIs
          • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6CB95055
          • EncodePointer.KERNEL32(00000000,?,6CAC4DF0,00000450,?,00000000,?,00000004,?,?,?,?,?,?,?,6CB251BD), ref: 6CB9505E
          • DecodePointer.KERNEL32(00000000,?,?,6CAC4DF0,00000450,?,00000000,?,00000004), ref: 6CB9506C
          Strings
          Similarity
          • API ID: Pointer$AddressDecodeEncodeProc
          • String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
          • API String ID: 2069163248-1901905683
          • Opcode ID: 1ef01b331984e94b9bd58095e5d3628e7d289f07669ec94d0f7de029f7064b5b
          • Instruction ID: dfc88ddade4afcc71e100ff3eac122101b8d306c91ccbb8e372d18e7fde7e4c0
          • Opcode Fuzzy Hash: 1ef01b331984e94b9bd58095e5d3628e7d289f07669ec94d0f7de029f7064b5b
          • Instruction Fuzzy Hash: 7AF0A735641A51AB8B1117748C0CC5A3A7C9B076567000330FD02F7F00DB22D9D45FE9
          APIs
          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?), ref: 6CA9FC4A
          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,?,?,?,?,?,?,?), ref: 6CA9FC8C
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 6CA9FCA1
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6CA9FCD3
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9FDA9
            • Part of subcall function 6CA94D00: ___std_exception_copy.LIBVCRUNTIME ref: 6CA94D3E
          Similarity
          • API ID: ByteCharMultiWide$Concurrency::cancel_current_task___std_exception_copy
          • String ID:
          • API String ID: 4024204131-0
          • Opcode ID: 6c3e4c948c33decb2e26a8e22817fb78774bd4549cdfc986cb9d730c61afed95
          • Instruction ID: d3ebb71d78308e08a53426aba48702745a0b24e1087516ec2a11c7e31ceaa0ba
          • Opcode Fuzzy Hash: 6c3e4c948c33decb2e26a8e22817fb78774bd4549cdfc986cb9d730c61afed95
          • Instruction Fuzzy Hash: DBF1BF70D152499FCB04CFA8C851BEEFBF5AF8A314F28825EE854A7781D7345985CBA0
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB5716D
          • IsRectEmpty.USER32(?), ref: 6CB572BD
          • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CB57340
          • PtInRect.USER32(?,?,?), ref: 6CB5748D
          • GetParent.USER32(?), ref: 6CB574A9
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$EmptyH_prolog3ParentRedrawWindow
          • String ID:
          • API String ID: 3997883630-0
          • Opcode ID: 722bdd20ac293f1c2d975c5ba86cc148693cb3e89e31f790511ef18cac21dd34
          • Instruction ID: b1ece896483ba26543289b5f87a6a09ceefaab9456b48e791833edd1055ec4c5
          • Opcode Fuzzy Hash: 722bdd20ac293f1c2d975c5ba86cc148693cb3e89e31f790511ef18cac21dd34
          • Instruction Fuzzy Hash: 71A17B31B102458FCF04DF68C9C8AAE77B6EF84304F5481BADC09EB645DBB0A895CB61
          APIs
            • Part of subcall function 6CABD51A: __EH_prolog3.LIBCMT ref: 6CABD521
            • Part of subcall function 6CABD51A: BeginPaint.USER32(?,?,00000004,6CA92711), ref: 6CABD54D
          • GetClientRect.USER32(?,?), ref: 6CA92726
          • FillRect.USER32(?,?), ref: 6CA9273C
            • Part of subcall function 6CABE6E0: SelectObject.GDI32(?,00000000), ref: 6CABE700
            • Part of subcall function 6CABE6E0: SelectObject.GDI32(?,00000000), ref: 6CABE716
            • Part of subcall function 6CABE39F: MoveToEx.GDI32(?,?,?,?), ref: 6CABE3C0
            • Part of subcall function 6CABE39F: MoveToEx.GDI32(?,?,?,?), ref: 6CABE3D6
            • Part of subcall function 6CABE36A: MoveToEx.GDI32(?,?,?,00000000), ref: 6CABE385
            • Part of subcall function 6CABE36A: LineTo.GDI32(?,?,?), ref: 6CABE394
            • Part of subcall function 6CABE74D: GetStockObject.GDI32(?), ref: 6CABE757
            • Part of subcall function 6CABE74D: SelectObject.GDI32(?,00000000), ref: 6CABE76B
            • Part of subcall function 6CABE74D: SelectObject.GDI32(?,00000000), ref: 6CABE77B
          • InflateRect.USER32(?,000000F6,00000000), ref: 6CA92849
            • Part of subcall function 6CABE7CC: SetBkMode.GDI32(?,6CA92858), ref: 6CABE7E0
            • Part of subcall function 6CABE7CC: SetBkMode.GDI32(?,6CA92858), ref: 6CABE7F2
            • Part of subcall function 6CABE919: SetTextColor.GDI32(?,?), ref: 6CABE92E
            • Part of subcall function 6CABE919: SetTextColor.GDI32(?,?), ref: 6CABE940
            • Part of subcall function 6CAC27B8: SetBkColor.GDI32(?,6CA928FC), ref: 6CAC27D4
            • Part of subcall function 6CAC27B8: ExtTextOutW.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 6CAC27E9
          • InflateRect.USER32(?,000000EC,00000000), ref: 6CA92904
          • ImageList_Draw.COMCTL32(?,00000003,?,?,?,00000000), ref: 6CA9291F
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Object$RectSelect$ColorMoveText$InflateMode$BeginClientDrawFillH_prolog3ImageLineList_PaintStock
          • String ID:
          • API String ID: 429370534-0
          • Opcode ID: 862230f1a49a18b7aecf7bff62c968cb6b13ebaf272873860cea6acab933a6ce
          • Instruction ID: f89976e8548bc9c1db16b21b1a132170961e20f01575c7a9939fc520d8335b89
          • Opcode Fuzzy Hash: 862230f1a49a18b7aecf7bff62c968cb6b13ebaf272873860cea6acab933a6ce
          • Instruction Fuzzy Hash: CE916B31D10619ABDB11DFA4CD44FEDB7B9EF19304F144299E509B7691EB306AC8CB90
          APIs
          • __EH_prolog3.LIBCMT ref: 6CBE004D
          • StringFromCLSID.OLE32(00000000,?,00000018,6CBDFCE2,00000000,?,00000000,?,00000000,?,?,?,0000000A,00000008,6CB4DA29,?), ref: 6CBE005B
          • CoTaskMemFree.OLE32(?,00000001,?,00000000,?,?,00000001), ref: 6CBE008D
            • Part of subcall function 6CB9F6D0: GetModuleFileNameW.KERNEL32(?,?,00000104,?), ref: 6CB9F6F7
            • Part of subcall function 6CAC0D2B: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,6CC7F854,?,?,6CBE00CA,6CC7F854), ref: 6CAC0D5A
            • Part of subcall function 6CAB5D68: _memcpy_s.LIBCMT ref: 6CAB5DD4
            • Part of subcall function 6CBDF90A: __EH_prolog3.LIBCMT ref: 6CBDF911
          • ExtractIconW.SHELL32(?,00000008,?), ref: 6CBE0139
          • DestroyIcon.USER32(00000000,?,00000001), ref: 6CBE0144
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: H_prolog3Icon$ByteCharDestroyExtractFileFreeFromModuleMultiNameStringTaskWide_memcpy_s
          • String ID:
          • API String ID: 2633863281-0
          • Opcode ID: aa747bc53e8afa32d802338d3e9b39e3e1fb47b918a9962f913d2d0af738becc
          • Instruction ID: c9a19432dd614019940dfaa2bca8803813a8de2d5736791f6455c3a2b4fe63e6
          • Opcode Fuzzy Hash: aa747bc53e8afa32d802338d3e9b39e3e1fb47b918a9962f913d2d0af738becc
          • Instruction Fuzzy Hash: D5818C71A01189AEDF04DBA0CD95EFEB7B8AF18748F100518E512A7AD1DF30AE4DDB61
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB6D2A8
          • CreateCompatibleDC.GDI32(00000000), ref: 6CB6D362
          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB6D398
          • SelectObject.GDI32(?,00000000), ref: 6CB6D3F1
          • DeleteObject.GDI32(?), ref: 6CB6D524
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CompatibleCreateObject$BitmapDeleteH_prolog3_Select
          • String ID:
          • API String ID: 3801890737-0
          • Opcode ID: b9e924274490066b83b47478112933fbeb099766228085e98f5e1e272d87472d
          • Instruction ID: badf0d608a1d11fe9ec683bd563af3d3cacefc644bb5f5858b422ed3f9cd5082
          • Opcode Fuzzy Hash: b9e924274490066b83b47478112933fbeb099766228085e98f5e1e272d87472d
          • Instruction Fuzzy Hash: 6791C072E012599FCF04CFA9C984ADDBBB5FF48318F24812AE415B7A54EB30A949CF50
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9AE1B
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9AE3F
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9AE60
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9AEF4
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9AFBE
            • Part of subcall function 6CA96250: ___std_exception_copy.LIBVCRUNTIME ref: 6CA9628E
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task___std_exception_copy
          • String ID:
          • API String ID: 1238493420-0
          • Opcode ID: e5dfe7da644efbc3c6eec107ef05fd2693718875af6d58f9e391395435be4c57
          • Instruction ID: 00f8c5ab0f1cd70edb65384cf56f3341110fc397c3541957264405ae2fb06fa1
          • Opcode Fuzzy Hash: e5dfe7da644efbc3c6eec107ef05fd2693718875af6d58f9e391395435be4c57
          • Instruction Fuzzy Hash: 4A713575A10204DFDB00CFA9C984BADBBF5FF49318F28815AE456ABB51DB30E945CB90
          APIs
          • SendMessageW.USER32(00000000,00000407,00000000,?), ref: 6CAD6B55
          • PostMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CAD6B98
          • GetParent.USER32(?), ref: 6CAD6C5B
          • GetParent.USER32(?), ref: 6CAD6C8F
          • GetCapture.USER32 ref: 6CAD6CAE
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageParent$CapturePostSend
          • String ID:
          • API String ID: 3593767962-0
          • Opcode ID: 5edce8dfe99be97d8d72013036045216973e16197e680164b7c48f16968e3661
          • Instruction ID: d34fa70c8f254d0a2798cfd358a234983bea4014ee56c8446a62ca05fe28b37b
          • Opcode Fuzzy Hash: 5edce8dfe99be97d8d72013036045216973e16197e680164b7c48f16968e3661
          • Instruction Fuzzy Hash: 2751CE303853029BEB015F24D958B693AB4FB4971CF2E4964E914EBBA1CB62F8C0CB51
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CB3903B
          • IsWindowVisible.USER32(?), ref: 6CB3923F
            • Part of subcall function 6CADBBF5: __EH_prolog3.LIBCMT ref: 6CADBBFC
            • Part of subcall function 6CABCC1D: IsWindow.USER32(00000000), ref: 6CABCC2C
            • Part of subcall function 6CABCC1D: SetWindowTextW.USER32(00000000,?), ref: 6CABCC48
          • GetWindowRect.USER32(?,?), ref: 6CB39154
          • GetSystemMetrics.USER32(00000010), ref: 6CB3915C
          • GetSystemMetrics.USER32(00000011), ref: 6CB3916B
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$MetricsSystem$H_prolog3H_prolog3_RectTextVisible
          • String ID:
          • API String ID: 4238341832-0
          • Opcode ID: 1dcc7348a6baa7b34737f351b30d67ba8a897f86b5be05abb17f0db34ff4f9ba
          • Instruction ID: 3d044de41003cd7c19e26fdb4ceb99566e0cba91c914c664635cb714e856d452
          • Opcode Fuzzy Hash: 1dcc7348a6baa7b34737f351b30d67ba8a897f86b5be05abb17f0db34ff4f9ba
          • Instruction Fuzzy Hash: BA61A835B002159BDF05DFA8C984BEDB7B6BF48314F18416AE906BB780DB31AD81DB91
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB3C702
          • RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 6CB3C906
            • Part of subcall function 6CABC609: GetWindowLongW.USER32(?,000000F0), ref: 6CABC616
          • GetSystemMenu.USER32(?,00000000,0000002C,6CB3A089), ref: 6CB3C73F
          • IsMenu.USER32(?), ref: 6CB3C758
          • IsMenu.USER32(?), ref: 6CB3C76A
            • Part of subcall function 6CBA24CE: SetRectEmpty.USER32(00000030), ref: 6CBA24FA
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Menu$Window$EmptyH_prolog3LongRectRedrawSystem
          • String ID:
          • API String ID: 477644042-0
          • Opcode ID: 1c051478adb3af17876282aef8460d9ba169e1fe4abc7356a2f9d252c07907d6
          • Instruction ID: aa68228e8d80620f100aef5f48516001b079c08078859891f894b171396789e3
          • Opcode Fuzzy Hash: 1c051478adb3af17876282aef8460d9ba169e1fe4abc7356a2f9d252c07907d6
          • Instruction Fuzzy Hash: CD516B71A002659BDB04DFF8C944BEEB7B6BF48318F205229E91AF7780DB349A45CB51
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB48B43
          • lstrcmpW.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000,?,6CB544B4,?), ref: 6CB48C06
          • lstrcmpW.KERNEL32(?,00000000,?,?,6CB544B4,?), ref: 6CB48C3B
          • lstrcmpW.KERNEL32(00000002,?,?,?,6CB544B4,?), ref: 6CB48C65
          • GlobalLock.KERNEL32(?), ref: 6CB48B65
            • Part of subcall function 6CBE349E: __EH_prolog3.LIBCMT ref: 6CBE34A5
            • Part of subcall function 6CBE3713: GlobalLock.KERNEL32(00000000), ref: 6CBE3726
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: lstrcmp$GlobalH_prolog3Lock
          • String ID:
          • API String ID: 1551776427-0
          • Opcode ID: 16047abe86602d3b7408dbf6b582b21ad5da236c95d8841891bacb5ae147af56
          • Instruction ID: 71c1342f8a27be4b9a89ea4c74e93751e21e4de0ab72eef8f78ce1a14c807c92
          • Opcode Fuzzy Hash: 16047abe86602d3b7408dbf6b582b21ad5da236c95d8841891bacb5ae147af56
          • Instruction Fuzzy Hash: E661D37090524ADFDB11CFA4C944BEDB7B4FF04318F20819AD155A7AA1D7329A88EF91
          APIs
          • SetRectEmpty.USER32(?), ref: 6CAA9F3C
          • SendMessageW.USER32(?,00000143,00000000,6CC956DC), ref: 6CAA9F81
          • SendMessageW.USER32(?,00000143,00000000,6CC956E8), ref: 6CAA9F95
          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 6CAA9FA6
          • GetClientRect.USER32(?,00000001), ref: 6CAA9FBB
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageSend$Rect$ClientEmpty
          • String ID:
          • API String ID: 1272544524-0
          • Opcode ID: 51cea7cae62c5fc7efc3de95d82ac3e1fc6449a9d8da541e75f673e70ae2f199
          • Instruction ID: 2ecc45811a238b133d2627d0528bc4b9fe4d4e2f69ff5c1ff8f9412cae50e4fb
          • Opcode Fuzzy Hash: 51cea7cae62c5fc7efc3de95d82ac3e1fc6449a9d8da541e75f673e70ae2f199
          • Instruction Fuzzy Hash: A9419D31740201AFDB109F25CC89FAA77AAFF88710F180675FA19AF2D1D770AA548A51
          APIs
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: EmptyRect$H_prolog3
          • String ID:
          • API String ID: 3752103406-0
          • Opcode ID: 1e15ba418295b4589340ddaa32a930b4269b9fafc8a1a39d3fabd1bb05811f1e
          • Instruction ID: 00a3c25a2cb889a4d1110e034096cea7d3afac5af3bcae8a13ff3709c2100817
          • Opcode Fuzzy Hash: 1e15ba418295b4589340ddaa32a930b4269b9fafc8a1a39d3fabd1bb05811f1e
          • Instruction Fuzzy Hash: 295105B09043818FCB54CF68C884BEEBBF0BF19304F5484BED84A9B642EB74A549CB50
          APIs
          • __EH_prolog3.LIBCMT ref: 6CBF5C7C
            • Part of subcall function 6CABD5B9: __EH_prolog3.LIBCMT ref: 6CABD5C0
            • Part of subcall function 6CABD5B9: GetWindowDC.USER32(00000000,00000004,6CAC05D3,00000000), ref: 6CABD5EC
            • Part of subcall function 6CABE810: SetMapMode.GDI32(?,FFFFFEFF), ref: 6CABE824
            • Part of subcall function 6CABE810: SetMapMode.GDI32(?,FFFFFEFF), ref: 6CABE836
          • LPtoDP.GDI32(?,?,00000001), ref: 6CBF5CE0
          • LPtoDP.GDI32(?,?,00000001), ref: 6CBF5CFF
          • LPtoDP.GDI32(?,?,00000001), ref: 6CBF5D1E
          • InvalidateRect.USER32(?,00000000,00000001), ref: 6CBF5DE2
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: H_prolog3Mode$InvalidateRectWindow
          • String ID:
          • API String ID: 1124340077-0
          • Opcode ID: 2065105d9de591500e43af19e9cb9fb926e4cf6394714c3701f2ce2775532a0d
          • Instruction ID: 923bd7b7c533569ca9119dd7a3391983d3e810594c0d6e4c2e8a5ab7e45d8431
          • Opcode Fuzzy Hash: 2065105d9de591500e43af19e9cb9fb926e4cf6394714c3701f2ce2775532a0d
          • Instruction Fuzzy Hash: A541E274A01705DFDB24CF69C484B9AB7F1BF4A314F10891DE5AADB790EB70A849CB21
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAADBA1
          • GetTextColor.GDI32(?), ref: 6CAADBAC
          • OffsetRect.USER32(?,00000001,00000001), ref: 6CAADBF6
          • FillRect.USER32(?,?,-000000D0), ref: 6CAADC42
          • OffsetRect.USER32(?,00000001,00000001), ref: 6CAADC73
            • Part of subcall function 6CB6D54F: __EH_prolog3_GS.LIBCMT ref: 6CB6D556
            • Part of subcall function 6CB6D54F: CreateCompatibleDC.GDI32(00000000), ref: 6CB6D5BA
            • Part of subcall function 6CB6D54F: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB6D5F0
            • Part of subcall function 6CB6D54F: SelectObject.GDI32(?,00000000), ref: 6CB6D644
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$CompatibleCreateOffset$BitmapColorFillH_prolog3H_prolog3_ObjectSelectText
          • String ID:
          • API String ID: 4029571948-0
          • Opcode ID: d115b1a075af7b057a9f91867bdbd3685208d53c13ac1b7c1a0d1573b3ee7957
          • Instruction ID: 3458442b87767c107768901e8f7a773934ca86b8ce0940618cbefede244d9062
          • Opcode Fuzzy Hash: d115b1a075af7b057a9f91867bdbd3685208d53c13ac1b7c1a0d1573b3ee7957
          • Instruction Fuzzy Hash: DC414F72A00109ABDB04EFA4C944FEE73BDAF04319F518151F815ABAE0DB759AC9CB91
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9A983
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9A9A6
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9A9C6
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9AA53
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9AA6B
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
          • String ID:
          • API String ID: 3053331623-0
          • Opcode ID: 1973777f55120f9f9b9ba7dd087fc1d14edf4ab7369eb8aaf2bc0e22932f0b5d
          • Instruction ID: 4854b75c709596947f6a94a479a55108a11ce981c8218fa4f4287ce344c4c1a7
          • Opcode Fuzzy Hash: 1973777f55120f9f9b9ba7dd087fc1d14edf4ab7369eb8aaf2bc0e22932f0b5d
          • Instruction Fuzzy Hash: 1431E171D14619DFCB10CF45C981BAEBBB5FB01324F19461AD84567B40EB30AE85CBD1
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9B663
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9B686
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9B6A6
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9B733
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9B74B
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
          • String ID:
          • API String ID: 3053331623-0
          • Opcode ID: 4891707cab679bf361bea894d11ef367bb399c479b2ebaa7f9f24484bfd73618
          • Instruction ID: cdb1b9395e8a7969b69999a719aa3de1c831f997563533ce9eede1f75b311295
          • Opcode Fuzzy Hash: 4891707cab679bf361bea894d11ef367bb399c479b2ebaa7f9f24484bfd73618
          • Instruction Fuzzy Hash: A931CF71A14515CFCB20CF5AE981BAEBBB4FB41728F184719D905A7B40E730AA85CBD1
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9B113
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9B136
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9B156
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9B1E3
          • Concurrency::cancel_current_task.LIBCPMT ref: 6CA9B1FB
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
          • String ID:
          • API String ID: 3053331623-0
          • Opcode ID: 10bf74a6d9a490e52649fcdc9505e4726af822ba1faee4412b5d60d7fcbe48d5
          • Instruction ID: d70178ec7ce15be28f00075aaa19fd6f7fc78f1c119cbf608ae8ca3b1968f39f
          • Opcode Fuzzy Hash: 10bf74a6d9a490e52649fcdc9505e4726af822ba1faee4412b5d60d7fcbe48d5
          • Instruction Fuzzy Hash: 4D31DE71A14615DFCB20CF49D981BAEBBB4FF41728F284319D849A7B40E730AA85CBD1
          APIs
          • IsWindow.USER32(?), ref: 6CBA1347
          • SendMessageW.USER32(?,00000439,00000000,?), ref: 6CBA138C
          • SendMessageW.USER32(?,00000410,00000000,?), ref: 6CBA13D0
          • ScreenToClient.USER32(00000000,?), ref: 6CBA13F8
          • SendMessageW.USER32(?,00000407,00000000,?), ref: 6CBA1420
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageSend$ClientScreenWindow
          • String ID:
          • API String ID: 4074774880-0
          • Opcode ID: cc5aab7280dc0cc12e82bd65a331dc32d992a21c43db11d68a9a5af3d296bdf2
          • Instruction ID: 4ecce61d8caf4d05e2ed3f427d90569e066bcd54753441a36580a85f1ee0c2bb
          • Opcode Fuzzy Hash: cc5aab7280dc0cc12e82bd65a331dc32d992a21c43db11d68a9a5af3d296bdf2
          • Instruction Fuzzy Hash: 4D31A472A01218BBDF04DFA5C844AEFBBB8FF48314F104155EA55B7680D770E955CBA4
          APIs
            • Part of subcall function 6CABC609: GetWindowLongW.USER32(?,000000F0), ref: 6CABC616
            • Part of subcall function 6CACB177: GetParent.USER32(?), ref: 6CACB17A
            • Part of subcall function 6CACB177: GetParent.USER32(00000000), ref: 6CACB181
          • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6CACAD64
          • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CACAD8D
          • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CACADAC
          • SendMessageW.USER32(?,00000222,?,00000000), ref: 6CACADC6
          • SendMessageW.USER32(?,00000222,00000000,?), ref: 6CACADEF
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageSend$Parent$LongWindow
          • String ID:
          • API String ID: 4191550487-0
          • Opcode ID: 7fa7da87a61fc0a3c2355d94965ebea2fd2495ca345a931ccaefa86cff47d6eb
          • Instruction ID: ed3e55d0b29bd13031e41a9edb51ae10fcbbd60a94208895a5cd5c086a7e0a4d
          • Opcode Fuzzy Hash: 7fa7da87a61fc0a3c2355d94965ebea2fd2495ca345a931ccaefa86cff47d6eb
          • Instruction Fuzzy Hash: 6A21A331310604BFEB025B65CC88FEE76BEFB08359F040618F151A6A90DB759DD4D661
          APIs
          • __EH_prolog3.LIBCMT ref: 6CABA10E
          • GetTopWindow.USER32(?), ref: 6CABA13B
          • GetDlgCtrlID.USER32(00000000), ref: 6CABA14D
          • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6CABA1A8
          • GetWindow.USER32(00000000,00000002), ref: 6CABA1EA
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$CtrlH_prolog3MessageSend
          • String ID:
          • API String ID: 849854284-0
          • Opcode ID: 13703a5033a16beff12ce755a8472f7eb367d115f6ce14c2ba372f0a5d71a062
          • Instruction ID: 4bf7137f22a51ee72c29f65229655bb2fcd4d1e25fa1bdcb3927a79b3218bc37
          • Opcode Fuzzy Hash: 13703a5033a16beff12ce755a8472f7eb367d115f6ce14c2ba372f0a5d71a062
          • Instruction Fuzzy Hash: 83210275901214AADF119F25EE41FEE767EEF41308F14015AE869F2A80EF308ED8DB21
          APIs
          • FillRect.USER32(?,?,00000000), ref: 6CAB30B5
          • GetParent.USER32(?), ref: 6CAB30C7
          • GetClientRect.USER32(?,?), ref: 6CAB30DA
          • GetParent.USER32(?), ref: 6CAB30E3
          • MapWindowPoints.USER32(?,?,?,00000002), ref: 6CAB30FB
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ParentRect$ClientFillPointsWindow
          • String ID:
          • API String ID: 3058756167-0
          • Opcode ID: 6bd8296c01a8a9307bd23789635907f3f606f030fab6bbe836fa21de3d0a09b1
          • Instruction ID: e5a1ef6bfc3b505e72ca300a5939f2f16b5df424efa630f01f689da9ff61f1a0
          • Opcode Fuzzy Hash: 6bd8296c01a8a9307bd23789635907f3f606f030fab6bbe836fa21de3d0a09b1
          • Instruction Fuzzy Hash: 2F21A432A10119AFCF04DFA4C948CAEBBB9FF0A304B554159F505B7621DB71A994DBE0
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB65487
          • SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 6CB654AA
          • SendMessageW.USER32(00000000,0000007F,00000001,00000000), ref: 6CB654BE
          • GetClassLongW.USER32(00000000,000000DE), ref: 6CB6551B
          • GetClassLongW.USER32(00000000,000000F2), ref: 6CB6552C
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ClassLongMessageSend$H_prolog3
          • String ID:
          • API String ID: 350087385-0
          • Opcode ID: 0a857b53aa881efe240fdf0efcb4916f92da3ae26fd2394c8f22d28b1c182efb
          • Instruction ID: f9206eab2e87dbbdec792f077b711faa8e957fd01c1014b535c40b736deea3e5
          • Opcode Fuzzy Hash: 0a857b53aa881efe240fdf0efcb4916f92da3ae26fd2394c8f22d28b1c182efb
          • Instruction Fuzzy Hash: FD110671A55226BBDB214B61CC48FDE7636FB04768F110320F85476EE0EB719C6896D1
          APIs
          • GetMapMode.GDI32(?), ref: 6CAC28AD
          • GetDeviceCaps.GDI32(?,00000058), ref: 6CAC28F5
          • GetDeviceCaps.GDI32(?,0000005A), ref: 6CAC2902
            • Part of subcall function 6CABE301: MulDiv.KERNEL32(?,00000000,00000000), ref: 6CABE33A
            • Part of subcall function 6CABE301: MulDiv.KERNEL32(?,00000000,00000000), ref: 6CABE35B
          • MulDiv.KERNEL32(?,00000060,000009EC), ref: 6CAC2924
          • MulDiv.KERNEL32(?,00000060,000009EC), ref: 6CAC2931
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CapsDevice$Mode
          • String ID:
          • API String ID: 696222070-0
          • Opcode ID: a67423607a3f690ac0e19ea37e2732fc632767a5240f6cd147ade4896c036fb2
          • Instruction ID: d7834c521ec48cb6c804ae388ae17c06017c8261c80389d79729021c07eebcb8
          • Opcode Fuzzy Hash: a67423607a3f690ac0e19ea37e2732fc632767a5240f6cd147ade4896c036fb2
          • Instruction Fuzzy Hash: D8119439300614AFCF115F65C84892EBFBAFF8A3617549115ED05A3740CB319CE1AF91
          APIs
          • GetMapMode.GDI32(?), ref: 6CAC237B
          • GetDeviceCaps.GDI32(?,00000058), ref: 6CAC23C3
          • GetDeviceCaps.GDI32(?,0000005A), ref: 6CAC23D0
            • Part of subcall function 6CABDFC0: MulDiv.KERNEL32(?,00000000,00000000), ref: 6CABDFF9
            • Part of subcall function 6CABDFC0: MulDiv.KERNEL32(?,00000000,00000000), ref: 6CABE01A
          • MulDiv.KERNEL32(?,000009EC,00000060), ref: 6CAC23F2
          • MulDiv.KERNEL32(?,000009EC,00000060), ref: 6CAC23FF
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CapsDevice$Mode
          • String ID:
          • API String ID: 696222070-0
          • Opcode ID: 2382c19b6908149aa68d7f350613dcbc4829da0770c429fb5a5f9ead051ff978
          • Instruction ID: 9d97399ecf82fd834fd7952b8e590e161f6ccabfd929094a089e150f2000ceb7
          • Opcode Fuzzy Hash: 2382c19b6908149aa68d7f350613dcbc4829da0770c429fb5a5f9ead051ff978
          • Instruction Fuzzy Hash: 21119139300610AFCF015F65C84892EBFBAFB8A3617549119F916A3B50DB31ACE1DF91
          APIs
          • DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000), ref: 6CAB3C0A
          • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDB,?), ref: 6CAB3C1D
          • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDF,?), ref: 6CAB3C32
          • GetSysColorBrush.USER32(00000018), ref: 6CAB3C3C
          • FillRect.USER32(?,?,00000000), ref: 6CAB3C53
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ColorTheme$BackgroundBrushDrawFillRect
          • String ID:
          • API String ID: 3021913306-0
          • Opcode ID: 4d845663e2a61b67caa32d45ce59b70b38a1da719be49685caa219da34b99767
          • Instruction ID: c1ed824f699fcd84f73dd376e8ccf37d1a36f64997d5f1fea6ee23600ce33d2d
          • Opcode Fuzzy Hash: 4d845663e2a61b67caa32d45ce59b70b38a1da719be49685caa219da34b99767
          • Instruction Fuzzy Hash: 0F115E722A1214FBEB158B98CD46F9A77BCEB09B00F044419B745B7590CBB1B8A0DBA0
          APIs
          • GlobalLock.KERNEL32(00000000), ref: 6CBE35B2
          • GlobalLock.KERNEL32(?), ref: 6CBE35C2
          • CreateDCW.GDI32(?,?,?,00000000), ref: 6CBE35E8
          • GlobalUnlock.KERNEL32(00000000), ref: 6CBE35F3
          • GlobalUnlock.KERNEL32(?), ref: 6CBE35FE
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Global$LockUnlock$Create
          • String ID:
          • API String ID: 2536725124-0
          • Opcode ID: f9edcc3f5c2305887f9183eabf556e2a12b088315d08fbb46eda6e69d757d180
          • Instruction ID: 0991424cfb9d53057358ad343516496f15ba924eb31290f145a72296b19897b4
          • Opcode Fuzzy Hash: f9edcc3f5c2305887f9183eabf556e2a12b088315d08fbb46eda6e69d757d180
          • Instruction Fuzzy Hash: 0401A731115D16ABCB218B68C80497A7BB8FF49B957508011FC05D3610D734E961DFD0
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID:
          • String ID: h-i
          • API String ID: 0-2915156121
          • Opcode ID: 594a288c1c590791145fd22ae74b9037924e7b86537709054ef5f2570193ebb6
          • Instruction ID: 2712ea5959db70e0bea7771c7cbf64b26409417fe9185f055824b8ff732b0a86
          • Opcode Fuzzy Hash: 594a288c1c590791145fd22ae74b9037924e7b86537709054ef5f2570193ebb6
          • Instruction Fuzzy Hash: 57A188347006559FDB04CF20C884BA9B7B1FB49319F1480AAE816EBB91CB74AE85DF91
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAB0C91
          • CreateRectRgnIndirect.GDI32(?), ref: 6CAB0DB6
            • Part of subcall function 6CABD46D: __EH_prolog3.LIBCMT ref: 6CABD474
            • Part of subcall function 6CABD46D: CreateSolidBrush.GDI32(?), ref: 6CABD48F
          • FillRect.USER32(?,00000000,?), ref: 6CAB0CE4
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CreateRect$BrushFillH_prolog3H_prolog3_IndirectSolid
          • String ID: %d%%
          • API String ID: 2254786338-1518462796
          • Opcode ID: 9487db8e79a6d3aa5a56e1be0d7b4a8dc93fc3c67eafb43763adabd79ded3415
          • Instruction ID: 05dc7572a41b6822857bb5672fc863a46309f2d74b41cd129f1b2406c0a2045c
          • Opcode Fuzzy Hash: 9487db8e79a6d3aa5a56e1be0d7b4a8dc93fc3c67eafb43763adabd79ded3415
          • Instruction Fuzzy Hash: 29516971A10248DBCF00DFA4C995EDE77B9BF49318F144159F812B7690DB30AE59CBA0
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9CEB0
          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CA9CF3C
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9CFD1
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
          • String ID: bad locale name
          • API String ID: 3553999535-1405518554
          • Opcode ID: 824524c6a3333b55defb995326a41985b4bf1c749e6e6ac3e78a9b15a1f11d50
          • Instruction ID: b5510cf5e50c514e00d45771396bb1eb628202475cadd6a992f61f3bc122d4ab
          • Opcode Fuzzy Hash: 824524c6a3333b55defb995326a41985b4bf1c749e6e6ac3e78a9b15a1f11d50
          • Instruction Fuzzy Hash: F5419FB1D157189FEB00DFA9C955BCEBBF4AF04318F140128E815A7B80E738DA48CB91
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9D070
          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CA9D0FC
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9D191
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
          • String ID: bad locale name
          • API String ID: 3553999535-1405518554
          • Opcode ID: e3d289c6c36291fd3d51062422aa0b55bad0b99714e7ac87ccb216620b3a45e4
          • Instruction ID: 02424212479679fb999bd474ec835883fdb60ca16d7162ccf00bea9313505713
          • Opcode Fuzzy Hash: e3d289c6c36291fd3d51062422aa0b55bad0b99714e7ac87ccb216620b3a45e4
          • Instruction Fuzzy Hash: 4941B4B1D117189BEF00CFA4C9457CEBBF4AF05318F240128E854A7B80E738D989CBA1
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 6CA9F7A0
          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CA9F82C
          • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9F8C1
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
          • String ID: bad locale name
          • API String ID: 3553999535-1405518554
          • Opcode ID: c5dddb3f6b22ee6578bf340904e0ae212cb5cd3755ac1c0a86fd32ab89579952
          • Instruction ID: 1d545550c36f5fd7c759e395a3a50b32a94f1c2413784a1c7e4cb1a044dd78f1
          • Opcode Fuzzy Hash: c5dddb3f6b22ee6578bf340904e0ae212cb5cd3755ac1c0a86fd32ab89579952
          • Instruction Fuzzy Hash: 8B51A5B1D112189FEB00CFA9CD59BCEBBF4AF14318F144529E854A7B80E778D648CB91
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAADDAB
          • InflateRect.USER32(?,00000005,00000005), ref: 6CAADDE9
          • Ellipse.GDI32(00000000,?,00000000,?,?), ref: 6CAADEB4
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: EllipseH_prolog3_InflateRect
          • String ID: Gu,
          • API String ID: 3279685039-3926172423
          • Opcode ID: 86bdb1a5d764f21e262b3c77f2e350a22e0fff292a9ea6c718afef111137b59b
          • Instruction ID: 587b29382f21deeaa4eba0f6731e5d5cd8e54d93f329700e8f46f7cdb6f0f0af
          • Opcode Fuzzy Hash: 86bdb1a5d764f21e262b3c77f2e350a22e0fff292a9ea6c718afef111137b59b
          • Instruction Fuzzy Hash: 79412E31E001089FCB10DFA4C945AEE77B5EF48308F154169E905B7B90DB35AE9ADFA1
          APIs
          • KillTimer.USER32(?,?,00000000,00000800,?,?,?,?,?,00000058,00000040,6CAA42D4,6CCBCB3C,00000004,?,50008200), ref: 6CB30A13
          • DestroyIcon.USER32(00000000,?,000000FF,00000000,?,00000000,00000001,0000001C,00000020,000000FF,00000001,00000001,?,0000001C,00000020,?), ref: 6CB30AA0
          • SetTimer.USER32(?,?,0000007D,00000000), ref: 6CB30ADE
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Timer$DestroyIconKill
          • String ID: 4(@P
          • API String ID: 1879703730-4081170755
          • Opcode ID: 16cd1b605d205f60c27d59a7b845099999101e42e09ecc3dd8ec8a7a83038d44
          • Instruction ID: c4c958f2f291d9d71aef66ef8fe8f047b991c64242077b715d7b631420c95f9d
          • Opcode Fuzzy Hash: 16cd1b605d205f60c27d59a7b845099999101e42e09ecc3dd8ec8a7a83038d44
          • Instruction Fuzzy Hash: 54310231601650EFCF028F14EC80AAE3F7AFF84314B105066FC192A661CB71C995EF80
          APIs
          • ___std_exception_copy.LIBVCRUNTIME ref: 6CA968DF
            • Part of subcall function 6CC1B8AE: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,6CC19415,?,6CCB6060,?,?), ref: 6CC1B90F
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ExceptionRaise___std_exception_copy
          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
          • API String ID: 3109751735-1866435925
          • Opcode ID: 5d78fb8c6e5be7f5c3afb45d8070c0f12722b9743dbcbbdbc32e70c7684721d7
          • Instruction ID: 941856adff8a4360dfdf66f900cb726574706b14cc9d512937cedad25a472cda
          • Opcode Fuzzy Hash: 5d78fb8c6e5be7f5c3afb45d8070c0f12722b9743dbcbbdbc32e70c7684721d7
          • Instruction Fuzzy Hash: 6511F0B29107046BC700CF68C807BC6B7E8AF45250F18892AFA64CBF80F730E8588B91
          APIs
          • __EH_prolog3.LIBCMT ref: 6CADCACE
            • Part of subcall function 6CBA9A09: __EH_prolog3.LIBCMT ref: 6CBA9A10
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: H_prolog3
          • String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
          • API String ID: 431132790-953485693
          • Opcode ID: 744e7badc3f705a64da9883e93c63c95f9655d5b9b44e2c8d51955333c44900f
          • Instruction ID: 07d7b2dcb137211dec086febb0bf5687b5b3d9d800287016b5b88f8c897166dc
          • Opcode Fuzzy Hash: 744e7badc3f705a64da9883e93c63c95f9655d5b9b44e2c8d51955333c44900f
          • Instruction Fuzzy Hash: 25217175A003499BCF00DFA0C981AFEB7B5BF45308F144429D501B7781DB35994ADB51
          APIs
          • __EH_prolog3.LIBCMT ref: 6CABFCF4
          • LoadCursorW.USER32(00000000,00007F00), ref: 6CABFD18
          • GetClassInfoW.USER32(?,?,?), ref: 6CABFD53
            • Part of subcall function 6CAB5A70: GetClassInfoW.USER32(?,?,?), ref: 6CAB5A89
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ClassInfo$CursorH_prolog3Load
          • String ID: %Ts:%x:%x:%x:%x
          • API String ID: 1242006032-4057404147
          • Opcode ID: f46d193b63ca444df8b6a7cf3bd6a8ba6faea9f3f0d417ef9110c04f75c4cc40
          • Instruction ID: bc5a1927f4473f48096305d9ce9b506ce25a4e680a39a9d64cff265f0e6516c1
          • Opcode Fuzzy Hash: f46d193b63ca444df8b6a7cf3bd6a8ba6faea9f3f0d417ef9110c04f75c4cc40
          • Instruction Fuzzy Hash: B9211D75A01208AFDB40DFA5C984BDDBBF4BF08318F54842AE548F7740E7745588CB65
          APIs
            • Part of subcall function 6CB95D74: EnterCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DA5
            • Part of subcall function 6CB95D74: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DBB
            • Part of subcall function 6CB95D74: LeaveCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DC9
            • Part of subcall function 6CB95D74: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000,?), ref: 6CB95DD6
          • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6CAB59DF
          • FreeLibrary.KERNEL32(?,?,Function_00026C9B,?,?,?,6CB49E65,?,6CAEF93B,?), ref: 6CAB59EF
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CriticalSection$Enter$AddressFreeInitializeLeaveLibraryProc
          • String ID: HtmlHelpW$hhctrl.ocx
          • API String ID: 3484705245-3773518134
          • Opcode ID: e968036f36ac1f0fb1bbfb31faca64f88436bc4977b67ceec37c433f362da75c
          • Instruction ID: f1a248c2d30db04f766da64d01ef4c0388164ac4b0635e654d3e56fd0933bf8c
          • Opcode Fuzzy Hash: e968036f36ac1f0fb1bbfb31faca64f88436bc4977b67ceec37c433f362da75c
          • Instruction Fuzzy Hash: 3401F73264071AABDB115FA1CC08E4A7FB8AF02765F048929E956B6E50EB30D4F89B51
          APIs
          • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,00000010,?,?,6CB493BB,?,00000010,?,?,?,00000001,?,00000001), ref: 6CB45A51
          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6CB45A61
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: Advapi32.dll$RegDeleteKeyTransactedW
          • API String ID: 1646373207-2168864297
          • Opcode ID: 3ed77b892579241ca0be06fe5801314d3c327ea15a265d92586119ab0aae6770
          • Instruction ID: 59378b2781fd68cdc6912101e323d902461daf4c768034ac281762759f6781fd
          • Opcode Fuzzy Hash: 3ed77b892579241ca0be06fe5801314d3c327ea15a265d92586119ab0aae6770
          • Instruction Fuzzy Hash: 41F0B433219A5AAFEF005E95DCC4C67BBBDFB812A9310C83BF55492C10D6318C69EB65
          APIs
          • GetWindowLongW.USER32(?,000000F0), ref: 6CB95C55
          • GetClassNameW.USER32(?,?,0000000A), ref: 6CB95C6A
          • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,6CAB777F,?,?), ref: 6CB95C81
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: ClassCompareLongNameStringWindow
          • String ID: combobox
          • API String ID: 1414938635-2240613097
          • Opcode ID: 7cb876f9a1db445baf3a589007fa1b78669194b33119cfaf14b0400bd4022344
          • Instruction ID: 1a433b8d056f25028a48b56207c1bc122cb27bc79d6daa9d3c5d1b74db42dfc9
          • Opcode Fuzzy Hash: 7cb876f9a1db445baf3a589007fa1b78669194b33119cfaf14b0400bd4022344
          • Instruction Fuzzy Hash: ECF022326A5119ABCF00EB788C46EEE37B8DB07724F500322F422E61C0DB20E5059795
          APIs
          • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,?,6CB457EA,?,?,?,00000000,00000008,00000000,00000008,6CBDFB15,80000000,CLSID,00000000), ref: 6CB45AAE
          • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6CB45ABE
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: Advapi32.dll$RegOpenKeyTransactedW
          • API String ID: 1646373207-3913318428
          • Opcode ID: 8ace698ce8ca3f2e717a48ffdd9bfa01f2c47a2a6713492d0a0a67a1f4f2d5b3
          • Instruction ID: a09686cd16b0129005f2405be01026867d8e708e9488f9b57fd215bb7caa3f14
          • Opcode Fuzzy Hash: 8ace698ce8ca3f2e717a48ffdd9bfa01f2c47a2a6713492d0a0a67a1f4f2d5b3
          • Instruction Fuzzy Hash: 0DF0F63334490AABCF015F94CC04BA63BB5EB85352F10C835F92091850DBB1C4B5FB92
          APIs
          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CC1E0E3,00000001,?,00000001,?,?,?,6CC1E1D2,00000001,FlsFree,6CC8BB04,FlsFree), ref: 6CC1E13F
          • GetLastError.KERNEL32(?,6CC1E0E3,00000001,?,00000001,?,?,?,6CC1E1D2,00000001,FlsFree,6CC8BB04,FlsFree,00000001,?,6CC1D0F3), ref: 6CC1E149
          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CC1E171
          Strings
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: LibraryLoad$ErrorLast
          • String ID: api-ms-
          • API String ID: 3177248105-2084034818
          • Opcode ID: 384c7cf7269a689528c7c4bc741efaa04f501d6f75af6ca89b1b51e2f8327b76
          • Instruction ID: d9af4b79478b3bce371cb5ad16a71178a2d8ab45074173b4a3de8e54f0074662
          • Opcode Fuzzy Hash: 384c7cf7269a689528c7c4bc741efaa04f501d6f75af6ca89b1b51e2f8327b76
          • Instruction Fuzzy Hash: 9FE09230648204B7EB000A62CC0AF493F39AB00B58F644420F90DE4CD1F76194A4AAC4
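The entries above are easier to triage in bulk than by eye: several of them resolve an export by name at runtime (GetModuleHandleW("Advapi32.dll") followed by GetProcAddress("RegDeleteKeyTransactedW"), GetProcAddress("HtmlHelpW") next to the string "hhctrl.ocx"), and one calls LoadLibraryExW with dwFlags 0x800, which is LOAD_LIBRARY_SEARCH_SYSTEM32, before retrying without flags. The following script is an added example and not part of the Joe Sandbox report or of the analysed sample: it parses function entries in exactly the "APIs" / "Similarity" layout printed here and flags the two patterns. The constructed SAMPLE is four entries copied from this section; the flagging rules, the "?"/8-hex-digit placeholder convention and the fallback that picks a *.dll/*.ocx token from the String ID are assumptions of this example. Treat hits as leads, not verdicts: the strings elsewhere in this dump (MFCToolBars, api-ms-) show the module carries MFC/ATL and VC runtime code, and those libraries resolve exactly these names the same way.

```python
# Added example, not part of the Joe Sandbox report: parse the "APIs" /
# "Similarity" entries in the format shown above and flag functions that pass
# a literal export name to GetProcAddress or call LoadLibraryExW with
# LOAD_LIBRARY_SEARCH_SYSTEM32 (0x800). The flagging rules are heuristics.
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional, Tuple

LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800  # documented LoadLibraryExW dwFlags bit

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function XXXX: ", exactly as the report prints it.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>[\w:~$]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

class ApiCall(NamedTuple):
    name: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # parent address when listed as a subcall

@dataclass
class Entry:
    calls: List[ApiCall] = field(default_factory=list)
    string_id: str = ""  # Similarity "String ID": referenced strings joined by '$'

def _is_placeholder(arg: str) -> bool:
    """The report prints '?' for unknown args and 8-digit hex for numbers."""
    return arg == "?" or re.fullmatch(r"-?[0-9A-F]{8}", arg) is not None

def parse_entries(text: str) -> List[Entry]:
    """Split the report text at each 'APIs' heading and collect its calls."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            cur = Entry()
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], args, m["ref"], m["parent"]))
        elif line.startswith("String ID: "):
            cur.string_id = line[len("String ID: "):]
    return entries

def dynamic_imports(e: Entry) -> List[Tuple[str, str]]:
    """(library, export) for each GetProcAddress given a literal export name; the
    library is the last literal name passed to GetModuleHandleW/LoadLibrary*,
    else a *.dll/*.ocx token from the String ID (heuristic), else '?'."""
    lib, out = None, []
    for c in e.calls:
        if c.name in ("GetModuleHandleW", "LoadLibraryW", "LoadLibraryExW"):
            if c.args and not _is_placeholder(c.args[0]):
                lib = c.args[0]
        elif c.name == "GetProcAddress" and len(c.args) > 1 and not _is_placeholder(c.args[1]):
            hint = [t for t in e.string_id.split("$") if re.search(r"\.(dll|ocx)$", t, re.I)]
            out.append((lib or (hint[0] if hint else "?"), c.args[1]))
    return out

def system32_only_loads(e: Entry) -> int:
    """Count LoadLibraryExW calls whose dwFlags (3rd arg) include 0x800."""
    return sum(1 for c in e.calls if c.name == "LoadLibraryExW" and len(c.args) > 2
               and re.fullmatch(r"[0-9A-F]{8}", c.args[2])
               and int(c.args[2], 16) & LOAD_LIBRARY_SEARCH_SYSTEM32)

def triage(text: str) -> List[Tuple[str, List[Tuple[str, str]], int]]:
    """(address, dynamic_imports, system32_only_loads) for every flagged entry,
    labelled by the ref of its first direct (non-subcall) API call."""
    flagged = []
    for e in parse_entries(text):
        dyn, sys32 = dynamic_imports(e), system32_only_loads(e)
        if dyn or sys32:
            addr = next((c.ref for c in e.calls if c.subcall_of is None), e.calls[0].ref)
            flagged.append((addr, dyn, sys32))
    return flagged

# Constructed sample: four entries copied from the report section above.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,00000010,?,?,6CB493BB,?,00000010,?,?,?,00000001,?,00000001), ref: 6CB45A51
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6CB45A61
• String ID: Advapi32.dll$RegDeleteKeyTransactedW
APIs
• CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,6CAB777F,?,?), ref: 6CB95C81
• String ID: combobox
APIs
  • Part of subcall function 6CB95D74: EnterCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DA5
• GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6CAB59DF
• FreeLibrary.KERNEL32(?,?,Function_00026C9B,?,?,?,6CB49E65,?,6CAEF93B,?), ref: 6CAB59EF
• String ID: HtmlHelpW$hhctrl.ocx
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CC1E0E3,00000001,?,00000001,?,?,?,6CC1E1D2,00000001,FlsFree,6CC8BB04,FlsFree), ref: 6CC1E13F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CC1E171
• String ID: api-ms-
"""

if __name__ == "__main__":
    for addr, dyn, sys32 in triage(SAMPLE):
        print(f"{addr}: dynamic imports {dyn}, system32-only loads {sys32}")
```

Run it against the text of a whole report export rather than SAMPLE to get the full list; the combobox entry shows the filter dropping functions that only call static imports, and the hhctrl.ocx case shows why the String ID fallback is worth keeping when the LoadLibrary call sits in a different function than the GetProcAddress.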
          APIs
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Object$Delete$H_prolog3
          • String ID:
          • API String ID: 487261545-0
          • Opcode ID: 2694bf3b0bf91bf00302d07b8b66de4491bc34fd12f2f22b248bfdc3cdd68cb8
          • Instruction ID: b19d6a30345fcc5ed23a81fc868b2c4bb5a71e98e2822e3b9a81b34f9cf99f03
          • Opcode Fuzzy Hash: 2694bf3b0bf91bf00302d07b8b66de4491bc34fd12f2f22b248bfdc3cdd68cb8
          • Instruction Fuzzy Hash: 18123770E007198FDB15CFA9C890BAEFBB5BF09314F15826AE519B7650EB30A985CF50
          APIs
          • GetBkColor.GDI32(?), ref: 6CAB2C30
          • GetTextColor.GDI32(?), ref: 6CAB2CDC
          • GetBkColor.GDI32(?), ref: 6CAB2ECE
          • DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 6CAB2FE7
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Color$DrawIconText
          • String ID:
          • API String ID: 2759393849-0
          • Opcode ID: 2ee5467715212322fd822834f377d9e8943b1192d7d99b3014ce83061196dcc2
          • Instruction ID: 64a48c567dd8283f5981ff5254a344b7b479a2c0ee99b686bb1500d085482120
          • Opcode Fuzzy Hash: 2ee5467715212322fd822834f377d9e8943b1192d7d99b3014ce83061196dcc2
          • Instruction Fuzzy Hash: 93E13F35A00619DFCF04DFA8C988ADDB7B6BF49314F14416AE815BB790C771AD85CB90
          APIs
          • GetConsoleOutputCP.KERNEL32(9380FC14,00000000,00000000,00000000), ref: 6CC34ACC
            • Part of subcall function 6CC3A918: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CC39427,?,00000000,-00000008), ref: 6CC3A979
          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CC34D1E
          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CC34D64
          • GetLastError.KERNEL32 ref: 6CC34E07
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
          • String ID:
          • API String ID: 2112829910-0
          • Opcode ID: 8cba37d03e1e5ae085bd33e11474b4629f659b63cac423c6facacdd4fbc4d48e
          • Instruction ID: 34f1ef5252d1cf7635abca7809e9d672f6602f74532f0c632f656eb79f3d163e
          • Opcode Fuzzy Hash: 8cba37d03e1e5ae085bd33e11474b4629f659b63cac423c6facacdd4fbc4d48e
          • Instruction Fuzzy Hash: 2BD19D75E042589FCF05CFA8D880ADDBBB5FF09314F24456AE42AEB741E731A946CB50
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB25E81
          • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CB25EB4
          • GetWindow.USER32(?,00000005), ref: 6CB25FC3
            • Part of subcall function 6CB2615D: BringWindowToTop.USER32(?), ref: 6CB261FD
            • Part of subcall function 6CB2615D: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 6CB26251
            • Part of subcall function 6CB2615D: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 6CB2625D
          • GetWindow.USER32(?,00000002), ref: 6CB2601D
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Window$Redraw$BringH_prolog3MessageSend
          • String ID:
          • API String ID: 259967589-0
          • Opcode ID: eaf36997a00edb2ff7a1aa4f91f471f64d02e026944cb031636cdc54624daca0
          • Instruction ID: 80075ea6b7c5a7fa78de1001c5f3186fa60dc83dbad1ef7c1ecf001c6138a488
          • Opcode Fuzzy Hash: eaf36997a00edb2ff7a1aa4f91f471f64d02e026944cb031636cdc54624daca0
          • Instruction Fuzzy Hash: AC81B035B002559BDF159FA0C998BFE77B5EF49318F140029EC09ABB80DF789948DB91
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CBF10AD
          • GetVersionExW.KERNEL32(?), ref: 6CBF1129
          • CoInitializeEx.OLE32(00000000,00000002), ref: 6CBF12B9
          • CoCreateInstance.OLE32(6CC89C08,00000000,00000001,6CC80CE4,?), ref: 6CBF1300
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CreateH_prolog3_InitializeInstanceVersion
          • String ID:
          • API String ID: 1117250964-0
          • Opcode ID: 4312ac71a81c658b2d1cbf06f1da32c604c621d3f0901b4be59f1cb8169c4e9c
          • Instruction ID: fdeeaec8ba8306419196151c6f80b486ce5c3f87d31dbd33a8c39c74d8898712
          • Opcode Fuzzy Hash: 4312ac71a81c658b2d1cbf06f1da32c604c621d3f0901b4be59f1cb8169c4e9c
          • Instruction Fuzzy Hash: 69814AB1B02656AFD744CF24C840BDAB7F4BF09314F00465AE958D7740DB30A9A9CF95
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CAAF8CD
          • InflateRect.USER32(?,000000FF,00000000), ref: 6CAAF8ED
          • InflateRect.USER32(?,000000FF,000000FE), ref: 6CAAF912
          • FillRect.USER32(?,?,?), ref: 6CAAF933
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$Inflate$FillH_prolog3_
          • String ID:
          • API String ID: 3515757206-0
          • Opcode ID: 58a5211ad80f2410bafe8860c09c2d0b72a9440635e2976dd9896ffc318a3e28
          • Instruction ID: e95f2517b55eba91a0cedad2793a4907d30cfb48954d7f930e8187052d3a7c77
          • Opcode Fuzzy Hash: 58a5211ad80f2410bafe8860c09c2d0b72a9440635e2976dd9896ffc318a3e28
          • Instruction Fuzzy Hash: 91614A71A0110DAFCF05DFA4C984AEE77BAEF08218F104169F815A77A0DB359D99DBA0
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB307B6
          • SelectObject.GDI32(?,?), ref: 6CB30983
            • Part of subcall function 6CABD4B1: __EH_prolog3.LIBCMT ref: 6CABD4B8
            • Part of subcall function 6CABD4B1: GetDC.USER32(00000000), ref: 6CABD4E4
          • SelectObject.GDI32(?,00000000), ref: 6CB30874
          • GetSystemMetrics.USER32(00000000), ref: 6CB30948
            • Part of subcall function 6CB2FBA7: GetTextExtentPoint32W.GDI32(?,?,0000007D,00000800), ref: 6CB2FBB9
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: H_prolog3ObjectSelect$ExtentMetricsPoint32SystemText
          • String ID:
          • API String ID: 182195805-0
          • Opcode ID: b672591e779f4393f5a33ba92440b511a8cffbdc2add4bd1065ef5e3f9223ae1
          • Instruction ID: e3ab6746c12cd437cc42a24781edf57ffab3fd756d0955db15f8dacdcb2fcd63
          • Opcode Fuzzy Hash: b672591e779f4393f5a33ba92440b511a8cffbdc2add4bd1065ef5e3f9223ae1
          • Instruction Fuzzy Hash: E271D270A002998FDB04CF69C894AEEBBF5FF84314F20516EE419AB791DB70D949CB51
          APIs
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: EmptyRect$Window
          • String ID:
          • API String ID: 1945993337-0
          • Opcode ID: 16ad6bec734dbc2bc43519dfcb2f714b016dc0dc32604172dd24bc0bf90a1069
          • Instruction ID: c91b39282c029c43803f331c355c081c7bf7d24ae755c4ac51bdb495c1ac6393
          • Opcode Fuzzy Hash: 16ad6bec734dbc2bc43519dfcb2f714b016dc0dc32604172dd24bc0bf90a1069
          • Instruction Fuzzy Hash: 4A618C71A016048FDB05CF69C980BAA73F9FF49318F1441A9ED19AF686DB31AA45CF50
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAD0D82
          • LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6CAD0ED8
          • GetObjectW.GDI32(00000000,00000018,?), ref: 6CAD0EEA
          • DeleteObject.GDI32(00000000), ref: 6CAD0F42
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Object$DeleteH_prolog3ImageLoad
          • String ID:
          • API String ID: 91933946-0
          • Opcode ID: 095873b2eb20fa144628a709b76f46c5bd598149c76e951f293d2b8525fa12db
          • Instruction ID: fb90d9525678ccaf9c8932f3d111905e58404f05ef1108a7adfd6747d99843b4
          • Opcode Fuzzy Hash: 095873b2eb20fa144628a709b76f46c5bd598149c76e951f293d2b8525fa12db
          • Instruction Fuzzy Hash: 0861FD31901605CBDF01CF64C9807EE77B5BF49314F268269EC64AF686DB30A9C9CBA1
          APIs
          • GlobalLock.KERNEL32(00000000), ref: 6CB49E49
          • DestroyWindow.USER32(00000000,?,00000000,00000000,6CB49B41,00000000,?,6CAEF93B,?), ref: 6CB49F32
          • GlobalUnlock.KERNEL32(00000000), ref: 6CB49F3F
          • GlobalFree.KERNEL32(00000000), ref: 6CB49F46
            • Part of subcall function 6CBE6326: GetStockObject.GDI32(00000011), ref: 6CBE6348
            • Part of subcall function 6CBE6326: GetStockObject.GDI32(0000000D), ref: 6CBE6354
            • Part of subcall function 6CBE6326: GetObjectW.GDI32(00000000,0000005C,?), ref: 6CBE6365
            • Part of subcall function 6CBE6326: GetDC.USER32(00000000), ref: 6CBE6374
            • Part of subcall function 6CBE6326: GetDeviceCaps.GDI32(00000000,0000005A), ref: 6CBE638B
            • Part of subcall function 6CBE6326: MulDiv.KERNEL32(?,00000048,00000000), ref: 6CBE6397
            • Part of subcall function 6CBE6326: ReleaseDC.USER32(00000000,00000000), ref: 6CBE63A3
            • Part of subcall function 6CBE6010: GlobalFree.KERNEL32 ref: 6CBE6017
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Global$Object$FreeStock$CapsDestroyDeviceLockReleaseUnlockWindow
          • String ID:
          • API String ID: 191377077-0
          • Opcode ID: a0e812816ab922efb8a8e3866af9cab874c7eee7c1f89efaf6186f9ecec9fe12
          • Instruction ID: 62fa5114bdd0479b34ad34fe47b18e32c902f7e8c9cb5f246cb613a4548629ac
          • Opcode Fuzzy Hash: a0e812816ab922efb8a8e3866af9cab874c7eee7c1f89efaf6186f9ecec9fe12
          • Instruction Fuzzy Hash: 7A518030E052599FCF01DFA4CA84AEEBBB8FF09318F148159E901B7754DB34AA49DB91
          APIs
          • SetMenu.USER32(?,?), ref: 6CACA45D
          • GetMenu.USER32(?), ref: 6CACA4CC
          • SetMenu.USER32(?,00000000), ref: 6CACA4F1
          • SendMessageW.USER32(?,00000362,?,00000000), ref: 6CACA582
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Menu$MessageSend
          • String ID:
          • API String ID: 3482896889-0
          • Opcode ID: 65305115d2cb05e980e3c040bb765c292d31d38f5e0cb5070711d08b7f082cc9
          • Instruction ID: 71874831d4d0bbeca3b9649bfd76367548bf52563c19e18b9d364a7c280c0649
          • Opcode Fuzzy Hash: 65305115d2cb05e980e3c040bb765c292d31d38f5e0cb5070711d08b7f082cc9
          • Instruction Fuzzy Hash: F541B236700109AFCB058F69C948AB9BBBAFF49314F14C126EA19C7A00D731EDD1CB92
          APIs
          • ScreenToClient.USER32(?,?), ref: 6CA947F7
          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 6CA94824
          • LoadMenuW.USER32(?,000000AD), ref: 6CA94855
          • GetSubMenu.USER32(00000000,00000000), ref: 6CA94869
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Menu$ClientLoadMessageScreenSend
          • String ID:
          • API String ID: 688987412-0
          • Opcode ID: ee46652b71b3413d045037b0d2b5523a8f7cd9aea261c60557bf6d3df43d98ba
          • Instruction ID: 1e67dfcfaefa35933a8cb8ae33410f82fff44bd7f859a434a89f49b2f7b9407b
          • Opcode Fuzzy Hash: ee46652b71b3413d045037b0d2b5523a8f7cd9aea261c60557bf6d3df43d98ba
          • Instruction Fuzzy Hash: 6841D671A00245AFDF01DFA4C949BEE7BF9EF48304F108619F925A7B90EB748994DB90
          APIs
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: EmptyRect
          • String ID:
          • API String ID: 2270935405-0
          • Opcode ID: e809cf128086e45c1306903d2506599a3fe4e4fe534d39f64b6392e47bda9d2a
          • Instruction ID: d6caa39c658f06ab5e424e54bb4361a2846fd3ac6fd6493350419db26f8dc80b
          • Opcode Fuzzy Hash: e809cf128086e45c1306903d2506599a3fe4e4fe534d39f64b6392e47bda9d2a
          • Instruction Fuzzy Hash: 3D51E7B09212218FCB248F1985846E53BB8FB09B54F0842BBED5C8F64AC7B15186DFA1
          APIs
          • EnableMenuItem.USER32(?,?,00000403), ref: 6CAC33A9
          • GetFocus.USER32 ref: 6CAC33C3
          • GetParent.USER32(?), ref: 6CAC33CE
          • SendMessageW.USER32(?,00000028,00000000,00000000), ref: 6CAC33E3
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: EnableFocusItemMenuMessageParentSend
          • String ID:
          • API String ID: 2297321873-0
          • Opcode ID: 5368cac41f7079a03b6ee699204af3bf278ba7288621c5c16d5418747031485f
          • Instruction ID: 3e9ea49a9557cb1b16fb36410565dab25f5befe6caedfcee7b6e8ff307e16ae2
          • Opcode Fuzzy Hash: 5368cac41f7079a03b6ee699204af3bf278ba7288621c5c16d5418747031485f
          • Instruction Fuzzy Hash: AE411535701600EFCB109F1AC848B9ABBB5FF84315F148129E55697B90CB70E9C4CB91
          APIs
          • __EH_prolog3.LIBCMT ref: 6CABEF03
          • GetClientRect.USER32(6CC593EC,?), ref: 6CABEF52
            • Part of subcall function 6CAB7552: GetScrollPos.USER32(6CC593EC,00000800), ref: 6CAB757E
            • Part of subcall function 6CB94E37: GetModuleHandleW.KERNEL32(uxtheme.dll,?,6CABEF84,00000001,00000000,?,6CAA42BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?), ref: 6CB94E46
            • Part of subcall function 6CB94E37: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6CB94E56
            • Part of subcall function 6CB94E37: EncodePointer.KERNEL32(00000000,?,6CAA42BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?,00000001,0000007D,?,00000800), ref: 6CB94E5F
          • CreateCompatibleDC.GDI32(?), ref: 6CABEFEE
          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CABF014
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
          • String ID:
          • API String ID: 1015973060-0
          • Opcode ID: e2d2874214cb75d91cfe15432802a25accdf495eb6b4f4bbeb2d2a3359ea99eb
          • Instruction ID: 52e75bfec82cee94c5e63524e88225067df41c25099f26f1cfcc42a5f0bca6a5
          • Opcode Fuzzy Hash: e2d2874214cb75d91cfe15432802a25accdf495eb6b4f4bbeb2d2a3359ea99eb
          • Instruction Fuzzy Hash: 484131B0A00606AFD700CF65C984A99BBB8BF04308F15C56DE41997E50E771E9A9CF90
          APIs
            • Part of subcall function 6CABC609: GetWindowLongW.USER32(?,000000F0), ref: 6CABC616
          • GetClientRect.USER32(?,?), ref: 6CAB795A
          • IsMenu.USER32(00000000), ref: 6CAB7996
          • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6CAB79AE
          • GetClientRect.USER32(?,?), ref: 6CAB79F6
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: Rect$ClientWindow$AdjustLongMenu
          • String ID:
          • API String ID: 3435883281-0
          • Opcode ID: 5e47b1007772d11e0451244dad4b871d52bff3419c02ceb2b7f8a3d2a10195ff
          • Instruction ID: fef1cc02115d0dafb6d141570f2b29c8c6f41d44a24a05a955fa3175e84e1ef9
          • Opcode Fuzzy Hash: 5e47b1007772d11e0451244dad4b871d52bff3419c02ceb2b7f8a3d2a10195ff
          • Instruction Fuzzy Hash: 87317231A00209AFDB01DBA5C988EBFBBBDEF45218F144519E901F7640EB709994CBA0
          APIs
          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6CABC9EA
          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6CABCA4B
          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6CABCA95
          • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 6CABCAC4
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: MessageSend
          • String ID:
          • API String ID: 3850602802-0
          • Opcode ID: 09dc8cf2691c1fb436ae9eafc47923d44bcac13c53892c1da2b2b57cbe6afde8
          • Instruction ID: d7a6564c030ecdadf41e6a5bc24af99e720c705dd823af3c920063859bab2bd4
          • Opcode Fuzzy Hash: 09dc8cf2691c1fb436ae9eafc47923d44bcac13c53892c1da2b2b57cbe6afde8
          • Instruction Fuzzy Hash: 2E31657164060AFFEB15EA61C984F6A72BEFB0138CF14406DE512B3A90C771ADC5E694
          APIs
          • InflateRect.USER32(?,000000FF,000000FF), ref: 6CAAE4E6
          • InflateRect.USER32(?,000000FF,000000FF), ref: 6CAAE527
          • InflateRect.USER32(?,?,?), ref: 6CAAE558
          • InflateRect.USER32(?,00000001,00000001), ref: 6CAAE583
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: InflateRect
          • String ID:
          • API String ID: 2073123975-0
          • Opcode ID: 9c5e5b6a56eb30c9fd04de1d89619cdb2ae3875b021dc016f0fb0b264fefd4b9
          • Instruction ID: 719e14788f8b1110964603d75264965e363a98bbf3de3cb6ff221f7599e10b48
          • Opcode Fuzzy Hash: 9c5e5b6a56eb30c9fd04de1d89619cdb2ae3875b021dc016f0fb0b264fefd4b9
          • Instruction Fuzzy Hash: 5F315072604119AFCB00EFE8DD44DDA73ACAF08228B054666F520E7690DB75E89DC7A0
          APIs
          • SetRectEmpty.USER32(00000000), ref: 6CB94037
          • GetClientRect.USER32(?,00000000), ref: 6CB94057
          • GetParent.USER32(?), ref: 6CB94076
          • OffsetRect.USER32(00000000,00000000,00000000), ref: 6CB940F8
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          Similarity
          • API ID: Rect$ClientEmptyOffsetParent
          • String ID:
          • API String ID: 3819956977-0
          • Opcode ID: 46ea9eaf8afd05c9cd644c4462577d1e625deb53b82e015888131daba99ef7a2
          • Instruction ID: 71cde59d972dd3f66dbdd74c10c7c8a36c158ae330714b35588933d69b709828
          • Opcode Fuzzy Hash: 46ea9eaf8afd05c9cd644c4462577d1e625deb53b82e015888131daba99ef7a2
          • Instruction Fuzzy Hash: 99318171204602AFDB08CF65C984E6AB7F8FF45314B10826DE42ADBA40EB71EC50CFA1
          APIs
          • RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,00000000,00000800,6CAB418C,00000002,00000000,?,?,?,6CAA5846,6CC60964), ref: 6CAB3EC0
          • RedrawWindow.USER32(?,00000000,00000000,00000585,?,00000000,00000800,6CAB418C,00000002,00000000,?,?,?,6CAA5846,6CC60964,?), ref: 6CAB3EED
          • RedrawWindow.USER32(?,00000000,00000000,00000185,?,00000000,00000800,6CAB418C,00000002,00000000,?,?,?,6CAA5846,6CC60964,?), ref: 6CAB3F2A
          • RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,6CAA5846,6CC60964,?,?,00000000,6CC43E9D,000000FF,?,6CAA449A,?), ref: 6CB6A873
          Similarity
          • API ID: RedrawWindow
          • String ID:
          • API String ID: 2219533335-0
          • Opcode ID: 81a768d63b2e1d211c0831afdb7f1f0e50b4da8de3417d9ac9535afa20902ddc
          • Instruction ID: e1e98acc9170cc24b95a26ad322163831bc8a7e3ed6c20d52d1341cd4a9d5bef
          • Opcode Fuzzy Hash: 81a768d63b2e1d211c0831afdb7f1f0e50b4da8de3417d9ac9535afa20902ddc
          • Instruction Fuzzy Hash: C521D632352A22B7EB210A15DD01B5A77B8BF45B14F290155BD887BEA0EF70F8D58B90
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 003b61bdd390499f48c391add53d19448766b8c1f2f804b93573416c2ba03725
          • Instruction ID: b3615b460cc257720322b5a3e303b1aeab7ba5e2bb6e00dddc0c04e04010f9a8
          • Opcode Fuzzy Hash: 003b61bdd390499f48c391add53d19448766b8c1f2f804b93573416c2ba03725
          • Instruction Fuzzy Hash: CB11D671714204ABDB205B669C08F5A3BB8FF92B79F140655F910E7A90F778C940D7A8
          APIs
          • GetDC.USER32(00000000), ref: 6CBFED84
          • EnumFontFamiliesExW.GDI32(00000000,?,6CBFED1B,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6CBFED9F
          • ReleaseDC.USER32(00000000,00000000), ref: 6CBFEDA7
          • __EH_prolog3.LIBCMT ref: 6CBFEDCB
          Similarity
          • API ID: EnumFamiliesFontH_prolog3Release
          • String ID:
          • API String ID: 1064023238-0
          • Opcode ID: 3058609e5c818e87ed95d4f852e13fbb14f2e427c65229273e549a0d9b7a464e
          • Instruction ID: e407508a3f0f5f75095d150395f43acddcf5790ae24382bbed18f6225df56ddf
          • Opcode Fuzzy Hash: 3058609e5c818e87ed95d4f852e13fbb14f2e427c65229273e549a0d9b7a464e
          • Instruction Fuzzy Hash: 7021C676A01368ABCB10DBA48C04DEF77B9EF45718F500419F904EBB40EB349A4987E5
          APIs
          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CAB94BC
          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CAB94E6
          • GetCapture.USER32 ref: 6CAB94FC
          • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6CAB950B
          Similarity
          • API ID: MessageSend$Capture
          • String ID:
          • API String ID: 1665607226-0
          • Opcode ID: 91dc374105e0d75f0b8a285b5ce6119755da1deea0f96546b67f5108bb1821ba
          • Instruction ID: a80dc7a623c3a4db8be0d9209c3971233eef21edd9e6ada972692ee535241c48
          • Opcode Fuzzy Hash: 91dc374105e0d75f0b8a285b5ce6119755da1deea0f96546b67f5108bb1821ba
          • Instruction Fuzzy Hash: F51193313502097FEE111B248D88FBA7A7EFB48798F044020F60576A91CB719DE4A7A0
          APIs
          • SHAppBarMessage.SHELL32(00000007,?), ref: 6CB3952C
          • SHAppBarMessage.SHELL32(00000007,?), ref: 6CB39546
          • SHAppBarMessage.SHELL32(00000007,?), ref: 6CB3955D
          • SHAppBarMessage.SHELL32(00000007,?), ref: 6CB39577
          Similarity
          • API ID: Message
          • String ID:
          • API String ID: 2030045667-0
          • Opcode ID: 060d3c4ae5dadeed9771e3ba79cde644e9708c9e9cd002e1f4534397697087c3
          • Instruction ID: 06b5173f7ab195929f8153073bd0de087b4e43b6fd39325e5f09f9aa15d5df44
          • Opcode Fuzzy Hash: 060d3c4ae5dadeed9771e3ba79cde644e9708c9e9cd002e1f4534397697087c3
          • Instruction Fuzzy Hash: 96215171F15209AFEB04DF61C845BEABBF8FF08314F505029D419E2280DB74A594CFA1
          APIs
          • FindResourceW.KERNEL32(?,?,00000006), ref: 6CA91F48
          • LoadResource.KERNEL32(?,00000000), ref: 6CA91F5C
          Similarity
          • API ID: Resource$FindLoad
          • String ID:
          • API String ID: 2619053042-0
          • Opcode ID: 3bd633a263d252a79038946a2dbbe11a841e579da01e50b74b75ae6f16aa87f0
          • Instruction ID: 8136c0495c769726656bb9eeb8d9d932a96eacc54c42a3c5d171d2f37ad3dc9a
          • Opcode Fuzzy Hash: 3bd633a263d252a79038946a2dbbe11a841e579da01e50b74b75ae6f16aa87f0
          • Instruction Fuzzy Hash: 08012633B246295BCB201A6AEC4447AB3FCEB8176A7844527FE0FD3100E731D89047A0
          APIs
          • BeginDeferWindowPos.USER32(00000000), ref: 6CB944E3
          • IsWindow.USER32(?), ref: 6CB944FE
          • DeferWindowPos.USER32(00000000,?,00000000,?,?,?,?,00000000), ref: 6CB94547
          • EndDeferWindowPos.USER32(00000000), ref: 6CB94552
          Similarity
          • API ID: Window$Defer$Begin
          • String ID:
          • API String ID: 2880567340-0
          • Opcode ID: ca84c7dcfcd098aa8d975bd31530ba09fdf21ed290c4a0ff51453c1a9e60a8ee
          • Instruction ID: bc1f0127111097eea6d6be091ac526be4506c4ac65d52acf8c789f8b28dd3673
          • Opcode Fuzzy Hash: ca84c7dcfcd098aa8d975bd31530ba09fdf21ed290c4a0ff51453c1a9e60a8ee
          • Instruction Fuzzy Hash: E5113A71A10209AFDF01DFA9C844AAEBBF9FF09318F504529A511F7650DB30A990DBA1
          APIs
          • FindResourceW.KERNEL32(?,?,00000005,?,00000000,00000000,00000000,?,6CB966FC,00000000,?,00000000,?,00000000,?,?), ref: 6CB977D4
          • LoadResource.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,6CB966FC,00000000,?,00000000,?,00000000,?,?), ref: 6CB977E9
          • LockResource.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CB966FC,00000000,?,00000000,?,00000000,?,?), ref: 6CB977FB
          • GlobalFree.KERNEL32(?), ref: 6CB9783A
          Similarity
          • API ID: Resource$FindFreeGlobalLoadLock
          • String ID:
          • API String ID: 3898064442-0
          • Opcode ID: 46d366acd697f12574766e78626a01ee469c26e9ac9570d258d8149046e8ad11
          • Instruction ID: 5949ff5a8e2104ec17384e6eaeb4432eebba7a9471031410bf88c97335d55eb1
          • Opcode Fuzzy Hash: 46d366acd697f12574766e78626a01ee469c26e9ac9570d258d8149046e8ad11
          • Instruction Fuzzy Hash: BC11D631A01611ABCB125B56C888BDABBF4FF06369F558178E809B7B00DBB09C54DBD1
          APIs
          • GetWindowTextW.USER32(?,?,00000100), ref: 6CB95A6F
          • lstrcmpW.KERNEL32(?,?,?,00000000), ref: 6CB95A81
          • SetWindowTextW.USER32(?,?), ref: 6CB95A8D
          • GetLastError.KERNEL32(?,00000000), ref: 6CB95AAA
          Similarity
          • API ID: TextWindow$ErrorLastlstrcmp
          • String ID:
          • API String ID: 1997968240-0
          • Opcode ID: c22ec78b470528c7322e492b0af92c7d4dc3b42f22467cf9bb6606c27af24dbf
          • Instruction ID: 15ca0c578b9196faaa0b9c1ea12c0ba866de798c040f1d108e85f3a83c71a3f0
          • Opcode Fuzzy Hash: c22ec78b470528c7322e492b0af92c7d4dc3b42f22467cf9bb6606c27af24dbf
          • Instruction Fuzzy Hash: FF11CAB17012186BDB00AF648C88AFFB3BCEF45205F50457AE516D3601EB34DA4897A5
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAB0202
          • IsRectEmpty.USER32(?), ref: 6CAB0224
            • Part of subcall function 6CB6D54F: __EH_prolog3_GS.LIBCMT ref: 6CB6D556
            • Part of subcall function 6CB6D54F: CreateCompatibleDC.GDI32(00000000), ref: 6CB6D5BA
            • Part of subcall function 6CB6D54F: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB6D5F0
            • Part of subcall function 6CB6D54F: SelectObject.GDI32(?,00000000), ref: 6CB6D644
          • IsRectEmpty.USER32(?), ref: 6CAB0268
          • FillRect.USER32(?,?,-000000A0), ref: 6CAB0289
          Similarity
          • API ID: Rect$CompatibleCreateEmpty$BitmapFillH_prolog3H_prolog3_ObjectSelect
          • String ID:
          • API String ID: 2706196367-0
          • Opcode ID: 1d0124dfd95557f676ff500a6dc81f8a0ce6b82044f5046b86d87bef8703c021
          • Instruction ID: 87d36c51dc491bfdb0dc884ffb8e4c8c4f49cc253509f31ab5664d03aab86701
          • Opcode Fuzzy Hash: 1d0124dfd95557f676ff500a6dc81f8a0ce6b82044f5046b86d87bef8703c021
          • Instruction Fuzzy Hash: 05117C726001899BDB00DFE4CA04EEE33BCAF0431CF584255E114B7AA0EB35D99CCB61
          APIs
          • GetParent.USER32(?), ref: 6CAC3F78
          • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CAC3FBB
          • RedrawWindow.USER32(?,00000000,00000000,00000185,?,?,?,?,?,?,00000000), ref: 6CAC3FCB
          • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CAC3FA3
            • Part of subcall function 6CACACF0: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6CACAD64
            • Part of subcall function 6CACACF0: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CACAD8D
            • Part of subcall function 6CACACF0: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CACADAC
            • Part of subcall function 6CACACF0: SendMessageW.USER32(?,00000222,?,00000000), ref: 6CACADC6
          Similarity
          • API ID: MessageSend$ParentRedrawWindow
          • String ID:
          • API String ID: 2139789815-0
          • Opcode ID: 36aa625164b95571c2284c163b254e887e79c31a25177525bb1fef57ce0efcde
          • Instruction ID: 5621628aed0276818e9f7acb9cd2a4c50c45ca6d68703ab484feb37a2d785c44
          • Opcode Fuzzy Hash: 36aa625164b95571c2284c163b254e887e79c31a25177525bb1fef57ce0efcde
          • Instruction Fuzzy Hash: B3110431310600BFEB151A60CC58FAA76BEFF8874DF144029F545AA990DB719CD4DBA5
          APIs
          • GetObjectW.GDI32(?,0000000C,?), ref: 6CAB778A
          • SetBkColor.GDI32(?,?), ref: 6CAB7794
          • GetSysColor.USER32(00000008), ref: 6CAB77A4
          • SetTextColor.GDI32(?,?), ref: 6CAB77AC
            • Part of subcall function 6CB95C3A: GetWindowLongW.USER32(?,000000F0), ref: 6CB95C55
            • Part of subcall function 6CB95C3A: GetClassNameW.USER32(?,?,0000000A), ref: 6CB95C6A
            • Part of subcall function 6CB95C3A: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,6CAB777F,?,?), ref: 6CB95C81
          Similarity
          • API ID: Color$ClassCompareLongNameObjectStringTextWindow
          • String ID:
          • API String ID: 3274569906-0
          • Opcode ID: 91faaba50b1942cd94663e23b36400e4a45ea464587d2b97d9c9ee4ae02aa442
          • Instruction ID: 904e89a82372e9456ba3576294c6084cccfb6181f92cfaea8973ec35e4562d33
          • Opcode Fuzzy Hash: 91faaba50b1942cd94663e23b36400e4a45ea464587d2b97d9c9ee4ae02aa442
          • Instruction Fuzzy Hash: 25018031601108ABDB029F688C509AF37BCAF1A318F644516F922F2A80DBB1D9D197B1
          APIs
            • Part of subcall function 6CABD51A: __EH_prolog3.LIBCMT ref: 6CABD521
            • Part of subcall function 6CABD51A: BeginPaint.USER32(?,?,00000004,6CA92711), ref: 6CABD54D
          • GetWindowRect.USER32(?,?), ref: 6CA94B1F
            • Part of subcall function 6CABE5B6: ScreenToClient.USER32(?,?), ref: 6CABE5C5
            • Part of subcall function 6CABE5B6: ScreenToClient.USER32(?,?), ref: 6CABE5D2
          • InflateRect.USER32(?,00000001,00000001), ref: 6CA94B38
          • GetSysColor.USER32(00000010), ref: 6CA94B46
          • GetSysColor.USER32(00000010), ref: 6CA94B4B
            • Part of subcall function 6CABD6AE: EndPaint.USER32(?,?,9380FC14,?,?,Function_001B504C,000000FF,?,6CA92998), ref: 6CABD6E0
          Similarity
          • API ID: ClientColorPaintRectScreen$BeginH_prolog3InflateWindow
          • String ID:
          • API String ID: 3025975366-0
          • Opcode ID: 90827129689cdb2ee307fd4f490b915acbcb123fba77f08e5180b7deeb3b2fd8
          • Instruction ID: bcb32e28feda99725a9500295bb6409720a16c7100ce20b3670d833ad71cc6a2
          • Opcode Fuzzy Hash: 90827129689cdb2ee307fd4f490b915acbcb123fba77f08e5180b7deeb3b2fd8
          • Instruction Fuzzy Hash: 2C018471D10618ABCB21DBA0CD44FEEB7BCFB04714F00822AE415B3680DB742589CB90
          APIs
            • Part of subcall function 6CABD51A: __EH_prolog3.LIBCMT ref: 6CABD521
            • Part of subcall function 6CABD51A: BeginPaint.USER32(?,?,00000004,6CA92711), ref: 6CABD54D
          • GetWindowRect.USER32(?,?), ref: 6CAA395F
            • Part of subcall function 6CABE5B6: ScreenToClient.USER32(?,?), ref: 6CABE5C5
            • Part of subcall function 6CABE5B6: ScreenToClient.USER32(?,?), ref: 6CABE5D2
          • InflateRect.USER32(?,00000001,00000001), ref: 6CAA3978
          • GetSysColor.USER32(00000010), ref: 6CAA3986
          • GetSysColor.USER32(00000010), ref: 6CAA398B
            • Part of subcall function 6CABD6AE: EndPaint.USER32(?,?,9380FC14,?,?,Function_001B504C,000000FF,?,6CA92998), ref: 6CABD6E0
          Similarity
          • API ID: ClientColorPaintRectScreen$BeginH_prolog3InflateWindow
          • String ID:
          • API String ID: 3025975366-0
          • Opcode ID: eaf091f74ee2a094a515ce54cb608714f3e98b2e5f1c96f6a3778a51eede5f5b
          • Instruction ID: 54fd3fb162f38f6768ecb73700389a1393a89eb0ec69503b6c40052ac66f0562
          • Opcode Fuzzy Hash: eaf091f74ee2a094a515ce54cb608714f3e98b2e5f1c96f6a3778a51eede5f5b
          • Instruction Fuzzy Hash: 80018471D10618ABCB21DBA0CD44FEEB77CFB04714F00822AF415B3680DB742589CB90
          APIs
          • __EH_prolog3.LIBCMT ref: 6CAAD66E
          • FillRect.USER32(?,?,-000000D0), ref: 6CAAD693
          • CreateSolidBrush.GDI32(000000FF), ref: 6CAAD6AE
          • FillRect.USER32(00000000,00000000,00000000), ref: 6CAAD6C7
          Similarity
          • API ID: FillRect$BrushCreateH_prolog3Solid
          • String ID:
          • API String ID: 1242064992-0
          • Opcode ID: 114bbb894771c969deafe596324d261db2bd8a1135c021615c4dfc1bfafe4e36
          • Instruction ID: 61fc9612ec9ea52bd693b2f1cf966f420413eb8cc578b3d12a52cf8334b646bb
          • Opcode Fuzzy Hash: 114bbb894771c969deafe596324d261db2bd8a1135c021615c4dfc1bfafe4e36
          • Instruction Fuzzy Hash: 0F118F72910209DBCB00DF94CA04AEE7778BF04328F194216E464B76A0D7319A99DBA1
          APIs
          • GetTopWindow.USER32(?), ref: 6CAB9CFE
          • GetTopWindow.USER32(00000000), ref: 6CAB9D41
          • GetWindow.USER32(00000000,00000002), ref: 6CAB9D63
          Similarity
          • API ID: Window
          • String ID:
          • API String ID: 2353593579-0
          • Opcode ID: 8d8237d2fff675e32489f50dc5cd2daa3a33787a6bba5f0eed5846147d5d375e
          • Instruction ID: 3c6f16a834af2ebb3dd722bfa29281bd8dd2795ef2848f65cb9718c4c92cddf9
          • Opcode Fuzzy Hash: 8d8237d2fff675e32489f50dc5cd2daa3a33787a6bba5f0eed5846147d5d375e
          • Instruction Fuzzy Hash: 6001D33210111AABCF125FA6CE04ADE3B3EBF2A356F048400FA1560460CB36C6B5EBA1
          APIs
          • GetDlgItem.USER32(?,?), ref: 6CAB722D
          • GetTopWindow.USER32(00000000), ref: 6CAB723A
            • Part of subcall function 6CAB7223: GetWindow.USER32(00000000,00000002), ref: 6CAB7289
          • GetTopWindow.USER32(?), ref: 6CAB726E
          Similarity
          • API ID: Window$Item
          • String ID:
          • API String ID: 369458955-0
          • Opcode ID: 0ce0d0079eb508e44a03bc4e47c565ec2e70e7ec3b2d3d981a658689c2e6e8c0
          • Instruction ID: 4672b25435d2493d70ae981eea0b0e05ad5c3bbd23c92396fa3bed68f894f7e9
          • Opcode Fuzzy Hash: 0ce0d0079eb508e44a03bc4e47c565ec2e70e7ec3b2d3d981a658689c2e6e8c0
          • Instruction Fuzzy Hash: AB014B31605A15ABDF121E669D08EDE3B7DAF02398F0C8121FD18F8A50DFB1C9A597B1
          APIs
          • InvalidateRect.USER32(00000000,00000030,00000001,?,6CB5C8D4,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CB62F07
          • InvalidateRect.USER32(00000000,?,00000001,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CB62F2C
          • InvalidateRect.USER32(00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CB62F55
          • UpdateWindow.USER32(00000000), ref: 6CB62F69
          Similarity
          • API ID: InvalidateRect$UpdateWindow
          • String ID:
          • API String ID: 488614814-0
          • Opcode ID: 00cee93b02c0e5bce120aad937b5f4ef11e6ca179aecd8c50c255dec55915759
          • Instruction ID: 1cc7b95c634e9ad92720ec2b50b1cf0ecbb043256fd7427a79e6080bc6714653
          • Opcode Fuzzy Hash: 00cee93b02c0e5bce120aad937b5f4ef11e6ca179aecd8c50c255dec55915759
          • Instruction Fuzzy Hash: 87015A72221600DFEB108B1ACD48F82B7F5FF08301F1585A9F59AE7AA0C371E891CB41
          Similarity
          • API ID: Parent$Focus
          • String ID:
          • API String ID: 384096180-0
          • Opcode ID: 8689fb7fd770a8bdfdc6df957ffaacbae1716ada6ff59285d82940cc4f306606
          • Instruction ID: 4ee8e7bbbb0e83174951d4499366b07c77d04a12dd6bccae230423878ff32b33
          • Opcode Fuzzy Hash: 8689fb7fd770a8bdfdc6df957ffaacbae1716ada6ff59285d82940cc4f306606
          • Instruction Fuzzy Hash: DBF06D32B103009BCE112B70DD08D5E76FDBF892067080469A68AF3B20DF75E899DB70
          APIs
          • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,6CC3FFD4,00000000,00000001,0000000C,00000000,?,6CC34E5B,00000000,00000000,00000000), ref: 6CC41E43
          • GetLastError.KERNEL32(?,6CC3FFD4,00000000,00000001,0000000C,00000000,?,6CC34E5B,00000000,00000000,00000000,00000000,00000000,?,6CC35435,00000000), ref: 6CC41E4F
            • Part of subcall function 6CC41E15: CloseHandle.KERNEL32(FFFFFFFE,6CC41E5F,?,6CC3FFD4,00000000,00000001,0000000C,00000000,?,6CC34E5B,00000000,00000000,00000000,00000000,00000000), ref: 6CC41E25
          • ___initconout.LIBCMT ref: 6CC41E5F
            • Part of subcall function 6CC41DD7: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CC41E06,6CC3FFC1,00000000,?,6CC34E5B,00000000,00000000,00000000,00000000), ref: 6CC41DEA
          • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,6CC3FFD4,00000000,00000001,0000000C,00000000,?,6CC34E5B,00000000,00000000,00000000,00000000), ref: 6CC41E74
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
          • String ID:
          • API String ID: 2744216297-0
          • Opcode ID: caf68b91a55f37b9c3f5c2785697e10ec5f13d260f8a5bb5254cdd174a31012c
          • Instruction ID: 9c23ae2c6a8d928672e88aac8d0dd987e46f02b279f5d6fde08767b278cc29a3
          • Opcode Fuzzy Hash: caf68b91a55f37b9c3f5c2785697e10ec5f13d260f8a5bb5254cdd174a31012c
          • Instruction Fuzzy Hash: 6FF01C3A610115BBCF221FD6DC08D993F3AFB0A3A5B44C010FA5896520DB32C870EB95
          APIs
          • ___std_exception_copy.LIBVCRUNTIME ref: 6CA968DF
            • Part of subcall function 6CC1B8AE: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,6CC19415,?,6CCB6060,?,?), ref: 6CC1B90F
          Similarity
          • API ID: ExceptionRaise___std_exception_copy
          • String ID: ios_base::badbit set$ios_base::failbit set
          • API String ID: 3109751735-1240500531
          • Opcode ID: 0fd8fcc9b9af4e25339fef1565e3b5685595b30106528e435747fc3ea0ac235c
          • Instruction ID: f943a65c49a4ca0b3b9e98f9b988e6d341dcec841fbce8d2ce2fe5e59d0c2c55
          • Opcode Fuzzy Hash: 0fd8fcc9b9af4e25339fef1565e3b5685595b30106528e435747fc3ea0ac235c
          • Instruction Fuzzy Hash: 8F41E7B2D14204ABC704CF69CC46B9AF7F8EF45714F14861AE954D7B80E731A954CBE1
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 6CBDFAA8
          • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,0000022C,6CBDFCF7), ref: 6CBDFC4A
            • Part of subcall function 6CB4576F: __EH_prolog3.LIBCMT ref: 6CB45776
          Similarity
          • API ID: CloseH_prolog3H_prolog3_
          • String ID: CLSID
          • API String ID: 237612280-910414637
          • Opcode ID: d8ef35c6c063f2edb25f8d05714f0c07ea05a9211ab1eec2ee8848e767737532
          • Instruction ID: 9def239499d8e6e803a7dfef171bfa71bd333424b81e82ba3598753828bc8cfd
          • Opcode Fuzzy Hash: d8ef35c6c063f2edb25f8d05714f0c07ea05a9211ab1eec2ee8848e767737532
          • Instruction Fuzzy Hash: 56519C75D442199BDB14CF64DC98AEEB3B5AF58308F1581D9E809A3710EB30AE858F60
          Similarity
          • API ID: EmptyH_prolog3_Rect
          • String ID: Afx:ToolBar
          • API String ID: 2941628838-177727192
          • Opcode ID: 69239b1c4c26843cc2a12906b8993932c760a5a29e8867c6879b2c89e4bcd91e
          • Instruction ID: beee550c9da2d94a30ad6ce5718f342a74288d05150c6e8ccf8d3b3616c8dd88
          • Opcode Fuzzy Hash: 69239b1c4c26843cc2a12906b8993932c760a5a29e8867c6879b2c89e4bcd91e
          • Instruction Fuzzy Hash: 23218371A105189BCF08CF68C9859EE76A5EF0C314F15422EF805F7780DB34AD949BA4
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB45776
          • RegOpenKeyExW.ADVAPI32(?,?,?,00000000,00000008,00000000,00000008,6CBDFB15,80000000,CLSID,00000000,00020019,?,00000000,0000022C,6CBDFCF7), ref: 6CB457EC
            • Part of subcall function 6CB03367: __EH_prolog3.LIBCMT ref: 6CB0336E
          Similarity
          • API ID: H_prolog3$Open
          • String ID: Software\Classes\
          • API String ID: 1097726706-1121929649
          • Opcode ID: 858d9cc212f715e1202ef01291171c89a0d298f710cc333f837ba0d6d6e1bae3
          • Instruction ID: 7b09fb6b2efe83f64fe7946cafd0726f2d7ac00d50ad03ea50d06508373c5f9a
          • Opcode Fuzzy Hash: 858d9cc212f715e1202ef01291171c89a0d298f710cc333f837ba0d6d6e1bae3
          • Instruction Fuzzy Hash: A711A57290515DEFCF00DF90C940AEE7B74BF14358F108419E81163A40DB319A9DEBA2
          Similarity
          • API ID: CopyInfoMonitorRect
          • String ID: (
          • API String ID: 2119610155-3887548279
          • Opcode ID: e8e00ec814fbbf9d0e3baee67cb3680d35dcbb9b032e7565255d0d91485be114
          • Instruction ID: 1165701432b10f5cdfe6656ecf909d544427ad556d25cd4d8f10e6bda3bbfd62
          • Opcode Fuzzy Hash: e8e00ec814fbbf9d0e3baee67cb3680d35dcbb9b032e7565255d0d91485be114
          • Instruction Fuzzy Hash: 9D11F371A00709DFCB10DFA9C58498AB7F8FF08704B50882EE4AAE3650E730EA85CF50
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB45895
          • RegSetValueW.ADVAPI32(?,?,?,00000000,00000008), ref: 6CB458F9
            • Part of subcall function 6CB03367: __EH_prolog3.LIBCMT ref: 6CB0336E
          Similarity
          • API ID: H_prolog3$Value
          • String ID: Software\Classes\
          • API String ID: 2677715340-1121929649
          • Opcode ID: 128f5d60dbe0aea3e1aa3adb74615a9b0ea1af29a6e801eeafa49a89fcaafd1b
          • Instruction ID: 00432b5ea3a5754ed346a9c270c0c860adca36dccd74d1ede8f86010f091e64a
          • Opcode Fuzzy Hash: 128f5d60dbe0aea3e1aa3adb74615a9b0ea1af29a6e801eeafa49a89fcaafd1b
          • Instruction Fuzzy Hash: 2A01713290401EAFCF01DBA0CD40AEE7B79BF14318F144505E911A3A90DB319A9DE7A2
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB45810
          • RegQueryValueW.ADVAPI32(?,?,?,00000000), ref: 6CB45871
            • Part of subcall function 6CB03367: __EH_prolog3.LIBCMT ref: 6CB0336E
          Similarity
          • API ID: H_prolog3$QueryValue
          • String ID: Software\Classes\
          • API String ID: 3057600494-1121929649
          • Opcode ID: 81dab3ccf44c34341ff2cbc4f5ceffe5fe25de3b9daf843662ef56017293c067
          • Instruction ID: e7d42d5a1f97589bc8333a6431d7bba4ccce8df375c57d5b122ba67a920be567
          • Opcode Fuzzy Hash: 81dab3ccf44c34341ff2cbc4f5ceffe5fe25de3b9daf843662ef56017293c067
          • Instruction Fuzzy Hash: 2D01217291405E9BCF01DBA4C940AEE7B74BF14318F144509E511A7A80DB319A9D9BA2
          APIs
          • __EH_prolog3.LIBCMT ref: 6CB1495A
          • FindResourceW.KERNEL32(?,0000007D,STYLE_XML,0000007D,00000800,00000004,6CAA583C,00000000,00000000,?,?,00000000,6CC43E9D,000000FF,?,6CAA449A), ref: 6CB14998
          Similarity
          • API ID: FindH_prolog3Resource
          • String ID: STYLE_XML
          • API String ID: 3036663282-3909253476
          • Opcode ID: d9d2b1b4f9980e50f52774666a2bf8af7aa71b637a8900ae0712ae8aa4eb28f7
          • Instruction ID: 101378edd629c90f6b58414628bb65cbadea95cbd0e8ea560870f4286fc13a97
          • Opcode Fuzzy Hash: d9d2b1b4f9980e50f52774666a2bf8af7aa71b637a8900ae0712ae8aa4eb28f7
          • Instruction Fuzzy Hash: 86F0CDB2A081959FCF00DBA08C80DFEB3B8BF42258B508516E122ABF44DB7085489F29
          APIs
            • Part of subcall function 6CA91F00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,6CBFE061,?,6CA92BB6,80004005,?,6CB96181,00000004,6CB95966,6CBFE061,6CBFE061,00000010,6CAB717D,6CBFE061), ref: 6CA91F05
            • Part of subcall function 6CA91F00: GetLastError.KERNEL32(?,00000000,00000000,6CBFE061,?,6CA92BB6,80004005,?,6CB96181,00000004,6CB95966,6CBFE061,6CBFE061,00000010,6CAB717D,6CBFE061), ref: 6CA91F0F
          • IsDebuggerPresent.KERNEL32(?,?,?,6CA91CBD), ref: 6CC19032
          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6CA91CBD), ref: 6CC19041
          Strings
          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6CC1903C
          Similarity
          • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
          • API String ID: 3511171328-631824599
          • Opcode ID: 294c076cf140d0aceca0977cc7dc13cc03c914b853e19c0a4dbd3ee5d7a90363
          • Instruction ID: 70466ea5e0c2fd6bdc9e838c42d097ada4403b405e00e412da8d133579c11dec
          • Opcode Fuzzy Hash: 294c076cf140d0aceca0977cc7dc13cc03c914b853e19c0a4dbd3ee5d7a90363
          • Instruction Fuzzy Hash: 4DE06D702057418FD7208F29D9053467AF8AF09348F04895DE496C3F00FBB6E489CB51
          APIs
          • EnterCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DA5
          • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DBB
          • LeaveCriticalSection.KERNEL32(6CCC5378,?,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000), ref: 6CB95DC9
          • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000,?), ref: 6CB95DD6
            • Part of subcall function 6CB95D50: InitializeCriticalSection.KERNEL32(6CCC5378,6CB95D8E,?,?,6CB9325E,00000010,00000008,6CAC313A,6CAC317D,6CAB6C9B,6CAC3149,6CABEB35,00000004,6CABE0A4,00000000,?), ref: 6CB95D68
          Memory Dump Source
          • Source File: 00000005.00000002.2539781218.000000006CA91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA90000, based on PE: true
          • Associated: 00000005.00000002.2539755904.000000006CA90000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539940364.000000006CC57000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2539985793.000000006CCBB000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540006536.000000006CCBD000.00000008.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540024536.000000006CCC1000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540044011.000000006CCC3000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CCC7000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000005.00000002.2540065086.000000006CD03000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_5_2_6ca90000_ShellExperienceHosts.jbxd
          Similarity
          • API ID: CriticalSection$EnterInitialize$Leave
          • String ID:
          • API String ID: 713024617-0
          • Opcode ID: fe3e1b09951c1fb8c5651e4029f95f00039e38430d79eabb436f361242204fac
          • Instruction ID: 4aa0657f798b8f71984f76db6ad7c5d59be6c2c82083be7aeb0cfb1803934d4f
          • Opcode Fuzzy Hash: fe3e1b09951c1fb8c5651e4029f95f00039e38430d79eabb436f361242204fac
          • Instruction Fuzzy Hash: 8CF062B2B00228AFDE001F688C4DB59B63CEF47356FD81122E501A2911D7758A89AA96