Edit tour

Windows Analysis Report
TEKujpTgCK.exe

Overview

General Information

Sample name:	TEKujpTgCK.exe renamed because original name is a hash value
Original sample name:	c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15.exe
Analysis ID:	1558461
MD5:	65c23b196d8c066197b3d6e9fc3282a2
SHA1:	7a2412047c4c9d9bd3648600240482122173cb44
SHA256:	c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15
Tags:	27-124-18-16exeuser-JAMESWT_MHT
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Bypasses PowerShell execution policy

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

TEKujpTgCK.exe (PID: 4832 cmdline: "C:\Users\user\Desktop\TEKujpTgCK.exe" MD5: 65C23B196D8C066197B3D6E9FC3282A2)

cmd.exe (PID: 4712 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ShellExperienceHosts.exe (PID: 1680 cmdline: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe MD5: 0922B22053A6D5D9516EA910D34A4771)

cmd.exe (PID: 7044 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6008 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4028 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 2700 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 7040 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3848 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 1252 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 6972 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3788 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

ShellExperienceHosts.exe (PID: 3208 cmdline: "C:\Users\Public\Downloads\program\ShellExperienceHosts.exe" MD5: 0922B22053A6D5D9516EA910D34A4771)

timeout.exe (PID: 3056 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 6172 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2124 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 5888 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 6552 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6528 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 2788 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6592 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, CommandLine: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, NewProcessName: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, OriginalFileName: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4712, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, ProcessId: 1680, ProcessName: ShellExperienceHosts.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, ParentImage: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, ParentProcessId: 1680, ParentProcessName: ShellExperienceHosts.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 6552, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 27.124.18.16, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe, Initiated: true, ProcessId: 1680, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49718

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6552, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 6528, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6552, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 6528, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C844E30 CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	4_2_6C844E30
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C844F50 CryptStringToBinaryA,CryptAcquireContextW,CryptDestroyHash,CryptReleaseContext,	4_2_6C844F50
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C8452A0 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,	4_2_6C8452A0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C854E30 CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	24_2_6C854E30
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C854F50 CryptStringToBinaryA,CryptAcquireContextW,CryptDestroyHash,CryptReleaseContext,	24_2_6C854F50
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C8552A0 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,	24_2_6C8552A0

Source: TEKujpTgCK.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.3010744824.0000000006E00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.3010259870.0000000006DE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win32_VS2019_nondev_i_r\WindowsPlayer_Master_il2cpp_x86.pdb source: ShellExperienceHosts.exe, ShellExperienceHosts.exe, 00000018.00000000.3480911780.000000000040C000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.3017814528.0000000007EDA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbE source: powershell.exe, 00000012.00000002.3017814528.0000000007EDA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\yyzyBase.pdb source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmp, ShellExperienceHosts.exe, 00000018.00000002.3949001935.000000006CA17000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbt source: powershell.exe, 00000012.00000002.3010259870.0000000006DE4000.00000004.00000020.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.5:49718 -> 27.124.18.16:18852

Source: Joe Sandbox View

ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG

Source: unknown	TCP traffic detected without corresponding DNS query: 27.124.18.16
Source: unknown	TCP traffic detected without corresponding DNS query: 27.124.18.16
Source: unknown	TCP traffic detected without corresponding DNS query: 27.124.18.16
Source: unknown	TCP traffic detected without corresponding DNS query: 27.124.18.16
Source: unknown	TCP traffic detected without corresponding DNS query: 27.124.18.16

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Code function: 4_2_6C856130 CreateThread,CreateThread,WSAStartup,getaddrinfo,closesocket,connect,socket,connect,closesocket,freeaddrinfo,recv,recv,VirtualAlloc,WSACleanup,WSACleanup,

4_2_6C856130

Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000011.00000002.3024932884.0000000008934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.T
Source: powershell.exe, 00000011.00000002.3025196023.000000000893E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m2
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: powershell.exe, 00000011.00000002.3011201303.0000000006160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2991030343.0000000005256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2991030343.00000000058C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.2991030343.0000000005101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2990788974.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.2991030343.0000000005256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2991030343.00000000058C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: powershell.exe, 00000011.00000002.2991030343.0000000005101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2990788974.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBsq
Source: powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: tsetup-x64.5.4.0.exe.0.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000011.00000002.3011201303.0000000006160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C86834F GetKeyState,GetKeyState,GetKeyState,SendMessageW,		4_2_6C86834F
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C87834F GetKeyState,GetKeyState,GetKeyState,SendMessageW,		24_2_6C87834F

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C8452A0 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,		4_2_6C8452A0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C8552A0 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,		24_2_6C8552A0

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C8500A0	4_2_6C8500A0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9CCED0	4_2_6C9CCED0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C89E837	4_2_6C89E837
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C868A35	4_2_6C868A35
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9C8A54	4_2_6C9C8A54
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C91EBD1	4_2_6C91EBD1
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9E0428	4_2_6C9E0428
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9D6000	4_2_6C9D6000
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9EC378	4_2_6C9EC378
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C91BD12	4_2_6C91BD12
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9D3FCB	4_2_6C9D3FCB
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9D1B54	4_2_6C9D1B54
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9A1501	4_2_6C9A1501
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C84D680	4_2_6C84D680
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9D17F5	4_2_6C9D17F5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_028212DD	18_2_028212DD
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9DCED0	24_2_6C9DCED0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C8AE837	24_2_6C8AE837
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C878A35	24_2_6C878A35
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9D8A54	24_2_6C9D8A54
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C92EBD1	24_2_6C92EBD1
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9F0428	24_2_6C9F0428
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C8600A0	24_2_6C8600A0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9E6000	24_2_6C9E6000
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9FC378	24_2_6C9FC378
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C92BD12	24_2_6C92BD12
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9E3FCB	24_2_6C9E3FCB
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9E1B54	24_2_6C9E1B54
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9B1501	24_2_6C9B1501
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C85D680	24_2_6C85D680
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9E17F5	24_2_6C9E17F5

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C9C8290 appears 74 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C9D7DCB appears 72 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C88135E appears 39 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C9C81E5 appears 53 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C9D8290 appears 74 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C882C67 appears 45 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C87135E appears 39 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C9D81E5 appears 53 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C9C81B2 appears 228 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C872C67 appears 45 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C9D81B2 appears 228 times
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: String function: 6C9C7DCB appears 72 times

Source: TEKujpTgCK.exe, 00000000.00000000.2098546816.000000000041A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs TEKujpTgCK.exe
Source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMFCApplication4.exe8 vs TEKujpTgCK.exe
Source: TEKujpTgCK.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs TEKujpTgCK.exe

Source: TEKujpTgCK.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ShellExperienceHosts.exe.0.dr

Static PE information: Section: .tp6 ZLIB complexity 1.000637755102041

Source: classification engine

Classification label: mal64.evad.winEXE@45/25@0/1

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Code function: 4_2_6C857560 CreateToolhelp32Snapshot,Process32FirstW,WideCharToMultiByte,Process32NextW,CloseHandle,Sleep,

4_2_6C857560

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Code function: 4_2_6C857850 GetFileAttributesA,SHGetFolderPathA,GetFileAttributesA,CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,CoUninitialize,

4_2_6C857850

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Code function: 4_2_6C857210 GetModuleHandleA,FindResourceW,LoadResource,SizeofResource,LockResource,

4_2_6C857210

Source: C:\Users\user\Desktop\TEKujpTgCK.exe

File created: C:\Users\Public\Downloads\program

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

File created: C:\Users\user\AppData\Local\Temp\monitor.bat

Jump to behavior

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"

Source: TEKujpTgCK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'

Source: C:\Users\user\Desktop\TEKujpTgCK.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TEKujpTgCK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TEKujpTgCK.exe	String found in binary or memory: cc-add-resource
Source: TEKujpTgCK.exe	String found in binary or memory: (cc-add-resource gold 100)

Source: C:\Users\user\Desktop\TEKujpTgCK.exe

File read: C:\Users\user\Desktop\TEKujpTgCK.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TEKujpTgCK.exe "C:\Users\user\Desktop\TEKujpTgCK.exe"
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe "C:\Users\Public\Downloads\program\ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe "C:\Users\Public\Downloads\program\ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: yyzybase.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: yyzybase.dll
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: msimg32.dll
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: oledlg.dll
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: oleacc.dll
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"

Source: tsetup-x64.5.4.0.exe.lnk.4.dr

LNK file: ..\..\Public\Downloads\tsetup-x64.5.4.0.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: TEKujpTgCK.exe

Static file information: File size 47407259 > 1048576

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.3010744824.0000000006E00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.3010259870.0000000006DE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win32_VS2019_nondev_i_r\WindowsPlayer_Master_il2cpp_x86.pdb source: ShellExperienceHosts.exe, ShellExperienceHosts.exe, 00000018.00000000.3480911780.000000000040C000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.3017814528.0000000007EDA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbE source: powershell.exe, 00000012.00000002.3017814528.0000000007EDA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\yyzyBase.pdb source: TEKujpTgCK.exe, 00000000.00000003.2160518996.0000000002B71000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmp, ShellExperienceHosts.exe, 00000018.00000002.3949001935.000000006CA17000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbt source: powershell.exe, 00000012.00000002.3010259870.0000000006DE4000.00000004.00000020.00020000.00000000.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .tp6d

Source: yyzyBase.dll.0.dr

Static PE information: real checksum: 0x2d0cdc should be: 0x2d37bd

Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6a
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6d
Source: tsetup-x64.5.4.0.exe.0.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Code function: 0_2_00950E38 push C00095BAh; retf	0_2_00950E3D
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Code function: 0_2_0095D3CB pushfd ; ret	0_2_0095D3E2
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85AC77 push edi; ret	4_2_6C85AC79
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85AD23 push edi; ret	4_2_6C85AD25
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85AE3E push edi; ret	4_2_6C85AE40
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85AF02 push edi; ret	4_2_6C85AF04
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85A93B push edi; ret	4_2_6C85A93D
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85AA17 push edi; ret	4_2_6C85AA19
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85AB16 push edi; ret	4_2_6C85AB18
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85A44F push esi; ret	4_2_6C85A451
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85A5E9 push esi; ret	4_2_6C85A5EB
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85A68F push edi; ret	4_2_6C85A691
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85A7E2 push edi; ret	4_2_6C85A7E4
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9C8180 push ecx; ret	4_2_6C9C8193
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85A20F push esi; ret	4_2_6C85A211
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85A358 push esi; ret	4_2_6C85A35A
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85B804 push esi; ret	4_2_6C85B806
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85B579 push esi; ret	4_2_6C85B57B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85B6B9 push esi; ret	4_2_6C85B6BB
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85B093 push edi; ret	4_2_6C85B095
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85B1E4 push edi; ret	4_2_6C85B1E6
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85B2A8 push edi; ret	4_2_6C85B2AA
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C85B359 push edi; ret	4_2_6C85B35B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C86AC77 push edi; ret	24_2_6C86AC79
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C86AD23 push edi; ret	24_2_6C86AD25
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C86AE3E push edi; ret	24_2_6C86AE40
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C86AF02 push edi; ret	24_2_6C86AF04
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C86A93B push edi; ret	24_2_6C86A93D
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C86AA17 push edi; ret	24_2_6C86AA19
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C86AB16 push edi; ret	24_2_6C86AB18
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C86A44F push esi; ret	24_2_6C86A451

Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6 entropy: 7.9916235972250025
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6d entropy: 7.90195668192099

Source: C:\Users\user\Desktop\TEKujpTgCK.exe	File created: C:\Users\Public\Downloads\program\yyzyBase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	File created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Jump to dropped file
Source: C:\Users\user\Desktop\TEKujpTgCK.exe	File created: C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C87400C SetForegroundWindow,IsIconic,PostMessageW,IsIconic,	4_2_6C87400C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C87400C SetForegroundWindow,IsIconic,PostMessageW,IsIconic,	4_2_6C87400C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C8EA161 IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoW,CopyRect,CopyRect,SystemParametersInfoW,OffsetRect,GetSystemMetrics,GetSystemMetrics,	4_2_6C8EA161
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C859DE0 IsIconic,GetClientRect,	4_2_6C859DE0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C869A46 IsIconic,	4_2_6C869A46
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C87741B IsWindowVisible,IsIconic,	4_2_6C87741B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C8E935C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	4_2_6C8E935C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C8E935C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	4_2_6C8E935C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C8E935C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	4_2_6C8E935C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C88400C SetForegroundWindow,IsIconic,PostMessageW,IsIconic,	24_2_6C88400C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C88400C SetForegroundWindow,IsIconic,PostMessageW,IsIconic,	24_2_6C88400C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C8FA161 IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoW,CopyRect,CopyRect,SystemParametersInfoW,OffsetRect,GetSystemMetrics,GetSystemMetrics,	24_2_6C8FA161
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C869DE0 IsIconic,GetClientRect,	24_2_6C869DE0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C879A46 IsIconic,	24_2_6C879A46
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C88741B IsWindowVisible,IsIconic,	24_2_6C88741B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C8F935C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	24_2_6C8F935C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C8F935C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	24_2_6C8F935C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C8F935C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	24_2_6C8F935C

Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4026	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7686	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1892	Jump to behavior

Source: C:\Users\user\Desktop\TEKujpTgCK.exe

Dropped PE file which has not been started: C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe

Jump to dropped file

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	API coverage: 7.3 %
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	API coverage: 3.9 %

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe TID: 4984	Thread sleep time: -73000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe TID: 1220	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe TID: 2448	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 1048	Thread sleep count: 266 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep count: 4026 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2436	Thread sleep count: 331 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1516	Thread sleep count: 7686 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 572	Thread sleep count: 1892 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5020	Thread sleep count: 264 > 30	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe TID: 3008	Thread sleep time: -73000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3964	Thread sleep count: 268 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4196	Thread sleep count: 150 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Thread delayed: delay time: 73000	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Thread delayed: delay time: 73000

Source: powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: tsetup-x64.5.4.0.exe.0.dr	Binary or memory string: qemU]a0\LS
Source: tsetup-x64.5.4.0.exe.0.dr	Binary or memory string: IHGfs
Source: powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: ShellExperienceHosts.exe, 00000004.00000002.3181115549.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Code function: 4_2_6C9C8D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_6C9C8D8D

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Code function: 4_2_6C86479B OutputDebugStringA,GetLastError,

4_2_6C86479B

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9C8D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C9C8D8D
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9D2A72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C9D2A72
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 4_2_6C9C84AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6C9C84AC
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9D8D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_6C9D8D8D
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9E2A72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_6C9E2A72
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: 24_2_6C9D84AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_6C9D84AC

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1

Source: C:\Users\user\Desktop\TEKujpTgCK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe "C:\Users\Public\Downloads\program\ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_6C9EEEAC
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	4_2_6C9E602C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_6C9EF821
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	4_2_6C9E5AC0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	4_2_6C9EF51C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_6C9EF645
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	4_2_6C9EF74B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	4_2_6C9EF0B1
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	4_2_6C9EF1A3
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	4_2_6C9EF158
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_6C9EF2C9
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	4_2_6C9EF23E
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	24_2_6C9FEEAC
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	24_2_6C9F602C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_6C9FF821
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	24_2_6C9F5AC0
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	24_2_6C9FF51C
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_6C9FF645
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	24_2_6C9FF74B
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	24_2_6C9FF0B1
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	24_2_6C9FF1A3
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	24_2_6C9FF158
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	24_2_6C9FF2C9
Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	24_2_6C9FF23E

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Code function: 4_2_6C9C8EAA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_6C9C8EAA

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Code function: 4_2_6C8F666D __EH_prolog3_GS,GetCurrentThread,GetCurrentThreadId,GetVersionExW,

4_2_6C8F666D

Source: C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	11 Process Injection	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TEKujpTgCK.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\Public\Downloads\program\ShellExperienceHosts.exe	0%	ReversingLabs
C:\Users\Public\Downloads\program\yyzyBase.dll	3%	ReversingLabs
C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://crl.m2	0%	Avira URL Cloud	safe
http://crl.T	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	tsetup-x64.5.4.0.exe.0.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.3011201303.0000000006160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000011.00000002.2991030343.0000000005256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2991030343.00000000058C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m2	powershell.exe, 00000011.00000002.3025196023.000000000893E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.2991030343.0000000005256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2991030343.00000000058C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.3011201303.0000000006160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000012.00000002.3001331600.00000000052D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.T	powershell.exe, 00000011.00000002.3024932884.0000000008934000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2991030343.0000000005101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2990788974.0000000004271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBsq	powershell.exe, 00000011.00000002.2991030343.0000000005101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2990788974.0000000004271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000012.00000002.2990788974.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
27.124.18.16	unknown	Singapore		64050	BCPL-SGBGPNETGlobalASNSG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558461
Start date and time:	2024-11-19 13:59:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TEKujpTgCK.exe renamed because original name is a hash value
Original Sample Name:	c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@45/25@0/1
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 96% Number of executed functions: 73 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com
Execution Graph export aborted for target TEKujpTgCK.exe, PID 4832 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6528 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6592 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: TEKujpTgCK.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BCPL-SGBGPNETGlobalASNSG	wFg25zfjIL.dll	Get hash	malicious	Unknown	Browse	192.253.235.75
	wFg25zfjIL.dll	Get hash	malicious	Unknown	Browse	192.253.235.75
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	27.124.9.52
	qkbfi86.elf	Get hash	malicious	Mirai	Browse	118.107.53.186
	DsQEFiMzra.exe	Get hash	malicious	GhostRat, Nitol	Browse	27.124.47.7
	http://shoutout.wix.com	Get hash	malicious	Unknown	Browse	202.79.161.103
	#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe	Get hash	malicious	Unknown	Browse	137.220.137.85
	#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe	Get hash	malicious	Unknown	Browse	137.220.137.85
	ppc.elf	Get hash	malicious	Unknown	Browse	134.122.132.94
	libcurl64.dll.bin.dll	Get hash	malicious	Unknown	Browse	27.124.45.155

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe	http://successguilddi.info/	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Downloads\program\IOVAS

Download File

Process:	C:\Users\user\Desktop\TEKujpTgCK.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	56
Entropy (8bit):	5.173251796980338
Encrypted:	false
SSDEEP:	3:iqk94GNUUxkiuNS8:ilNNJH8
MD5:	3534422D0B85476052455B2D51291AED
SHA1:	AA9DBBE75FAB93AFD7E830EE8E743D9F9E12794F
SHA-256:	BB6EB6543FF1435FD5259ACEDAA08EBDE27A53418F55464BAA9D160197D67364
SHA-512:	E7599A845308EB7CEA6978F4FA9F6C837ECFF373C5D9AACC96573087163380E6B112AF125E6195868A3B8AE5E67C6C1F1C588D2364FBD9F723788392B5ECD62D
Malicious:	false
Preview:	U2FsdGVkX18ZrUfJM1q4htGAqi0PFxwUl2He6tG8HSioTpsLh6QV7g==

C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

Download File

Process:	C:\Users\user\Desktop\TEKujpTgCK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	649416
Entropy (8bit):	6.182028963232553
Encrypted:	false
SSDEEP:	12288:zohLz8nnnnntnnnnnnnnnnnnnnnxnMvnnnnPZnnnnPxnnnnnnnnqshJSLnk41mCL:zshQmC5Bz5CLgBFqGI1yi/UQeZndsqro
MD5:	0922B22053A6D5D9516EA910D34A4771
SHA1:	784D3ED35D040091AE209792E2FA8FC97EE6A071
SHA-256:	41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA
SHA-512:	909EC8B2C1045CC11C03C6B82B7ED6AD96BC8E93F9C98CB8A668572C84CBBCE778C12365B2B2EB547218783A830BE41458E0AE21939E99339F54921D98D944D8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....U..U..U]..T..U]..T..U]..T..U]..T..U...T#.U...T..U...T..U...T..U..UW.U...T..U...T..U..[U..U...T..URich..U........................PE..L......d..........".......... ....../.............@.......................... ..................................................(....@...................\..............T........................... ...@............................................tp6............b.................. ..`.tp6.a..nZ.......\...f..............@..@.tp6......... ......................@..@.tp6.........@......................@..@.tp6d...5%.......&...f.............. ...................................................................................................................................................................................................................................................................................

C:\Users\Public\Downloads\program\yyzyBase.dll

Download File

Process:	C:\Users\user\Desktop\TEKujpTgCK.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2934784
Entropy (8bit):	6.677264152867375
Encrypted:	false
SSDEEP:	49152:JCeuTwfSCMj8ctcrWLGFt3cai8e8jRJVJmfrO0jbjjeDXjRD6i+uSwZPSCdDS+Ok:JCeuEKCMj8XrW6z3caiYRJArO0jLeDXb
MD5:	BBC7F7FACC3667AF1B57D80FD6D12839
SHA1:	6CAC9DA94670F0A04ED7A4539C8FC2E71BD93563
SHA-256:	C8E901576C91D2CE6821B4F807E3ACE7F28A81E5491C7779B89171E8187B76C6
SHA-512:	928F7EF931D4B6F12717C42031C3B82E2594A38909DE5D2D1E9CD0F5314959AEF6BB123941A0C37CCB04799C3EFF6FED0E0BACEC1F2D0A69F5DF34CC1C85FBD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............._..._..._...^..._...^..._...^..._...^..._...^..._..._..._.T.^..._.T.^..._.T.^P.._HT.^..._HT.^..._HT._..._..p_..._HT.^..._Rich..._................PE..L....^<g...........!....T...p......O........p...............................@-.......-...@......................... j".L...lj"......p#..<.....................\....p .p....................p .....Po .@............p...............................text....S.......T.................. ..`.rdata...5...p...6...X..............@..@.data...H....."..n....".............@....rsrc....<...p#..>....".............@..@.reloc..\...........:.............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe

Download File

Process:	C:\Users\user\Desktop\TEKujpTgCK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	45728224
Entropy (8bit):	7.9979617231953934
Encrypted:	true
SSDEEP:	786432:nDiGFUGfCK7mtYVMprAcknQyI1PnRbKPkBE25MmXeVYg9n:n1CLtYVMdAcYjGPnpfi25Mj5
MD5:	45177991CB1978D5CB3C06461AE8BE12
SHA1:	C2AA0581C86EAE32CC3D7DA720BF5E7B6E019E0E
SHA-256:	B9C5F836DCBEF426B53B882FA4CD0CBEBD9C43F1734FC20B5001AB9823B8A318
SHA-512:	1B56141CE39B0CBE585574B7C314ACBD7011B4352BF481B80D3C24863198974E885D61E4B92F9E26429E02AF5D3E8D467AF117EA38A2ACB22E8A836E5E7219A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................R...........^.......p....@..........................@......O....@......@...................@....... .......p..<...............+...................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc...<....p......................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.407676655132095
Encrypted:	false
SSDEEP:	24:3vWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9tXt/NK3R88bJ02raW3b1:fWSU4xymI4RfoUeW+mZ9tlNWR832Oab1
MD5:	1A0E2627D1A4A2F7155D77FB0F659CDC
SHA1:	26AADC0A5CDDB72C6DCC5B8F9798D50DA82C470A
SHA-256:	AF045D0688C1DA168D42FE8E6F35398BDE8AB7A880C6132C9D0DC5AF4D6C024F
SHA-512:	30A47CEA4533781E63730B28B49CA40635563A5B05F2F10A3B1128210C8A8B26008776C8BC35B965688E94379304479998D5367D93FC6B835CDF82F598F37911
Malicious:	false
Preview:	@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\PolicyManagement.xml

Download File

Process:	C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	5.212287775015203
Encrypted:	false
SSDEEP:	48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5:	E3FB2ECD2AD10C30913339D97E0E9042
SHA1:	A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256:	1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512:	9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2xb4kfq5.vpr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4r3lguwj.zcu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewunkjvh.ae3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv4aiqk2.zvy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ifi3etrm.vt5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qo05mrg1.m0b.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tayoekha.3p0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxjtqi0w.tuo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\monitor.bat

Download File

Process:	C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.087441810176568
Encrypted:	false
SSDEEP:	6:hZalWFWdVWCbi4WMkAIvWWdVW+KIaH9JZ1UhojWMkAIvEsDm1XWWChSwsFdWWCqJ:NFWdVWCeqlWdVW+EJzbSDm1BChSwkPCs
MD5:	AB66A4F9D5D452803EA922D20618A4A3
SHA1:	AC16D30EF88CF2211A01A7CC0C4F6BEB087346CE
SHA-256:	C9291DC8A6270465AB76414712A2A96C83A6D05B0EC537B43BCE67ACE4332E2D
SHA-512:	D7397E4F1997E090B7A76DC4F99A0BC52BC570D667FB6DD00F713FB6DCA224803C9F7C2510CED1F3EC9273D932E44F96E90F340EC569E6E441E9D0101D7D64C4
Malicious:	false
Preview:	@echo off..:CheckProcess..set "ProcessName=ShellExperienceHosts.exe"..set "ProcessPath=C:\Users\Public\Downloads\program\ShellExperienceHosts.exe"..tasklist /FI "IMAGENAME eq %ProcessName%" \| findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

C:\Users\user\AppData\Local\Temp\monitor.pid

Download File

Process:	C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:mRR:m3
MD5:	782086ACBE9F48126642E093BF6BA151
SHA1:	295C439DE6A7CCD326761A140E1084810E081BC1
SHA-256:	285506A8469E1A75E8DDC9AC00E52D72AF03D35D8923B1B199C45D7C770B1E14
SHA-512:	1A386F77962FB6C84A3682E5D65018EC08F20CAFB4B7E4233C3E5B7459DA36E4E48E40790AA0A845FC37D2FBA795BF29EE89FF0F5411C33E84C9CDB1C26D3BB3
Malicious:	false
Preview:	7044

C:\Users\user\AppData\Local\updated.ps1

Download File

Process:	C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.741657013789009
Encrypted:	false
SSDEEP:	3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
MD5:	AA0E1012D3B7C24FAD1BE4806756C2CF
SHA1:	FE0D130AF9105D9044FF3D657D1ABEAF0B750516
SHA-256:	FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
SHA-512:	15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
Malicious:	true
Preview:	$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath \| Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

C:\Users\user\Desktop\tsetup-x64.5.4.0.exe.lnk

Download File

Process:	C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Nov 19 12:00:47 2024, mtime=Tue Nov 19 12:00:51 2024, atime=Wed Aug 28 17:05:37 2024, length=45728224, window=hide
Category:	dropped
Size (bytes):	1138
Entropy (8bit):	4.678118947622308
Encrypted:	false
SSDEEP:	12:8UW/EKUYTCECHqXC/A4Xx3ACm6f2UmXM9CFrldLHbIAjAyzJ5SRTQ/azMXwCLCgv:81V1nn7IUAyzbSRkCAXwm1qygm
MD5:	F637FAE116583F66B72B832799144C81
SHA1:	23D66332D6308872556ADE88B9695E5559BD147A
SHA-256:	5EC67F864CFFF137712B1C247B0E5B6D00E980AD9D8CBCBB2F14FB0B5CABBBCC
SHA-512:	BC28A2139A990AFAEB3C308D22D04B872BB18DDF3B3184CFF6953A98B6933A3F1F9010DFBE4D16AE6F1464790F7452D3753B6E017CE0F87069899EF7A6FC9004
Malicious:	false
Preview:	L..................F.... ...f....:.......:..k9..t................................P.O. .:i.....+00.../C:\...................x.1.....DW(m..Users.d......OwHsY.h....................:.....NvM.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1.....CW!H..Public..f......O.IsY.h....+...............<.....r.E.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.......1.....sY.h..Downloads.l......O.IsY.h....................B.........D.o.w.n.l.o.a.d.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.0.8.....v.2......Y.. .TSETUP~1.EXE..Z......sY.hsY.h............................I.t.s.e.t.u.p.-.x.6.4...5...4...0...e.x.e.......]...............-.......\...........P..j.....C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe..+.....\.....\.P.u.b.l.i.c.\.D.o.w.n.l.o.a.d.s.\.t.s.e.t.u.p.-.x.6.4...5...4...0...e.x.e..........Ld=..0O.E.p#_y.....`.......X.......760639...........hT..CrF.f4... ..\|2=.b...,...W..hT..CrF.f4... ..\|2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	118
Entropy (8bit):	4.231779304291169
Encrypted:	false
SSDEEP:	3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUW:hYFRamFSQZ0lv5y/9JctESnQUW
MD5:	EA4370C6D3E1915502DEABAFCFE379F1
SHA1:	B32FFD2D69DF742E47EA86D0D739717CF6B147D3
SHA-256:	A8DFD19D19766FFD7DBEE9742F933099850C2594A81BDD38CA900A8255FD3B92
SHA-512:	C66EC971096851DF7A923F0602F6760AA544B84D474515E1A10B31FC44A473A7A3CA66370475084931A920BA45558EEE5BCCAEB82A4781FEF302CDF68AF00266
Malicious:	false
Preview:	..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999165933604983
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TEKujpTgCK.exe
File size:	47'407'259 bytes
MD5:	65c23b196d8c066197b3d6e9fc3282a2
SHA1:	7a2412047c4c9d9bd3648600240482122173cb44
SHA256:	c84ddc7daab32f1835872b0afe99f3691d7ced32cbd253af31ea8a2f121afc15
SHA512:	1c98f3ee1262af666c22411c18e08b0175887468bf1c186e19fa5ddd845083f36006ded99e11878f303910547bee3324dcc730628cd1b3214d382c37042831f2
SSDEEP:	786432:pOq/jN3x1O1e7yR4mUsc4dtCO6eZST5u3TzmFIlgkAAXSo8K2ZdTq87JEE+cL1QE:L/ZB17y+tVq6eAc3T6FpkAjozKdTDlxR
TLSH:	42A733283398F069E27AC875C75342FE0C526D1AC926F4AA62753E4E7AF8D44F17B341
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................p.......,.......................................P.............................

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007FAA3CF3C4B2h
cmp dword ptr [00417710h], ebx
jne 00007FAA3CF3C39Eh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007FAA3CF3C484h
push 00417048h
push 00417044h
call 00007FAA3CF3C46Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007FAA3CF3C43Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x6cb00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x6cb00	0x6cc00	bbd437e4641c3885ad89fc27ee6f1626	False	0.14299119971264368	data	5.721209360114448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x1c600	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"			0.35714285714285715
RT_CURSOR	0x1c734	0x134	data			0.44155844155844154
RT_CURSOR	0x1c868	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.40584415584415584
RT_CURSOR	0x1c99c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.5746753246753247
RT_CURSOR	0x1cad0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966287, 3840 elements, 2nd "\376\017\340\377\377\017\341\377\377\217\343\377\377\337\367\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd			0.4642857142857143
RT_CURSOR	0x1cc04	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.32142857142857145
RT_CURSOR	0x1cd38	0x134	data			0.3409090909090909
RT_CURSOR	0x1ce6c	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.4837662337662338
RT_CURSOR	0x1cfa0	0x134	AmigaOS bitmap font "(", fc_YSize 4294935297, 3840 elements, 2nd "\200\003\377\201\300\007\377\203\300\017\377\003\340\037\376\007\360\037\370\017\370\003\300\037\374", 3rd			0.711038961038961
RT_CURSOR	0x1d0d4	0x134	data			0.6038961038961039
RT_CURSOR	0x1d208	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.36038961038961037
RT_CURSOR	0x1d33c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.3474025974025974
RT_CURSOR	0x1d470	0x134	AmigaOS bitmap font "(", fc_YSize 4294967040, 3840 elements, 2nd "\376", 3rd			0.4383116883116883
RT_CURSOR	0x1d5a4	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"			0.35064935064935066
RT_CURSOR	0x1d6d8	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4512987012987013
RT_CURSOR	0x1d80c	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.39285714285714285
RT_CURSOR	0x1d940	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0x1da74	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.32142857142857145
RT_CURSOR	0x1dba8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0x1dcdc	0x134	data			0.4642857142857143
RT_CURSOR	0x1de10	0x134	data			0.4805194805194805
RT_CURSOR	0x1df44	0x134	data			0.38311688311688313
RT_CURSOR	0x1e078	0x134	data			0.36038961038961037
RT_CURSOR	0x1e1ac	0x134	data			0.4090909090909091
RT_CURSOR	0x1e2e0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0x1e414	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x1e5e4	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x1e7c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x1e998	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x1eb68	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x1ed38	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x1ef08	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x1f0d8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x1f2a8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x1f478	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x1f648	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88	Russian	Russia	0.40625
RT_BITMAP	0x1f708	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88	Russian	Russia	0.40625
RT_BITMAP	0x1f7c8	0xa8	Device independent bitmap graphic, 10 x 8 x 4, image size 64			0.49404761904761907
RT_BITMAP	0x1f870	0x134	Device independent bitmap graphic, 18 x 17 x 4, image size 204			0.37337662337662336
RT_BITMAP	0x1f9a4	0xb8	Device independent bitmap graphic, 10 x 10 x 4, image size 80	Russian	Russia	0.41304347826086957
RT_BITMAP	0x1fa5c	0xb8	Device independent bitmap graphic, 11 x 10 x 4, image size 80	Russian	Russia	0.45652173913043476
RT_BITMAP	0x1fb14	0xb8	Device independent bitmap graphic, 10 x 10 x 4, image size 80	Russian	Russia	0.42391304347826086
RT_BITMAP	0x1fbcc	0xb8	Device independent bitmap graphic, 11 x 10 x 4, image size 80	Russian	Russia	0.44565217391304346
RT_BITMAP	0x1fc84	0x90	Device independent bitmap graphic, 8 x 10 x 4, image size 40			0.4861111111111111
RT_BITMAP	0x1fd14	0x11c	Device independent bitmap graphic, 38 x 9 x 4, image size 180			0.4507042253521127
RT_BITMAP	0x1fe30	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5208333333333334
RT_BITMAP	0x1fef0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42857142857142855
RT_BITMAP	0x1ffd0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.4955357142857143
RT_BITMAP	0x200b0	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5285714285714286
RT_BITMAP	0x2013c	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Russian	Russia	0.41
RT_BITMAP	0x20204	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Russian	Russia	0.39
RT_BITMAP	0x202cc	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.45
RT_BITMAP	0x20358	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.25
RT_BITMAP	0x20590	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.20950704225352113
RT_BITMAP	0x207c8	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5071428571428571
RT_BITMAP	0x20854	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5142857142857142
RT_BITMAP	0x208e0	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.4857142857142857
RT_BITMAP	0x2096c	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.21654929577464788
RT_BITMAP	0x20ba4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.3232758620689655
RT_BITMAP	0x20c8c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.28448275862068967
RT_BITMAP	0x20d74	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.2629310344827586
RT_BITMAP	0x20e5c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.33189655172413796
RT_BITMAP	0x20f44	0x4ac	Device independent bitmap graphic, 11 x 11 x 8, image size 132			0.4498327759197324
RT_BITMAP	0x213f0	0x4ac	Device independent bitmap graphic, 11 x 11 x 8, image size 132			0.459866220735786
RT_BITMAP	0x2189c	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256			0.5280303030303031
RT_BITMAP	0x21dc4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.38392857142857145
RT_BITMAP	0x21ea4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4947916666666667
RT_BITMAP	0x21f64	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.484375
RT_BITMAP	0x22024	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42410714285714285
RT_BITMAP	0x22104	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5104166666666666
RT_BITMAP	0x221c4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.5
RT_BITMAP	0x222a4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_BITMAP	0x2238c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4895833333333333
RT_BITMAP	0x2244c	0x378	Device independent bitmap graphic, 110 x 14 x 4, image size 784	German	Germany	0.23085585585585586
RT_BITMAP	0x227c4	0xd8	Device independent bitmap graphic, 15 x 14 x 4, image size 112, resolution 2834 x 2834 px/m	Serbian	Cyrillic	0.4675925925925926
RT_BITMAP	0x2289c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.3794642857142857
RT_ICON	0x2297c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x22fe4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x232cc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x233f4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x2429c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x24b44	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x250ac	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x27654	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x286fc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_DIALOG	0x28b64	0x52	data			0.7682926829268293
RT_STRING	0x28bb8	0x6c	data			0.6851851851851852
RT_STRING	0x28c24	0x2d0	data			0.46111111111111114
RT_STRING	0x28ef4	0x250	data			0.49155405405405406
RT_STRING	0x29144	0x214	data			0.4567669172932331
RT_STRING	0x29358	0x180	data			0.5286458333333334
RT_STRING	0x294d8	0x1a4	data			0.5428571428571428
RT_STRING	0x2967c	0x3c0	data			0.3489583333333333
RT_STRING	0x29a3c	0x6a4	data			0.36
RT_STRING	0x2a0e0	0x48c	data			0.38230240549828176
RT_STRING	0x2a56c	0x19c	data			0.5145631067961165
RT_STRING	0x2a708	0xec	data			0.597457627118644
RT_STRING	0x2a7f4	0x1a8	data			0.5
RT_STRING	0x2a99c	0x2b8	data			0.4454022988505747
RT_STRING	0x2ac54	0x414	data			0.36398467432950193
RT_STRING	0x2b068	0x3b4	data			0.37658227848101267
RT_STRING	0x2b41c	0x340	data			0.3762019230769231
RT_STRING	0x2b75c	0x354	data			0.35563380281690143
RT_STRING	0x2bab0	0x2d0	data			0.4513888888888889
RT_STRING	0x2bd80	0xd8	data			0.5694444444444444
RT_STRING	0x2be58	0xf0	data			0.55
RT_STRING	0x2bf48	0x350	data			0.4033018867924528
RT_STRING	0x2c298	0x384	data			0.37444444444444447
RT_STRING	0x2c61c	0x2d8	data			0.375
RT_RCDATA	0x2c8f4	0x10	data			1.5
RT_RCDATA	0x2c904	0x590	data			0.6327247191011236
RT_RCDATA	0x2ce94	0x133db	Delphi compiled form 'TCreatePluginForm'			0.09238558069305046
RT_RCDATA	0x40270	0x2f1a	Delphi compiled form 'TdxBarCustomizingForm'			0.25543207828827336
RT_RCDATA	0x4318c	0x4b0	Delphi compiled form 'TdxBarItemAddEditor'			0.4608333333333333
RT_RCDATA	0x4363c	0x287	Delphi compiled form 'TdxBarNameEd'			0.6058732612055642
RT_RCDATA	0x438c4	0x171	Delphi compiled form 'TdxBarSubMenuEditor'			0.7100271002710027
RT_RCDATA	0x43a38	0x1491	Delphi compiled form 'TFindForm'			0.2641975308641975
RT_RCDATA	0x44ecc	0x49c	Delphi compiled form 'TfrmAddGroupItems'			0.4610169491525424
RT_RCDATA	0x45368	0x1595	Delphi compiled form 'THintForm'			0.11782805429864253
RT_RCDATA	0x46900	0x1aaf	Delphi compiled form 'TInputStringForm'			0.2577953447518665
RT_RCDATA	0x483b0	0x36a23	Delphi compiled form 'TMainForm'			0.09694832848479974
RT_RCDATA	0x7edd4	0x751e	Delphi compiled form 'TPageForm'			0.1721032619571743
RT_GROUP_CURSOR	0x862f4	0x14	data			1.35
RT_GROUP_CURSOR	0x86308	0x14	data			1.3
RT_GROUP_CURSOR	0x8631c	0x14	data			1.4
RT_GROUP_CURSOR	0x86330	0x14	data			1.4
RT_GROUP_CURSOR	0x86344	0x14	data			1.4
RT_GROUP_CURSOR	0x86358	0x14	data			1.4
RT_GROUP_CURSOR	0x8636c	0x14	data			1.4
RT_GROUP_CURSOR	0x86380	0x14	data			1.4
RT_GROUP_CURSOR	0x86394	0x14	data			1.4
RT_GROUP_CURSOR	0x863a8	0x14	data			1.4
RT_GROUP_CURSOR	0x863bc	0x14	data			1.4
RT_GROUP_CURSOR	0x863d0	0x14	data			1.4
RT_GROUP_CURSOR	0x863e4	0x14	data			1.4
RT_GROUP_CURSOR	0x863f8	0x14	data			1.4
RT_GROUP_CURSOR	0x8640c	0x14	data			1.4
RT_GROUP_CURSOR	0x86420	0x14	data			1.4
RT_GROUP_CURSOR	0x86434	0x14	data			1.4
RT_GROUP_CURSOR	0x86448	0x14	data			1.4
RT_GROUP_CURSOR	0x8645c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x86470	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x86484	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x86498	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x864ac	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x864c0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x864d4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x864e8	0x84	data			0.6363636363636364
RT_VERSION	0x8656c	0x350	data	English	United States	0.47523584905660377
RT_MANIFEST	0x868bc	0x244	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.453448275862069

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
German	Germany
Serbian	Cyrillic
English	United States
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 14:02:04.909483910 CET	49718	18852	192.168.2.5	27.124.18.16
Nov 19, 2024 14:02:05.921706915 CET	49718	18852	192.168.2.5	27.124.18.16
Nov 19, 2024 14:02:07.937192917 CET	49718	18852	192.168.2.5	27.124.18.16
Nov 19, 2024 14:02:11.937329054 CET	49718	18852	192.168.2.5	27.124.18.16
Nov 19, 2024 14:02:19.939273119 CET	49718	18852	192.168.2.5	27.124.18.16

Target ID:	0
Start time:	08:00:46
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\TEKujpTgCK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKujpTgCK.exe"
Imagebase:	0x400000
File size:	47'407'259 bytes
MD5 hash:	65C23B196D8C066197B3D6E9FC3282A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:00:53
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:00:53
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:00:53
Start date:	19/11/2024
Path:	C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Imagebase:	0x400000
File size:	649'416 bytes
MD5 hash:	0922B22053A6D5D9516EA910D34A4771
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:02:03
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase:	0xdb0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "ShellExperienceHosts.exe"
Imagebase:	0x4d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x810000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x4e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:02:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x4e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:02:34
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase:	0xdb0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:02:34
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "ShellExperienceHosts.exe"
Imagebase:	0x4d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:02:34
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x810000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:03:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase:	0xdb0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:03:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "ShellExperienceHosts.exe"
Imagebase:	0x4d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:03:04
Start date:	19/11/2024
Path:	C:\Users\Public\Downloads\program\ShellExperienceHosts.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Downloads\program\ShellExperienceHosts.exe"
Imagebase:	0x400000
File size:	649'416 bytes
MD5 hash:	0922B22053A6D5D9516EA910D34A4771
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	08:03:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x810000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:03:34
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase:	0xdb0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:03:34
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "ShellExperienceHosts.exe"
Imagebase:	0x4d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:03:34
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x810000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0.1%
Signature Coverage:	18.5%
Total number of Nodes:	1895
Total number of Limit Nodes:	47

Executed Functions

Function 6C8500A0 Relevance: 178.5, APIs: 8, Strings: 93, Instructions: 1729sleepprocessCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C85014C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,?), ref: 6C850621
Sleep.KERNELBASE(000000C8,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C850A4A
Sleep.KERNELBASE(000000C8,?,?), ref: 6C851472
WinExec.KERNEL32(00000000,00000000), ref: 6C8515EA
WinExec.KERNEL32(00000000,00000000), ref: 6C85173B
Sleep.KERNELBASE(00007530,?,?,65776F70), ref: 6C851742

Part of subcall function 6C850090: DeleteFileA.KERNEL32(00000000,6C85175A,?,?,65776F70), ref: 6C850091

Concurrency::cancel_current_task.LIBCPMT ref: 6C851A90

Strings

a05h, xrefs: 6C850206
powe, xrefs: 6C85147E
File, xrefs: 6C851652
emen, xrefs: 6C8507B1
PSAi, xrefs: 6C85021A
dCA9, xrefs: 6C850274
IHwg, xrefs: 6C8502D8
T3V0, xrefs: 6C8502E2
Igok, xrefs: 6C8501F2
onPo, xrefs: 6C8514DA
Unr, xrefs: 6C8514EE
rshe, xrefs: 6C85148F
\Pol, xrefs: 6C85079A
icte, xrefs: 6C851502
5Yqh, xrefs: 6C85022E
IC1Q, xrefs: 6C8502A6
icyM, xrefs: 6C8507A3
LVRh, xrefs: 6C85038C
rshe, xrefs: 6C8515F6
dGVu, xrefs: 6C85026A
dGFz, xrefs: 6C8501FC
estr, xrefs: 6C8514F8
bWUg, xrefs: 6C850210
ll -, xrefs: 6C851606
5Lu7, xrefs: 6C850224
b250, xrefs: 6C850292
Bypa, xrefs: 6C851641
ZWdp, xrefs: 6C85030A
bnQg, xrefs: 6C850382
ss -, xrefs: 6C85164B
bWxQ, xrefs: 6C8502C4
56ew, xrefs: 6C850242
ZHVs, xrefs: 6C850332
bFBh, xrefs: 6C8501B6
cmlu, xrefs: 6C8502F6
ZwpS, xrefs: 6C850300
"Set, xrefs: 6C8514BC
ICR0, xrefs: 6C8503AA
cuti, xrefs: 6C8514D0
t.xm, xrefs: 6C8507B8
.30320, xrefs: 6C850120
5ZCN, xrefs: 6C850238
exe , xrefs: 6C85168E
ZQ==, xrefs: 6C8503C8
Igok, xrefs: 6C85024C
Exec, xrefs: 6C851614
utio, xrefs: 6C851623
dGgg, xrefs: 6C8501C0
powe, xrefs: 6C8515EC
YXRo, xrefs: 6C8502CE
LVN0, xrefs: 6C8502EC
TmFt, xrefs: 6C8503BE
JHht, xrefs: 6C8501AC
5b6E, xrefs: 6C8501E8
ci1T, xrefs: 6C85031E
YXNr, xrefs: 6C850346
nPol, xrefs: 6C85162D
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+CjxUYXNrIHZlcnNpb249IjEuMyIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZG93cy8yMDA0LzAyL21pdC90YXNrIj4KICA8UmVnaXN0cmF0aW9uSW5mbz4KICAgIDxEYXRlPjIwMDYtMTEtMTBUMTQ6Mjk6NTUuNTg1MTkyNjwvRGF0ZT4KICAgIDxB, xrefs: 6C85043F
YXRo, xrefs: 6C8502B0
Comm, xrefs: 6C8514A8
-Exe, xrefs: 6C8514C6
eG1s, xrefs: 6C850256
JHht, xrefs: 6C850364
c2tO, xrefs: 6C850396
bENv, xrefs: 6C85036E
Cur, xrefs: 6C851520
dC1D, xrefs: 6C850288
bWwg, xrefs: 6C85035A
bnRl, xrefs: 6C850378
YXNr, xrefs: 6C8503B4
cope, xrefs: 6C851516
IC1Y, xrefs: 6C850350
YW1l, xrefs: 6C8503A0
IEdl, xrefs: 6C85027E
WE1M, xrefs: 6C8501D4
ZW50, xrefs: 6C85029C
anag, xrefs: 6C8507AA
User, xrefs: 6C851534
rent, xrefs: 6C85152A
PSAi, xrefs: 6C8501CA
ZWRU, xrefs: 6C85033C
ll -, xrefs: 6C85149E
c3Rl, xrefs: 6C850314
icy , xrefs: 6C851637
licy, xrefs: 6C8514E4
6Lev, xrefs: 6C8501DE
Q29u, xrefs: 6C850260
cmd., xrefs: 6C851683
Y2hl, xrefs: 6C850328
and , xrefs: 6C8514B2
ICR4, xrefs: 6C8502BA
d -S, xrefs: 6C85150C
Error retrieving folder path, xrefs: 6C850674

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Sleep$ExecFile$Concurrency::cancel_current_taskDeleteFolderModuleNamePath
String ID: Cur$ Unr$"Set$-Exe$.30320$56ew$5Lu7$5Yqh$5ZCN$5b6E$6Lev$Bypa$Comm$Error retrieving folder path$Exec$File$IC1Q$IC1Y$ICR0$ICR4$IEdl$IHwg$Igok$Igok$JHht$JHht$LVN0$LVRh$PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+CjxUYXNrIHZlcnNpb249IjEuMyIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZG93cy8yMDA0LzAyL21pdC90YXNrIj4KICA8UmVnaXN0cmF0aW9uSW5mbz4KICAgIDxEYXRlPjIwMDYtMTEtMTBUMTQ6Mjk6NTUuNTg1MTkyNjwvRGF0ZT4KICAgIDxB$PSAi$PSAi$Q29u$T3V0$TmFt$User$WE1M$Y2hl$YW1l$YXNr$YXNr$YXRo$YXRo$ZHVs$ZQ==$ZW50$ZWRU$ZWdp$ZwpS$\Pol$a05h$anag$and $b250$bENv$bFBh$bWUg$bWwg$bWxQ$bnQg$bnRl$c2tO$c3Rl$ci1T$cmd.$cmlu$cope$cuti$d -S$dC1D$dCA9$dGFz$dGVu$dGgg$eG1s$emen$estr$exe $icte$icy $icyM$licy$ll -$ll -$nPol$onPo$powe$powe$rent$rshe$rshe$ss -$t.xm$utio
API String ID: 1974682518-963388687
Opcode ID: b5be79af9e76442d18040a77862b21f7c1cc2d356b19823ac6c1ec425b80e506
Instruction ID: b5a2718541d0880724677857ca8381001f4f0dbb578c3e50f848bcd389330cad
Opcode Fuzzy Hash: b5be79af9e76442d18040a77862b21f7c1cc2d356b19823ac6c1ec425b80e506
Instruction Fuzzy Hash: 88F2F271D012588BDB25CF24CE987DDBBB1AF51308F6486E8D0486BB91DBB49B88CF51

Function 6C844E30 Relevance: 31.6, APIs: 2, Strings: 16, Instructions: 98
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C844E89
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C844F0A

Strings

Failed to hash data., xrefs: 6C845272
Failed to acquire cryptographic context., xrefs: 6C8456D9
`nt, xrefs: 6C844E74, 6C844EDB
Failed to calculate base64 decoded size., xrefs: 6C844F2A
Failed to decrypt data., xrefs: 6C84551C
Salt, xrefs: 6C845310
Failed to set cipher mode., xrefs: 6C84548C
Failed to import key., xrefs: 6C845424
Failed to get hash value., xrefs: 6C84520F
Failed to set IV., xrefs: 6C845456
Failed to get hash length., xrefs: 6C84522A
Failed to create hash object., xrefs: 6C84523C
Failed to decode base64 string., xrefs: 6C844F10
ed__, xrefs: 6C84531C
wi65, xrefs: 6C845387
Invalid encrypted data header., xrefs: 6C8456C2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: BinaryCryptString
String ID: Failed to acquire cryptographic context.$Failed to calculate base64 decoded size.$Failed to create hash object.$Failed to decode base64 string.$Failed to decrypt data.$Failed to get hash length.$Failed to get hash value.$Failed to hash data.$Failed to import key.$Failed to set IV.$Failed to set cipher mode.$Invalid encrypted data header.$Salt$`nt$ed__$wi65
API String ID: 80407269-2278120152
Opcode ID: 936f203e3d98c94ccbb2fadfaa69464c7497ceaf8dfe7b90567d8910ad38e475
Instruction ID: 59298fe12a29c2fd444a88fef95c9a774947132b3cc8aa5b9b153f692936ba8e
Opcode Fuzzy Hash: 936f203e3d98c94ccbb2fadfaa69464c7497ceaf8dfe7b90567d8910ad38e475
Instruction Fuzzy Hash: E531A471A00209EBEB10CF58DD85BAEBBB8FB44714F208569F514EB7C0D7B4A944CBA1

Function 6C856130 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 378
networkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 6C8562CF
getaddrinfo.WS2_32(6CA6CB64,6CA6CB4C,00000000,00000000), ref: 6C8564BC
socket.WS2_32(?,?,?), ref: 6C8564E9
connect.WS2_32(00000000,?,?), ref: 6C856504
closesocket.WS2_32 ref: 6C856511
freeaddrinfo.WS2_32(00000000), ref: 6C856528
recv.WS2_32(005EC0B0,00001000,00000000), ref: 6C856563
VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 6C8565AE
WSACleanup.WS2_32 ref: 6C8565D6
WSACleanup.WS2_32 ref: 6C8565F5

Strings

IOVA, xrefs: 6C856391, 6C856458, 6C8563BB, 6C856482
, xrefs: 6C85616F, 6C85620B, 6C85628C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Cleanup$AllocStartupVirtualclosesocketconnectfreeaddrinfogetaddrinforecvsocket
String ID: $IOVA
API String ID: 2484549806-670572268
Opcode ID: faa562d619d856c6b7fd531fe23a27fbe61aae09e5bd9242e79a628b1c101ca3
Instruction ID: 5b4531b045e17b0b208db765082a00f56135a302539e2a07a362ac3b422240dd
Opcode Fuzzy Hash: faa562d619d856c6b7fd531fe23a27fbe61aae09e5bd9242e79a628b1c101ca3
Instruction Fuzzy Hash: 7AD14370B007158FCF299F38C9547B9BBB1BB46308F508A6CE410DBB91D7B0999ACB91

Function 6C857850 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 377
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?), ref: 6C857968
SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 6C857986
GetFileAttributesA.KERNELBASE(?,00000004,00000000,.lnk,00000004,?), ref: 6C857BC9
CoInitialize.OLE32(00000000), ref: 6C857C47
CoCreateInstance.OLE32(6CA39BD8,00000000,00000001,6CA44A88,?), ref: 6C857C5F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 6C857C9A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 6C857CDF
CoUninitialize.COMBASE ref: 6C857D05

Strings

load, xrefs: 6C85789D
Down, xrefs: 6C857890
.lnk, xrefs: 6C857A93

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AttributesByteCharFileMultiWide$CreateFolderInitializeInstancePathUninitialize
String ID: .lnk$Down$load
API String ID: 120116150-380299436
Opcode ID: 4751bbc896243b835280e133e9e2ab12d050c980fd35d057fb0f0ac736357b96
Instruction ID: 4c241217844ecc9f887af4e86945a3a3f638efb6511e18db5588706f38aced1c
Opcode Fuzzy Hash: 4751bbc896243b835280e133e9e2ab12d050c980fd35d057fb0f0ac736357b96
Instruction Fuzzy Hash: 3BE12570E102489FDB15CF64CD84BEDBBB1FF45308F60C298E019ABA91D7B1AA85CB51

Function 6C857210 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(yyzyBase.dll,?,00000000), ref: 6C857218
FindResourceW.KERNEL32(00000000,CONFIG,AFX_DIALOG_LAYOUT), ref: 6C85722B
LoadResource.KERNEL32(00000000,00000000), ref: 6C857239
SizeofResource.KERNEL32(00000000,00000000), ref: 6C857243
LockResource.KERNEL32(00000000), ref: 6C85724C

Strings

CONFIG, xrefs: 6C857225
yyzyBase.dll, xrefs: 6C857213
AFX_DIALOG_LAYOUT, xrefs: 6C85721E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeof
String ID: AFX_DIALOG_LAYOUT$CONFIG$yyzyBase.dll
API String ID: 1601749889-1902995937
Opcode ID: 5790e06dfc6854ad84b9d99a00ccccd12d51e62bbf6a61fccaf3754bbc295af2
Instruction ID: b3258376107e630a22949d5ec84ded6cbc3af0ea7c0f0439edc96fde4d3e8fa7
Opcode Fuzzy Hash: 5790e06dfc6854ad84b9d99a00ccccd12d51e62bbf6a61fccaf3754bbc295af2
Instruction Fuzzy Hash: 5CF0C8727017126BE75616F64C88EFB3A6CDF9619D704843CF502C2600EF65DC0786B6

Function 6C8452A0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C844E30: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C844E89
Part of subcall function 6C844E30: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C844F0A

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 6C8453BA
CryptImportKey.ADVAPI32(00000000,00000208,00000014,00000000,00000000,?), ref: 6C84540F
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C84541E

Strings

Salt, xrefs: 6C845310
ed__, xrefs: 6C84531C
wi65, xrefs: 6C845387
Failed to import key., xrefs: 6C845424

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Crypt$BinaryContextString$AcquireImportRelease
String ID: Failed to import key.$Salt$ed__$wi65
API String ID: 552557845-1924075180
Opcode ID: 869f5e1d6a8c0403f1a4672384f6bf6b347ce6bea8910be6bfd89428c4684865
Instruction ID: d678ac9fa3a2972079eb143b65a79a9a44065226fc96b1a46a821d5b255241c0
Opcode Fuzzy Hash: 869f5e1d6a8c0403f1a4672384f6bf6b347ce6bea8910be6bfd89428c4684865
Instruction Fuzzy Hash: 7751717190030C9FEB14CFA4CD58BDEBBB8FF01308F248528E555AB680DB75A949CBA1

Function 6C857560 Relevance: 9.2, APIs: 6, Instructions: 199processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?), ref: 6C8575CF
Process32FirstW.KERNEL32(00000000,?), ref: 6C857611
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6C85763D
Process32NextW.KERNEL32(?,0000022C), ref: 6C857747
CloseHandle.KERNELBASE(00000000,?,?), ref: 6C857756

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSnapshotToolhelp32Wide
String ID:
API String ID: 4013288513-0
Opcode ID: 4f71460264d732ec7a6e5450bb37a515d00e30d0f6fb8723ce5088fab1f79ea2
Instruction ID: 7e2001eb5dc6f7d9155c3223227da0263ca32ca0ecca9b33f27f6afdb9b279ed
Opcode Fuzzy Hash: 4f71460264d732ec7a6e5450bb37a515d00e30d0f6fb8723ce5088fab1f79ea2
Instruction Fuzzy Hash: 2E716570E102089FDB14CF64CD94BEDBBB9EF06318F64C358E415A7A81D7B06A85CB91

Function 6C844F50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,74E96E60), ref: 6C844FA2
CryptDestroyHash.ADVAPI32(?,?,6CA668B4,Failed to acquire cryptographic context.), ref: 6C845261
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C84526C

Strings

Failed to acquire cryptographic context., xrefs: 6C845243
Failed to hash data., xrefs: 6C845272

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Crypt$Context$AcquireDestroyHashRelease
String ID: Failed to acquire cryptographic context.$Failed to hash data.
API String ID: 2937476097-442885999
Opcode ID: c15e1bd028af755f89ddd1b8c19553607166984e7206e5feb00466ef724317bf
Instruction ID: 114fa611f1e938159167c3e8ff3218e4c4fe69528f8cc1e07ec82fab619646f3
Opcode Fuzzy Hash: c15e1bd028af755f89ddd1b8c19553607166984e7206e5feb00466ef724317bf
Instruction Fuzzy Hash: AD11F5B1D00259AEDF10DFE8CD45BDEBBF8BB18700F20492AE114F6A40EB745A498B61

Function 6C87004E Relevance: 68.6, APIs: 34, Strings: 5, Instructions: 356
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6C870058

Part of subcall function 6C86D5B9: __EH_prolog3.LIBCMT ref: 6C86D5C0
Part of subcall function 6C86D5B9: GetWindowDC.USER32(00000000,00000004,6C8705D3,00000000), ref: 6C86D5EC

GetDeviceCaps.GDI32(?,00000058), ref: 6C870078
DeleteObject.GDI32(00000000), ref: 6C8700D4
DeleteObject.GDI32(00000000), ref: 6C8700F2
DeleteObject.GDI32(00000000), ref: 6C870110
DeleteObject.GDI32(00000000), ref: 6C87012E
DeleteObject.GDI32(00000000), ref: 6C87014C
DeleteObject.GDI32(00000000), ref: 6C87016A
DeleteObject.GDI32(00000000), ref: 6C870188
DeleteObject.GDI32(00000000), ref: 6C8701A6
DeleteObject.GDI32(00000000), ref: 6C8701C4
DeleteObject.GDI32(00000000), ref: 6C8701E2
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C87021A
lstrcpyW.KERNEL32(?,?), ref: 6C87026F
EnumFontFamiliesW.GDI32(?,00000000,6C86F89C,Segoe UI), ref: 6C870296
lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C8702A9
EnumFontFamiliesW.GDI32(?,00000000,6C86F89C,Tahoma), ref: 6C8702C7
lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C8702E1
CreateFontIndirectW.GDI32(?), ref: 6C8702EB
CreateFontIndirectW.GDI32(?), ref: 6C870333
CreateFontIndirectW.GDI32(?), ref: 6C870372
CreateFontIndirectW.GDI32(?), ref: 6C87039E
CreateFontIndirectW.GDI32(?), ref: 6C8703BF
GetSystemMetrics.USER32(00000048), ref: 6C8703DE
lstrcpyW.KERNEL32(?,Marlett), ref: 6C8703F1
CreateFontIndirectW.GDI32(?), ref: 6C8703FB
GetStockObject.GDI32(00000011), ref: 6C870427
GetObjectW.GDI32(00000000,0000005C,?), ref: 6C870442
lstrcpyW.KERNEL32(?,Arial), ref: 6C870483
CreateFontIndirectW.GDI32(?), ref: 6C87048D
CreateFontIndirectW.GDI32(?), ref: 6C8704A6
GetObjectW.GDI32(?,0000005C,?), ref: 6C8704C4
CreateFontIndirectW.GDI32(?), ref: 6C8704D2
CreateFontIndirectW.GDI32(?), ref: 6C8704F3

Part of subcall function 6C87098B: __EH_prolog3_GS.LIBCMT ref: 6C870992
Part of subcall function 6C87098B: GetTextMetricsW.GDI32(?,?), ref: 6C8709C7
Part of subcall function 6C87098B: GetTextMetricsW.GDI32(?,?), ref: 6C870A07

Strings

Tahoma, xrefs: 6C8702B5, 6C8702D4
MS Sans Serif, xrefs: 6C8702DB
Segoe UI, xrefs: 6C870284, 6C8702A0
Marlett, xrefs: 6C8703EB
Arial, xrefs: 6C870473

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 2837096512-1395034203
Opcode ID: f77024a678303ec4aa83481e38749ab72d872954be8693b3b7e9dbf9279e5ca3
Instruction ID: e8423bf8a43030cf164db843f544eb565d225a8578ded561f5f2e93c7598e8c1
Opcode Fuzzy Hash: f77024a678303ec4aa83481e38749ab72d872954be8693b3b7e9dbf9279e5ca3
Instruction Fuzzy Hash: BFE17071A013499BDF25DFB4CE48BDEB7B8BF05349F008969E05AE7640EB34954ACB21

Function 6C87056D Relevance: 64.8, APIs: 43, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6C870574
GetSysColor.USER32(00000016), ref: 6C87057D
GetSysColor.USER32(0000000F), ref: 6C870590
GetSysColor.USER32(00000015), ref: 6C8705A7
GetSysColor.USER32(0000000F), ref: 6C8705B3
GetDeviceCaps.GDI32(?,0000000C), ref: 6C8705DB
GetSysColor.USER32(0000000F), ref: 6C8705E9
GetSysColor.USER32(00000010), ref: 6C8705F7
GetSysColor.USER32(00000015), ref: 6C870605
GetSysColor.USER32(00000016), ref: 6C870613
GetSysColor.USER32(00000014), ref: 6C870621
GetSysColor.USER32(00000012), ref: 6C87062F
GetSysColor.USER32(00000011), ref: 6C87063D
GetSysColor.USER32(00000006), ref: 6C870648
GetSysColor.USER32(0000000D), ref: 6C870653
GetSysColor.USER32(0000000E), ref: 6C87065E
GetSysColor.USER32(00000005), ref: 6C870669
GetSysColor.USER32(00000008), ref: 6C870677
GetSysColor.USER32(00000009), ref: 6C870682
GetSysColor.USER32(00000007), ref: 6C87068D
GetSysColor.USER32(00000002), ref: 6C870698
GetSysColor.USER32(00000003), ref: 6C8706A3
GetSysColor.USER32(0000001B), ref: 6C8706B1
GetSysColor.USER32(0000001C), ref: 6C8706BF
GetSysColor.USER32(0000000A), ref: 6C8706CD
GetSysColor.USER32(0000000B), ref: 6C8706DB
GetSysColor.USER32(00000013), ref: 6C8706E9
GetSysColor.USER32(0000001A), ref: 6C870712
GetSysColorBrush.USER32(00000010), ref: 6C870723
GetSysColorBrush.USER32(00000014), ref: 6C870736
GetSysColorBrush.USER32(00000005), ref: 6C870749
CreateSolidBrush.GDI32(?), ref: 6C87076A
CreateSolidBrush.GDI32(?), ref: 6C870788
CreateSolidBrush.GDI32(00000006), ref: 6C8707A6
CreateSolidBrush.GDI32(?), ref: 6C8707C7
CreateSolidBrush.GDI32(?), ref: 6C8707E5
CreateSolidBrush.GDI32(?), ref: 6C870803
CreateSolidBrush.GDI32(?), ref: 6C870821
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C870847
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C87086B
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C87088F
CreateSolidBrush.GDI32(?), ref: 6C87090D
CreatePatternBrush.GDI32(00000000), ref: 6C87094B

Part of subcall function 6C86E03F: DeleteObject.GDI32(00000000), ref: 6C86E04E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 5cd4c9d80e3f5e6cbe087070d5f7d52f0fe6d33686def40d3751ff4055b2ec7e
Instruction ID: d52d33baee548aaf536eff6509433e10ac4187fa219e03fd82763d510bbdac64
Opcode Fuzzy Hash: 5cd4c9d80e3f5e6cbe087070d5f7d52f0fe6d33686def40d3751ff4055b2ec7e
Instruction Fuzzy Hash: 14C1B271B00702AFDB199FB589087ACBBB0BF19349F008529E515D7A80DB35A95BCFE1

Function 6C846970 Relevance: 39.2, APIs: 10, Strings: 12, Instructions: 734
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,?,75920F10,00000000), ref: 6C8469B7
OpenProcess.KERNEL32(00000410,00000000,00000000,00000000,?,00000001,?,?,?,?,00000002,?,?), ref: 6C846FF6
CloseHandle.KERNEL32(00000000), ref: 6C847001
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00000001,?,?,?,?), ref: 6C84702F
CloseHandle.KERNEL32(?,?,00000002,?,?,?,?,?,monitor.pid,0000000B,?,?), ref: 6C84722A
CloseHandle.KERNEL32(?,?,?,?,?,?,monitor.pid,0000000B,?,?), ref: 6C847232
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C8472A2
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C847318
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C847391

Part of subcall function 6C84B8A0: Concurrency::cancel_current_task.LIBCPMT ref: 6C84B9E7

Part of subcall function 6C846840: ___std_exception_copy.LIBVCRUNTIME ref: 6C8468DF

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C847437

Strings

timeout /t 30 /nobreak >nul, xrefs: 6C846C04
\monitor.bat, xrefs: 6C846A0C, 6C846CA9
set "ProcessPath=, xrefs: 6C846B91
start "" "%ProcessPath%", xrefs: 6C846BE4
if %ERRORLEVEL% neq 0 (, xrefs: 6C846BD4
goto CheckProcess, xrefs: 6C846C14
set "ProcessName=, xrefs: 6C846B5E
tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6C846BC4
@echo off, xrefs: 6C846B3E
cmd.exe /B /c "%s", xrefs: 6C846D31
monitor.pid, xrefs: 6C846E5F, 6C847089
:CheckProcess, xrefs: 6C846B4E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_$CloseHandle$Process$Concurrency::cancel_current_taskCreateOpenPathTemp___std_exception_copy
String ID: start "" "%ProcessPath%"$:CheckProcess$@echo off$\monitor.bat$cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($monitor.pid$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul
API String ID: 1691980302-515577167
Opcode ID: f6dc7dccee37814a5e1b6131b7c861faf868bb93a0b8029e714bc3f6c06116c3
Instruction ID: 88e1cbcaf739ae1c4650f23b2c27ad19b29b9562064481303327fb8235acd8de
Opcode Fuzzy Hash: f6dc7dccee37814a5e1b6131b7c861faf868bb93a0b8029e714bc3f6c06116c3
Instruction Fuzzy Hash: 5062D170D0025C8FDB25CF68CD84BEEBBB5BF55308F1486A9D408AB651DB31AA89CF51

Function 6C856620 Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 492
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C856C30
Concurrency::cancel_current_task.LIBCPMT ref: 6C856C85
Concurrency::cancel_current_task.LIBCPMT ref: 6C856C8A
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C856D07

Strings

re41, xrefs: 6C856669
IP=, xrefs: 6C8569A0
Port=, xrefs: 6C856A52
Port: , xrefs: 6C856B3D
IP: , xrefs: 6C856B02
vi65, xrefs: 6C85665F
vwer, xrefs: 6C856671

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Concurrency::cancel_current_taskIos_base_dtorstd::ios_base::_
String ID: IP: $IP=$Port: $Port=$re41$vi65$vwer
API String ID: 4106036149-4278047753
Opcode ID: 1b1faac752712a9536cdd070e1299053f2638b2bea7054b791a61f991cee5ca5
Instruction ID: ece75995a0871ee655f1c84503cdd6dd33c433dbd1ae2f33a6fa7f7d1c3d277e
Opcode Fuzzy Hash: 1b1faac752712a9536cdd070e1299053f2638b2bea7054b791a61f991cee5ca5
Instruction Fuzzy Hash: BC12B171E00258CFDB24CF68C994BDDB7B1FF45308F1486A9E405AB791DB70AA85CB51

Function 6C858130 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 267
threadsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastInputInfo.USER32 ref: 6C858154
GetTickCount.KERNEL32 ref: 6C85815A
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 6C858493

Part of subcall function 6C857DD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C857E17

Part of subcall function 6C856D30: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C85702F

CreateThread.KERNELBASE(00000000,00000000,6C857560,6CA6CB7C,00000000,00000000), ref: 6C8583C2
CreateThread.KERNELBASE(00000000,00000000,6C8572A0,00000000,00000000,00000000), ref: 6C8583D3
WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6C8583E1
CloseHandle.KERNEL32(00000000), ref: 6C8583EF

Part of subcall function 6C857F60: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 6C857FA7

Part of subcall function 6C857D70: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 6C857D8D

Part of subcall function 6C846970: GetTempPathA.KERNEL32(00000104,?,75920F10,00000000), ref: 6C8469B7

Part of subcall function 6C857210: GetModuleHandleA.KERNEL32(yyzyBase.dll,?,00000000), ref: 6C857218
Part of subcall function 6C857210: FindResourceW.KERNEL32(00000000,CONFIG,AFX_DIALOG_LAYOUT), ref: 6C85722B
Part of subcall function 6C857210: LoadResource.KERNEL32(00000000,00000000), ref: 6C857239
Part of subcall function 6C857210: SizeofResource.KERNEL32(00000000,00000000), ref: 6C857243
Part of subcall function 6C857210: LockResource.KERNEL32(00000000), ref: 6C85724C

CreateThread.KERNELBASE(00000000,00000000,6C857290,00000000,00000000,00000000), ref: 6C858469

Part of subcall function 6C8562B0: WSAStartup.WS2_32(00000202,?), ref: 6C8562CF

Strings

S, xrefs: 6C85817B
IOVA, xrefs: 6C858187, 6C85818B
IOVAS, xrefs: 6C85829F, 6C8582B5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ModuleResource$CreateFileNameThread$Handle$CloseCountFindInfoInputIos_base_dtorLastLoadLockMessageObjectPathSingleSizeofStartupTempTickWaitstd::ios_base::_
String ID: IOVA$IOVAS$S
API String ID: 1854476981-1164367841
Opcode ID: f2e938a9aa97a02bfbae806102142d314a40c5147f0890b009fee5d5121e4b00
Instruction ID: cecf48b562ac24e1b5d9cbce761559e8d44ccc82ea304a4ffb721ed222484ab2
Opcode Fuzzy Hash: f2e938a9aa97a02bfbae806102142d314a40c5147f0890b009fee5d5121e4b00
Instruction Fuzzy Hash: C19122306547419BD324CF28CD44BAEB7E1BF95308F508E1EF1849BA91DBB0E5998B93

Function 6C8572B0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 410
sleepprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?,?), ref: 6C8572F4
DeleteFileA.KERNEL32(?,00000004,00000000,.lnk,00000004,?), ref: 6C85750C
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?), ref: 6C8575CF
Process32FirstW.KERNEL32(00000000,?), ref: 6C857611
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6C85763D
Process32NextW.KERNEL32(?,0000022C), ref: 6C857747
CloseHandle.KERNELBASE(00000000,?,?), ref: 6C857756
Sleep.KERNELBASE(00000BB8,?,?,?,?,?), ref: 6C8577A8
CloseHandle.KERNEL32(?,00000000,?,?), ref: 6C8577B4

Strings

.lnk, xrefs: 6C8573F8

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseHandleProcess32$ByteCharCreateDeleteFileFirstFolderMultiNextPathSleepSnapshotToolhelp32Wide
String ID: .lnk
API String ID: 775680180-24824748
Opcode ID: a731997171a131f88a841b1971c1689b46732ea7e657da61379c9d9e5a7cbece
Instruction ID: 058d73d659c0948428adab8ab485342d0ff1fd2fd1689813ccec1878e7399664
Opcode Fuzzy Hash: a731997171a131f88a841b1971c1689b46732ea7e657da61379c9d9e5a7cbece
Instruction Fuzzy Hash: 00F17730D102488FDB15CF68CD94BEDBBB1AF05308F64C758E454AB6C1D7B0AA86CB91

Function 6C8562B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195
networkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 6C8562CF
getaddrinfo.WS2_32(6CA6CB64,6CA6CB4C,00000000,00000000), ref: 6C8564BC
socket.WS2_32(?,?,?), ref: 6C8564E9
connect.WS2_32(00000000,?,?), ref: 6C856504
closesocket.WS2_32 ref: 6C856511
freeaddrinfo.WS2_32(00000000), ref: 6C856528
recv.WS2_32(005EC0B0,00001000,00000000), ref: 6C856563
VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 6C8565AE
WSACleanup.WS2_32 ref: 6C8565D6
WSACleanup.WS2_32 ref: 6C8565F5

Strings

IOVA, xrefs: 6C856391, 6C856458, 6C8563BB, 6C856482

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Cleanup$AllocStartupVirtualclosesocketconnectfreeaddrinfogetaddrinforecvsocket
String ID: IOVA
API String ID: 2484549806-1369737602
Opcode ID: c2d2d23889d5e7c29764e2ab2368dbec68aa362007a133673fcdfb827c052180
Instruction ID: 2f44907280dbd09573d038063360081ceb73708a41fd968ba84f67785983a759
Opcode Fuzzy Hash: c2d2d23889d5e7c29764e2ab2368dbec68aa362007a133673fcdfb827c052180
Instruction Fuzzy Hash: 43710171B017118FCF29EF39CA5476ABBB1BB06308F50C608E451D7B95D7B0A996CB50

Function 6C9F1693 Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C9F134C: CreateFileW.KERNELBASE(?,00000000,?,6C9F173C,?,?,00000000,?,6C9F173C,?,0000000C), ref: 6C9F1369

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9F17A7
__dosmaperr.LIBCMT ref: 6C9F17AE
GetFileType.KERNELBASE(00000000), ref: 6C9F17BA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9F17C4
__dosmaperr.LIBCMT ref: 6C9F17CD
CloseHandle.KERNEL32(00000000), ref: 6C9F17ED
CloseHandle.KERNEL32(6C9EB9DE), ref: 6C9F193A
GetLastError.KERNEL32 ref: 6C9F196C
__dosmaperr.LIBCMT ref: 6C9F1973

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 59e1f5f077c35fe25e9497741bd94f9276f5e4c473a1d94c72653df72816fbc9
Instruction ID: f4abd1c73574e273f16673493336a361aa7db07625301abef3a8cdc70fd4ecf2
Opcode Fuzzy Hash: 59e1f5f077c35fe25e9497741bd94f9276f5e4c473a1d94c72653df72816fbc9
Instruction Fuzzy Hash: 0BA145B2A046198FCF09CF68C854BAD3BB5AB17328F18425DE821EB790C731D957CB91

Function 6C9C7F6B Relevance: 10.6, APIs: 7, Instructions: 135
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6C9C7FB2
___scrt_uninitialize_crt.LIBCMT ref: 6C9C7FCC

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: a33ac27b2111afcf68c6e136c9fd5d56c22e62145f4e2db61d687b2cd6d0808b
Instruction ID: e8aa0ea8a9e438c8e5564a5d846a678196221159405269bf8ba6f5fa060c9445
Opcode Fuzzy Hash: a33ac27b2111afcf68c6e136c9fd5d56c22e62145f4e2db61d687b2cd6d0808b
Instruction Fuzzy Hash: BC41F472B05615EFDB19CF65CC40BEE7BB9EB657A8F10451AE80467A40C730CA058BA7

Function 6C95BC7A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6C95BC81

Part of subcall function 6C945D74: EnterCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DA5
Part of subcall function 6C945D74: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DBB
Part of subcall function 6C945D74: LeaveCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DC9
Part of subcall function 6C945D74: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000,?), ref: 6C945DD6

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C95BCD4
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C95BCEA

Strings

DragMinDist, xrefs: 6C95BCC9
DragDelay, xrefs: 6C95BCDF
windows, xrefs: 6C95BCCE, 6C95BCD3, 6C95BCE4

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 1115a265582c649f78c1b8b1f4e5bcc1ee1dc3d8f1118287cedfb929ee8eb707
Instruction ID: c40ac5cf4c68fee43ba922016341e49504e5ee142b81d1f52e8f0dc44c44481b
Opcode Fuzzy Hash: 1115a265582c649f78c1b8b1f4e5bcc1ee1dc3d8f1118287cedfb929ee8eb707
Instruction Fuzzy Hash: F301BCB0A01751DFDBA1CF78890674A7AF4BF18704F44992EE049DBF40D774A0868B65

Function 6C9E6CE9 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f18d4d80ce40b5fd64e80b3f35957d7d56958943513319e1aca9a1ca4f0f9e7
Instruction ID: e44fe0597c7d3a9b204be116595cea76bfac1cf3778c741d6c1a5a307fb3917a
Opcode Fuzzy Hash: 6f18d4d80ce40b5fd64e80b3f35957d7d56958943513319e1aca9a1ca4f0f9e7
Instruction Fuzzy Hash: 3AB1F570A04609AFDB02CFA8C844BAD7BB5BF7E309F148658E510E7781C771E946CB61

Function 6C86FAB5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000001,6CA73990), ref: 6C86FB12
VerSetConditionMask.KERNEL32(00000000), ref: 6C86FB1A
VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C86FB2B
GetSystemMetrics.USER32(00001000), ref: 6C86FB3C

Part of subcall function 6C87056D: __EH_prolog3.LIBCMT ref: 6C870574
Part of subcall function 6C87056D: GetSysColor.USER32(00000016), ref: 6C87057D
Part of subcall function 6C87056D: GetSysColor.USER32(0000000F), ref: 6C870590
Part of subcall function 6C87056D: GetSysColor.USER32(00000015), ref: 6C8705A7
Part of subcall function 6C87056D: GetSysColor.USER32(0000000F), ref: 6C8705B3
Part of subcall function 6C87056D: GetDeviceCaps.GDI32(?,0000000C), ref: 6C8705DB
Part of subcall function 6C87056D: GetSysColor.USER32(0000000F), ref: 6C8705E9
Part of subcall function 6C87056D: GetSysColor.USER32(00000010), ref: 6C8705F7
Part of subcall function 6C87056D: GetSysColor.USER32(00000015), ref: 6C870605
Part of subcall function 6C87056D: GetSysColor.USER32(00000016), ref: 6C870613
Part of subcall function 6C87056D: GetSysColor.USER32(00000014), ref: 6C870621
Part of subcall function 6C87056D: GetSysColor.USER32(00000012), ref: 6C87062F
Part of subcall function 6C87056D: GetSysColor.USER32(00000011), ref: 6C87063D
Part of subcall function 6C87056D: GetSysColor.USER32(00000006), ref: 6C870648
Part of subcall function 6C87056D: GetSysColor.USER32(0000000D), ref: 6C870653
Part of subcall function 6C87056D: GetSysColor.USER32(0000000E), ref: 6C87065E
Part of subcall function 6C87056D: GetSysColor.USER32(00000005), ref: 6C870669
Part of subcall function 6C87056D: GetSysColor.USER32(00000008), ref: 6C870677
Part of subcall function 6C87056D: GetSysColor.USER32(00000009), ref: 6C870682
Part of subcall function 6C87056D: GetSysColor.USER32(00000007), ref: 6C87068D
Part of subcall function 6C87056D: GetSysColor.USER32(00000002), ref: 6C870698
Part of subcall function 6C87056D: GetSysColor.USER32(00000003), ref: 6C8706A3
Part of subcall function 6C87056D: GetSysColor.USER32(0000001B), ref: 6C8706B1
Part of subcall function 6C87056D: GetSysColor.USER32(0000001C), ref: 6C8706BF
Part of subcall function 6C87056D: GetSysColor.USER32(0000000A), ref: 6C8706CD

Part of subcall function 6C87004E: __EH_prolog3_GS.LIBCMT ref: 6C870058
Part of subcall function 6C87004E: GetDeviceCaps.GDI32(?,00000058), ref: 6C870078
Part of subcall function 6C87004E: DeleteObject.GDI32(00000000), ref: 6C8700D4
Part of subcall function 6C87004E: DeleteObject.GDI32(00000000), ref: 6C8700F2
Part of subcall function 6C87004E: DeleteObject.GDI32(00000000), ref: 6C870110
Part of subcall function 6C87004E: DeleteObject.GDI32(00000000), ref: 6C87012E
Part of subcall function 6C87004E: DeleteObject.GDI32(00000000), ref: 6C87014C
Part of subcall function 6C87004E: DeleteObject.GDI32(00000000), ref: 6C87016A
Part of subcall function 6C87004E: DeleteObject.GDI32(00000000), ref: 6C870188
Part of subcall function 6C87004E: DeleteObject.GDI32(00000000), ref: 6C8701A6

Part of subcall function 6C86FC21: GetSystemMetrics.USER32(00000031), ref: 6C86FC2F
Part of subcall function 6C86FC21: GetSystemMetrics.USER32(00000032), ref: 6C86FC3D
Part of subcall function 6C86FC21: SetRectEmpty.USER32(6CA73AFC), ref: 6C86FC50
Part of subcall function 6C86FC21: EnumDisplayMonitors.USER32(00000000,00000000,6C86FA37,6CA73AFC), ref: 6C86FC60
Part of subcall function 6C86FC21: SystemParametersInfoW.USER32(00000030,00000000,6CA73AFC,00000000), ref: 6C86FC6F
Part of subcall function 6C86FC21: SystemParametersInfoW.USER32(00001002,00000000,6CA73B20,00000000), ref: 6C86FC9C
Part of subcall function 6C86FC21: SystemParametersInfoW.USER32(00001012,00000000,6CA73B24,00000000), ref: 6C86FCB0
Part of subcall function 6C86FC21: SystemParametersInfoW.USER32(0000100A,00000000,6CA73B34,00000000), ref: 6C86FCD6

Strings

\sx, xrefs: 6C86FABE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID: \sx
API String ID: 2442922003-995570312
Opcode ID: b37e2dafd915c59496be91e77da1446bc2d5aa523d6eea99354730bbb0572399
Instruction ID: 5e1dcaeae054b9f603f0f814e817b4dfc75fd6d66639f661cc9e2aa49281fa88
Opcode Fuzzy Hash: b37e2dafd915c59496be91e77da1446bc2d5aa523d6eea99354730bbb0572399
Instruction Fuzzy Hash: B711CAB0B00318ABDB249F758C59FEF77BCEB89708F00445DA146D6281CBB44A458FA1

Function 6C9C8019 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6C9C8056
dllmain_crt_dispatch.LIBCMT ref: 6C9C806D
dllmain_raw.LIBCMT ref: 6C9C80B5
dllmain_crt_dispatch.LIBCMT ref: 6C9C80C8
dllmain_raw.LIBCMT ref: 6C9C80DB

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 1044b108a1eb1b4acbf071d66075949e6beeb6a8a4f4fdfafdc31e11d25f8267
Instruction ID: 57584acb0e71d47b919d3f7348d1c707cd4ffcf8fe40cb12bbf5d62b293e5324
Opcode Fuzzy Hash: 1044b108a1eb1b4acbf071d66075949e6beeb6a8a4f4fdfafdc31e11d25f8267
Instruction Fuzzy Hash: DF21A172F05615FBDB268F15CC40AAF3ABDEB95B98F014526F81467A50C331CE418BA7

Function 6C8F8711 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Shell32,?,?,6C84113C,MFCApplication4.AppID.NoVersion,00000001,?,Function_001B32D0,000000FF), ref: 6C8F871C
GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C8F872D

Strings

SetCurrentProcessExplicitAppUserModelID, xrefs: 6C8F8727
Shell32, xrefs: 6C8F8715

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
API String ID: 1646373207-2658420654
Opcode ID: d50f9e489765b63aa73a8709ec25099fef56d7b8a0397aea68b0d1b59fab2698
Instruction ID: df5d1de9be3df554a0a92b84478e59763cdb097df41982041efbb9e970bab8ac
Opcode Fuzzy Hash: d50f9e489765b63aa73a8709ec25099fef56d7b8a0397aea68b0d1b59fab2698
Instruction Fuzzy Hash: 83E04F71705716AB87181BA69818D5E7F68EA826E5301842BF915D7A00DB35D913C6F0

Function 6C9E4F15 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,6C9E54BE,00000000,?,00000000,?,00000000,00000000), ref: 6C9E4FB1
GetLastError.KERNEL32(?,6C9E54BE,00000000,?,00000000,?,00000000,00000000,0000000C,00000000,00000000,6CA66658,00000014,6C9D7014,00000000,00000000), ref: 6C9E4FD7

Strings

\sx, xrefs: 6C9E4F24

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: \sx
API String ID: 442123175-995570312
Opcode ID: 4e634632b5bc193b701e622e871e57af7f59af53da1e2d592bc05beb252f107b
Instruction ID: e0e2be17e9474c9a9c63bb0a1b2b147c1f0091767cfebc0b2b0c8cac2a917e4e
Opcode Fuzzy Hash: 4e634632b5bc193b701e622e871e57af7f59af53da1e2d592bc05beb252f107b
Instruction Fuzzy Hash: C5219130A002199BCB1ACF59C880AE9B7B9EF5D709F1445A9E906D7200D730DE52CF61

Function 6C9E56D3 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,6C9E55BA,00000000,CF830579,6CA66678,0000000C,6C9E5676,6C9D6A25,?), ref: 6C9E5729
GetLastError.KERNEL32(?,6C9E55BA,00000000,CF830579,6CA66678,0000000C,6C9E5676,6C9D6A25,?), ref: 6C9E5733

Strings

0%^, xrefs: 6C9E56ED

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: 0%^
API String ID: 918212764-3205140630
Opcode ID: 197722d67d77f0ccf26b9379be8b169703d23c690dcdcfcf90d2501c82dfbfdd
Instruction ID: e910c65448abf3d6bc2699d657b958155097408116e6e0dfd67c17af12eaa887
Opcode Fuzzy Hash: 197722d67d77f0ccf26b9379be8b169703d23c690dcdcfcf90d2501c82dfbfdd
Instruction Fuzzy Hash: 3A11593260562096C7064276C44579E77AD8FBBF3CF298609E818D6BC1DB72E9478150

Function 6C9E7420 Relevance: 4.5, APIs: 3, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(6C9D80D8,?,6C9D80D8,00000000), ref: 6C9E7428
GetLastError.KERNEL32(?,6C9D80D8,00000000), ref: 6C9E7432
__dosmaperr.LIBCMT ref: 6C9E7439

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: f045de0c52753f467bdcc134c3b094f936e081964c33383546a43cd77fd57f8f
Instruction ID: b44081df2a94d111f365fafc1384c8d2a48e33fdcda9534c462fa17b983641b0
Opcode Fuzzy Hash: f045de0c52753f467bdcc134c3b094f936e081964c33383546a43cd77fd57f8f
Instruction Fuzzy Hash: 66D0A731204609278B041AB69C0C4063B6DAB512783148618F42CC1580EB31D4425111

Function 6C9D7DA0 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,6C9D7D9A,?,?,?,00000000,78E4735C,?,00000000), ref: 6C9D7DB1
TerminateProcess.KERNEL32(00000000,?,6C9D7D9A,?,?,?,00000000,78E4735C,?,00000000), ref: 6C9D7DB8
ExitProcess.KERNEL32 ref: 6C9D7DCA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e5f4ee2f49764fd208496804985c22cbac02ba593d0df3975d531ccc01b46a5
Instruction ID: 12332b02e7e559d0baf50af7529ace34427b625d6d24d611fdbc6d31690c4c0a
Opcode Fuzzy Hash: 5e5f4ee2f49764fd208496804985c22cbac02ba593d0df3975d531ccc01b46a5
Instruction Fuzzy Hash: 2BD01731200A0AABCF042F60CC088893F3AAB15288B11C018B814AA030CF31E893DAA0

Function 6C8AA01F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8AA026

Part of subcall function 6C8F666D: __EH_prolog3_GS.LIBCMT ref: 6C8F6677
Part of subcall function 6C8F666D: GetCurrentThread.KERNEL32 ref: 6C8F66D6
Part of subcall function 6C8F666D: GetCurrentThreadId.KERNEL32 ref: 6C8F66DF
Part of subcall function 6C8F666D: GetVersionExW.KERNEL32 ref: 6C8F677B

Part of subcall function 6C8AA549: __EH_prolog3.LIBCMT ref: 6C8AA550

Strings

Workspace, xrefs: 6C8AA090

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CurrentH_prolog3Thread$H_prolog3_Version
String ID: Workspace
API String ID: 3621167777-258310842
Opcode ID: 80843000fa9dd68371e3c91974346dd59341271a6e6c452a18bb82dc9c249ffb
Instruction ID: 0db508eb1c3bec3a40472bb0da6887ab7b01a224a2c85639acc8d75f25c47899
Opcode Fuzzy Hash: 80843000fa9dd68371e3c91974346dd59341271a6e6c452a18bb82dc9c249ffb
Instruction Fuzzy Hash: FF2104B0A00A16AFC758CF78C5407E9FAA4BF18704F508B2AD47DE7740D77066658BD1

Function 6C96ECC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(00000004), ref: 6C96ECE0

Strings

\sx, xrefs: 6C96ED07

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Malloc
String ID: \sx
API String ID: 2696272793-995570312
Opcode ID: e79b763d1b92508f6306b64d339901068103cdeceed2a7b8196f55d3a6a3b054
Instruction ID: 89a485a5a66d21a8bc8c67b032dbcfc9088befa420faf5b3af22cdfdf67ab460
Opcode Fuzzy Hash: e79b763d1b92508f6306b64d339901068103cdeceed2a7b8196f55d3a6a3b054
Instruction Fuzzy Hash: 5B11A1727043259FEB18CF09D804B56B7F8FB09B29F10852EE415C3A80D738E841CB90

Function 6C9E5353 Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C9E4A69: GetConsoleOutputCP.KERNEL32(78E4735C,00000000,00000000,00000000), ref: 6C9E4ACC

WriteFile.KERNELBASE(?,00000000,?,00000000,00000000,00000000,00000000,0000000C,00000000,00000000,6CA66658,00000014,6C9D7014,00000000,00000000,00000000), ref: 6C9E54D8
GetLastError.KERNEL32 ref: 6C9E54E2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: e60db3a80de32912c535d1232b97cc58ba065235c1096f5ec9a947216513959f
Instruction ID: c8c3ebc01db733e58bc9951c953a52c529cbbf1e34150851f4140de24ccfebc6
Opcode Fuzzy Hash: e60db3a80de32912c535d1232b97cc58ba065235c1096f5ec9a947216513959f
Instruction Fuzzy Hash: 5661B771D04219AFDF02CFE8C844AEEBBBABF6D308F144549E814A7652D772D905CB60

Function 6C847A80 Relevance: 3.2, APIs: 2, Instructions: 194COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 6C847C2D
__fread_nolock.LIBCMT ref: 6C847C4F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: b7820042098da492085148a100d4a16174ee2d72cef90cd5d92ceb65b6c8a3ac
Instruction ID: a5cf845f853e1858cc65d65d157d439762227c48e5e4497167c0ce866615d63d
Opcode Fuzzy Hash: b7820042098da492085148a100d4a16174ee2d72cef90cd5d92ceb65b6c8a3ac
Instruction Fuzzy Hash: 5C619F326052099FCB14CF2DC98095AB7E1EF89324F15CAA9FC18CB754E731D909CB91

Function 6C9C7E64 Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C9C7EB1

Part of subcall function 6C9C8F42: InitializeSListHead.KERNEL32(6CA75960,6C9C7EBB,6CA65F30,00000010,6C9C7E4C,?,?,?,6C9C8072,?,00000001,?,?,00000001,?,6CA65F78), ref: 6C9C8F47

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C9C7F1B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 360281a7b3ee15f0e13a80641cd9915d801dc877348a6b7bd4758d31d1b7dcbc
Instruction ID: bcd62a7ec6be0723a7fb4a3475e012017139f2f12deb374a7f9cf90c4fbc0011
Opcode Fuzzy Hash: 360281a7b3ee15f0e13a80641cd9915d801dc877348a6b7bd4758d31d1b7dcbc
Instruction Fuzzy Hash: CB21013234A3029ADB09ABB094007DC37B5AF3636DF24444AC04497FC1CB31D599C6B7

Function 6C9E7199 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,6C9E72D3,00000000,00000000,00000000,00000002,00000000), ref: 6C9E71D5
GetLastError.KERNEL32(00000000,?,6C9E72D3,00000000,00000000,00000000,00000002,00000000,?,6C9E53F8,00000000,00000000,00000000,00000002,00000000,00000000), ref: 6C9E71E2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 96708031251126b8b0fbcad8187d30b8460d8974b4eb537920f6b5a36c3acf68
Instruction ID: 833e62ed5d26200861398beff3cc7fc32f50de39710a7b74d4a7faf2979b5551
Opcode Fuzzy Hash: 96708031251126b8b0fbcad8187d30b8460d8974b4eb537920f6b5a36c3acf68
Instruction Fuzzy Hash: 74010832710615AFCB0A8F59CC45C8D3B69EF99324B244648F810DB291EB71EA428B90

Function 6C9E1598 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,6C9DFDF6), ref: 6C9E15AE
GetLastError.KERNEL32(?,?,6C9DFDF6), ref: 6C9E15B9

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 277cc111f1b97744dda70b0a7562e745918ff2291df3c7efd2c7188a537f1628
Instruction ID: c53b40213ce002c9c2ba9a3495da5a006ab6254bc5e2f56f3e16056f6330a31e
Opcode Fuzzy Hash: 277cc111f1b97744dda70b0a7562e745918ff2291df3c7efd2c7188a537f1628
Instruction Fuzzy Hash: C2E04F312007146ACB121BA1990CB893A68AB56699F118465F509D6950DB30E952D794

Function 6C856D30 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C85702F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: b4190fb6cec371b4b23e29e00d682af346b083ad23795241f4566b4fc38f7056
Instruction ID: dca6901788a7223bea04c642753f583a40594ec66343b8a7f521b41ceb7919c0
Opcode Fuzzy Hash: b4190fb6cec371b4b23e29e00d682af346b083ad23795241f4566b4fc38f7056
Instruction Fuzzy Hash: F3912C71900298CBDB60CF68C944B9EBBF4BF14318F14C9A9D44EA7751DB75AA88CF90

Function 6C9DE7C9 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df54314a5c26285104c7cfa84f2afe779e9003d31bb2eeb6b20019d207464f60
Instruction ID: 4be75969deb12bae20d1019e0003ff94ed7e9eaf9abe3a4d2d79696126ddee40
Opcode Fuzzy Hash: df54314a5c26285104c7cfa84f2afe779e9003d31bb2eeb6b20019d207464f60
Instruction Fuzzy Hash: 4A51C570A00A04AFCB05CF58C880A9DBBB5EF5A368F26C159F8486B751D371EE81CBD0

Function 6C86ECCF Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C86ECD6

Part of subcall function 6C86FAB5: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000001,6CA73990), ref: 6C86FB12
Part of subcall function 6C86FAB5: VerSetConditionMask.KERNEL32(00000000), ref: 6C86FB1A
Part of subcall function 6C86FAB5: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C86FB2B
Part of subcall function 6C86FAB5: GetSystemMetrics.USER32(00001000), ref: 6C86FB3C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
String ID:
API String ID: 2710481357-0
Opcode ID: bbe5fb487c6d4d9ce629daade1102018cb531d856f955264de5bf9adafd9d6e8
Instruction ID: 3c191b546f277bedcc915f6d1610befda680eb29976381ffd25ed7fc83cf4131
Opcode Fuzzy Hash: bbe5fb487c6d4d9ce629daade1102018cb531d856f955264de5bf9adafd9d6e8
Instruction Fuzzy Hash: C051DEB0905F458FD3A9CF3A85417C6FAE0BF89300F108A2E91AED6660EB716184CF55

Function 6C84FE80 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C84FF8A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 302f5c4788d6ef1c1b654547d340b4673163a46b988f14f69e9299f643723ab8
Instruction ID: 1c60c355d54857f526cb1b2fcf7f33807970e04cac774cfeb5d95006737d269d
Opcode Fuzzy Hash: 302f5c4788d6ef1c1b654547d340b4673163a46b988f14f69e9299f643723ab8
Instruction Fuzzy Hash: CA312971A01258DFDB20DF58DE95F99B7B8FB04308F1486A9E8099B791E735AD48CF40

Function 6C9EBA22 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 6C9EB9D9

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 5f9ff44c075ffd694e43ed6839986c6d553e01da718ae4262b3c0dc1131da23b
Instruction ID: bde51af65e4578d7ac0329f7425787920a82935f26685a59d8cbc2e89ae7b5d5
Opcode Fuzzy Hash: 5f9ff44c075ffd694e43ed6839986c6d553e01da718ae4262b3c0dc1131da23b
Instruction Fuzzy Hash: C8114C71A0420AAFCF06DF58E9459DF7BF9EF49318F154069F818AB301D670E911CBA4

Function 6C9432A0 Relevance: 1.6, APIs: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9432A7

Part of subcall function 6C942F70: TlsAlloc.KERNEL32(?,6C9432D3,00000004,6C873120,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000,?,?,6C86E04D,6C842126,?,?), ref: 6C942F8F
Part of subcall function 6C942F70: InitializeCriticalSection.KERNEL32(6CA7515C), ref: 6C942FA0

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AllocCriticalH_prolog3InitializeSection
String ID:
API String ID: 2369468792-0
Opcode ID: eddd46f3c90b876d15188630d0c4bebb69147f16b54523a4a30dc02c5aa310ef
Instruction ID: 795c895b89661ac4e1785fa8375777b6da7b9deb3f8be109b16ad4e494950e83
Opcode Fuzzy Hash: eddd46f3c90b876d15188630d0c4bebb69147f16b54523a4a30dc02c5aa310ef
Instruction Fuzzy Hash: 89117C34B016128BEF199F79C85569D77BABF20689FA086289811CBF80DF30CA02CB50

Function 6C9E47AC Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C9E2B50,00000001,00000364,00000000,FFFFFFFF,000000FF,?,?,6C9DFDF6), ref: 6C9E47ED

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 753902100f8d78ef8e2939151e49ea08145251f681a45019055fe6f43c760b9e
Instruction ID: f8b585d15b31c43e3b25b3df356d98cc0d7138e8555541476003256d4787de7e
Opcode Fuzzy Hash: 753902100f8d78ef8e2939151e49ea08145251f681a45019055fe6f43c760b9e
Instruction Fuzzy Hash: C5F0593160162656EB030AA38C04B9B376CBF7BF78F108122AC14E6A80CF32D8018EF0

Function 6C9F134C Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,?,6C9F173C,?,?,00000000,?,6C9F173C,?,0000000C), ref: 6C9F1369

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9d5d8ffed56cf7b70a199dd71324f307333fde7baf38fe1f4d2c6b598dfa5020
Instruction ID: 510e23a99c4ff8725022b6ac6564869506dffaed744d24759a64e2aeb5dc799e
Opcode Fuzzy Hash: 9d5d8ffed56cf7b70a199dd71324f307333fde7baf38fe1f4d2c6b598dfa5020
Instruction Fuzzy Hash: 15D06C3214024DBBDF029E84DD06EDA3FAAFB48754F018050BA1896020C732E822AB91

Function 6C86E03F Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 6C86E04E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: c6e38fa65332817917c14c8697e85f8c400fb719a4f30a3b5a06ba78465fd85e
Instruction ID: 12982b7e35a13424458cab3bd00ad4c55c4fb52eaf6fda8cab73d925bbc67465
Opcode Fuzzy Hash: c6e38fa65332817917c14c8697e85f8c400fb719a4f30a3b5a06ba78465fd85e
Instruction Fuzzy Hash: ACB09260A02211EADF205A329F0831A29646B4530EF58DCA8F044C2D04DF39C44B86A1

Function 6C8572A0 Relevance: 1.3, APIs: 1, Instructions: 4sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00011D28), ref: 6C8572A5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fa1cc754c6b5efb938fac0f1b2993fef920e2bdfde96f803b27e07e4b254e2d8
Instruction ID: a32586b38cb02191ef3c6d975ec2321e97a48d24e72c5115db8488da512afd30
Opcode Fuzzy Hash: fa1cc754c6b5efb938fac0f1b2993fef920e2bdfde96f803b27e07e4b254e2d8
Instruction Fuzzy Hash: C9A022303002000203088338080E88228E80FB8302300C0203300C8000CF3000028220

Function 004A152F Relevance: 1.0, Instructions: 1003COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3181055019.000000000049F000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3180911974.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3180934718.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3180955468.000000000040C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3180955468.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3180955468.0000000000456000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda3440530c695fabe89684c08ced21f14d361cbd0f309897fafc30276024117
Instruction ID: 43da5d217c0980cd259a2d2a29eecca7fa398e6e45ce52ccb5a58d6b0a96cd39
Opcode Fuzzy Hash: eda3440530c695fabe89684c08ced21f14d361cbd0f309897fafc30276024117
Instruction Fuzzy Hash:

Non-executed Functions

Function 6C91BD12 Relevance: 40.5, APIs: 26, Instructions: 1490windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C91BD1C
CreateCompatibleDC.GDI32(00000000), ref: 6C91BDA1
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C91BDDE
SelectObject.GDI32(?,00000000), ref: 6C91BE44
__floor_pentium4.LIBCMT ref: 6C91BF84
__floor_pentium4.LIBCMT ref: 6C91C045
__floor_pentium4.LIBCMT ref: 6C91C17D
__floor_pentium4.LIBCMT ref: 6C91C204
__floor_pentium4.LIBCMT ref: 6C91C5D8
__floor_pentium4.LIBCMT ref: 6C91C86F
DeleteObject.GDI32(?), ref: 6C91CA63
__EH_prolog3.LIBCMT ref: 6C91CAA1
CreateCompatibleDC.GDI32(00000000), ref: 6C91CAF6
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C91CB24

Part of subcall function 6C91BA66: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C91BADD

SelectObject.GDI32(?,00000000), ref: 6C91CB83
BitBlt.GDI32(?,00000000,00000000,?,?,00000001,?,?,00CC0020), ref: 6C91CBA8
OffsetRect.USER32(?,?,?), ref: 6C91CBBE
InflateRect.USER32(?,000000FF,000000FF), ref: 6C91D1D0

Part of subcall function 6C86D46D: __EH_prolog3.LIBCMT ref: 6C86D474
Part of subcall function 6C86D46D: CreateSolidBrush.GDI32(?), ref: 6C86D48F

Part of subcall function 6C86E6E0: SelectObject.GDI32(?,00000000), ref: 6C86E700
Part of subcall function 6C86E6E0: SelectObject.GDI32(?,00000000), ref: 6C86E716

Part of subcall function 6C86E74D: GetStockObject.GDI32(?), ref: 6C86E757
Part of subcall function 6C86E74D: SelectObject.GDI32(?,00000000), ref: 6C86E76B
Part of subcall function 6C86E74D: SelectObject.GDI32(?,00000000), ref: 6C86E77B

Ellipse.GDI32(?,?,?,?,000000FF), ref: 6C91CD83
Ellipse.GDI32(?,?,?,?,000000FF), ref: 6C91CDA6
Ellipse.GDI32(?,?,?,?,000000FF), ref: 6C91CDC2
Ellipse.GDI32(?,?,?,?,?), ref: 6C91CDFF
Ellipse.GDI32(?,?,?,?,000000FF), ref: 6C91CE1B
Rectangle.GDI32(?,?,?,?,000000FF), ref: 6C91CE43
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C91D23B

Part of subcall function 6C86E681: SelectObject.GDI32(00000048,?), ref: 6C86E68A

DeleteObject.GDI32(?), ref: 6C91D258

Part of subcall function 6C86D662: DeleteDC.GDI32(00000000), ref: 6C86D696

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Select$Create__floor_pentium4$Ellipse$Compatible$Delete$BitmapH_prolog3Rect$BrushH_prolog3_InflateOffsetRectangleSectionSolidStock
String ID:
API String ID: 2862932853-0
Opcode ID: 819c5a1757538aa21c748793278092d86f61450808aa6a42c8530eeed4cb0a22
Instruction ID: 35b86ab46d0c52cdaf6606144e07a4a85547075cd42a845c8d6fe609523cd5c3
Opcode Fuzzy Hash: 819c5a1757538aa21c748793278092d86f61450808aa6a42c8530eeed4cb0a22
Instruction Fuzzy Hash: 6FD2B271D14A1C9ECB17CFB8C8516EDFBB9AF5A384F10835AE419B7651EB309982CB10

Function 6C8EA161 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 213windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C8EA19E
IsWindowVisible.USER32(?), ref: 6C8EA1B9
GetWindowRect.USER32(?,?), ref: 6C8EA21B
IsIconic.USER32(?), ref: 6C8EA22A
CopyRect.USER32(?,?), ref: 6C8EA258
MonitorFromPoint.USER32(?,?,00000002), ref: 6C8EA28F
GetMonitorInfoW.USER32(00000000), ref: 6C8EA296
CopyRect.USER32(?,?), ref: 6C8EA2A8
CopyRect.USER32(?,?), ref: 6C8EA2B6
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C8EA2EC
OffsetRect.USER32(?,?,?), ref: 6C8EA31B
GetSystemMetrics.USER32(00000022), ref: 6C8EA3A2
GetSystemMetrics.USER32(00000023), ref: 6C8EA3AD

Strings

\sx, xrefs: 6C8EA16A
,, xrefs: 6C8EA241
(, xrefs: 6C8EA26D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$CopySystemWindow$InfoMetricsMonitorVisible$FromIconicOffsetParametersPoint
String ID: ($,$\sx
API String ID: 388708526-2141389120
Opcode ID: d1c536a0c2a19a388783f00b87639b8f6589d663a61ed912f446b83ba8b44f31
Instruction ID: 01f16d95a2cfd3659e5f69c494203039d040b8f22fd6f6e86fc79e4319b38522
Opcode Fuzzy Hash: d1c536a0c2a19a388783f00b87639b8f6589d663a61ed912f446b83ba8b44f31
Instruction Fuzzy Hash: D4816E71E0121A9BDB14CFB8CA88BEEBBB9FF09708F104569E415E7641DB30E945CB90

Function 6C91EBD1 Relevance: 19.9, APIs: 13, Instructions: 419windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C91EBD8
CreateCompatibleDC.GDI32(00000000), ref: 6C91EC5E
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C91EC95
SelectObject.GDI32(?,00000000), ref: 6C91ECF4
BitBlt.GDI32(?,00000000,00000000,?,?,00000001,?,?,00CC0020), ref: 6C91ED1C
MulDiv.KERNEL32(?,00000048,00000064), ref: 6C91EF0E
MulDiv.KERNEL32(?,00000048,00000064), ref: 6C91EF29
MulDiv.KERNEL32(6C85F46A,00000048,00000064), ref: 6C91EF45
MulDiv.KERNEL32(6C85F46A,00000048,00000064), ref: 6C91EF60
MulDiv.KERNEL32(?,00000048,00000064), ref: 6C91EF79
MulDiv.KERNEL32(?,00000048,00000064), ref: 6C91EF93
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C91EFF2
DeleteObject.GDI32(?), ref: 6C91F009

Part of subcall function 6C87F3FD: FillRect.USER32(?,?,-000000A8), ref: 6C87F419

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreateObject$BitmapDeleteFillH_prolog3RectSelect
String ID:
API String ID: 3910664508-0
Opcode ID: 49747aa634412d00c7b4ab428a3474be234ed8624e0c767afce0efe021dc5312
Instruction ID: 8e5f23c5aeb0b6c907e808962d4f71a6165fca7151a50c383cbfa5864c741569
Opcode Fuzzy Hash: 49747aa634412d00c7b4ab428a3474be234ed8624e0c767afce0efe021dc5312
Instruction Fuzzy Hash: 7FF1BE31A0421E9FCF18CF69C956AAE7BB4EF49308F14861AF915B7E81D730D945CBA0

Function 6C8E935C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C915431: IsWindow.USER32(00000000), ref: 6C915450

IsIconic.USER32(?), ref: 6C8E9390
GetWindowRect.USER32(?,6C8EC845), ref: 6C8E93C9
IsIconic.USER32(?), ref: 6C8E93EA
GetSystemMetrics.USER32(00000004), ref: 6C8E93F6
OffsetRect.USER32(6C8EC845,00000000,00000000), ref: 6C8E9406
GetSystemMetrics.USER32(00000004), ref: 6C8E940E
IsIconic.USER32(?), ref: 6C8E9444
GetSystemMetrics.USER32(00000021), ref: 6C8E9451
GetSystemMetrics.USER32(00000020), ref: 6C8E945C

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

Strings

\sx, xrefs: 6C8E9362

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MetricsSystem$IconicWindow$Rect$LongOffset
String ID: \sx
API String ID: 812917121-995570312
Opcode ID: 396b27f5b06417b5aa5b9cc6a9c980c5d3f4f38c7849f63e11a62dfb4016e1de
Instruction ID: b7eb4dd8f8ae52089fef033d214510738e13ce3b89b0e888cbe11fb8df4ce4e2
Opcode Fuzzy Hash: 396b27f5b06417b5aa5b9cc6a9c980c5d3f4f38c7849f63e11a62dfb4016e1de
Instruction Fuzzy Hash: 9A311C71B0030A9FCB14DFA9C988BAAB7F5FF09308F148559E505E7251D770A986CB51

Function 6C9A1501 Relevance: 15.6, APIs: 10, Instructions: 599windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9A1508
_memcpy_s.LIBCMT ref: 6C9A1699
_memcpy_s.LIBCMT ref: 6C9A1708
PathRemoveFileSpecW.SHLWAPI(?,?,00000000), ref: 6C9A183C
GetFocus.USER32 ref: 6C9A1B25
IsWindowEnabled.USER32(00000000), ref: 6C9A1B5B
EnableWindow.USER32(00000000,00000000), ref: 6C9A1B73
EnableWindow.USER32(00000000,00000001), ref: 6C9A1C14
IsWindow.USER32(00000000), ref: 6C9A1C1B
SetFocus.USER32(00000000), ref: 6C9A1C26

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$EnableFocus_memcpy_s$EnabledFileH_prolog3PathRemoveSpec
String ID:
API String ID: 2321674057-0
Opcode ID: 9e8c63deb7bbe95609cf4a79e8dc6d6cf0ac89837919dce9105d92f72ab22826
Instruction ID: 71793e19060dac134d07328dd876d3d08a10aac9e4812b72e0626ac87329e816
Opcode Fuzzy Hash: 9e8c63deb7bbe95609cf4a79e8dc6d6cf0ac89837919dce9105d92f72ab22826
Instruction Fuzzy Hash: A1329D31A0161ADFDB04CFA8C980AEEB7B5FF49314F154669E815EB691DB30ED06CB90

Function 6C89E837 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 438COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C89E86A
SetRectEmpty.USER32(?), ref: 6C89E877
InflateRect.USER32(00000000,00000000,?), ref: 6C89E974

Strings

\sx, xrefs: 6C89E83D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Empty$Inflate
String ID: \sx
API String ID: 3025764292-995570312
Opcode ID: 611527d75dd8426048adc533a26360393b40d624b47142616b7c4886e8ac7e05
Instruction ID: ccd95b582f8317af67e181b90de16b79bae7f143b6881f828b25b1c10c1ca1cc
Opcode Fuzzy Hash: 611527d75dd8426048adc533a26360393b40d624b47142616b7c4886e8ac7e05
Instruction Fuzzy Hash: 31F1A131A0060AEFDF19CF68C944BDEBBB1FF49318F144629E815A7690DB71A856CB90

Function 6C9EC378 Relevance: 12.0, APIs: 1, Strings: 5, Instructions: 1473COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6C9EC58F

Strings

\sx, xrefs: 6C9EC383
1#SNAN, xrefs: 6C9EC484
1#QNAN, xrefs: 6C9EC48B
1#INF, xrefs: 6C9EC4AE
1#IND, xrefs: 6C9EC47D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$\sx
API String ID: 4168288129-1106195145
Opcode ID: eb252b0823daa3f0a91ee90f224fe578d23fe35e170d6e78e5c2fd698eb6d1f5
Instruction ID: 7bcc4c523ec51b1496e4c76e7014026643818cebc7f575bc7d7235bb6fac8ca8
Opcode Fuzzy Hash: eb252b0823daa3f0a91ee90f224fe578d23fe35e170d6e78e5c2fd698eb6d1f5
Instruction Fuzzy Hash: EDD24A72E092298FDB65CE28CC407D9B7B9EF99308F1441EAD44DE7640E778EA858F41

Function 6C9EF821 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6C9EF929
IsValidCodePage.KERNEL32(00000000), ref: 6C9EF967
IsValidLocale.KERNEL32(?,00000001), ref: 6C9EF97A
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6C9EF9C2
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6C9EF9DD

Strings

\sx, xrefs: 6C9EF829

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: \sx
API String ID: 415426439-995570312
Opcode ID: ca7fae4d26cebddbdb04a52a1081c208b5a336285ceacd1f4a49d14e92802ebf
Instruction ID: 9287ab6697faf21a3d1fe931c3647b45fd6b6bf2d7b6c9d0a622c12a2a481b1c
Opcode Fuzzy Hash: ca7fae4d26cebddbdb04a52a1081c208b5a336285ceacd1f4a49d14e92802ebf
Instruction Fuzzy Hash: 17519372A0120AABEF02CFA5EC40AEA73BCEF7D70CF10446AE555E7540E770DA458761

Function 6C9EEEAC Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

GetACP.KERNEL32(?,?,?,?,?,?,6C9E33E2,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6C9EEF6B
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6C9E33E2,?,?,?,00000055,?,-00000050,?,?), ref: 6C9EEFA2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6C9EF105

Strings

\sx, xrefs: 6C9EF0BC
utf8, xrefs: 6C9EF074

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: \sx$utf8
API String ID: 607553120-1747617328
Opcode ID: 539e7c597e6a1752bc59a308495a2d81f1fa0895137b38b8e75e3bbd015bf2aa
Instruction ID: 8e800401091a14034d5cd6e38c368d6a6d21520d0c9c9ec696605560f8fb840e
Opcode Fuzzy Hash: 539e7c597e6a1752bc59a308495a2d81f1fa0895137b38b8e75e3bbd015bf2aa
Instruction Fuzzy Hash: 39713231601606EAE716AF35DC41BEA73ACEF7D70CF10456AE915DBA80FB30E94587A0

Function 6C9EF645 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,6C9EF957,00000002,00000000,?,?,?,6C9EF957,?,00000000), ref: 6C9EF6DE
GetLocaleInfoW.KERNEL32(?,20001004,6C9EF957,00000002,00000000,?,?,?,6C9EF957,?,00000000), ref: 6C9EF707
GetACP.KERNEL32(?,?,6C9EF957,?,00000000), ref: 6C9EF71C

Strings

ACP, xrefs: 6C9EF663
OCP, xrefs: 6C9EF699

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: acc1b08a1f0a5e7606fe02de73637cc1b8731bfc27f464fe2628e3df07265aa4
Instruction ID: 9706df126ab296c74a87a08ca3dbf087d4d38c5adf87fa86383cae2bc7922647
Opcode Fuzzy Hash: acc1b08a1f0a5e7606fe02de73637cc1b8731bfc27f464fe2628e3df07265aa4
Instruction Fuzzy Hash: B321F462705105A7EB168F6AE900A8773BEEF6CF5CB66816AE809C7920F733D941C350

Function 6C9EF2C9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6C9EF31D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6C9EF367
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6C9EF42D

Strings

\sx, xrefs: 6C9EF2D4

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID: \sx
API String ID: 661929714-995570312
Opcode ID: cd8e1191deeeea0667ec1af999341e1433d3c036ccd0186cc61e3acf2b67f267
Instruction ID: 53d7189d127155a48c73effe8c6234003e446e9b693472aea0230e13abc57817
Opcode Fuzzy Hash: cd8e1191deeeea0667ec1af999341e1433d3c036ccd0186cc61e3acf2b67f267
Instruction Fuzzy Hash: 6F61D5725102079BEB1A8F28DC85BAA73B8FF2830CF2441ABDD05C6A84FB34D945CB54

Function 6C9D2A72 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C9D2B6A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C9D2B74
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C9D2B81

Strings

\sx, xrefs: 6C9D2A7D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: \sx
API String ID: 3906539128-995570312
Opcode ID: 782acba21b92ad2d4171779b7d0460f220a60220a782ac5f5cd350cdb1ec9f4e
Instruction ID: 710efce9f51f3d4899d22a97a90070169d41a4edfd749d1f10987c97ae0ef563
Opcode Fuzzy Hash: 782acba21b92ad2d4171779b7d0460f220a60220a782ac5f5cd350cdb1ec9f4e
Instruction Fuzzy Hash: 9231D374A01319ABCB25DF25C8887DDBBB8BF18314F5081EAE41CA7250E7749B858F45

Function 6C9D6000 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31143bf70f31fe54bb0b7b911e31a5d3aba014327072bf311d4d32eaeb942acb
Instruction ID: 170b477125c5c8d80dfd9b85e2491c3093131edcbd315233700d041311ad8d8b
Opcode Fuzzy Hash: 31143bf70f31fe54bb0b7b911e31a5d3aba014327072bf311d4d32eaeb942acb
Instruction Fuzzy Hash: E0025B71E016199BDB14CFA9C8806AEFBF5FF48318F25866AD919F7740D731AA05CB80

Function 6C8F666D Relevance: 6.1, APIs: 4, Instructions: 84threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8F6677

Part of subcall function 6C895C4C: __EH_prolog3.LIBCMT ref: 6C895C53

GetCurrentThread.KERNEL32 ref: 6C8F66D6
GetCurrentThreadId.KERNEL32 ref: 6C8F66DF
GetVersionExW.KERNEL32 ref: 6C8F677B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CurrentThread$H_prolog3H_prolog3_Version
String ID:
API String ID: 786120064-0
Opcode ID: 683fdcf91af5266602a3f66769441289bcb598c1bc865602a93a16f0a6bcaf5c
Instruction ID: 825e1e4582064476b5eadaa5971646c4494577892dfecef2484c622071374e0b
Opcode Fuzzy Hash: 683fdcf91af5266602a3f66769441289bcb598c1bc865602a93a16f0a6bcaf5c
Instruction Fuzzy Hash: F0419EB0901B04CFD7218F2A8A8468AFAF4BB59744F908A6ED1AEC7B10DB30A545CF55

Function 6C9C8D8D Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6C9C8D99
IsDebuggerPresent.KERNEL32 ref: 6C9C8E65
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C9C8E7E
UnhandledExceptionFilter.KERNEL32(?), ref: 6C9C8E88

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b9cf2123b669975c021aabee2f220ed7f7e7e7db35cb5db2ee7601b668a49acf
Instruction ID: 19b3d357cda965449503649b7568761370581faf076e66c47bd94440dda1bb00
Opcode Fuzzy Hash: b9cf2123b669975c021aabee2f220ed7f7e7e7db35cb5db2ee7601b668a49acf
Instruction Fuzzy Hash: A8310875E013199BDF21EFA4C9497CDBBB8AF18304F1041EAE50DAB240EB709B858F46

Function 6C87400C Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 6C874042
IsIconic.USER32(?), ref: 6C87404B

Part of subcall function 6C86CC71: ShowWindow.USER32(?,6C9AEDF4,00000000,?,6C87A7D4,00000000,?,?,6C9AEDF4,?,00000000,?,?,6C87A374,00000000,000000FF), ref: 6C86CC82

PostMessageW.USER32(?,00000000,?,00000005), ref: 6C874073
IsIconic.USER32(?), ref: 6C87407C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: IconicWindow$ForegroundMessagePostShow
String ID:
API String ID: 675533722-0
Opcode ID: dc6dc4e8e59c3788992ff20ba4c5c1b24c7e284e7765f4a64cd704f19b359fee
Instruction ID: a13789f25920ce1730b61ca15fc91a6ab3c887092d3f9d065979e01f33e2fba9
Opcode Fuzzy Hash: dc6dc4e8e59c3788992ff20ba4c5c1b24c7e284e7765f4a64cd704f19b359fee
Instruction Fuzzy Hash: 4701F932300611BFDF291739CD5CE6A3B75FFCA369B11062DF509C6A90DB218802CAA0

Function 6C86834F Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

GetKeyState.USER32(00000010), ref: 6C86836C
GetKeyState.USER32(00000011), ref: 6C868379
GetKeyState.USER32(00000012), ref: 6C868386
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6C8683A0

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 1754b221dbca50e4f8155432dc5ce5172bdc24839e3f973e3e0b58a7382a0111
Instruction ID: c12afc179027177155b3015ead02caf2c22e6eaf9cec17232c0e697200915b92
Opcode Fuzzy Hash: 1754b221dbca50e4f8155432dc5ce5172bdc24839e3f973e3e0b58a7382a0111
Instruction Fuzzy Hash: 8EF0B43139534B1BE9342636CF05BA925609F03BC9F451D2AA506EFDC0CBA08443A361

Function 6C9C8EAA Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6C9C8EBC
GetCurrentThreadId.KERNEL32 ref: 6C9C8ECB
GetCurrentProcessId.KERNEL32 ref: 6C9C8ED4
QueryPerformanceCounter.KERNEL32(?), ref: 6C9C8EE1

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: af324f737a8dda01a48f338230739fdb556d94999143db00647f7b9e941e47bc
Instruction ID: 77dd52ec3534236ed8e246bda3f4fd0a758294cbd0326dcb2cd38d57fcc0d85f
Opcode Fuzzy Hash: af324f737a8dda01a48f338230739fdb556d94999143db00647f7b9e941e47bc
Instruction Fuzzy Hash: 60F06774E1020DEBCF04DBB4C54999EBBF8FF1D244B918596A412E7100E730AB46DB50

Function 6C9C84AC Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6C9C85CC,6CA39B40), ref: 6C9C84B1
UnhandledExceptionFilter.KERNEL32(6C9C85CC,?,6C9C85CC,6CA39B40), ref: 6C9C84BA
GetCurrentProcess.KERNEL32(C0000409,?,6C9C85CC,6CA39B40), ref: 6C9C84C5
TerminateProcess.KERNEL32(00000000,?,6C9C85CC,6CA39B40), ref: 6C9C84CC

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: fae2067265b0b750433c924712ce27409701a6725b2695d84e85b7a2f67c085e
Instruction ID: dd3fe96d44c4f85f83f8c0d12f3dea184b3a9d7685a1d2fef50bd9dae4add98c
Opcode Fuzzy Hash: fae2067265b0b750433c924712ce27409701a6725b2695d84e85b7a2f67c085e
Instruction Fuzzy Hash: 12D0123130030AABEF092BE0CC0CA183F38EB0A28AF00C01CFB09C1042CF3144938BA2

Function 6C86479B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,6C86BE5C,00000010,6CA55C00,00000010,6C865A99,00000000,?,6C8D9E87,?), ref: 6C8647AF
GetLastError.KERNEL32(?,?,?,6C86BE5C,00000010,6CA55C00,00000010,6C865A99,00000000,?,6C8D9E87,?), ref: 6C8647E6

Part of subcall function 6C8648CE: GetModuleFileNameW.KERNEL32(?,?,00000105,?,6C86BE5C,00000010,6CA55C00,00000010,6C865A99,00000000,?,6C8D9E87,?), ref: 6C86497E
Part of subcall function 6C8648CE: SetLastError.KERNEL32(0000006F,?,6C86BE5C,00000010,6CA55C00,00000010,6C865A99,00000000,?,6C8D9E87,?), ref: 6C864992

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 6C8647AA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$DebugFileModuleNameOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 3265401609-2690750368
Opcode ID: e59cf95677a87680d08b3ef9515be64c9467a6148f5515ef3bed74ef1a17b991
Instruction ID: c8d05080f9675510130877121ef825b8030914ae1808f1e246c16b13b8bc0133
Opcode Fuzzy Hash: e59cf95677a87680d08b3ef9515be64c9467a6148f5515ef3bed74ef1a17b991
Instruction Fuzzy Hash: 9AF0F435715276474B38EBABCB6066E76A8B7C3B8C7204D35EE16D1E00DB20C4428AA1

Function 6C9EF51C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6C9EF570

Strings

\sx, xrefs: 6C9EF527

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: \sx
API String ID: 3736152602-995570312
Opcode ID: c219c8f968f424918df5243804f4b8619d401623035608ee57938919d9bc529e
Instruction ID: 4fb98f1990bf297a9af53df37557212746d0b0c6389e45382dca777df1a40c67
Opcode Fuzzy Hash: c219c8f968f424918df5243804f4b8619d401623035608ee57938919d9bc529e
Instruction Fuzzy Hash: A321B332625206ABDB19CE29D841ABB73ACEF7931CB10416BED01D6A40EF35E945C750

Function 6C9EF0B1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6C9EF105

Strings

\sx, xrefs: 6C9EF0BC
utf8, xrefs: 6C9EF074

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: \sx$utf8
API String ID: 3736152602-1747617328
Opcode ID: a4977d7263f608bbad8f1ad467c92c388a54509266505d8f9bb2ec5e6c5bca15
Instruction ID: 99b643cdfbe4b6d56eb5ae1805871922f61ca7af160a17a0bb2a79f1a72227f1
Opcode Fuzzy Hash: a4977d7263f608bbad8f1ad467c92c388a54509266505d8f9bb2ec5e6c5bca15
Instruction Fuzzy Hash: 52F0A432B01206ABDB199E28D849AFA73ACDF7931CF1141BEA502D7640DB74EE068754

Function 6C9E5AC0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C9E0A15: EnterCriticalSection.KERNEL32(-6CA75F28,?,6C9D7BCF,?,6CA663C8,00000008,6C9D7D7F,?,?,00000000,78E4735C,?,00000000), ref: 6C9E0A24

EnumSystemLocalesW.KERNEL32(6C9E5AB3,00000001,6CA666B8,0000000C,6C9E5F28,00000000), ref: 6C9E5AF8

Strings

\sx, xrefs: 6C9E5B00

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID: \sx
API String ID: 1272433827-995570312
Opcode ID: 61004db08d1df58222d23d0289354a99b5284e95eccbcd3eec3e726326dc75b5
Instruction ID: 8d5515d4de3a1b51c46a39445f7417168b08e2b18b2420681142edd5a5115b3f
Opcode Fuzzy Hash: 61004db08d1df58222d23d0289354a99b5284e95eccbcd3eec3e726326dc75b5
Instruction Fuzzy Hash: DFF03C76B00216DFDB05DF58D541B9977B0FB69329F00811AE410DBB90CB759945CF50

Function 6C868A35 Relevance: 3.4, APIs: 2, Instructions: 404COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C868A3F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 32ab6f4b200ab8bbd79e3ab9f3c45c81036daa508e632f880b3cee9d3bd2ed8f
Instruction ID: 5d27e3c118abc7bbf3f3138616970199f739d1a926e270c428487a5912e7b951
Opcode Fuzzy Hash: 32ab6f4b200ab8bbd79e3ab9f3c45c81036daa508e632f880b3cee9d3bd2ed8f
Instruction Fuzzy Hash: CDE1A170A00209DFDF25CF66CA54BAE77B5AF46318F14482AE819EBF90DB34D941CB91

Function 6C859DE0 Relevance: 3.1, APIs: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6C859E2F
GetClientRect.USER32(00000000,?), ref: 6C859E4D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientIconicRect
String ID:
API String ID: 1086547473-0
Opcode ID: 77b12299f0bce5860e8c4cc4ec1f68b132cb160e855f760257b780ec12e1a91f
Instruction ID: 5a59f6df568b4abc25fa6b099f0e6bb9e9490e2016e8ac2b46bb4fa81e9e8216
Opcode Fuzzy Hash: 77b12299f0bce5860e8c4cc4ec1f68b132cb160e855f760257b780ec12e1a91f
Instruction Fuzzy Hash: AF314C71304305AFD714CF28C988BAAB7E9FF88348F004A2DF959D76A1DB70E955CA91

Function 6C87741B Relevance: 3.0, APIs: 2, Instructions: 36windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C87742D
IsIconic.USER32(?), ref: 6C87743F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 0e2ba16f6310b129d548663666a49d1a0a71a7e863e80fbd248767cc81ec38a9
Instruction ID: e31144ee481b6b189afc590f23b4d32d1504004f076243dab7f073888135f7b5
Opcode Fuzzy Hash: 0e2ba16f6310b129d548663666a49d1a0a71a7e863e80fbd248767cc81ec38a9
Instruction Fuzzy Hash: FEF0E93330492067D936163D9D44DAE76ADEB862787040336EA15D2AE0FBA08862D2E0

Function 6C9D1B54 Relevance: 2.9, Strings: 2, Instructions: 385COMMONLIBRARYCODE

Download Yara Rule

Strings

\sx, xrefs: 6C9D1B5C
0, xrefs: 6C9D1CE5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID: 0$\sx
API String ID: 0-1367868080
Opcode ID: d0bff9b4e82e5d2ef01fb15534e83e38768ded5c21f52c9b63e1a6805efb3afa
Instruction ID: 93bc954f6ff8ad0c095fe5b160dda56d94d42813eb0e8a3ba4be687036f8f888
Opcode Fuzzy Hash: d0bff9b4e82e5d2ef01fb15534e83e38768ded5c21f52c9b63e1a6805efb3afa
Instruction Fuzzy Hash: E2D1D032A05E068FCB14CF68C5806AAB7B5FF47338B22C619D466BBA90D730F941CB50

Function 6C84D680 Relevance: 2.2, Strings: 1, Instructions: 909COMMON

Download Yara Rule

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 6C84D701

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 593203224-2799312399
Opcode ID: f331ca7a41750e2659c09bdb13d996c053c5f06dd14eeb836f708beb9587cdef
Instruction ID: 8faaf651d349772c2f2fe13115aea4def81c82c719fb8f0b7baa81a9494b54ae
Opcode Fuzzy Hash: f331ca7a41750e2659c09bdb13d996c053c5f06dd14eeb836f708beb9587cdef
Instruction Fuzzy Hash: D982B430505249CFDB21CF28C650BAABBF1AF56308F24CD9ED4A49BB92D335E946CB51

Function 6C9E0428 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6C9E0423,?,?,00000008,?,?,6C9F084D,00000000), ref: 6C9E0655

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 65396a68110582ff3133dbdf86541b936c0009bac919d7ce0163cf45c909446a
Instruction ID: a333d922b4a6ffcf6b160d7f593ecfdf58757e011c4677c151b48e56e36c6bc3
Opcode Fuzzy Hash: 65396a68110582ff3133dbdf86541b936c0009bac919d7ce0163cf45c909446a
Instruction Fuzzy Hash: 21B18A32210648DFD706CF28C486B547BE0FF59368F259658E8E9CF6A1CB35E992DB40

Function 6C9C8A54 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C9C8A6A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 67f92ee076de8ebd646337517756def189e7d4fc4964581d533b18fb9344fa10
Instruction ID: 047156c63f67778fe1fb87397ca9d78eeddeec7971dc66b8c8d0357da43733fc
Opcode Fuzzy Hash: 67f92ee076de8ebd646337517756def189e7d4fc4964581d533b18fb9344fa10
Instruction Fuzzy Hash: 03A1ACB1B127428FDF0CCF55C6817ADBBB4FB49328F25822AD515EB680C3349845CB91

Function 6C9D17F5 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

\sx, xrefs: 6C9D17FD

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID: \sx
API String ID: 0-995570312
Opcode ID: bae7715eaeb42bbf7e64a335280fa2093b986532caf06dab5e95025153763c6a
Instruction ID: dd55adccf54f6a6c8a6b4b1ac6c8da2e5dc9e25b59db82a45265df8d653f1bd9
Opcode Fuzzy Hash: bae7715eaeb42bbf7e64a335280fa2093b986532caf06dab5e95025153763c6a
Instruction Fuzzy Hash: 1CC1E236905F468FC714CE69C5806AAB7BAAF07338F26C699C462B7E51D730F985CB10

Function 6C9EF1A3 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

EnumSystemLocalesW.KERNEL32(6C9EF2C9,00000001,00000000,?,-00000050,?,6C9EF8FD,00000000,?,?,?,00000055,?), ref: 6C9EF215

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b9e0605bc52c7a7e7022b6301023d9ebb928cedcea34701c624fb1a403ff6900
Instruction ID: 516ada47c6d830b09c2f4bd69af6f19c6e65ffe8bb56f66fe89f80753114dc23
Opcode Fuzzy Hash: b9e0605bc52c7a7e7022b6301023d9ebb928cedcea34701c624fb1a403ff6900
Instruction Fuzzy Hash: E011293B2047059FDB199F79D8945AAB7A1FF9835CB18492ED98687F00D731A543C740

Function 6C9EF74B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6C9EF4E5,00000000,00000000,?), ref: 6C9EF777

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 45d99c3d560c8eb0b39159d14b06c038418a15eb5983ca92e2a59f8120b1c406
Instruction ID: 43f0916999e4cf4264228bd7fb5b805fe47eb16293f0f41c12eaebe706d8818c
Opcode Fuzzy Hash: 45d99c3d560c8eb0b39159d14b06c038418a15eb5983ca92e2a59f8120b1c406
Instruction Fuzzy Hash: 47019933700213ABDB1A4A629805BFA3769EF25B1CF10842EDC56E3680EB31FD41C6D0

Function 6C9EF23E Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

EnumSystemLocalesW.KERNEL32(6C9EF51C,00000001,?,?,-00000050,?,6C9EF8C5,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6C9EF288

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: cb19d0833b604fa23220c5197ea87752684a643393bfd32a5c405848f4b62308
Instruction ID: 561627f5b37a3603520ee8d4752ba9cd69bcebc8a68b7a10ea6a0efe70711d43
Opcode Fuzzy Hash: cb19d0833b604fa23220c5197ea87752684a643393bfd32a5c405848f4b62308
Instruction Fuzzy Hash: D0F0463A3003441FDB065F35E884AAA7BA5EF9836CB18452EF9418BB80C771E803CB50

Function 6C9EF158 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C9E29B2: GetLastError.KERNEL32(00000000,?,6C9EB277), ref: 6C9E29B6
Part of subcall function 6C9E29B2: SetLastError.KERNEL32(00000000,?,?,00000028,6C9E130E), ref: 6C9E2A58

EnumSystemLocalesW.KERNEL32(6C9EF0B1,00000001,?,?,?,6C9EF91F,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6C9EF18F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0528df72f141c8382d0c366dcedb20092c37954f4afd694d913a036a0f0d8f73
Instruction ID: 5f2c2eefd8565c7932ca5f31dfbcf2d855f2196d88307350de118700488744d8
Opcode Fuzzy Hash: 0528df72f141c8382d0c366dcedb20092c37954f4afd694d913a036a0f0d8f73
Instruction Fuzzy Hash: 4EF0E53630024A67CB06AF36D94466A7FA4EFD5758B0A4099EA058BA41C631D983C790

Function 6C9E602C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6C9E3F58,?,20001004,00000000,00000002,?,?,6C9E354A), ref: 6C9E6060

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 89ea941eaff8bfecbd0d8d384498c1bfc1b740ce81470db3a0c54a701509da24
Instruction ID: d24f2c56711b78b966e8c3c4e6b6699af77912d7e54d3fcc0368568335489f3d
Opcode Fuzzy Hash: 89ea941eaff8bfecbd0d8d384498c1bfc1b740ce81470db3a0c54a701509da24
Instruction Fuzzy Hash: ADE01A7160062DBBCF272F61CC08BAE3E29AF69795F004014FE04A5A518B32CA22DA91

Function 6C869A46 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6C869A52

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: ad0b8c0486c1dda8ce39966795d5f9ce798a4488d207a233aacafa3a097aae7d
Instruction ID: 2dd91373776d1822e1382019a35c2c765d5b5297689df9a39859592ba51256c7
Opcode Fuzzy Hash: ad0b8c0486c1dda8ce39966795d5f9ce798a4488d207a233aacafa3a097aae7d
Instruction Fuzzy Hash: 8AD0C9322547608BC7256E16A448BC673F8AB4571AF05492D904A81DA1E7B098C1CA40

Function 6C9D3FCB Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef94c5ceef2588835928cee1bf75ae9265365b8a71d49d51b82c9171d563b4c
Instruction ID: c227640bb5b7d3457ab30e0702162f93852e7eea6196cc81a4a126f2bfa81693
Opcode Fuzzy Hash: 7ef94c5ceef2588835928cee1bf75ae9265365b8a71d49d51b82c9171d563b4c
Instruction Fuzzy Hash: 80515B72D00519EFDB04CF99C940AEEBBB6EF98304F1A8459E914AB201D734EA51DF90

Function 6C9CCED0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: cd864999476ba43a6613facce47641066c205bde5ae47458f2989a5f9795449a
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: CC1108B734604243D700AF2DD4B06BABF9DEBC622CB79436AE1628BE54D123E1659603

Function 6C8641D9 Relevance: 66.7, APIs: 19, Strings: 19, Instructions: 195COMMON

Download Yara Rule

APIs

OpenThemeData.UXTHEME(?,WINDOW,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C8641F5
OpenThemeData.UXTHEME(?,TOOLBAR,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C864214
OpenThemeData.UXTHEME(?,BUTTON,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C864233
OpenThemeData.UXTHEME(?,STATUS,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C864252
OpenThemeData.UXTHEME(?,REBAR,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C864271
OpenThemeData.UXTHEME(?,COMBOBOX,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C864290
OpenThemeData.UXTHEME(?,PROGRESS,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C8642AF
OpenThemeData.UXTHEME(?,HEADER,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C8642CE
OpenThemeData.UXTHEME(?,SCROLLBAR,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C8642ED
OpenThemeData.UXTHEME(?,EXPLORERBAR,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C86430C
OpenThemeData.UXTHEME(?,TREEVIEW,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C86432B
OpenThemeData.UXTHEME(?,STARTPANEL,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C86434A
OpenThemeData.UXTHEME(?,TASKBAND,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C864369
OpenThemeData.UXTHEME(?,TASKBAR,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C864388
OpenThemeData.UXTHEME(?,SPIN,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C8643A7
OpenThemeData.UXTHEME(?,TAB,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C8643C6
OpenThemeData.UXTHEME(?,TOOLTIP,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C8643E5
OpenThemeData.UXTHEME(?,TRACKBAR,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C864404
OpenThemeData.UXTHEME(00000000,MENU,?,?,6C85BD10,?,6C85BD2A,00000004,6C842450,00000000), ref: 6C86441F

Strings

STARTPANEL, xrefs: 6C864344
SCROLLBAR, xrefs: 6C8642E7
STATUS, xrefs: 6C86424C
BUTTON, xrefs: 6C86422D
TRACKBAR, xrefs: 6C8643FE
COMBOBOX, xrefs: 6C86428A
WINDOW, xrefs: 6C8641EF
TOOLTIP, xrefs: 6C8643DF
PROGRESS, xrefs: 6C8642A9
MENU, xrefs: 6C864419
TAB, xrefs: 6C8643C0
HEADER, xrefs: 6C8642C8
EXPLORERBAR, xrefs: 6C864306
SPIN, xrefs: 6C8643A1
TASKBAND, xrefs: 6C864363
REBAR, xrefs: 6C86426B
TASKBAR, xrefs: 6C864382
TOOLBAR, xrefs: 6C86420E
TREEVIEW, xrefs: 6C864325

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: DataOpenTheme
String ID: BUTTON$COMBOBOX$EXPLORERBAR$HEADER$MENU$PROGRESS$REBAR$SCROLLBAR$SPIN$STARTPANEL$STATUS$TAB$TASKBAND$TASKBAR$TOOLBAR$TOOLTIP$TRACKBAR$TREEVIEW$WINDOW
API String ID: 1744092376-1233129369
Opcode ID: f0ccff9e2383dcb3a1603e2f781d05065b839f9a007849ccb7c2cac5eba0fe62
Instruction ID: a7544d4c687474df0468b1cb188451df126b086f7ba01f8a80e897fa7f4a579a
Opcode Fuzzy Hash: f0ccff9e2383dcb3a1603e2f781d05065b839f9a007849ccb7c2cac5eba0fe62
Instruction Fuzzy Hash: 2C615D74744B569FC7649BBA9F18C1EBAA8BB8A38C7058D6AED01C7F00F734D4058B64

Function 6C8443E0 Relevance: 45.8, APIs: 3, Strings: 23, Instructions: 317windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C87135E: SendMessageW.USER32(?,00001132,00000000,?), ref: 6C8713A8

Part of subcall function 6C871561: SendMessageW.USER32(?,0000113F,00000000,00000000), ref: 6C8715A5

SendMessageW.USER32(?,00001102,00000002,00000000), ref: 6C84447C
SendMessageW.USER32(75FF0000,00001102,00000002,00000000), ref: 6C844644
SendMessageW.USER32(75FF0000,00001102,00000002,00000000), ref: 6C844778

Strings

OnNewDocument(), xrefs: 6C84458E
theFakeApp, xrefs: 6C84475B
CFakeApp(), xrefs: 6C8444B1
m_wndMenuBar, xrefs: 6C8446C7
m_wndToolBar, xrefs: 6C8446EC
OnAppAbout(), xrefs: 6C8444FB
CFakeAppView, xrefs: 6C8445B0
CFakeAppDoc(), xrefs: 6C844544
CFakeAppFrame, xrefs: 6C844656
~CFakeAppDoc(), xrefs: 6C844569
CFakeAboutDlg(), xrefs: 6C84445A
CFakeAppFrame(), xrefs: 6C84467D
~CFakeAppFrame(), xrefs: 6C8446A2
~CFakeAppView(), xrefs: 6C8445FC
FakeApp , xrefs: 6C8443FD
CFakeAboutDlg, xrefs: 6C84443C
CFakeAppDoc, xrefs: 6C84451D
CFakeApp, xrefs: 6C84448E
CFakeAppView(), xrefs: 6C8445D7
Globals, xrefs: 6C844733
InitInstance(), xrefs: 6C8444D6
GetDocument(), xrefs: 6C844621
m_wndStatusBar, xrefs: 6C844711

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend
String ID: CFakeAboutDlg$CFakeAboutDlg()$CFakeApp$CFakeApp()$CFakeAppDoc$CFakeAppDoc()$CFakeAppFrame$CFakeAppFrame()$CFakeAppView$CFakeAppView()$FakeApp $GetDocument()$Globals$InitInstance()$OnAppAbout()$OnNewDocument()$m_wndMenuBar$m_wndStatusBar$m_wndToolBar$theFakeApp$~CFakeAppDoc()$~CFakeAppFrame()$~CFakeAppView()
API String ID: 3850602802-4118746453
Opcode ID: 120ae8d9d7cb434c0a3678c094729d4215ad8044ae5b7f22bcaebd90c5365a2b
Instruction ID: eaff6846988eb7f3c05f9cb2d51ab17001baf8c0121fa869fa3bcf6426859580
Opcode Fuzzy Hash: 120ae8d9d7cb434c0a3678c094729d4215ad8044ae5b7f22bcaebd90c5365a2b
Instruction Fuzzy Hash: FCA169307C03147AF634CA148D6BFDA6665AB00F14F748624B3493EBD5DAE63F898668

Function 6C87FB41 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 327fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C87FB4B
GetModuleFileNameW.KERNEL32(00000000,?,00000104,6CA0BE48,00000000,6CA0BE44,00000000,6CA088E0,00000000,?,?,00000A88,6C880E2B,?,00000000,00000038), ref: 6C87FBEA
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6CA088E0,00000000,?,?,00000A88,6C880E2B,?,00000000,00000038), ref: 6C87FC9D

Strings

, xrefs: 6C87FF88

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: File$CreateH_prolog3_ModuleName
String ID:
API String ID: 3408945735-3916222277
Opcode ID: 828b5070a9a2df61067021222537483e1cc46ed5b992adf36b6dd61839d1ba01
Instruction ID: a44dde08a033acedcacd3c6363d1bfbb37d47e3715673d531e8fa7c4f56346a1
Opcode Fuzzy Hash: 828b5070a9a2df61067021222537483e1cc46ed5b992adf36b6dd61839d1ba01
Instruction Fuzzy Hash: A2C19072A00218AFDB319F65CD44FEE7778AF5A354F1049A9F909E2940EB309E85CF61

Function 6C8416B7 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 42registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(Native), ref: 6C8FEBB0
RegisterClipboardFormatW.USER32(OwnerLink), ref: 6C8FEBBD
RegisterClipboardFormatW.USER32(ObjectLink), ref: 6C8FEBCB
RegisterClipboardFormatW.USER32(Embedded Object), ref: 6C8FEBD9
RegisterClipboardFormatW.USER32(Embed Source), ref: 6C8FEBE7
RegisterClipboardFormatW.USER32(Link Source), ref: 6C8FEBF5
RegisterClipboardFormatW.USER32(Object Descriptor), ref: 6C8FEC03
RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 6C8FEC11
RegisterClipboardFormatW.USER32(FileName), ref: 6C8FEC1F
RegisterClipboardFormatW.USER32(FileNameW), ref: 6C8FEC2D
RegisterClipboardFormatW.USER32(Rich Text Format), ref: 6C8FEC3B
RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 6C8FEC49

Strings

Embedded Object, xrefs: 6C8FEBD1
RichEdit Text and Objects, xrefs: 6C8FEC41
FileName, xrefs: 6C8FEC17
Object Descriptor, xrefs: 6C8FEBFB
Native, xrefs: 6C8FEBA9
FileNameW, xrefs: 6C8FEC25
Link Source Descriptor, xrefs: 6C8FEC09
Rich Text Format, xrefs: 6C8FEC33
Embed Source, xrefs: 6C8FEBDF
Link Source, xrefs: 6C8FEBED
ObjectLink, xrefs: 6C8FEBC3
OwnerLink, xrefs: 6C8FEBB6

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 3e06c73b0e89ec598c8ed3a7d0a17cc6220f8c8dba3a50e8ea5193da64c126e7
Instruction ID: 7d6738ef24a0fcc51888985305abe1a18c4852e6827fb0ae7bf90f53b4d37ffb
Opcode Fuzzy Hash: 3e06c73b0e89ec598c8ed3a7d0a17cc6220f8c8dba3a50e8ea5193da64c126e7
Instruction Fuzzy Hash: B9111375A047119FCF659FB29A0C4967BF4BA0A796300CE1DA156D7E00D73491CBCFA4

Function 6C853470 Relevance: 40.5, APIs: 3, Strings: 20, Instructions: 278windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C87135E: SendMessageW.USER32(?,00001132,00000000,?), ref: 6C8713A8

Part of subcall function 6C871561: SendMessageW.USER32(?,0000113F,00000000,00000000), ref: 6C8715A5

SendMessageW.USER32(?,00001102,00000002,?), ref: 6C853764
SendMessageW.USER32(?,00001102,00000002,00000000), ref: 6C853777
SendMessageW.USER32(?,00001102,00000002,00000000), ref: 6C853787

Strings

FakeAppDoc.cpp, xrefs: 6C85352D
FakeAppDoc.ico, xrefs: 6C853717
FakeApp.ico, xrefs: 6C8536CD
pch.cpp, xrefs: 6C853587
pch.h, xrefs: 6C853681
FakeApp.cpp, xrefs: 6C8534F3
MainFrm.h, xrefs: 6C85365C
FakeAppView.h, xrefs: 6C853612
FakeApp , xrefs: 6C8534D1
FakeAppDoc.h, xrefs: 6C8535ED
FakeApp , xrefs: 6C85348F
FakeAppView.cpp, xrefs: 6C85354B
FakeApp.rc2, xrefs: 6C8536F2
MainFrm.cpp, xrefs: 6C853569
FakeApp.h, xrefs: 6C8535C8
FakeToolbar.bmp, xrefs: 6C85373C
Resource.h, xrefs: 6C853637
FakeApp , xrefs: 6C8536A6
FakeApp.rc, xrefs: 6C85350F
FakeApp , xrefs: 6C8535A5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend
String ID: FakeApp $FakeApp $FakeApp $FakeApp $FakeApp.cpp$FakeApp.h$FakeApp.ico$FakeApp.rc$FakeApp.rc2$FakeAppDoc.cpp$FakeAppDoc.h$FakeAppDoc.ico$FakeAppView.cpp$FakeAppView.h$FakeToolbar.bmp$MainFrm.cpp$MainFrm.h$Resource.h$pch.cpp$pch.h
API String ID: 3850602802-2747208130
Opcode ID: 66d89a7514b8b520432300023ca853757723dc9b78cc5d400b639b5f00d56b0d
Instruction ID: ecdf5f4a657e0ba5dd06b263090f52c29de6da43d398d29dbbbaee9fab67b8bb
Opcode Fuzzy Hash: 66d89a7514b8b520432300023ca853757723dc9b78cc5d400b639b5f00d56b0d
Instruction Fuzzy Hash: 33814E307C03147AFA34D6148D6BFAD6A26AB44F04FB48564B3483FFD6DAD63E458268

Function 6C8F52B5 Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 228registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8F52BF
LoadRegTypeLib.OLEAUT32(?,?,?,000000FF,?), ref: 6C8F52EC
StringFromGUID2.OLE32(?,00000001,00000027,00000694,6C858763,6CA42F78,00000001,00000000,00000000,00000003,00000000,00000000,00000000,?,?,00000001), ref: 6C8F5303
swprintf.LIBCMT ref: 6C8F534C
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C8F5399
RegOpenKeyExW.ADVAPI32(?,?,00000000,00030019,?,?,?,?,00000001,?,00000001), ref: 6C8F53CD
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,HELPDIR,000000FF,?,?,?,00000001,?,00000001), ref: 6C8F5403
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,FLAGS,000000FF,?,?,?,00000001,?,00000001), ref: 6C8F5427
RegOpenKeyExW.ADVAPI32(?,?,00000000,00030019,?,?,?,?,00000001,?,00000001), ref: 6C8F5457
RegOpenKeyExW.ADVAPI32(?,win64,00000000,00020000,?,?,?,?,00000001,?,00000001), ref: 6C8F5479
RegCloseKey.ADVAPI32 ref: 6C8F54B9
RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6C8F548D

Part of subcall function 6C8F5B01: __EH_prolog3.LIBCMT ref: 6C8F5B08

RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C8F54D3
RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6C8F54E7
RegEnumKeyW.ADVAPI32(?,00000001,?,00000104), ref: 6C8F5518
RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6C8F5532
LoadRegTypeLib.OLEAUT32(?,?,?,000000FF,?), ref: 6C8F558E
RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6C8F55AC

Strings

FLAGS, xrefs: 6C8F5415
TYPELIB\%Ts, xrefs: 6C8F5341
win32, xrefs: 6C8F5493
win64, xrefs: 6C8F546E
HELPDIR, xrefs: 6C8F53F1

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Close$EnumOpenString$CompareLoadType$FromH_prolog3H_prolog3_swprintf
String ID: FLAGS$HELPDIR$TYPELIB\%Ts$win32$win64
API String ID: 3736468143-1045325687
Opcode ID: 29bf69b6e8cfbaebabb42d0e9cad92e26d2e6f79b4f14b9e04d6f0449897b59c
Instruction ID: fcba01c4aa996ea20e91757b7b89e6ce6d21fe6b4bd5dafd8c3cf9182101c365
Opcode Fuzzy Hash: 29bf69b6e8cfbaebabb42d0e9cad92e26d2e6f79b4f14b9e04d6f0449897b59c
Instruction Fuzzy Hash: 63919170A05229AFDF218F14CD44BDA7B7AEB45398F0086D5F529E2550DB328E96CF60

Function 6C86677E Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 179windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

GetParent.USER32(?), ref: 6C8667BF
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C8667E1
GetWindowRect.USER32(?,?), ref: 6C866805
GetWindowLongW.USER32(00000000,000000F0), ref: 6C866825
MonitorFromWindow.USER32(00000000,00000001), ref: 6C86685E
GetMonitorInfoW.USER32(00000000), ref: 6C866865
CopyRect.USER32(?,?), ref: 6C866873
GetWindowRect.USER32(00000000,?), ref: 6C866880
MonitorFromWindow.USER32(00000000,00000002), ref: 6C86688D
GetMonitorInfoW.USER32(00000000), ref: 6C866894
CopyRect.USER32(?,?), ref: 6C8668A2
GetParent.USER32(?), ref: 6C8668AC
GetClientRect.USER32(00000000,?), ref: 6C8668B9
GetClientRect.USER32(00000000,?), ref: 6C8668C4
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6C8668D2

Strings

\sx, xrefs: 6C866784
(, xrefs: 6C866840

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
String ID: ($\sx
API String ID: 3610148278-4275447854
Opcode ID: c5f20629164b734175a28279b49610cbcc4b72801a51b84436ff9af0f698c9be
Instruction ID: a3c100d45ee1ae53de54316d47a7ad92e38203f5b503c4d3ef1606f2b9ca925d
Opcode Fuzzy Hash: c5f20629164b734175a28279b49610cbcc4b72801a51b84436ff9af0f698c9be
Instruction Fuzzy Hash: 93617571A0021AAFCF05CFA9CE88AEEB7B9FF45359F154618E511F7640DB30A946CB60

Function 6C86D84F Relevance: 30.3, APIs: 20, Instructions: 265windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C86D856
CreateCompatibleDC.GDI32(00000000), ref: 6C86D8AB
CreateCompatibleDC.GDI32(00000000), ref: 6C86D8C3
CreateCompatibleDC.GDI32(00000000), ref: 6C86D8DB
GetObjectW.GDI32(00000004,00000018,?), ref: 6C86D8FB
CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C86D921
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6CA0971C), ref: 6C86D944
CreatePatternBrush.GDI32(?), ref: 6C86D956
DeleteObject.GDI32(?), ref: 6C86D985
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C86D996
GetPixel.GDI32(?,00000000,00000000), ref: 6C86D9DE
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C86DA04
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6C86DA2C
FillRect.USER32(?,?,?), ref: 6C86DA8E

Part of subcall function 6C86EB24: __EH_prolog3.LIBCMT ref: 6C86EB2B

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C86DABC
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6C86DAD7
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C86DAEE
DeleteDC.GDI32(00000000), ref: 6C86DB5B
DeleteDC.GDI32(00000000), ref: 6C86DB77
DeleteDC.GDI32(00000000), ref: 6C86DB96

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
String ID:
API String ID: 308707564-0
Opcode ID: c7a49ac39cffd2c0f3f1552d2fdb406720fed29e1ad5160485babc33381a3081
Instruction ID: 34882a1e5e8734575c24fde053ad8b36cd1c97f51a3023eac3ae39a55dbe6246
Opcode Fuzzy Hash: c7a49ac39cffd2c0f3f1552d2fdb406720fed29e1ad5160485babc33381a3081
Instruction Fuzzy Hash: 00B10471D01208AFDF218FA5CE84AEEBB79FF08348F608429F515A6A61DB314D46DF60

Function 6C87F525 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 254COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C87F52F
CreateCompatibleDC.GDI32(00000000), ref: 6C87F577
GetObjectW.GDI32(?,00000018,?), ref: 6C87F598
SelectObject.GDI32(?,?), ref: 6C87F5D3
CreateCompatibleDC.GDI32(?), ref: 6C87F600
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6C87F668
SelectObject.GDI32(?,00000000), ref: 6C87F67F
SelectObject.GDI32(?,00000000), ref: 6C87F691
SelectObject.GDI32(?,00000000), ref: 6C87F6A8
DeleteObject.GDI32(?), ref: 6C87F6B4

Strings

, xrefs: 6C87F6F3
(, xrefs: 6C87F63E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
String ID: $(
API String ID: 1429849173-55695022
Opcode ID: a2192ac4d2a23a9ad8ebfc057519cfa8aa34bb3e702332a5f9107f1ea50aab1c
Instruction ID: dd038055d4cdc9eb8edd95a5210f03ad290be73435dfc902b55106c14154bf52
Opcode Fuzzy Hash: a2192ac4d2a23a9ad8ebfc057519cfa8aa34bb3e702332a5f9107f1ea50aab1c
Instruction Fuzzy Hash: 80B15C30E00269DFDB25CF25CD44BDEBBB5BF59304F0082EAE549A6651EB309A85CF60

Function 6C87249E Relevance: 28.7, APIs: 19, Instructions: 239windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8724A5
CreateRectRgnIndirect.GDI32(?), ref: 6C8724DD
CopyRect.USER32(?,?), ref: 6C8724F1
InflateRect.USER32(?,?,?), ref: 6C872507
IntersectRect.USER32(?,?,?), ref: 6C872513
CreateRectRgnIndirect.GDI32(?), ref: 6C87251D
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C872532
CombineRgn.GDI32(?,?,?,00000003), ref: 6C87254C
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C872593
SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C8725B0
CopyRect.USER32(?,?), ref: 6C8725BB
InflateRect.USER32(?,?,?), ref: 6C8725D1
IntersectRect.USER32(?,?,?), ref: 6C8725DD
SetRectRgn.GDI32(?,?,?,?,?), ref: 6C8725F2
CombineRgn.GDI32(?,?,?,00000003), ref: 6C872603
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C872617
CombineRgn.GDI32(?,?,?,00000003), ref: 6C872631

Part of subcall function 6C8727FA: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C872841
Part of subcall function 6C8727FA: CreatePatternBrush.GDI32(00000000), ref: 6C87284E
Part of subcall function 6C8727FA: DeleteObject.GDI32(00000000), ref: 6C87285A

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C87268F

Part of subcall function 6C86E6E0: SelectObject.GDI32(?,00000000), ref: 6C86E700
Part of subcall function 6C86E6E0: SelectObject.GDI32(?,00000000), ref: 6C86E716

Part of subcall function 6C86E5F5: SelectClipRgn.GDI32(?,00000000), ref: 6C86E615
Part of subcall function 6C86E5F5: SelectClipRgn.GDI32(?,00000000), ref: 6C86E62B

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C8726F2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
String ID:
API String ID: 770706554-0
Opcode ID: 86708c1fe2df6aa81c5ed3555e6b16e634be278e2d8d2e3bd8e4d55cbd5c2a13
Instruction ID: 612d18a7ee6431b4e67edb328002702996dbc7ebc987267c45f3d53b4b0a9280
Opcode Fuzzy Hash: 86708c1fe2df6aa81c5ed3555e6b16e634be278e2d8d2e3bd8e4d55cbd5c2a13
Instruction Fuzzy Hash: 7E91F471A00219AFCF19DFA8D998DEEBBB9FF48304B144529F506E3650DB34A906DB60

Function 6C85C117 Relevance: 28.6, APIs: 19, Instructions: 80COMMON

Download Yara Rule

APIs

CloseThemeData.UXTHEME(00000000), ref: 6C85C123
CloseThemeData.UXTHEME(00000000), ref: 6C85C132
CloseThemeData.UXTHEME(00000000), ref: 6C85C141
CloseThemeData.UXTHEME(00000000), ref: 6C85C150
CloseThemeData.UXTHEME(00000000), ref: 6C85C15F
CloseThemeData.UXTHEME(00000000), ref: 6C85C16E
CloseThemeData.UXTHEME(00000000), ref: 6C85C17D
CloseThemeData.UXTHEME(00000000), ref: 6C85C18C
CloseThemeData.UXTHEME(00000000), ref: 6C85C19B
CloseThemeData.UXTHEME(00000000), ref: 6C85C1AA
CloseThemeData.UXTHEME(00000000), ref: 6C85C1B9
CloseThemeData.UXTHEME(00000000), ref: 6C85C1C8
CloseThemeData.UXTHEME(00000000), ref: 6C85C1D7
CloseThemeData.UXTHEME(00000000), ref: 6C85C1E6
CloseThemeData.UXTHEME(00000000), ref: 6C85C1F5
CloseThemeData.UXTHEME(00000000), ref: 6C85C204
CloseThemeData.UXTHEME(00000000), ref: 6C85C213
CloseThemeData.UXTHEME(00000000), ref: 6C85C222
CloseThemeData.UXTHEME(00000000), ref: 6C85C231

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseDataTheme
String ID:
API String ID: 2797872399-0
Opcode ID: b23303946f6faa62f88af64ad8ffcdc782357f6b8419b4485875bafebdb7ae24
Instruction ID: 77b8d72320da421b6e22ad64bd3e24bd5d346c777acd0d29178bf77596a6550a
Opcode Fuzzy Hash: b23303946f6faa62f88af64ad8ffcdc782357f6b8419b4485875bafebdb7ae24
Instruction Fuzzy Hash: E1316030142B02DFDBB66F59C9087567AB2BF0578EF90591CE0A790CB1C7B5A896DF40

Function 6C86A4EB Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C86A4F5

Part of subcall function 6C9432A0: __EH_prolog3.LIBCMT ref: 6C9432A7

CallNextHookEx.USER32(?,?,?,?), ref: 6C86A52D
SetWindowLongW.USER32(?,000000FC,6C865D08), ref: 6C86A5D1
CallNextHookEx.USER32(?,00000003,?,?), ref: 6C86A6E1
UnhookWindowsHookEx.USER32(?), ref: 6C86A6F5

Strings

#32768, xrefs: 6C86A61F, 6C86A625, 6C86A65E
AfxOldWndProc423, xrefs: 6C86A68F, 6C86A6A0, 6C86A6AC, 6C86A6BC

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Hook$CallNext$H_prolog3H_prolog3_LongUnhookWindowWindows
String ID: #32768$AfxOldWndProc423
API String ID: 1591070667-2141921550
Opcode ID: 93885008c27b8463edda10ca690b48c352a2a181d653fb3847bb9f3e3e5df6b6
Instruction ID: 8e7ae902ece32898bffbe1dd49c45d4e41c23fac4158677ec95ea56199e5fae8
Opcode Fuzzy Hash: 93885008c27b8463edda10ca690b48c352a2a181d653fb3847bb9f3e3e5df6b6
Instruction Fuzzy Hash: E451E5306002399BCB259F55CD88BEA3B74EF15399F104999F805E7E80DB34DE82DBA5

Function 6C87D7E4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C87D7EE
GetObjectW.GDI32(00000000,00000018,?), ref: 6C87D82C
CreateCompatibleDC.GDI32(00000000), ref: 6C87D86B
SelectObject.GDI32(?,00000000), ref: 6C87D88E
GetObjectW.GDI32(?,00000054,?), ref: 6C87D8DB
CreateDIBSection.GDI32(?,?), ref: 6C87D93D
CreateCompatibleDC.GDI32(?), ref: 6C87D977
SelectObject.GDI32(?,00000000), ref: 6C87D990

Strings

(, xrefs: 6C87D926

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Create$CompatibleSelect$H_prolog3_Section
String ID: (
API String ID: 1338481308-3887548279
Opcode ID: 48b03344b3e3928bc3a5212ce43fae9a4222410b5dd94759062f60e0d305353c
Instruction ID: 5391eb724803e85c5020741ddf99a7c0eb3cea979c18d34e0fc930f1da4455fe
Opcode Fuzzy Hash: 48b03344b3e3928bc3a5212ce43fae9a4222410b5dd94759062f60e0d305353c
Instruction Fuzzy Hash: C7A12A70A00719DFDB65CF24CD84B9AB7B5BF09304F1085AAE85DE7651EB30AA85CF20

Function 6C854EC0 Relevance: 24.3, APIs: 16, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da00c3fd9ce266efc286f3efcb13a08381cd648bb02fb262048e749ab61c0a90
Instruction ID: 126ac0db38f3d107d29b44f45800b3d47b05719b02c0764462a1a073839fb413
Opcode Fuzzy Hash: da00c3fd9ce266efc286f3efcb13a08381cd648bb02fb262048e749ab61c0a90
Instruction Fuzzy Hash: D0B18230B40305AFEB109BA8CD49FAE77B8FF05719F148568BA05EB6D1DBB09945CB60

Function 6C86DBA4 Relevance: 22.7, APIs: 15, Instructions: 212windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C86DBAB
GetSysColor.USER32(00000014), ref: 6C86DBE2

Part of subcall function 6C86D46D: __EH_prolog3.LIBCMT ref: 6C86D474
Part of subcall function 6C86D46D: CreateSolidBrush.GDI32(?), ref: 6C86D48F

GetSysColor.USER32(00000010), ref: 6C86DBF7
CreateCompatibleDC.GDI32(00000000), ref: 6C86DC0B
CreateCompatibleDC.GDI32(00000000), ref: 6C86DC23
GetObjectW.GDI32(00000004,00000018,?), ref: 6C86DC46
CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C86DC67
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C86DC88

Part of subcall function 6C86E681: SelectObject.GDI32(00000048,?), ref: 6C86E68A

GetPixel.GDI32(?,00000000,00000000), ref: 6C86DCD0

Part of subcall function 6C86E79A: SetBkColor.GDI32(?,?), ref: 6C86E7AF
Part of subcall function 6C86E79A: SetBkColor.GDI32(?,?), ref: 6C86E7C1

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C86DCF9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6C86DD23
BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6C86DD8E
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6C86DDB7
DeleteDC.GDI32(00000000), ref: 6C86DE2C
DeleteDC.GDI32(00000000), ref: 6C86DE4B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
String ID:
API String ID: 2254850417-0
Opcode ID: dff1c081572b693a67d27fad1c61d7b4ba4f001bd3fc1fe2d6477a9a8dafd82a
Instruction ID: 3da40c1571ca9dd588c67521a34ab2fbab049613475efff8d787364aec168993
Opcode Fuzzy Hash: dff1c081572b693a67d27fad1c61d7b4ba4f001bd3fc1fe2d6477a9a8dafd82a
Instruction Fuzzy Hash: 0D813971E00209BFDF119FE5DE45AEEBB79BF08348F204429F501A69A0DB315A46DB60

Function 6C9AE5AF Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 216COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9AE5B6

Part of subcall function 6C97D5EB: __EH_prolog3.LIBCMT ref: 6C97D5F2

Strings

MFCMenuButton, xrefs: 6C9AE734
MFCButton, xrefs: 6C9AE5D5
MFCShellTree, xrefs: 6C9AE7DB
MFCVSListBox, xrefs: 6C9AE80E
MFCMaskedEdit, xrefs: 6C9AE6FA
MFCFontComboBox, xrefs: 6C9AE686
MFCLink, xrefs: 6C9AE6C0
MFCShellList, xrefs: 6C9AE7A8
MFCEditBrowse, xrefs: 6C9AE64C
MFCPropertyGrid, xrefs: 6C9AE76E
MFCColorButton, xrefs: 6C9AE612

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 431132790-2110171958
Opcode ID: 604270da646f23fb405718d37710413467806a0c9d62c8c5f79316a1188f23da
Instruction ID: 321ec97a7c04c028bf30a6415be1ce7d26b8149f2c45ce5ad6a6dbc329dd8082
Opcode Fuzzy Hash: 604270da646f23fb405718d37710413467806a0c9d62c8c5f79316a1188f23da
Instruction Fuzzy Hash: 9661C52194930699EF19D6FC9614BEE37E89F5121CF74086AD810EBEC0EF35C689C2A1

Function 6C859770 Relevance: 19.7, APIs: 13, Instructions: 233windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C8597AB

Part of subcall function 6C906E53: __EH_prolog3.LIBCMT ref: 6C906E5A

SendMessageW.USER32(?,00000030,00000001), ref: 6C85985C
SendMessageW.USER32(?,00000030,00000001), ref: 6C85986E
SendMessageW.USER32(?,00000030,00000001), ref: 6C859880
SendMessageW.USER32(?,00000180,00000000,6CA45020), ref: 6C85992B
SendMessageW.USER32(?,00000180,00000000,6CA45038), ref: 6C85993F
SendMessageW.USER32(?,00000180,00000000,6CA45054), ref: 6C859953
SendMessageW.USER32(?,00000180,00000000,6CA4507C), ref: 6C859967
SendMessageW.USER32(?,00000180,00000000,6CA45038), ref: 6C85997B
SendMessageW.USER32(?,00000180,00000000,6CA45054), ref: 6C85998F
SendMessageW.USER32(?,00000180,00000000,6CA45094), ref: 6C8599A3
SendMessageW.USER32(?,00000180,00000000,6CA45038), ref: 6C8599B7
SendMessageW.USER32(?,00000180,00000000,6CA45054), ref: 6C8599CB

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$EmptyH_prolog3Rect
String ID:
API String ID: 3306255916-0
Opcode ID: 501332e71a98436242e0ae6cfa0dae2ef838f73a5209c8c67b49fd8cf05c90fd
Instruction ID: 5dd7ab5067a63febe1bde6804f58283920cde78bcb3e2d1d250a18c01c23a873
Opcode Fuzzy Hash: 501332e71a98436242e0ae6cfa0dae2ef838f73a5209c8c67b49fd8cf05c90fd
Instruction Fuzzy Hash: 95712831380209BFEB259F64CC45FE9B765FF04754F008624F625AA5D0DBB2B965CB90

Function 6C865ED2 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

\sx, xrefs: 6C865ED8

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID: \sx
API String ID: 0-995570312
Opcode ID: 9c5166480f8618209a914c7bbe1905be9a2f72197093e62ec5146e4b0fd1f20f
Instruction ID: a6c6ef724c86bc481c49f9739eddfe5155a4394242728bd6535dcb53012a215e
Opcode Fuzzy Hash: 9c5166480f8618209a914c7bbe1905be9a2f72197093e62ec5146e4b0fd1f20f
Instruction Fuzzy Hash: 0202E235A00619DFCB15CF5ACA90D9EB7B6FF4A318B148958E901EBB11D731AD42CB90

Function 6C91D897 Relevance: 18.5, APIs: 12, Instructions: 456windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C91D89E
IsRectEmpty.USER32(?), ref: 6C91D8C4
CreateCompatibleDC.GDI32(?), ref: 6C91D99D
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C91D9E5
SelectObject.GDI32(?,00000000), ref: 6C91DA44
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C91DA7E
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C91DC56
CreateCompatibleBitmap.GDI32(?,00000075,?), ref: 6C91DC75

Part of subcall function 6C91DD88: DrawStateW.USER32(00000001,?,00000000,00000001,00000000,?,?,?,?,?), ref: 6C91DDC6

BitBlt.GDI32(?,00000000,00000000,00000074,?,?,?,?,00CC0020), ref: 6C91DCC4
CreateCompatibleBitmap.GDI32(?,?,00000075), ref: 6C91DCE3
BitBlt.GDI32(?,00000000,00000000,?,00000074,?,?,?,00CC0020), ref: 6C91DD35
DeleteObject.GDI32(?), ref: 6C91DD4C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreate$Bitmap$Object$DeleteDrawEmptyH_prolog3RectSelectState
String ID:
API String ID: 1489821248-0
Opcode ID: 37c58a3e80bf52add6fb5e67893a5a5498e7aa7273a6f389d572e8d71099ca76
Instruction ID: 20a353974cc2bc15a722af8a6efefbec4165a6f8ef16105df7a6632819f74762
Opcode Fuzzy Hash: 37c58a3e80bf52add6fb5e67893a5a5498e7aa7273a6f389d572e8d71099ca76
Instruction Fuzzy Hash: 8F02E375A04219AFCF05CFA9C985AEEBBB6FF48304F148519F819A7B50D731E941CBA0

Function 6C863CEE Relevance: 18.1, APIs: 12, Instructions: 127windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C863CF5
IsWindowVisible.USER32(?), ref: 6C863D4E
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 6C863D80
CreateRectRgn.GDI32(00000000,00000000,00000005,00000005), ref: 6C863D9F
CombineRgn.GDI32(?,?,?,00000003), ref: 6C863DB9
CreateEllipticRgn.GDI32(00000000,00000000,0000000B,0000000B), ref: 6C863DCD
CombineRgn.GDI32(?,?,?,00000002), ref: 6C863DE7
CreateRectRgn.GDI32(?,00000000,?,00000005), ref: 6C863E00
CombineRgn.GDI32(?,?,?,00000003), ref: 6C863E1A
CreateEllipticRgn.GDI32(?,00000000,?,0000000B), ref: 6C863E36
CombineRgn.GDI32(?,?,?,00000002), ref: 6C863E50
SetWindowRgn.USER32(?,00000000,00000001), ref: 6C863E64

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Create$Combine$Rect$EllipticWindow$H_prolog3Visible
String ID:
API String ID: 1706452674-0
Opcode ID: e6da08b273c09b104277ea0402d77cf8f6f23bc804b98a5126d832e849044eb9
Instruction ID: 26c0dd58a0d1cd286907fc5819a0e0b131b5ef12b46ee519d1b46afd0a608a3b
Opcode Fuzzy Hash: e6da08b273c09b104277ea0402d77cf8f6f23bc804b98a5126d832e849044eb9
Instruction Fuzzy Hash: 5E416471A0020AABDF259FA5CD45AFF7B79BF04349F104829B212A6990DF358E47CB61

Function 6C9133EA Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C913484
InvalidateRect.USER32(?,?,00000001), ref: 6C9134DD
InvalidateRect.USER32(?,?,00000001), ref: 6C9134EC

Strings

\sx, xrefs: 6C9133F0

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Invalidate$Empty
String ID: \sx
API String ID: 1126320529-995570312
Opcode ID: cc437e9712c62571898c1e508845c8189928833f14138d4c94e36d799c71a0dc
Instruction ID: dd845e6cb066fa7b83988a6d7720f1ddf5bd4ef55158e933cf19093a18afecf2
Opcode Fuzzy Hash: cc437e9712c62571898c1e508845c8189928833f14138d4c94e36d799c71a0dc
Instruction Fuzzy Hash: A2714831B00619DFDF05CF64C885AAE7BB9FF49314F154069E815AB690CB74AA42CFA0

Function 6C91BB09 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C91BB10
GetObjectW.GDI32(00000008,00000018,00000000), ref: 6C91BB27

Part of subcall function 6C91BA66: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C91BADD

CreateCompatibleDC.GDI32(00000000), ref: 6C91BBA7
SelectObject.GDI32(?,00000008), ref: 6C91BBBA
CreateCompatibleDC.GDI32(00000000), ref: 6C91BBD8
SelectObject.GDI32(00000000,?), ref: 6C91BBED
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00CC0020), ref: 6C91BC0C
SelectObject.GDI32(00000000,00000000), ref: 6C91BC1A
SelectObject.GDI32(?,00000000), ref: 6C91BC24

Strings

, xrefs: 6C91BB79

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Select$Create$Compatible$H_prolog3Section
String ID:
API String ID: 2431383920-3916222277
Opcode ID: 18a75bdea6843399169fc965ce80171d1c939442168ca07975e1b0c810e92635
Instruction ID: 6987af731a61886b9bb791866d5d72e996374a58798adadd9bf9c9428ed5a555
Opcode Fuzzy Hash: 18a75bdea6843399169fc965ce80171d1c939442168ca07975e1b0c810e92635
Instruction Fuzzy Hash: 3941A5B2E002199FDB11CFE9CC45AEE7B7AEF55308F108529F511A6B50DF318A06CBA0

Function 6C866E50 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 118windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C866E5A
SendMessageW.USER32(?,00000000,00000000,00000080), ref: 6C866EA1
SendMessageW.USER32(?,00000000,00000000,?), ref: 6C866ECD
ValidateRect.USER32(?,00000000), ref: 6C866EE0

Part of subcall function 6C943A48: GetClientRect.USER32(?,?), ref: 6C943AAC

GetClientRect.USER32(?,?), ref: 6C866F51
BeginPaint.USER32(?,?), ref: 6C866F5E
SendMessageW.USER32(?,00000000,00000000,?), ref: 6C866F94
SendMessageW.USER32(?,00000000,00000000), ref: 6C866FB6
EndPaint.USER32(?,?), ref: 6C866FCE

Strings

W, xrefs: 6C866F13

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
String ID: W
API String ID: 3883544035-655174618
Opcode ID: 3192660cd01a0f4ce1a776594a5d70143a68a393f7dca7947bdc84c397e9ca45
Instruction ID: 0df37d56c2d171fd2036b224d91664d59e6b65745cec46b56b21cf2e30b4adab
Opcode Fuzzy Hash: 3192660cd01a0f4ce1a776594a5d70143a68a393f7dca7947bdc84c397e9ca45
Instruction Fuzzy Hash: 1E419F71A00746ABCF259F72C944EAEBAB6FB98308F10892EE055D2E60DB31D945CB50

Function 6C943B97 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 86COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 6C943BB7

Strings

D2D1.dll, xrefs: 6C943BC4
DWrite.dll, xrefs: 6C943C24
D2D1CreateFactory, xrefs: 6C943BDE
DWriteCreateFactory, xrefs: 6C943C39
D2D1MakeRotateMatrix, xrefs: 6C943C16

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Initialize
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 2538663250-1403614551
Opcode ID: d512416a57fd8b50861e27f140873a135882355db45e13fd08ebd5f8438818eb
Instruction ID: 350cd12ebd28e6707787f172685aa0a46830cd34c958d1c174c2d4eec5dd118b
Opcode Fuzzy Hash: d512416a57fd8b50861e27f140873a135882355db45e13fd08ebd5f8438818eb
Instruction Fuzzy Hash: F421B27135470AAFE7249F75CC88B1776B9FB4125AF14CA2DE852C2D40EB34D4468B30

Function 6C84CBC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84CC37
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C84CD76
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84CE0B
Concurrency::cancel_current_task.LIBCPMT ref: 6C84CE25
Concurrency::cancel_current_task.LIBCPMT ref: 6C84CE2A
Concurrency::cancel_current_task.LIBCPMT ref: 6C84CE2F

Strings

true, xrefs: 6C84CD35
bad locale name, xrefs: 6C84CE34
false, xrefs: 6C84CD0B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 2199893758-1062449267
Opcode ID: 4c6992e001ca187adf0ab7db7efaf5d97c5099014e8c32e28f42064f67c38811
Instruction ID: 4b6f6fc9768221a47b82df1a2c8a243861200fa054f01103f499e8a2c385e62e
Opcode Fuzzy Hash: 4c6992e001ca187adf0ab7db7efaf5d97c5099014e8c32e28f42064f67c38811
Instruction Fuzzy Hash: 317173B0D017589EEB20DFA5C54478EBBF8AF25308F208919D815EBB81E775D509CB92

Function 6C85CD8E Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C85CD98
GetCurrentThemeName.UXTHEME(?,000000FF,?,000000FF,00000000,00000000), ref: 6C85CDEE
GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EEF,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6C85CEB8

Strings

homestead, xrefs: 6C85CEEE
normalcolor, xrefs: 6C85CED3
Luna, xrefs: 6C85CE6A
royale, xrefs: 6C85CF41
Aero, xrefs: 6C85CE80
metallic, xrefs: 6C85CF09

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Theme$ColorCurrentH_prolog3_Name
String ID: Aero$Luna$homestead$metallic$normalcolor$royale
API String ID: 2781885202-2881773410
Opcode ID: d947c360cc76944a05396cfe71313263f251fe704d2a2932fb19d5f30bd3e186
Instruction ID: 604a40fbca6a271726875bef725c19be4f30a15637d3d0041f2d172d1612c336
Opcode Fuzzy Hash: d947c360cc76944a05396cfe71313263f251fe704d2a2932fb19d5f30bd3e186
Instruction Fuzzy Hash: 5D51F97150112C5ADB34DB25CD04FDB7779AF14358F4409EAA408A3981EFB19BE4CEA8

Function 6C8698C9 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C869913
BeginDeferWindowPos.USER32(00000008), ref: 6C869929
GetTopWindow.USER32(?), ref: 6C86993A
GetDlgCtrlID.USER32(00000000), ref: 6C869943
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 6C86997B
GetWindow.USER32(00000000,00000002), ref: 6C869984
CopyRect.USER32(?,?), ref: 6C86999F
EndDeferWindowPos.USER32(00000000), ref: 6C869A2F

Strings

\sx, xrefs: 6C8698CF

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID: \sx
API String ID: 1228040700-995570312
Opcode ID: 1a2780e0b6ebc7fd3bcabe76bbd71228ff0465f82f97b344dda028e01d1e7aac
Instruction ID: 580212abcb9af0a515b5d28f0a2075a7a45d7758442b2334a73ae368a23fa025
Opcode Fuzzy Hash: 1a2780e0b6ebc7fd3bcabe76bbd71228ff0465f82f97b344dda028e01d1e7aac
Instruction Fuzzy Hash: 19512B31A01209DFCF24DFA9C984BDEB7B5FF49359F148859E816EB680C734A941CB60

Function 6C86A38C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C86A393
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C86A3AA
CallWindowProcW.USER32(?,?,00000110,?,?), ref: 6C86A40A

Part of subcall function 6C86A8C0: GetWindowRect.USER32(?,00000000), ref: 6C86A8F9
Part of subcall function 6C86A8C0: GetWindow.USER32(?,00000004), ref: 6C86A916

SetWindowLongW.USER32(?,000000FC,?), ref: 6C86A42D
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6C86A439
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6C86A444
GlobalDeleteAtom.KERNEL32(?), ref: 6C86A44E

Part of subcall function 6C86A963: GetWindowRect.USER32(?,?), ref: 6C86A970

CallWindowProcW.USER32(?,?,?,?,?), ref: 6C86A496

Strings

AfxOldWndProc423, xrefs: 6C86A39E, 6C86A433, 6C86A43F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
String ID: AfxOldWndProc423
API String ID: 3351853316-1060338832
Opcode ID: edc734f137f34c5f0a80fad5ebadd790484e972e27c9b9dd673ade582fb78134
Instruction ID: 873c28ad97162009de8be1cafdd790891b9d5523adb37f24211c8a4116c0bc65
Opcode Fuzzy Hash: edc734f137f34c5f0a80fad5ebadd790484e972e27c9b9dd673ade582fb78134
Instruction Fuzzy Hash: 6E31C471A00218BBCB159FBACE4CDEF7B79EF4A354F104919F502A6E40DB3099428B74

Function 6C996326 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 6C996348
GetStockObject.GDI32(0000000D), ref: 6C996354
GetObjectW.GDI32(00000000,0000005C,?), ref: 6C996365
GetDC.USER32(00000000), ref: 6C996374
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C99638B
MulDiv.KERNEL32(?,00000048,00000000), ref: 6C996397
ReleaseDC.USER32(00000000,00000000), ref: 6C9963A3

Strings

\sx, xrefs: 6C99632C
System, xrefs: 6C99633E, 6C9963B8

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System$\sx
API String ID: 46613423-1992837229
Opcode ID: 29bee4f756d3bcc5d9bb400caab5f01d2e61e134c35304046a263d1e18a3adff
Instruction ID: 5ff88b3f10ae4cafbe42443c525758bb4b6d4d4281534af18ff6e3424cd8296b
Opcode Fuzzy Hash: 29bee4f756d3bcc5d9bb400caab5f01d2e61e134c35304046a263d1e18a3adff
Instruction Fuzzy Hash: F6118E71700319ABEF089F65CC4AFAE7BB9EB45749F08411DF606DB680DB70D906D6A0

Function 6C8807AC Relevance: 15.2, APIs: 10, Instructions: 200COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8807B6
GetObjectW.GDI32(?,00000018,?), ref: 6C8807DB
GetObjectW.GDI32(?,00000054,?), ref: 6C880820
CreateCompatibleDC.GDI32(00000000), ref: 6C88090C
SelectObject.GDI32(?,?), ref: 6C88092E
GetPixel.GDI32(?,00000000,00000000), ref: 6C88098D
GetPixel.GDI32(?,?,00000000), ref: 6C88099F
SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6C8809AE
SetPixel.GDI32(?,?,00000000,00000000), ref: 6C8809C0
SelectObject.GDI32(?,00000000), ref: 6C880A0E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID:
API String ID: 1266819874-0
Opcode ID: b9871c87e95372897d1cb591afebe8e470ef57a003627043866fe7efca3b01ca
Instruction ID: 0f57422862d0937bb0d9a423b80748c305ba7d8a1189689d13985d8a3ac5748e
Opcode Fuzzy Hash: b9871c87e95372897d1cb591afebe8e470ef57a003627043866fe7efca3b01ca
Instruction Fuzzy Hash: AB812B71E012298FDB24CFA9CD84A9DBBB5BF49344F14856AE848E7B41DB309D86CF50

Function 6C871B0B Relevance: 15.1, APIs: 10, Instructions: 149windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C871B15
GetMenuItemCount.USER32(?), ref: 6C871B41
GetSubMenu.USER32(?,00000000), ref: 6C871B77
GetMenuState.USER32(?,?,00000400), ref: 6C871B94
GetSubMenu.USER32(?,00000000), ref: 6C871BF1
GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 6C871C1A
AppendMenuW.USER32(00000000,00000010,00000000,?), ref: 6C871CA2
GetMenuItemCount.USER32(00000000), ref: 6C871D12
InsertMenuW.USER32(?,00000000,?,00000000), ref: 6C871D3F
GetMenuItemID.USER32(?,?), ref: 6C871D70

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString
String ID:
API String ID: 2171526683-0
Opcode ID: d4630fce19b5ca1c8fa7522e3bba716df003b9ff79af3edb249f88deb50a3bf7
Instruction ID: 2eed30c6f139f222b1cfc16c04e84f6fb9ae6c97d6dadf200d634295ec18af27
Opcode Fuzzy Hash: d4630fce19b5ca1c8fa7522e3bba716df003b9ff79af3edb249f88deb50a3bf7
Instruction Fuzzy Hash: 4B612871A4122DABDF34DF55CE98BDDB7B4BB18305F1044E9E409A6650EB309E82CF60

Function 6C8DF707 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 305COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8DF70E
SetRectEmpty.USER32(00000001), ref: 6C8DF74E

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

__EH_prolog3_GS.LIBCMT ref: 6C8DF8EE
GetClientRect.USER32(?,0000E801), ref: 6C8DF926
SelectObject.GDI32(00000001,00000000), ref: 6C8DF962
SelectObject.GDI32(00000001,?), ref: 6C8DFA10
IsRectEmpty.USER32(?), ref: 6C8DFA1D

Part of subcall function 6C8673EC: GetParent.USER32(8D6CA331), ref: 6C867418

Strings

Afx:StatusBar, xrefs: 6C8DF7AB

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$EmptyH_prolog3_ObjectSelect$ClientLongParentWindow
String ID: Afx:StatusBar
API String ID: 2548710182-3033333705
Opcode ID: f35ef4d30443853b76e4f3c38a75ae4cde9e6bce1b691efe2373996e0f2f6b53
Instruction ID: 9969f1ab18f3eb7ae9d67067103f81cccaa4584df8b8531a2112168fbde6ef65
Opcode Fuzzy Hash: f35ef4d30443853b76e4f3c38a75ae4cde9e6bce1b691efe2373996e0f2f6b53
Instruction Fuzzy Hash: 75A10731B002299FCF249B78CE14AEE77B9BF59358B114929E805E7B40DF34A941DBA1

Function 6C85EEDA Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 300windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C85EEE1
GetParent.USER32(?), ref: 6C85EEF5

Part of subcall function 6C86C235: GetWindowLongW.USER32(00076850,000000EC), ref: 6C86C242

Part of subcall function 6C915480: __EH_prolog3.LIBCMT ref: 6C915487
Part of subcall function 6C915480: SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 6C9154AA
Part of subcall function 6C915480: SendMessageW.USER32(00000000,0000007F,00000001,00000000), ref: 6C9154BE
Part of subcall function 6C915480: GetClassLongW.USER32(00000000,000000DE), ref: 6C91551B
Part of subcall function 6C915480: GetClassLongW.USER32(00000000,000000F2), ref: 6C91552C

GetSystemMetrics.USER32(00000032), ref: 6C85EF3E
GetSystemMetrics.USER32(00000031), ref: 6C85EF49
GetSystemMetrics.USER32(00000004), ref: 6C85EF5A
GetSystemMetrics.USER32(00000004), ref: 6C85EF66
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 6C85EFC3

Strings

\sx, xrefs: 6C85F152

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MetricsSystem$Long$ClassH_prolog3MessageSend$DrawIconParentWindow
String ID: \sx
API String ID: 1977492230-995570312
Opcode ID: 82984403ec9df882fdef6bb972aae89fd716c72f7dfe5c714fc51846f039e3e8
Instruction ID: b95ccaba9d482a405304b7ecadb983239195bd0a17e95f29efaab61d212e3c38
Opcode Fuzzy Hash: 82984403ec9df882fdef6bb972aae89fd716c72f7dfe5c714fc51846f039e3e8
Instruction Fuzzy Hash: 70B19F71B0021A9FCF15CFA8C944AEEBBB6BF48314F54452AE805F7780DB74A946CB90

Function 6C87DE35 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 261windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C87F4E1: GdipGetImagePixelFormat.GDIPLUS(?,6CA73BD8,00000000,00000000,?,6C87DE79,78E4735C,?,00000000,6CA73BD8), ref: 6C87F4EF

Part of subcall function 6C87F499: GdipGetImagePalette.GDIPLUS(?,00000000,?,?,?,6C87DF98,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,78E4735C), ref: 6C87F4A8

GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,78E4735C,?,00000000,6CA73BD8), ref: 6C87E08D
GdipBitmapUnlockBits.GDIPLUS(?,?,?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,78E4735C,?,00000000), ref: 6C87E13D
GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6C87E18F
GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000), ref: 6C87E19A
GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000), ref: 6C87E1A5

Strings

\sx, xrefs: 6C87DE4C
&, xrefs: 6C87DEBD
&, xrefs: 6C87E047

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPalettePixelUnlock
String ID: &$ &$\sx
API String ID: 1665940520-1779867131
Opcode ID: d3a09ee9073008bc8cafdcd49d83990dfdc15e784afdb087ff4dfd6ced477f4f
Instruction ID: e0a92f4a35422e3d9bb70c2ef24874711770ffad8382148e5fa7f07955c95298
Opcode Fuzzy Hash: d3a09ee9073008bc8cafdcd49d83990dfdc15e784afdb087ff4dfd6ced477f4f
Instruction Fuzzy Hash: 2DA17DB1A005299FCB34CF14CD80AEDB7B9EF84318F1545A9EA09A7701D7309E85CFA9

Function 6C8F5112 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 144registrylibraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8F5119
GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000104,0000002C,6C858790,?,6CA42F78,00000000,00000000,00000001,00000003,00000000,00000000,00000001,?), ref: 6C8F5151
LoadTypeLib.OLEAUT32(?,?), ref: 6C8F51C3
GetModuleHandleW.KERNEL32(OLEAUT32.DLL,00000000,?,?,?,?,00000001), ref: 6C8F524B
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 6C8F525B
RegisterTypeLib.OLEAUT32 ref: 6C8F527E

Strings

OLEAUT32.DLL, xrefs: 6C8F5246
RegisterTypeLibForUser, xrefs: 6C8F5255

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ModuleType$AddressFileH_prolog3_HandleLoadNameProcRegister
String ID: OLEAUT32.DLL$RegisterTypeLibForUser
API String ID: 866051225-2666564778
Opcode ID: 131164aa8a9cade682a9d5acd8a401f050b58941e0798100a5c8b723394df30a
Instruction ID: 3974a2635cc9f336c2b37f363a1dc4b52791f16bc06fa63e640d0375fff37c2b
Opcode Fuzzy Hash: 131164aa8a9cade682a9d5acd8a401f050b58941e0798100a5c8b723394df30a
Instruction Fuzzy Hash: 08519231A002099FDF15DFA8CD549DE7BB5BF09358F148559E811B7790DB31AE0ACB60

Function 6C9AEBAE Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(comctl32.dll,6C9AECF3,00000000,00000000,00000000,?,6C947A34,00000000,00000000,6C9466FC,0000001C,6C94782A,?,6C9466FC,?,00000000), ref: 6C9AEBE1
GetUserDefaultUILanguage.KERNEL32(?,6C947A34,00000000,00000000,6C9466FC,0000001C,6C94782A,?,6C9466FC,?,00000000,00000000,00000000,?,6C9466FC,00000000), ref: 6C9AEBF1
FindResourceExW.KERNEL32(00000000,00000005,000003EE,0000FC11,?,6C947A34,00000000,00000000,6C9466FC,0000001C,6C94782A,?,6C9466FC,?,00000000,00000000), ref: 6C9AEC2F
FindResourceW.KERNEL32(00000000,000003EE,00000005,?,6C947A34,00000000,00000000,6C9466FC,0000001C,6C94782A,?,6C9466FC,?,00000000,00000000,00000000), ref: 6C9AEC4E
LoadResource.KERNEL32(00000000,00000000,?,6C947A34,00000000,00000000,6C9466FC,0000001C,6C94782A,?,6C9466FC,?,00000000,00000000,00000000), ref: 6C9AEC5A

Part of subcall function 6C9AED31: GetDC.USER32(00000000), ref: 6C9AED84
Part of subcall function 6C9AED31: EnumFontFamiliesExW.GDI32(00000000,?,6C9AED1B,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6C9AED9F
Part of subcall function 6C9AED31: ReleaseDC.USER32(00000000,00000000), ref: 6C9AEDA7

GlobalAlloc.KERNEL32(00000040,00000000,?,6C947A34,00000000,00000000,6C9466FC,0000001C,6C94782A,?,6C9466FC,?,00000000,00000000,00000000), ref: 6C9AEC8A

Strings

comctl32.dll, xrefs: 6C9AEBDC
MS UI Gothic, xrefs: 6C9AEC08

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$Find$AllocDefaultEnumFamiliesFontGlobalHandleLanguageLoadModuleReleaseUser
String ID: MS UI Gothic$comctl32.dll
API String ID: 1606157363-3248924666
Opcode ID: b80986332352ec4578a07ab796e6910f34655f2b470e6e22ea8d8dc53197586f
Instruction ID: 35394b8e4a9b9712b7357b598f951914bf08c6e2cf43c1bdc822feba1ae55230
Opcode Fuzzy Hash: b80986332352ec4578a07ab796e6910f34655f2b470e6e22ea8d8dc53197586f
Instruction Fuzzy Hash: 2241D471300606ABEB155BA9CD49B7B73BCEF45758F10843DF929CBA80EB70D85287A1

Function 6C8EBC82 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(80004005,80004005,00000002), ref: 6C8EBD75
GetMonitorInfoW.USER32(00000000), ref: 6C8EBD7C
CopyRect.USER32(6C854E9D,?), ref: 6C8EBD8E
SystemParametersInfoW.USER32(00000030,00000000,6C854E9D,00000000), ref: 6C8EBDA0
IntersectRect.USER32(6C8A9624,6C854E9D,80004005), ref: 6C8EBDD3

Strings

4(@P, xrefs: 6C8EBDFB
\sx, xrefs: 6C8EBC88
(, xrefs: 6C8EBD5A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
String ID: ($4(@P$\sx
API String ID: 2931574886-64240450
Opcode ID: ab5e388d842f0ea3242d2c688314f6ab26fa770d99f456b87f53ae80978610bb
Instruction ID: 58267dc453c96091fe0c60e5f4489ae1bc1d47f63f70f333f5d0298ad58a8e6c
Opcode Fuzzy Hash: ab5e388d842f0ea3242d2c688314f6ab26fa770d99f456b87f53ae80978610bb
Instruction Fuzzy Hash: F9510771A0160ADFCB14CFA9CA48AEEBBF4FF09309F10456AE515E7650D730EA45CBA4

Function 6C872AF5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 122windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C872A4A: GetParent.USER32(?), ref: 6C872AA7
Part of subcall function 6C872A4A: GetLastActivePopup.USER32(?), ref: 6C872ABA
Part of subcall function 6C872A4A: IsWindowEnabled.USER32(?), ref: 6C872ACE
Part of subcall function 6C872A4A: EnableWindow.USER32(?,00000000), ref: 6C872AE1

EnableWindow.USER32(?,00000001), ref: 6C872B40
GetWindowThreadProcessId.USER32(?,?), ref: 6C872B56
GetCurrentProcessId.KERNEL32 ref: 6C872B60
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6C872B76
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6C872C01
MessageBoxW.USER32(?,?,?,6C8421AE), ref: 6C872C23
EnableWindow.USER32(00000000,00000001), ref: 6C872C48

Strings

\sx, xrefs: 6C872AFE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
String ID: \sx
API String ID: 1924968399-995570312
Opcode ID: cf81ceace5d1d9603eb9a18d589874270c59f1e197a0d66852bc4ee43eb91860
Instruction ID: 642d48de989da0f6ee086a76c4af34a0ae114f0dad48a0cccc6137c5170d9e12
Opcode Fuzzy Hash: cf81ceace5d1d9603eb9a18d589874270c59f1e197a0d66852bc4ee43eb91860
Instruction Fuzzy Hash: C341A371A4121EEBDB309F28CD8CBED77B4EB54348F1049A9E519E7640E7748E818BA0

Function 6C945CA2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 6C945CC6
ClientToScreen.USER32(?,?), ref: 6C945CE0
GetWindow.USER32(?,00000005), ref: 6C945D32

Strings

\sx, xrefs: 6C945CA8

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID: \sx
API String ID: 2518355518-995570312
Opcode ID: 92f0bf2af0684122c18d12163af738377b9931f28e7ca4c7fe6776e2cf6054a5
Instruction ID: e9c8d457f36d4a8fdd1e558b365fd0f32a3c33f7a0cb7a17a136ec68dff65256
Opcode Fuzzy Hash: 92f0bf2af0684122c18d12163af738377b9931f28e7ca4c7fe6776e2cf6054a5
Instruction Fuzzy Hash: 4B115E31B0161AABCB059FA88848AEF77B9EF4A245F118519F412E3140DB30DA46CBA4

Function 6C865C13 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C865C30
GetWindowRect.USER32(?,?), ref: 6C865C4E
ScreenToClient.USER32(?,?), ref: 6C865C5B
ScreenToClient.USER32(?,?), ref: 6C865C68
EqualRect.USER32(?,?), ref: 6C865C73
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 6C865C9A
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 6C865CA4

Strings

\sx, xrefs: 6C865C19

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID: \sx
API String ID: 443303494-995570312
Opcode ID: c2aa81a6324a6578902ed1c53a27b9025eef1f5fc16c2eafa1fe6768d84cae5a
Instruction ID: 2b976e9e87317ad2e8fc3e899c58ff298c7f9d7ea317c99c7b6ba65b7f58a90d
Opcode Fuzzy Hash: c2aa81a6324a6578902ed1c53a27b9025eef1f5fc16c2eafa1fe6768d84cae5a
Instruction Fuzzy Hash: 7C218131A0020AEFCF04DFA5CD88EAEBBB8FF09349F11855AE901EA105D7309942CB60

Function 6C8677C9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6C867810
SetActiveWindow.USER32(?), ref: 6C86781B
SendMessageW.USER32(?,00000112,?,?), ref: 6C867835
IsWindow.USER32(?), ref: 6C86783C
SetActiveWindow.USER32(?), ref: 6C867847
IsWindow.USER32(00000000), ref: 6C86784E
SetFocus.USER32(00000000), ref: 6C867859

Strings

u, xrefs: 6C867862

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 448d575fccd0d5f03f2df93ef30a0c906f8b4aebb43a3de04d8432a5cf8afba0
Instruction ID: 002a27cfa583310fb1c093f366e7c04cbd54679e328b02ed245d0c2f8bfef30d
Opcode Fuzzy Hash: 448d575fccd0d5f03f2df93ef30a0c906f8b4aebb43a3de04d8432a5cf8afba0
Instruction Fuzzy Hash: 6311B632701315ABDB221A7ACE08A6D3664EB45389B10CE24F616C5F59C778C846C7E4

Function 6C9AD5C3 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9AD5CA

Part of subcall function 6C945D74: EnterCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DA5
Part of subcall function 6C945D74: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DBB
Part of subcall function 6C945D74: LeaveCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DC9
Part of subcall function 6C945D74: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000,?), ref: 6C945DD6

GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6C9AD615
GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6C9AD628
GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6C9AD63B

Strings

windows, xrefs: 6C9AD60F, 6C9AD614, 6C9AD622, 6C9AD635
DragScrollInset, xrefs: 6C9AD60A
DragScrollInterval, xrefs: 6C9AD630
DragScrollDelay, xrefs: 6C9AD61D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 4229786687-1024936294
Opcode ID: 4935c2917f01ccc6c6f1b2cb92acf0c7602b1df877b8343fb8ec3176dc9ed633
Instruction ID: 6f42b65c3cd35c4478d3ce8336898186a8657238633198f3fa3b17a22f9408fb
Opcode Fuzzy Hash: 4935c2917f01ccc6c6f1b2cb92acf0c7602b1df877b8343fb8ec3176dc9ed633
Instruction Fuzzy Hash: 260175B0B40311AFDB15CFA48D0970976F0BF15B04F409A2DF108E6B80D7708087CB65

Function 6C874823 Relevance: 13.8, APIs: 9, Instructions: 267COMMON

Download Yara Rule

APIs

GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,00000000,?,6C8747B2,?,?,?,?,?,?,?), ref: 6C8747F2
GetWindowRect.USER32(?,?), ref: 6C874866
OffsetRect.USER32(?,?,?), ref: 6C87487C

Part of subcall function 6C86D4B1: __EH_prolog3.LIBCMT ref: 6C86D4B8
Part of subcall function 6C86D4B1: GetDC.USER32(00000000), ref: 6C86D4E4

CreateCompatibleDC.GDI32(?), ref: 6C8748EF
SelectObject.GDI32(?,?), ref: 6C87490F
SelectObject.GDI32(?,?), ref: 6C874961
CreateCompatibleDC.GDI32(?), ref: 6C874AA5
SelectObject.GDI32(?,00000000), ref: 6C874AC6
SelectObject.GDI32(?,00000000), ref: 6C874AF7

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ObjectSelect$Rect$CompatibleCreate$DrawGdipH_prolog3ImageOffsetWindow
String ID:
API String ID: 4105739581-0
Opcode ID: cc03ed595162965a5b9fdf29b7cbbca8e1fe1c91d1f79c5b01940030f10b61f8
Instruction ID: 12de50fc1fc6e2e9f757a8f5d169cbbd7da3b85c6a3a65fd0c8a0f08c9e0c8ef
Opcode Fuzzy Hash: cc03ed595162965a5b9fdf29b7cbbca8e1fe1c91d1f79c5b01940030f10b61f8
Instruction Fuzzy Hash: F2B15D31A00219DFCF25CFA8CA44BEDBBB5BF85344F108659E906B7651EB306A56CF60

Function 6C8FA030 Relevance: 13.6, APIs: 9, Instructions: 137COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,00000005,00000024,6C8A9EB0,?,?,00000170,80004005,80004005,54000000,?,000000DD,000000FF,00000001), ref: 6C8FA078
LoadResource.KERNEL32(?,00000000,?,?,00000170,80004005,80004005,54000000,?,000000DD,000000FF,00000001,?,?), ref: 6C8FA084
LockResource.KERNEL32(0000007E,00000024,6C8A9EB0,?,?,00000170,80004005,80004005,54000000,?,000000DD,000000FF,00000001,?,?), ref: 6C8FA094
GetDesktopWindow.USER32 ref: 6C8FA0CB
IsWindowEnabled.USER32(00000000), ref: 6C8FA0D6
EnableWindow.USER32(00000000,00000000), ref: 6C8FA0E2
EnableWindow.USER32(00000000,00000001), ref: 6C8FA1C6
GetActiveWindow.USER32 ref: 6C8FA1D0
SetActiveWindow.USER32(00000000,?,00000024,6C8A9EB0,?,?,00000170), ref: 6C8FA1DC

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindLoadLock
String ID:
API String ID: 2497874451-0
Opcode ID: f776dccefec41423ed08f4c6940b157a4afa65700085bbd6133f68d15a52b076
Instruction ID: 68a318447df7c2493f552b4380ee2ba6f9de8f36e4a3b81dd7bc0ed584feb600
Opcode Fuzzy Hash: f776dccefec41423ed08f4c6940b157a4afa65700085bbd6133f68d15a52b076
Instruction Fuzzy Hash: 6C519230B013169BDF259F65CA847EEB774BF083A9F114429D922A7781DB349843CBA1

Function 6C871D84 Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C871D8B
GetMenuItemCount.USER32(?), ref: 6C871DD1
GetMenuItemCount.USER32(6C9AE061), ref: 6C871DDD
GetSubMenu.USER32(6C9AE061,-00000001), ref: 6C871DF4
GetMenuItemCount.USER32(00000000), ref: 6C871E07
GetSubMenu.USER32(00000000,00000000), ref: 6C871E18
RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,?,?,6CA567DC,0000000C,00000004,6C841EF8,6C9AE061,?,6C842BB6,80004005), ref: 6C871E32

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$CountItem$H_prolog3Remove
String ID:
API String ID: 3061525546-0
Opcode ID: cc3356f6f3a0e73aaf983aa4dd643af16524a648332db0ff76cb07aeb5b5f294
Instruction ID: b39002899205acc1e00e93ab6cd6bcf298b4471611712fc5d78db91b7884e5fe
Opcode Fuzzy Hash: cc3356f6f3a0e73aaf983aa4dd643af16524a648332db0ff76cb07aeb5b5f294
Instruction Fuzzy Hash: 1121A272A01249EBDF308F68CE58A9F7FB9FF41349F104969F419D6940EB30D646CA60

Function 6C91FD99 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 263COMMON

Download Yara Rule

APIs

FillRect.USER32(56010845,?,?), ref: 6C91FDD3
FillRect.USER32(?,?,?), ref: 6C91FE3A
FillRect.USER32(?,?,?), ref: 6C91FEDD

Part of subcall function 6C86D46D: __EH_prolog3.LIBCMT ref: 6C86D474
Part of subcall function 6C86D46D: CreateSolidBrush.GDI32(?), ref: 6C86D48F

Strings

\sx, xrefs: 6C91FD9F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FillRect$BrushCreateH_prolog3Solid
String ID: \sx
API String ID: 1242064992-995570312
Opcode ID: 7b1cf1eeb735dddb9da5cf66f004eae4a09aa8d600ab9def9c34697a1364f2b2
Instruction ID: b302d70b8a81450cce55d988b5bb95dac1fed4fea86f8bdc55b3c87deca7c48f
Opcode Fuzzy Hash: 7b1cf1eeb735dddb9da5cf66f004eae4a09aa8d600ab9def9c34697a1364f2b2
Instruction Fuzzy Hash: E9A15171A0011ADFCF08CF98C9959EEBBB6FF44304F14812EE906AB694D775E949CB90

Function 6C8E9D9B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C8E9DC4
IsWindowVisible.USER32(?), ref: 6C8E9DD7
GetWindowRect.USER32(?,?), ref: 6C8E9E38
IsZoomed.USER32(?), ref: 6C8E9E47
SetWindowRgn.USER32(?,00000000,00000001), ref: 6C8E9EB9
GetSystemMetrics.USER32(00000004), ref: 6C8E9F3B

Strings

\sx, xrefs: 6C8E9DA1

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Visible$MetricsRectSystemZoomed
String ID: \sx
API String ID: 3738653960-995570312
Opcode ID: 346d70c982727c1155c13cd7f0da97c33eabcd5cc4546b7b934a85fbab2b0b06
Instruction ID: ce8649d76da366589a6427c866c81d1320eadfbd5f06d1d238318ef93bafc575
Opcode Fuzzy Hash: 346d70c982727c1155c13cd7f0da97c33eabcd5cc4546b7b934a85fbab2b0b06
Instruction Fuzzy Hash: A0A15A70F0061AEFDB18CFA9CA44BEEBBB5FF49308F144529E415A7A50DB70A941CB91

Function 6C868046 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 209libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C868068
GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 6C86809D
GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 6C8680C5
ScreenToClient.USER32(?,?), ref: 6C868151

Strings

user32.dll, xrefs: 6C86805E
GetGestureInfo, xrefs: 6C86808F
CloseGestureInfoHandle, xrefs: 6C8680B7

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressProc$ClientHandleModuleScreen
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 471820996-2905070798
Opcode ID: 96b642abcc82231892b3c1f6f9aeca0c861672d24749b372ab22cfddb9dc4f9e
Instruction ID: e4fff642bfdeb51122b90b4151d01b41d32901cf68a38d718f3f631657360656
Opcode Fuzzy Hash: 96b642abcc82231892b3c1f6f9aeca0c861672d24749b372ab22cfddb9dc4f9e
Instruction Fuzzy Hash: BB81BFB4701616EFCB19CF69C690969BBB5FF0A348B10856AE809D3F10D735E952CF90

Function 6C9CA56B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6C9CA5B2
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6C9CA61D
LCMapStringEx.KERNEL32(00000000,6CA42FD1,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C9CA63A
LCMapStringEx.KERNEL32(00000000,6CA42FD1,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6C9CA679
LCMapStringEx.KERNEL32(00000000,6CA42FD1,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6C9CA6D8
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C9CA6FB

Strings

\sx, xrefs: 6C9CA571

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID: \sx
API String ID: 2829165498-995570312
Opcode ID: 2b621a4b8c848e31d3d656d1309e63479010c5a2a495af1bd3e1ad75b164aeaf
Instruction ID: 163605cbae1e5ae2f4e0a187ccddcd0a60996854366d1444da7a43ea5cc8cdcc
Opcode Fuzzy Hash: 2b621a4b8c848e31d3d656d1309e63479010c5a2a495af1bd3e1ad75b164aeaf
Instruction Fuzzy Hash: 6351A172B01206AFEF104FA4CC44FAA3BBDFF55B58F218029F914D6590EB34D9118BA6

Function 6C85C918 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?,00000000), ref: 6C85C957
GetParent.USER32(?), ref: 6C85C978
GetWindowRect.USER32(?,?), ref: 6C85C995
GetClientRect.USER32(?,?), ref: 6C85CA38
MapWindowPoints.USER32(?,?,?,00000002), ref: 6C85CA4A
DrawThemeBackground.UXTHEME(?,?,00000000,00000000,?,00000000), ref: 6C85CA72

Strings

\sx, xrefs: 6C85C91E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Window$BackgroundClientDrawFillParentPointsTheme
String ID: \sx
API String ID: 2136005349-995570312
Opcode ID: 9cea27d30d6f29d61d5e3d0c26de91c3be4bacc434ae98b17205456e3f1fe96c
Instruction ID: de4856311be2ae179cfb0756106d1ce020df9df7fc511c5d6c8a449081370167
Opcode Fuzzy Hash: 9cea27d30d6f29d61d5e3d0c26de91c3be4bacc434ae98b17205456e3f1fe96c
Instruction Fuzzy Hash: 1F4187B5A0020A9FCF11DF69CA449AEBBF8FF4D344B448669E805E7611E730E951CFA0

Function 6C873762 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32(?,?,00000400), ref: 6C873791

Part of subcall function 6C945A11: GetWindowTextW.USER32(?,?,00000100), ref: 6C945A6F
Part of subcall function 6C945A11: lstrcmpW.KERNEL32(?,?,?,00000000), ref: 6C945A81
Part of subcall function 6C945A11: SetWindowTextW.USER32(?,?), ref: 6C945A8D

SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C8737AC
SendMessageW.USER32(?,000000F1,?,00000000), ref: 6C8737C9
SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 6C873836
SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 6C873886

Strings

@, xrefs: 6C87387C
0, xrefs: 6C873875

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
String ID: 0$@
API String ID: 72408025-1545510068
Opcode ID: e83f95696ac8c3e358fb3f7a6977e2bc6a19f3dd95cf966743f909c2e94d2015
Instruction ID: c6c66e93fa87e8f85b7953f7054bd31fafda87ad1ec23e702004c25654b28ef6
Opcode Fuzzy Hash: e83f95696ac8c3e358fb3f7a6977e2bc6a19f3dd95cf966743f909c2e94d2015
Instruction Fuzzy Hash: 4441D271701225EFDB349F55C944B9EBBB9FF04744F108A29E90997940EB70EC42CBA1

Function 6C9CB750 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6C9CB787
___except_validate_context_record.LIBVCRUNTIME ref: 6C9CB78F
_ValidateLocalCookies.LIBCMT ref: 6C9CB818
__IsNonwritableInCurrentImage.LIBCMT ref: 6C9CB843
_ValidateLocalCookies.LIBCMT ref: 6C9CB898

Strings

\sx, xrefs: 6C9CB802, 6C9CB87F
csm, xrefs: 6C9CB82D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: \sx$csm
API String ID: 1170836740-1956744791
Opcode ID: 112c8ec01652e5d9d1d8a8b4b94419fdc24232bbc6c65329077119c1b0b13998
Instruction ID: f920e290b213777d6bd92c29c4913d450cd80ce135623b6f889afd0327236920
Opcode Fuzzy Hash: 112c8ec01652e5d9d1d8a8b4b94419fdc24232bbc6c65329077119c1b0b13998
Instruction Fuzzy Hash: 3B41B034B00209ABCF00CF69C880A9EBBB9FF15318F148195E8289BB51D735DA15CB93

Function 6C869BD8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C869BF9
GetWindow.USER32(?,00000005), ref: 6C869C10
GetWindowRect.USER32(00000000,?), ref: 6C869C2B

Part of subcall function 6C86E5B6: ScreenToClient.USER32(?,?), ref: 6C86E5C5
Part of subcall function 6C86E5B6: ScreenToClient.USER32(?,?), ref: 6C86E5D2

SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 6C869C51
GetWindow.USER32(00000000,00000002), ref: 6C869C5A
ScrollWindow.USER32(?,?,?,?,?), ref: 6C869C76

Strings

\sx, xrefs: 6C869BDE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID: \sx
API String ID: 1714389229-995570312
Opcode ID: eac4efcc40b152d06bfb6e8ccf97272e5b86bbabc98195341f5de92ee427240f
Instruction ID: 7f60380a3bfe39431d2457c08e5ff9cb600ca52681177b926329f3d18a6428a2
Opcode Fuzzy Hash: eac4efcc40b152d06bfb6e8ccf97272e5b86bbabc98195341f5de92ee427240f
Instruction Fuzzy Hash: FE219C3170060AAFCB119F65CD88AAE77B9FF89748B118519F90297A50EB30DD428B60

Function 6C944F3D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C86F85D,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C944F4F
GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6C944F5F
EncodePointer.KERNEL32(00000000,?,6C86F85D,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C944F68
DecodePointer.KERNEL32(00000000,?,?,6C86F85D,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C944F76
DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?,?,6C86F85D,?,00000000,?,?,?), ref: 6C944FC3

Strings

DrawThemeTextEx, xrefs: 6C944F59
uxtheme.dll, xrefs: 6C944F4A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
String ID: DrawThemeTextEx$uxtheme.dll
API String ID: 1727381832-3035683158
Opcode ID: 43dac8fa56d624dc42987c49a1031b7e4f7919d6db5af6bde45871843f54eede
Instruction ID: 70f2946edd054d4c627a0d518ff4a06247513a5661b060dd0eba7443bd28163b
Opcode Fuzzy Hash: 43dac8fa56d624dc42987c49a1031b7e4f7919d6db5af6bde45871843f54eede
Instruction Fuzzy Hash: AD11E53660061AAFDF021FA0CC08D9A3F7ABF09399B058554FE14A5520C736D872AFA0

Function 6C91D54F Relevance: 12.3, APIs: 8, Instructions: 295windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C91D556
CreateCompatibleDC.GDI32(00000000), ref: 6C91D5BA
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C91D5F0
SelectObject.GDI32(?,00000000), ref: 6C91D644
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C91D7AE
DeleteObject.GDI32(?), ref: 6C91D7E7
GetPixel.GDI32(00000000,?,00000000), ref: 6C91D859
SetPixel.GDI32(?,00000000,000000FF,00000000), ref: 6C91D870

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreateObjectPixel$BitmapDeleteH_prolog3_Select
String ID:
API String ID: 1635930241-0
Opcode ID: c7119a75a77d36493ecf319388ecc501fac00a01b53adfc9d290406698663c5b
Instruction ID: 70e774153e2a5af3c7d1b26ab844af581e76de0f668de1e09a5507fe40de9c38
Opcode Fuzzy Hash: c7119a75a77d36493ecf319388ecc501fac00a01b53adfc9d290406698663c5b
Instruction Fuzzy Hash: BFB12E72E002189FDF05CFA9C945ADEBBB6EF98314F258169E415EBB90D730D905CB90

Function 6C871FDC Relevance: 12.3, APIs: 8, Instructions: 289filecomCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C871FE3
OleDuplicateData.OLE32(?,00000000,00000000), ref: 6C872074
GlobalLock.KERNEL32(00000000), ref: 6C872096
CopyMetaFileW.GDI32(?,00000000), ref: 6C8720A4
GlobalUnlock.KERNEL32(00000000), ref: 6C8720B2
GlobalFree.KERNEL32(00000000), ref: 6C8720B9
GlobalUnlock.KERNEL32(00000000), ref: 6C8720C6
CopyFileW.KERNEL32(?,?,00000000,016087C7,?,00000054,6C95B78D,-00000014,?,-00000014,6C8FEC90,00000000), ref: 6C872272

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3_LockMeta
String ID:
API String ID: 985170318-0
Opcode ID: f7810ad21e2d471457ee94145634fb54a4a5f5678169fcb3e3aa71d46b6d1928
Instruction ID: 933d4db3b8cab6b25a9ba55093c2ef867565f019c93433a09cf54fb51de57dbf
Opcode Fuzzy Hash: f7810ad21e2d471457ee94145634fb54a4a5f5678169fcb3e3aa71d46b6d1928
Instruction Fuzzy Hash: 1EA17F70610606EFDB349F64CA4CA2ABBB5FF49718704C65DE819CBA54E735E811CBB0

Function 6C85D970 Relevance: 12.1, APIs: 8, Instructions: 142windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C85D977
InflateRect.USER32(?), ref: 6C85D99F
DrawFocusRect.USER32(?,?), ref: 6C85DA09
InflateRect.USER32(?), ref: 6C85DA1D
InflateRect.USER32(?), ref: 6C85DA65
InflateRect.USER32(?), ref: 6C85DAB5
CreateHatchBrush.GDI32(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C85DAD9
FillRect.USER32(?,?,00000000), ref: 6C85DAF4

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Inflate$BrushCreateDrawFillFocusH_prolog3Hatch
String ID:
API String ID: 4128771895-0
Opcode ID: 447ef269c311e613fe70abc426a5ace6e5a6a7789446c049f6d64180c3ee6416
Instruction ID: 39dff9745d5c63dbf009ae53fbcb61dfd614feaf6fa7e1f54fdb7e74ff52eac3
Opcode Fuzzy Hash: 447ef269c311e613fe70abc426a5ace6e5a6a7789446c049f6d64180c3ee6416
Instruction Fuzzy Hash: F6516AB2900109EFCB24DF94CA49DDF77BCEB49318F81852AF810A7650DB74DA59CBA1

Function 6C881092 Relevance: 12.1, APIs: 8, Instructions: 136windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C881099
EnterCriticalSection.KERNEL32(6CA73BD8,00000018,6C843E9D,?,00000000,00000000,00000000), ref: 6C8810B7
SelectObject.GDI32(?,00000018), ref: 6C881104
LeaveCriticalSection.KERNEL32(6CA73BD8,?), ref: 6C881121
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C881149
SelectObject.GDI32(00000000), ref: 6C881158
CreateCompatibleDC.GDI32(00000000), ref: 6C8811E0
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C881200

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: 0a2a6adff64eb83d06b37dd691ef3f86b90cfad696dd4926087ec4e52867a9b9
Instruction ID: 01c3674f9c517a862eaf9788494654f6daef528bdcef72e03bdc036ab0f0f4ec
Opcode Fuzzy Hash: 0a2a6adff64eb83d06b37dd691ef3f86b90cfad696dd4926087ec4e52867a9b9
Instruction Fuzzy Hash: 95514978602706DFDB35CF25CA40A9AB7F4BF45709B108D2DE4A6C6E50EB30E946CB21

Function 6C85FCC9 Relevance: 12.1, APIs: 8, Instructions: 123COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C85FCD0
GetSysColor.USER32(00000017), ref: 6C85FCED
InflateRect.USER32(?,00000002,00000002), ref: 6C85FD10
DrawThemeBackground.UXTHEME(?,?,00000001,00000000,?,00000000), ref: 6C85FD33
GetThemeColor.UXTHEME(?,00000001,00000000,00000EDB,?), ref: 6C85FD48
GetThemeColor.UXTHEME(?,00000001,00000000,00000EDC,?), ref: 6C85FD5D
GetSysColorBrush.USER32(00000018), ref: 6C85FD67
FillRect.USER32(00000000,?,00000000), ref: 6C85FD7A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$Theme$Rect$BackgroundBrushDrawFillH_prolog3_Inflate
String ID:
API String ID: 229325109-0
Opcode ID: ce0934959f01d3d911a71d5f042ddb721caecb7f05be5e26e749ccc4f8f24d8e
Instruction ID: d7361d68ab731ea27a9c0dd9a083a7f8219a4170fdee08b6f8b475ce6ff8945b
Opcode Fuzzy Hash: ce0934959f01d3d911a71d5f042ddb721caecb7f05be5e26e749ccc4f8f24d8e
Instruction Fuzzy Hash: 41412771B0021AAFDF14CFA4C988EEE77B9FF09348B005469F901AB650CB71AD06CB60

Function 6C880044 Relevance: 12.1, APIs: 8, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6C880039,00000000,00000000,?,6CA0BE30,?,6C880E95,?,?,?), ref: 6C880055
GlobalLock.KERNEL32(00000000), ref: 6C880062
GlobalUnlock.KERNEL32(00000000), ref: 6C88006D
GlobalFree.KERNEL32(00000000), ref: 6C880074
GlobalUnlock.KERNEL32(00000000), ref: 6C880092
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6C88009F
EnterCriticalSection.KERNEL32(6CA73BD8,00000000), ref: 6C8800B8
LeaveCriticalSection.KERNEL32(6CA73BD8,00000000), ref: 6C88011F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$CriticalSectionUnlock$AllocCreateEnterFreeLeaveLockStream
String ID:
API String ID: 295443201-0
Opcode ID: 9405bb6991ca73449b34c7e74cb95730472801cd3ba35c1dd7cf277edec76792
Instruction ID: 3883871809602e52ca93ea5afb7b78226c21e46f0aaba4cb5267bb8ead3e1c03
Opcode Fuzzy Hash: 9405bb6991ca73449b34c7e74cb95730472801cd3ba35c1dd7cf277edec76792
Instruction Fuzzy Hash: 3B21A235703716ABDF355B65CD18A5E37B8BB4635DB008429E401D3A40EB35DA038B71

Function 6C86FC21 Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 6C86FC2F
GetSystemMetrics.USER32(00000032), ref: 6C86FC3D
SetRectEmpty.USER32(6CA73AFC), ref: 6C86FC50
EnumDisplayMonitors.USER32(00000000,00000000,6C86FA37,6CA73AFC), ref: 6C86FC60
SystemParametersInfoW.USER32(00000030,00000000,6CA73AFC,00000000), ref: 6C86FC6F
SystemParametersInfoW.USER32(00001002,00000000,6CA73B20,00000000), ref: 6C86FC9C
SystemParametersInfoW.USER32(00001012,00000000,6CA73B24,00000000), ref: 6C86FCB0
SystemParametersInfoW.USER32(0000100A,00000000,6CA73B34,00000000), ref: 6C86FCD6

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: e7949f9d808ca9d3f3acc63104a2f8af062394b52b2496528edb764036e8dbc6
Instruction ID: 5ef37ae836dc0f7c077f38a4b9ca7c801ad6fbc7ed398ff8a98e422aa5964e4a
Opcode Fuzzy Hash: e7949f9d808ca9d3f3acc63104a2f8af062394b52b2496528edb764036e8dbc6
Instruction Fuzzy Hash: 87215CB1301216BFE7084F75898CBE3BBBCFF1A389F004629E949C6140D7B05846CBA0

Function 6C8F6CD6 Relevance: 12.1, APIs: 8, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 6C8F6CEA
lstrcmpW.KERNEL32(00000000,?), ref: 6C8F6D03
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6C8F6D18
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C8F6D38
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C8F6D40
GlobalLock.KERNEL32(00000000), ref: 6C8F6D4E
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6C8F6D5F
ClosePrinter.WINSPOOL.DRV(?), ref: 6C8F6D77

Part of subcall function 6C9459DE: GlobalFlags.KERNEL32(6C87096D), ref: 6C9459EB
Part of subcall function 6C9459DE: GlobalUnlock.KERNEL32(6C87096D), ref: 6C9459F9
Part of subcall function 6C9459DE: GlobalFree.KERNEL32(6C87096D), ref: 6C945A05

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: b4f3d4eee89658f276fd892b8f85bab3550fcba675aadba405016cbc6978bd1d
Instruction ID: 5f8e6a010027af97bc6ac8ca02ddb44d0e8d896ca66d584fff93ad385a68bc4d
Opcode Fuzzy Hash: b4f3d4eee89658f276fd892b8f85bab3550fcba675aadba405016cbc6978bd1d
Instruction Fuzzy Hash: 3911BE71200A09BEEB222FB0CD45DAA7ABDEB147CDB10462AB621C0920C732C955DB72

Function 6C91538C Relevance: 12.1, APIs: 8, Instructions: 57COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000020), ref: 6C9153BA
GetSystemMetrics.USER32(00000021), ref: 6C9153C4
GetSystemMetrics.USER32(00000005), ref: 6C9153D3
GetSystemMetrics.USER32(00000006), ref: 6C9153DD
GetSystemMetrics.USER32(0000005C), ref: 6C9153F4
GetSystemMetrics.USER32(0000005C), ref: 6C9153FE
GetSystemMetrics.USER32(00000007), ref: 6C915416
GetSystemMetrics.USER32(00000008), ref: 6C915420

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 55bb6abc2392b267b5ae496b120cb78a835c775d7dd7b397ec52d99801c7edef
Instruction ID: 3e4b5e3f4d08521fe1e5b2cd6798b419056c07fb7bd7f73d95671e838dfeeb4e
Opcode Fuzzy Hash: 55bb6abc2392b267b5ae496b120cb78a835c775d7dd7b397ec52d99801c7edef
Instruction Fuzzy Hash: DB115B36B45B069FE7004FA5880A755B7F8FF11B9AF11842EE695C69C0E770D4C6CB10

Function 6C871F5D Relevance: 12.0, APIs: 8, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(-00000014), ref: 6C871F66
GlobalAlloc.KERNEL32(00002002,00000000,?,?,6C87229F,016087C7,?,00000054,6C95B78D,-00000014,?,-00000014,6C8FEC90,00000000), ref: 6C871F7E
GlobalLock.KERNEL32(-00000014), ref: 6C871F8E
GlobalLock.KERNEL32(?), ref: 6C871F97
GlobalSize.KERNEL32(?), ref: 6C871FA4

Part of subcall function 6C86EC8A: _memcpy_s.LIBCMT ref: 6C86EC99

GlobalUnlock.KERNEL32(?), ref: 6C871FB5
GlobalUnlock.KERNEL32(?), ref: 6C871FBE
GlobalSize.KERNEL32(?), ref: 6C871FCE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc_memcpy_s
String ID:
API String ID: 3833998449-0
Opcode ID: 8b33e1e8528251c87dbeadbddf3b1b46657a96378b28b6f2a3cb32159bf19782
Instruction ID: 9596512e8d9cbfabaef3a8900990acc2233b6be0d80b994ce650023a4021b855
Opcode Fuzzy Hash: 8b33e1e8528251c87dbeadbddf3b1b46657a96378b28b6f2a3cb32159bf19782
Instruction Fuzzy Hash: EE012575701715BBDB241F65CD8CC9E7F7CEB062997008528F909D1511DB31990697B0

Function 6C932040 Relevance: 12.0, APIs: 8, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6C932046
GetSystemMetrics.USER32(0000000C), ref: 6C932051
GetSystemMetrics.USER32(00000002), ref: 6C93205C
GetSystemMetrics.USER32(00000003), ref: 6C93206A
GetDC.USER32(00000000), ref: 6C932078
GetDeviceCaps.GDI32(00000000,00000058), ref: 6C932083
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C93208F
ReleaseDC.USER32(00000000,00000000), ref: 6C93209B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 5962921e1eeb9dbe13901bbb5d5610be2f4df429c6b5768165e63682f5575fe4
Instruction ID: a10b6a13da2d4a51636fcc0ace2635cebddcaf9381f1ebfa6c150a2d21cd1a9e
Opcode Fuzzy Hash: 5962921e1eeb9dbe13901bbb5d5610be2f4df429c6b5768165e63682f5575fe4
Instruction Fuzzy Hash: 2FF0E771B40712ABEB195FB1980DB563BB4FB46756F00861EF202CA180DBB58487CF90

Function 6C8D938C Relevance: 10.9, APIs: 7, Instructions: 414COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8D9393
GetWindow.USER32(?,00000005), ref: 6C8D9402

Part of subcall function 6C8D938C: __EH_prolog3.LIBCMT ref: 6C8D8E38
Part of subcall function 6C8D938C: GetWindow.USER32(?,00000005), ref: 6C8D8E56
Part of subcall function 6C8D938C: GetWindow.USER32(?,00000002), ref: 6C8D8E8F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$H_prolog3
String ID:
API String ID: 1351209170-0
Opcode ID: 4bad5370a7ace386b087a2096413cb864fdbd0c2fcdbccb2c5bb3b6d16692c09
Instruction ID: 71b8694caebb19210e30c464abf21bff77d8dbbd6f2226befbe0938ee8fed67a
Opcode Fuzzy Hash: 4bad5370a7ace386b087a2096413cb864fdbd0c2fcdbccb2c5bb3b6d16692c09
Instruction Fuzzy Hash: 9EF17C34B0122A9FCF14DF64C968AEDB7B1BF49314F014969E812A7B90DF34AD46CB91

Function 6C97F650 Relevance: 10.8, APIs: 7, Instructions: 333windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,00000001,00000000), ref: 6C97F68A
__EH_prolog3_GS.LIBCMT ref: 6C97F6ED
GetClientRect.USER32(00000000,?), ref: 6C97F788
GetParent.USER32(?), ref: 6C97F930
GetNextDlgGroupItem.USER32(?,?,00000000), ref: 6C97F964
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6C97F9D8
GetNextDlgGroupItem.USER32(?,?,00000000), ref: 6C97F9E9

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: GroupItemNext$ClientH_prolog3_MessageParentRectRedrawSendWindow
String ID:
API String ID: 2296408814-0
Opcode ID: 083a7def7f9c544e9ae5d0bda15e0d22429d134be471ddf0caeee4084f1beb6d
Instruction ID: c0247eebcbb5ddfe75fefbacc0f3e68d3e1a2970bed6158c4ba651fef96a93ac
Opcode Fuzzy Hash: 083a7def7f9c544e9ae5d0bda15e0d22429d134be471ddf0caeee4084f1beb6d
Instruction Fuzzy Hash: 2FC19F31A01219ABDF14DF68C994BEE7BB9BF49358F140069E905B7B50DB30E946CB60

Function 6C9E17E1 Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6C9E1867

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 15e1bcecc5968a93ea416e1938c36c66204e08d29b2f9682e5d25721f3eb5c4f
Instruction ID: b71f0761995dea950c27b62e9893a8d7045e0d50358f8440eb16b55410398382
Opcode Fuzzy Hash: 15e1bcecc5968a93ea416e1938c36c66204e08d29b2f9682e5d25721f3eb5c4f
Instruction Fuzzy Hash: 8CB14672A05365AFDB028F68CC81BEA7BA9EF3F314F144195E904AB782D374D901C7A1

Function 6C85F4DD Relevance: 10.8, APIs: 7, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C85F4E7
CreatePolygonRgn.GDI32(?,00000008,00000002), ref: 6C85F73E
FillRect.USER32(00000002,?,?), ref: 6C85F7C2
FillRect.USER32(00000002,?,-000000D0), ref: 6C85F805
Polyline.GDI32(00000002,?,00000008), ref: 6C85F81D
OffsetRect.USER32(00000000,00000001,00000001), ref: 6C85F87B
OffsetRect.USER32(00000000,000000FF,000000FF), ref: 6C85F8A3

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$FillOffset$CreateH_prolog3_PolygonPolyline
String ID:
API String ID: 2710902255-0
Opcode ID: ba403e5f2a26b5edbe296bafb1482620ae7c593ae8f92c6107774c7167b35dae
Instruction ID: 81ae3495ce7fa2a7b45025011eee0bdcc329726bb4de6c5094e8b2f110bb3556
Opcode Fuzzy Hash: ba403e5f2a26b5edbe296bafb1482620ae7c593ae8f92c6107774c7167b35dae
Instruction Fuzzy Hash: FCD15C71E002199FDF24CFA4C984BEDBBB5BF08304F50456AE909AB791DB749A49CF50

Function 6C91E4A1 Relevance: 10.8, APIs: 7, Instructions: 266windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C91E4A8
CreateCompatibleDC.GDI32(00000000), ref: 6C91E514
CreateCompatibleBitmap.GDI32(?,00000020,?), ref: 6C91E54A
SelectObject.GDI32(?,00000000), ref: 6C91E5A4
BitBlt.GDI32(?,00000000,00000000,00000020,?,03E8FFFF,00000020,?,00CC0020), ref: 6C91E5CC
BitBlt.GDI32(?,00000020,?,00000020,00000048,?,00000000,00000000,00CC0020), ref: 6C91E7A5
DeleteObject.GDI32(?), ref: 6C91E7BC

Part of subcall function 6C87F3FD: FillRect.USER32(?,?,-000000A8), ref: 6C87F419

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreateObject$BitmapDeleteFillH_prolog3RectSelect
String ID:
API String ID: 3910664508-0
Opcode ID: 45b8cb44a3b22e3fed54681fae0e375b046492e60fbe1821e3980eed3fbed44a
Instruction ID: 2453a0796763e3547c85e651be19b4b00edb15df971a758ce1278c60b454e098
Opcode Fuzzy Hash: 45b8cb44a3b22e3fed54681fae0e375b046492e60fbe1821e3980eed3fbed44a
Instruction Fuzzy Hash: 3AA1AE31A0420E9BDF10CFA8C985AEEBBF9FF58344F104629F551E6A90EB34D945CB90

Function 6C907166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C90716D
IsRectEmpty.USER32(?), ref: 6C9072BD
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6C907340
PtInRect.USER32(?,?,?), ref: 6C90748D
GetParent.USER32(?), ref: 6C9074A9

Strings

\sx, xrefs: 6C907237

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$EmptyH_prolog3ParentRedrawWindow
String ID: \sx
API String ID: 3997883630-995570312
Opcode ID: 8442bc53e1edb73747ffd88fedfd628e2d3b1f9aab0d9975b479df23c3af900b
Instruction ID: db4354c9c56eca32bd01922765fbd85268122ab1c0c6347a43e70adaa09a8a2e
Opcode Fuzzy Hash: 8442bc53e1edb73747ffd88fedfd628e2d3b1f9aab0d9975b479df23c3af900b
Instruction Fuzzy Hash: DCA14A31B006068FDF08DF68C988AAE77B6BF95314F1845BDD809DBA45DB30E945CB60

Function 6C844080 Relevance: 10.7, APIs: 7, Instructions: 221windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C8440BD
LoadBitmapW.USER32(?,-000000B1), ref: 6C844161
GetObjectW.GDI32(00000000,00000018,?), ref: 6C844188
ImageList_AddMasked.COMCTL32(?,00000000,000000FF,00000010,?,00000005,00000000,00000000,?,50402808,000000AB,?,?,56000007,?), ref: 6C8441C1
SendMessageW.USER32(?,00001109,00000000,?), ref: 6C8441E0
LoadMenuW.USER32(?,000000AD), ref: 6C84429C
GetSubMenu.USER32(00000000,00000000), ref: 6C8442B0

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: LoadMenu$BitmapEmptyImageList_MaskedMessageObjectRectSend
String ID:
API String ID: 4268898049-0
Opcode ID: dddf2a8332259376adae78e4388548d047090141e5ac94d802c5810fceadcef7
Instruction ID: 1bfa79897cce8d6edfda6f9091192e7bbb7e222493588906868ec51009cd8259
Opcode Fuzzy Hash: dddf2a8332259376adae78e4388548d047090141e5ac94d802c5810fceadcef7
Instruction Fuzzy Hash: CA81AE71740209AFEB24DF68CD55BEEB7B8BF48704F108628F515A76C0CB746949CBA0

Function 6C8683BD Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 215windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9432A0: __EH_prolog3.LIBCMT ref: 6C9432A7

SendMessageW.USER32(?,00000433,00000000,?), ref: 6C868595
GetWindowLongW.USER32(?,000000FC), ref: 6C8685A0
GetWindowLongW.USER32(?,000000FC), ref: 6C8685B4
SetWindowLongW.USER32(?,000000FC,00000000), ref: 6C8685DD

Strings

\sx, xrefs: 6C8684C1
,, xrefs: 6C86857D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: LongWindow$H_prolog3MessageSend
String ID: ,$\sx
API String ID: 4140968126-2057053908
Opcode ID: ea7cdb9b364f98bd5b75fc8a8bbf6df5d078b0b07aa0132513b5031088be0420
Instruction ID: 6db58667078ef74694e06c23cb86796808c39e3fd49d55596c89054490a241ac
Opcode Fuzzy Hash: ea7cdb9b364f98bd5b75fc8a8bbf6df5d078b0b07aa0132513b5031088be0420
Instruction Fuzzy Hash: 69710331700215AFCF25AF7AC994A9EBBB5BF49318B00492AE905D7F50DB30E901CB91

Function 6C9A1CB1 Relevance: 10.7, APIs: 7, Instructions: 195windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9A1CB8
_memcpy_s.LIBCMT ref: 6C9A1DC9
CoTaskMemFree.OLE32(?,000000FF), ref: 6C9A1DF1
GetParent.USER32(?), ref: 6C9A1E57
SendMessageW.USER32(?,00000464,00000104,00000000), ref: 6C9A1E80
GetParent.USER32(?), ref: 6C9A1EA6
SendMessageW.USER32(?,00000465,00000104,00000000), ref: 6C9A1ECC

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageParentSend$FreeH_prolog3Task_memcpy_s
String ID:
API String ID: 3096905456-0
Opcode ID: 65dff92a6b1b701de78d58bd53ae137b5f9c5899f039da2c2debf68319657719
Instruction ID: 30f77f54dcf4b46af586966981f7ffff6c279d00c75fdb8acbb4a0b1dcc6da08
Opcode Fuzzy Hash: 65dff92a6b1b701de78d58bd53ae137b5f9c5899f039da2c2debf68319657719
Instruction Fuzzy Hash: C0616371A0051ADFCF04DFA8CD94EAEB7B4BF05718B104929E515E7AA0DB30ED46CB54

Function 6C88013A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 6C88021D
GetObjectW.GDI32(00000000,00000018,?), ref: 6C88023A
DeleteObject.GDI32(00000000), ref: 6C880245
DeleteObject.GDI32(00000000), ref: 6C8802EA

Part of subcall function 6C880FCC: GetObjectW.GDI32(?,00000054,?), ref: 6C880FE6

__EH_prolog3.LIBCMT ref: 6C880141

Part of subcall function 6C9459B8: DeleteObject.GDI32(6C87096D), ref: 6C9459CA

Part of subcall function 6C87FFE0: FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CA0BE30,?,6C880E95,?,?,?,00000038,6C87FA98), ref: 6C880002
Part of subcall function 6C87FFE0: LoadResource.KERNEL32(00000000,00000000,?,6CA0BE30,?,6C880E95,?,?,?,00000038,6C87FA98), ref: 6C880010
Part of subcall function 6C87FFE0: LockResource.KERNEL32(00000000,?,6CA0BE30,?,6C880E95,?,?,?,00000038,6C87FA98), ref: 6C88001B
Part of subcall function 6C87FFE0: SizeofResource.KERNEL32(00000000,00000000,?,6CA0BE30,?,6C880E95,?,?,?,00000038,6C87FA98), ref: 6C880029

Strings

, xrefs: 6C880250

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Resource$Delete$Load$FindH_prolog3ImageLockSizeof
String ID:
API String ID: 1337615151-3916222277
Opcode ID: b1e491d990d5d7d6961a45a5760380b3d4634436de38319b0a45886e57c75151
Instruction ID: d0992716164faa11ee90bfd354d6995a0154539596187827fea1eeb9f2e9c784
Opcode Fuzzy Hash: b1e491d990d5d7d6961a45a5760380b3d4634436de38319b0a45886e57c75151
Instruction Fuzzy Hash: 0D51C671A0365AEFDF259FA4CA80BEDB378BF05308F40492DE521A3E40DB709955CBA1

Function 6C905DCD Relevance: 10.6, APIs: 7, Instructions: 142COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C905DD4

Part of subcall function 6C93447F: __EH_prolog3.LIBCMT ref: 6C934486
Part of subcall function 6C93447F: SetRectEmpty.USER32(?), ref: 6C93467C

Part of subcall function 6C97D5EB: __EH_prolog3.LIBCMT ref: 6C97D5F2

SetRectEmpty.USER32(?), ref: 6C905F5D
SetRectEmpty.USER32(?), ref: 6C905F64
SetRectEmpty.USER32(?), ref: 6C905F97
SetRectEmpty.USER32(?), ref: 6C906001
SetRectEmpty.USER32(?), ref: 6C90600E
SetRectEmpty.USER32(?), ref: 6C90601B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID:
API String ID: 3752103406-0
Opcode ID: fd554dde6d1210a042f734479156acf61afc8ef8f9ce8a97d05017d2707f19e2
Instruction ID: 15fe2cbcb7d59544f3c3885a4000e662345db949177a5e957b99b824266f1e00
Opcode Fuzzy Hash: fd554dde6d1210a042f734479156acf61afc8ef8f9ce8a97d05017d2707f19e2
Instruction Fuzzy Hash: 2D71EEB1906B158FCB65CF28C58868ABBF4BF08304F15896ED4AE9B311C734AA45CF85

Function 6C869A67 Relevance: 10.6, APIs: 7, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C869A94
PeekMessageW.USER32(000000FF,00000000,00000000,00000000,00000000), ref: 6C869AB6
UpdateWindow.USER32(?), ref: 6C869AD0
SendMessageW.USER32(000000DD,00000121,00000001,?), ref: 6C869AF6
SendMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C869B0E
UpdateWindow.USER32(?), ref: 6C869B5B

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

PeekMessageW.USER32(000000FF,00000000,00000000,00000000,00000000), ref: 6C869BA5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1392c0b0d5c4ef574eef6f6f4fafc587baa516d09d7ff15648f87d4e58325ebb
Instruction ID: 54d9b67b4782782de74591563dc4d179bb04852a7ba5db76f752662087003c47
Opcode Fuzzy Hash: 1392c0b0d5c4ef574eef6f6f4fafc587baa516d09d7ff15648f87d4e58325ebb
Instruction Fuzzy Hash: D541A170B00215BBEF189B7ACA88B6E7BB8FF04759F104968E815D7D80D770D941C790

Function 6C898B9E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C898BA5
CopyRect.USER32(?,?), ref: 6C898C53
IsRectEmpty.USER32(?), ref: 6C898C6B
IsRectEmpty.USER32(?), ref: 6C898C83
IsRectEmpty.USER32(?), ref: 6C898C98

Part of subcall function 6C86FCED: __EH_prolog3.LIBCMT ref: 6C86FCF4
Part of subcall function 6C86FCED: LoadCursorW.USER32(00000000,00007F00), ref: 6C86FD18
Part of subcall function 6C86FCED: GetClassInfoW.USER32(?,?,?), ref: 6C86FD53

Strings

Afx:ControlBar, xrefs: 6C898BDA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Empty$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
String ID: Afx:ControlBar
API String ID: 685170547-4244778371
Opcode ID: a7c567f616ad943e54dadee24a7464cc6f0284e0b812491f15120772a3295916
Instruction ID: 1741855ce1c1b4123916939e1704072c4ac34c482b07d022844151f5f1f57528
Opcode Fuzzy Hash: a7c567f616ad943e54dadee24a7464cc6f0284e0b812491f15120772a3295916
Instruction Fuzzy Hash: 6C415B31A002099FDF55CFA8CA84AEE77F5BF49348F154469EC05BB640DB75AA0ACB60

Function 6C90BD3C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C90BD43

Part of subcall function 6C9508BB: __EH_prolog3.LIBCMT ref: 6C9508C2

Part of subcall function 6C9592DA: SetRectEmpty.USER32(?), ref: 6C95930F

SetRectEmpty.USER32(?), ref: 6C90BE73
SetRectEmpty.USER32 ref: 6C90BE84
SetRectEmpty.USER32(?), ref: 6C90BE8B

Strings

False, xrefs: 6C90BEF2, 6C90BEF7, 6C90BEFF
True, xrefs: 6C90BE93, 6C90BE9E, 6C90BEE6

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 1cd39e9c1682685acead261992824933f745bf6f9f0efe1eb22516e4ba4646f9
Instruction ID: 14dce242fcb70f4b0c39661a2c69953f104855ed7236454b7981fcfb46b06923
Opcode Fuzzy Hash: 1cd39e9c1682685acead261992824933f745bf6f9f0efe1eb22516e4ba4646f9
Instruction Fuzzy Hash: AB51F1B09043019FCB0ACF29D485BE8BBE8BF18314F1981BEE81D9B796CB705645CB65

Function 6C8648CE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 118libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 6C864A64

Part of subcall function 6C864816: GetProcAddress.KERNEL32(00000000,6CA07F64), ref: 6C864844

GetModuleFileNameW.KERNEL32(?,?,00000105,?,6C86BE5C,00000010,6CA55C00,00000010,6C865A99,00000000,?,6C8D9E87,?), ref: 6C86497E
SetLastError.KERNEL32(0000006F,?,6C86BE5C,00000010,6CA55C00,00000010,6C865A99,00000000,?,6C8D9E87,?), ref: 6C864992
GetLastError.KERNEL32(00000020), ref: 6C8649E9

Strings

GetModuleHandleExW, xrefs: 6C864931
Comctl32.dll, xrefs: 6C864A50, 6C864A55, 6C864A63

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
String ID: Comctl32.dll$GetModuleHandleExW
API String ID: 3640817601-1171143627
Opcode ID: 6066c3c0f82b90ddd158ed0cea74801eff6818bfa376839ac150dec79078158b
Instruction ID: c042e1bff6649a0199c253e56de338840e949719b126fd035bd8e6dff4ac0856
Opcode Fuzzy Hash: 6066c3c0f82b90ddd158ed0cea74801eff6818bfa376839ac150dec79078158b
Instruction Fuzzy Hash: 0541FD70A01315AAEB30CB5ACE58BDD7778ABC4359F204A76E515F2E90DB3489C1CF24

Function 6C84A960 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84A983
std::_Lockit::_Lockit.LIBCPMT ref: 6C84A9A6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84A9C6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84AA53
Concurrency::cancel_current_task.LIBCPMT ref: 6C84AA6B

Strings

F^, xrefs: 6C84A995, 6C84AA4A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID: F^
API String ID: 3053331623-3468755180
Opcode ID: 61878ce14bb12210dd9990d316d2a5fee283e7d57305b3746ecc879c15117bbf
Instruction ID: d01e84942dbcddaf4ad837594c1661ba7651b2a76c438a2b4230e297e20fff23
Opcode Fuzzy Hash: 61878ce14bb12210dd9990d316d2a5fee283e7d57305b3746ecc879c15117bbf
Instruction Fuzzy Hash: 0731E275A0022A9FCF25CF54C980BDEBB74FB01728F158A39D8156BB40D730A945CBE2

Function 6C84B0F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84B113
std::_Lockit::_Lockit.LIBCPMT ref: 6C84B136
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84B156
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84B1E3
Concurrency::cancel_current_task.LIBCPMT ref: 6C84B1FB

Strings

8W^, xrefs: 6C84B125, 6C84B1DA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID: 8W^
API String ID: 3053331623-2886785626
Opcode ID: c1a74bb27d419c9f1e57c4f562f49b5d6aeb2d34b8a2132f3b4580a55cf45a6b
Instruction ID: 2d45f7415f7aee3f2538a6962f529209999c9fa6795a4de0d179def992a501f4
Opcode Fuzzy Hash: c1a74bb27d419c9f1e57c4f562f49b5d6aeb2d34b8a2132f3b4580a55cf45a6b
Instruction Fuzzy Hash: B3310475A0062ADFCF25CF54C980BAEBB74FB45728F158A29D805A7B40D730A945CBE2

Function 6C8F9274 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C8F927E
RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000228,6C8F5B2A,?,?,00000000,?,00000004,6C8F5552,80000000,?,80000000), ref: 6C8F9324

Part of subcall function 6C8B3367: __EH_prolog3.LIBCMT ref: 6C8B336E

RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C8F9348
RegCloseKey.ADVAPI32(?,?,?,?,00000001,?,00000001), ref: 6C8F93FD

Strings

Software\Classes\, xrefs: 6C8F92CA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseEnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 854624316-1121929649
Opcode ID: fe21044c8cd60ed6edd9d8e9ce55d2c6589b2ccc9c266f5ca9503b763af38998
Instruction ID: b4924bb61aa94cf767906f7ac6abb768602ba895cda51c94b75df27c35ec751a
Opcode Fuzzy Hash: fe21044c8cd60ed6edd9d8e9ce55d2c6589b2ccc9c266f5ca9503b763af38998
Instruction Fuzzy Hash: E641E331901218EBDB31DFA8DE88BDD77B4AF44358F1449E9E415A3780DB70DB8ACA21

Function 6C868907 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C868932
GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 6C868967
GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 6C86898F

Strings

CloseTouchInputHandle, xrefs: 6C868981
user32.dll, xrefs: 6C868928
GetTouchInputInfo, xrefs: 6C868959

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 667068680-1853737257
Opcode ID: c58638540552b5de21fd1c2beddbf5922bf367e8ecba186c0cc1616fa7815914
Instruction ID: 9e587fa98dc5cf092fb9cd846c46acddeb3e81d4980ff33b12881aa9fe8eee2d
Opcode Fuzzy Hash: c58638540552b5de21fd1c2beddbf5922bf367e8ecba186c0cc1616fa7815914
Instruction Fuzzy Hash: DC310C78702326BBCF29CF16C9159597B74FB47B59711882AE849D3B40D735F802CB21

Function 6C951329 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6C951347
SendMessageW.USER32(?,00000439,00000000,?), ref: 6C95138C
SendMessageW.USER32(?,00000410,00000000,?), ref: 6C9513D0
ScreenToClient.USER32(00000000,?), ref: 6C9513F8
SendMessageW.USER32(?,00000407,00000000,?), ref: 6C951420

Strings

\sx, xrefs: 6C95132F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$ClientScreenWindow
String ID: \sx
API String ID: 4074774880-995570312
Opcode ID: 277b525685f658d439dd80eae4fb17638f2a01282e63f40df8e05a77351faaf4
Instruction ID: a8a2d0e823ebd5d42e202cee09f487aad639cb83376699190f1d576f0d80f1fa
Opcode Fuzzy Hash: 277b525685f658d439dd80eae4fb17638f2a01282e63f40df8e05a77351faaf4
Instruction Fuzzy Hash: E931A971A01218ABDF04DF55C844ADEB7B8FF49714F104119FA15A7A90D770E955C7A0

Function 6C853F40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C853F70

Part of subcall function 6C90C413: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C90C4AD

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C853FBE
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C853FF3
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C854004
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C854015

Part of subcall function 6C906035: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C9060B2

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C85404D
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C854094

Part of subcall function 6C8DA822: DestroyMenu.USER32(?), ref: 6C8DA86B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::$DestroyMenu
String ID:
API String ID: 1488951477-0
Opcode ID: 2ed30c9fb89dc0179f28cd788591cfdda86fe8710586c2f785ee2bc0007bb08a
Instruction ID: f7ad9e73cc448375984cca6fde3174ac8eec690865b77670187b34cf6f8b65df
Opcode Fuzzy Hash: 2ed30c9fb89dc0179f28cd788591cfdda86fe8710586c2f785ee2bc0007bb08a
Instruction Fuzzy Hash: D1411D71241A029BC22DEF78C5619E9F760BF65308B80093DC46A03F60EF71769DCB91

Function 6C86349D Relevance: 10.6, APIs: 7, Instructions: 82windowCOMMON

Download Yara Rule

APIs

FillRect.USER32(?,?,-000000A0), ref: 6C8634C6
InflateRect.USER32(?,000000FF,000000FF), ref: 6C8634D4
PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 6C8634FA
PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 6C863513
PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 6C86352C
PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 6C863548
FillRect.USER32(?,?,-000000D0), ref: 6C86356B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Fill$Inflate
String ID:
API String ID: 2224923502-0
Opcode ID: 45ab9651786ef5b515b2a3baecf9bcf12959a1b908dd950dbce44541d04716d4
Instruction ID: 496ca6708c3751d2b95b8252b8cdfdc3e815f4d39317e0dd5f8e6f7d4fc5430d
Opcode Fuzzy Hash: 45ab9651786ef5b515b2a3baecf9bcf12959a1b908dd950dbce44541d04716d4
Instruction Fuzzy Hash: 1631FB72200209BFDF159F58CD49EAA3BBDFB09354F008524F925C66A1D771ED61CBA0

Function 6C9E5C8D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6C9E5D9C,?,6C9DFDF6,00000000,00000000,00000008,?,6C9E6006,00000022,FlsSetValue,6CA3E480,6CA3E488,00000000), ref: 6C9E5D4E

Strings

api-ms-, xrefs: 6C9E5CE4
ext-ms-, xrefs: 6C9E5CF8

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 6eb6ae7aad500ea85a9cb9d86f1cb7b005745df1b59b16c33e6207cd7952d360
Instruction ID: 5fb70c0746e8dcdc1b15924fc0edbcde648f99d702c99d0b8801a727e88383fb
Opcode Fuzzy Hash: 6eb6ae7aad500ea85a9cb9d86f1cb7b005745df1b59b16c33e6207cd7952d360
Instruction Fuzzy Hash: E7213D35B01712ABDB139B25CC48A4A377CAF273ACF254614ED15E7780D730E942C6E0

Function 6C85B990 Relevance: 10.6, APIs: 7, Instructions: 71windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 6C85B9AF
GetObjectW.GDI32(0000005C,?), ref: 6C85B9C2

Part of subcall function 6C86FA11: SystemParametersInfoW.USER32(00000029,?,?,00000000), ref: 6C86FA2D

CreateFontIndirectW.GDI32(?), ref: 6C85BA05
SendMessageW.USER32(?,00000030,?,00000001), ref: 6C85BA28
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 6C85BA37
SendMessageW.USER32(?,00000030,?,00000001), ref: 6C85BA4B
SendMessageW.USER32(?,00000030,?,00000001), ref: 6C85BA5B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$Object$CreateDeleteFontIndirectInfoParametersSystem
String ID:
API String ID: 2281635968-0
Opcode ID: 2d474c79235e14286477f6de81dd4b0758244cf5d386dbba0a9278b413b941a0
Instruction ID: b29114a6a8149bdc0b1cb180b0b83d16aa8f70564cf31a01c7ade74792c0edbd
Opcode Fuzzy Hash: 2d474c79235e14286477f6de81dd4b0758244cf5d386dbba0a9278b413b941a0
Instruction Fuzzy Hash: 6021C631314305AFDB259FA8CC44FEABBADFB89355F000639F658C6290DB7199198BA1

Function 6C869769 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,user32.dll,?,?,00000000,?,6C867E77,00000000,00000000), ref: 6C86977A
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 6C86978C
GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 6C86979A

Strings

user32.dll, xrefs: 6C869771
RegisterTouchWindow, xrefs: 6C869786
UnregisterTouchWindow, xrefs: 6C869792

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 667068680-2470269259
Opcode ID: dd76f887516c6bf0eed996f7f937d96af0477b92792ea39d044f58eed7f02a7c
Instruction ID: 8edfea2d16aea95aef77d94d81e6655b95aa2891f8f59b0abad29998c5e50aad
Opcode Fuzzy Hash: dd76f887516c6bf0eed996f7f937d96af0477b92792ea39d044f58eed7f02a7c
Instruction Fuzzy Hash: AA1103327016196BCB151F66E888A5AFB78FF463ACB00452AE904C3E40DF71EC568BE0

Function 6C863078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?,00000000), ref: 6C8630B5
GetParent.USER32(?), ref: 6C8630C7
GetClientRect.USER32(?,?), ref: 6C8630DA
GetParent.USER32(?), ref: 6C8630E3
MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8630FB

Strings

\sx, xrefs: 6C86307E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID: \sx
API String ID: 3058756167-995570312
Opcode ID: 3c6b55c6071811719b042d6d5187b958c62ce4a138bda8955cfde9084be3f7dc
Instruction ID: ef01ceaa3d49efbe32f2897203866fdccb1820e1bcde902543979ce5da49ad30
Opcode Fuzzy Hash: 3c6b55c6071811719b042d6d5187b958c62ce4a138bda8955cfde9084be3f7dc
Instruction Fuzzy Hash: 6721A432B00119AFCF04DFA4C949CAEBBB9FF0A304B114159F505A7611DB31AE5ACBD1

Function 6C867B49 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 6C867B60
FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6C867B88
SizeofResource.KERNEL32(?,00000000), ref: 6C867B9A
LoadResource.KERNEL32(?,00000000), ref: 6C867BA6
LockResource.KERNEL32(00000000), ref: 6C867BB1

Strings

AFX_DIALOG_LAYOUT, xrefs: 6C867B79

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 2582447065-2436846380
Opcode ID: 24bd68c865d00987f552452a87bce12e9dc91eab33ce701412a15955f322deb4
Instruction ID: 2c3635d951dab94736a8b4866f2baad19563aa99bfbae79028040f7a8f1f057f
Opcode Fuzzy Hash: 24bd68c865d00987f552452a87bce12e9dc91eab33ce701412a15955f322deb4
Instruction Fuzzy Hash: 45118271701305BBEB224B768D48EAE7ABCEF45799B104839B905D2A00EF74D842C6B4

Function 6C8B536F Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8B5376

Strings

BLUE_, xrefs: 6C8B53CA
IDX_OFFICE2007_STYLE, xrefs: 6C8B5386
BLACK_, xrefs: 6C8B53C3, 6C8B53CF, 6C8B53D7
AQUA_, xrefs: 6C8B53BC
SILVER_, xrefs: 6C8B53B5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
API String ID: 431132790-2717817858
Opcode ID: 0aa6863f62ea559504f6d4c4a7be43abdc653006825505952d13ef75b5b3d701
Instruction ID: 4c18b0a202a215b28c73a897fe016a71fdcb435b5244ce51018b3de5fb470dd7
Opcode Fuzzy Hash: 0aa6863f62ea559504f6d4c4a7be43abdc653006825505952d13ef75b5b3d701
Instruction Fuzzy Hash: 7A11277240020D9BCB24DBACCB50AFF77B5AFA1318F154D19E411ABF80CB319A5AC762

Function 6C8DFC43 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

CopyRect.USER32(00000001,00000000), ref: 6C8DFC75
InflateRect.USER32(00000001,000000FF,000000FF), ref: 6C8DFC8C
InvalidateRect.USER32(00000000,00000001,00000000,?,00000001), ref: 6C8DFCA0
UpdateWindow.USER32(00000000), ref: 6C8DFCA9

Strings

4(@P, xrefs: 6C8DFCB0
\sx, xrefs: 6C8DFC49

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$CopyInflateInvalidateUpdateWindow
String ID: 4(@P$\sx
API String ID: 1253262389-2506994739
Opcode ID: 03cf1f527e9da75a3856d72da7e2335ff8489857bc457bfb4c2a50ab9653b8e7
Instruction ID: 85bae31487311bc9d3395d0a1cbc36cff8ba8ac45ffc6c10edb48d57ba836144
Opcode Fuzzy Hash: 03cf1f527e9da75a3856d72da7e2335ff8489857bc457bfb4c2a50ab9653b8e7
Instruction Fuzzy Hash: E501B932701615EBCB10DF68D908A9F77F8FF19359F124A29E411D2580DB30EA16D791

Function 6C8F70BD Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8F70C4

Part of subcall function 6C9902D7: __EH_prolog3.LIBCMT ref: 6C9902DE

Strings

PreviewPages, xrefs: 6C8F712A
Settings, xrefs: 6C8F712F
Recent File List, xrefs: 6C8F70F9
, xrefs: 6C8F70D1
File%d, xrefs: 6C8F70F4

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID: $File%d$PreviewPages$Recent File List$Settings
API String ID: 431132790-2750173842
Opcode ID: d3b58e45f3441751d1ac251f05aaa0127bc9b6c31ce1a0301cd0439767334fa5
Instruction ID: d515efa09beb3ee9ba71064289acba3b867c8a5f048d215bcdda0bc6a3413fb6
Opcode Fuzzy Hash: d3b58e45f3441751d1ac251f05aaa0127bc9b6c31ce1a0301cd0439767334fa5
Instruction Fuzzy Hash: CD01F5307003189FEB149F60C845B9C3AA17F58364F11456AED20DFFC2DB748986CB61

Function 6C9D7E2C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,78E4735C,?,?,00000000,6C9F5700,000000FF,?,6C9D7DC6,00000000,?,6C9D7D9A,?), ref: 6C9D7E61
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C9D7E73
FreeLibrary.KERNEL32(00000000,?,?,00000000,6C9F5700,000000FF,?,6C9D7DC6,00000000,?,6C9D7D9A,?), ref: 6C9D7E95

Strings

\sx, xrefs: 6C9D7E41
CorExitProcess, xrefs: 6C9D7E6B
mscoree.dll, xrefs: 6C9D7E5A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$\sx$mscoree.dll
API String ID: 4061214504-3671566553
Opcode ID: ba367937d7838cc97fde5d69dca16c4ff270b7c4b0eb0a2bdf0c19e04b593c85
Instruction ID: 383a9840e6a610edfcb5e7d670873990d285a79617750b058a8aa739a6ec06fb
Opcode Fuzzy Hash: ba367937d7838cc97fde5d69dca16c4ff270b7c4b0eb0a2bdf0c19e04b593c85
Instruction Fuzzy Hash: 2801AC31A0062AAFDF059F50CC04FAF7BB8FB45758F01861AF821E2690D735D901CB60

Function 6C944DD2 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C86EFB2,?,?,00000002,00000000,0000007D,00000001,00000000,?,6C8542BA,?,50008200,0000E801), ref: 6C944DE4
GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6C944DF4
EncodePointer.KERNEL32(00000000,?,6C86EFB2,?,?,00000002,00000000,0000007D,00000001,00000000,?,6C8542BA,?,50008200,0000E801,00000000), ref: 6C944DFD
DecodePointer.KERNEL32(00000000,?,?,6C86EFB2,?,?,00000002,00000000,0000007D,00000001,00000000,?,6C8542BA,?,50008200,0000E801), ref: 6C944E0B

Strings

BeginBufferedPaint, xrefs: 6C944DEE
uxtheme.dll, xrefs: 6C944DDF

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BeginBufferedPaint$uxtheme.dll
API String ID: 2061474489-1632326970
Opcode ID: 22aea6692019fb93b31434f98676e55f611c03efc18f770e19065fb94ddb0d13
Instruction ID: 04612d656e6a0f6ad60fbdc09afc7dc7790b1b35fba88eb080b290fbdef92641
Opcode Fuzzy Hash: 22aea6692019fb93b31434f98676e55f611c03efc18f770e19065fb94ddb0d13
Instruction Fuzzy Hash: 37F0F935B4172AAB9F065EA48C08D5B3F78BB05799744C514F915D2510D731C8628FA0

Function 6C945622 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll,?,?,6C9A18E4,?,00000000,6CA30AA0,6C9A1BB2), ref: 6C945634
GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6C945644
EncodePointer.KERNEL32(00000000,?,6C9A18E4,?,00000000,6CA30AA0,6C9A1BB2), ref: 6C94564D
DecodePointer.KERNEL32(00000000,?,?,6C9A18E4,?,00000000,6CA30AA0,6C9A1BB2), ref: 6C94565B

Strings

shell32.dll, xrefs: 6C94562F
SHCreateItemFromParsingName, xrefs: 6C94563E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2061474489-2320870614
Opcode ID: c5418845b8fbe7b58bdfef3b975d3de4998925ab780895589e2b7a4bc88c6f05
Instruction ID: cbf56af40780850220cef961b0e85ac61ecbae7b16558a45d83396c358434264
Opcode Fuzzy Hash: c5418845b8fbe7b58bdfef3b975d3de4998925ab780895589e2b7a4bc88c6f05
Instruction Fuzzy Hash: 22F03A7570172BAB9F066FA48C0C95A3F78BB067AA704C118FD09E7A10D735C8538BB4

Function 6C944EE1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,?,?,6C8A7DEF,00000323,00000001,?,00000004,6C853C52,?,?,?,?,6C9F3DA0,000000FF), ref: 6C944EF3
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6C944F03
EncodePointer.KERNEL32(00000000,?,?,6C8A7DEF,00000323,00000001,?,00000004,6C853C52,?,?,?,?,6C9F3DA0,000000FF), ref: 6C944F0C
DecodePointer.KERNEL32(00000000,?,?,6C8A7DEF,00000323,00000001,?,00000004,6C853C52,?,?,?,?,6C9F3DA0,000000FF), ref: 6C944F1A

Strings

ChangeWindowMessageFilter, xrefs: 6C944EFD
user32.dll, xrefs: 6C944EEE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 2061474489-2498399450
Opcode ID: ec08b492f85465332bba77d63184a6a15f21fe3c01eee36a6b7a70389feb24b0
Instruction ID: 86a41caf5a6bcb7282139acc322d41dc696ccfe8a1fce2b107daceffd6625ca6
Opcode Fuzzy Hash: ec08b492f85465332bba77d63184a6a15f21fe3c01eee36a6b7a70389feb24b0
Instruction Fuzzy Hash: F7F05834B06B26AB9F062F65880880A3EBCBB0669A301C565FC05D6A00DB35C8638FB0

Function 6C94521A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C86F20D,?,00000001), ref: 6C94522C
GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 6C94523C
EncodePointer.KERNEL32(00000000,?,?,6C86F20D,?,00000001), ref: 6C945245
DecodePointer.KERNEL32(00000000,?,?,6C86F20D,?,00000001), ref: 6C945253

Strings

EndBufferedPaint, xrefs: 6C945236
uxtheme.dll, xrefs: 6C945227

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: EndBufferedPaint$uxtheme.dll
API String ID: 2061474489-2993015961
Opcode ID: d10f06bb731a4c2a8509f0760d22855b1f239d9af57db2b72bc986e8b3034561
Instruction ID: be1614a2a208d2ef3b69e8f2118bfa1a81a5a78e2e9e45cfa4562ce215ca0955
Opcode Fuzzy Hash: d10f06bb731a4c2a8509f0760d22855b1f239d9af57db2b72bc986e8b3034561
Instruction Fuzzy Hash: 95F05E75B01726AB8F096BA4880C80A3F7CAE06799300C526FC09E7610D735C8438AB0

Function 6C944E8C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C86F467,00000800,00000800,?,?,6C8DF71E,00000800,00000018,6C8DF703,00000800,00000000,?,0000007D), ref: 6C944E9B
GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6C944EAB
EncodePointer.KERNEL32(00000000,?,6C86F467,00000800,00000800,?,?,6C8DF71E,00000800,00000018,6C8DF703,00000800,00000000,?,0000007D), ref: 6C944EB4
DecodePointer.KERNEL32(00000000,?,6C86F467,00000800,00000800,?,?,6C8DF71E,00000800,00000018,6C8DF703,00000800,00000000,?,0000007D), ref: 6C944EC2

Strings

BufferedPaintUnInit, xrefs: 6C944EA5
uxtheme.dll, xrefs: 6C944E96

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintUnInit$uxtheme.dll
API String ID: 2061474489-1501038116
Opcode ID: 667d373ab30ccafdfb4ccb635649f2bac13a85c2043a08a76969403ffb983187
Instruction ID: 9f984f1c94d4056eda24ccab22ac65614b47b4358c3ac7a4552504792bf07d49
Opcode Fuzzy Hash: 667d373ab30ccafdfb4ccb635649f2bac13a85c2043a08a76969403ffb983187
Instruction Fuzzy Hash: 0DE03971B01B23AB9F152F34A81C95F3A78AA4229A306C618F802D3A00DB35C8438EB0

Function 6C944E37 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C86EF84,00000001,00000000,?,6C8542BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?), ref: 6C944E46
GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C944E56
EncodePointer.KERNEL32(00000000,?,6C8542BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?,00000001,0000007D,?,00000800), ref: 6C944E5F
DecodePointer.KERNEL32(00000000,?,6C86EF84,00000001,00000000,?,6C8542BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?), ref: 6C944E6D

Strings

BufferedPaintInit, xrefs: 6C944E50
uxtheme.dll, xrefs: 6C944E41

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintInit$uxtheme.dll
API String ID: 2061474489-1331937065
Opcode ID: 25a560bc045f7223e267266e7fd67719941756b45d25131ede9a92d8ecd10f85
Instruction ID: e93813062152a39ea8c052796cab8d3ea274ec40fdc93eadd865217ea548852d
Opcode Fuzzy Hash: 25a560bc045f7223e267266e7fd67719941756b45d25131ede9a92d8ecd10f85
Instruction Fuzzy Hash: D4E0E575701733ABEF156F74A80C95B3A7C6B4669A305C655F811D7900DB35C8834FB1

Function 6C9454C1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll,?,6C865A3E,?,?,6C8F9D91,000FC000,00000010,00000048,6C8F9D36,00000000,6C89F93B,?), ref: 6C9454D0
GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 6C9454E0
EncodePointer.KERNEL32(00000000,?,?,6C8F9D91,000FC000,00000010,00000048,6C8F9D36,00000000,6C89F93B,?), ref: 6C9454E9
DecodePointer.KERNEL32(00000000,?,6C865A3E,?,?,6C8F9D91,000FC000,00000010,00000048,6C8F9D36,00000000,6C89F93B,?), ref: 6C9454F7

Strings

shell32.dll, xrefs: 6C9454CB
InitNetworkAddressControl, xrefs: 6C9454DA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: InitNetworkAddressControl$shell32.dll
API String ID: 2061474489-1950653938
Opcode ID: 41efed84e8726a2c2ecd4a780a26ab31ec6d88e3290c8fd288d07aa4050fcff8
Instruction ID: 86ecd157e3b8ff82eda7ce8689d9ccf63659fa1528ddc8baa461981dceb751bc
Opcode Fuzzy Hash: 41efed84e8726a2c2ecd4a780a26ab31ec6d88e3290c8fd288d07aa4050fcff8
Instruction Fuzzy Hash: F0E0ED35B05B339F9F0A2BB4980C55B3A78BB4669A345C669FC02D7604DB35C84387B0

Function 6C931FEE Relevance: 10.5, APIs: 7, Instructions: 25COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6C931FF3
GetSysColor.USER32(00000010), ref: 6C931FFE
GetSysColor.USER32(00000014), ref: 6C932009
GetSysColor.USER32(00000012), ref: 6C932014
GetSysColor.USER32(00000006), ref: 6C93201F
GetSysColorBrush.USER32(0000000F), ref: 6C93202A
GetSysColorBrush.USER32(00000006), ref: 6C932035

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: bc3c56ecf5266cad551e5887ea84e2670c25d01e7733dff4e8b60025990576ce
Instruction ID: f75345f7e9a4751d9fe72c59f7d80610adc3576d121f2527f091924d3ff4ab37
Opcode Fuzzy Hash: bc3c56ecf5266cad551e5887ea84e2670c25d01e7733dff4e8b60025990576ce
Instruction Fuzzy Hash: 7CF0FE71B407019BDB645FB0890D75A7AF0FB09766F00891DE242CB980E776D487DF50

Function 6C87A58C Relevance: 9.3, APIs: 6, Instructions: 297COMMON

Download Yara Rule

APIs

Part of subcall function 6C86CC71: ShowWindow.USER32(?,6C9AEDF4,00000000,?,6C87A7D4,00000000,?,?,6C9AEDF4,?,00000000,?,?,6C87A374,00000000,000000FF), ref: 6C86CC82

GetDesktopWindow.USER32 ref: 6C87A808
GetWindow.USER32(00000000), ref: 6C87A80F
GetWindowLongW.USER32(00000000,000000F0), ref: 6C87A83D
ShowWindow.USER32(00000000,00000000,?,6C9AEDF4,6C9AEDF4,?,?,6C9AEDF4,?,00000000,?,?,6C87A374,00000000,000000FF,00000000), ref: 6C87A858
ShowWindow.USER32(00000000,00000004,?,6C9AEDF4,6C9AEDF4,?,?,6C9AEDF4,?,00000000,?,?,6C87A374,00000000,000000FF,00000000), ref: 6C87A879
GetWindow.USER32(00000000,00000002), ref: 6C87A886

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: 82040cc3a2322f5d06af3f1d692794924471ab1ba272a02ff6b8a5a79e469a79
Instruction ID: a79b97f0bcebdcc97b77afffd16b082b37b7440e8cf845e1f90837ca03277a8b
Opcode Fuzzy Hash: 82040cc3a2322f5d06af3f1d692794924471ab1ba272a02ff6b8a5a79e469a79
Instruction Fuzzy Hash: 1BA114317016259BDB388F28C980BDE7764EF45368F148A69EC19DBA40EB34DD428BF0

Function 6C9A4508 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9A450F
GetDC.USER32(?), ref: 6C9A4650

Part of subcall function 6C90426F: __EH_prolog3.LIBCMT ref: 6C904276

ReleaseDC.USER32(?,00000000), ref: 6C9A46BA
GetDeviceCaps.GDI32(?,00000058), ref: 6C9A46E1
GetDeviceCaps.GDI32(?,0000005A), ref: 6C9A46F5
ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,6CA31110,6CA31110), ref: 6C9A47AE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CapsDevice$H_prolog3H_prolog3_ReleaseScrollShow
String ID:
API String ID: 3992271784-0
Opcode ID: c2351f8214a5d3fd5d3e366415d0594675ea97875ade848f14f62a1755f75d7b
Instruction ID: 8aa5570a749443cc06b1a28740012a19c57edda64f6064b873a799570246c188
Opcode Fuzzy Hash: c2351f8214a5d3fd5d3e366415d0594675ea97875ade848f14f62a1755f75d7b
Instruction Fuzzy Hash: 9C910374B012119FDB08CF68C994BA97BB5BF49354F1541B9E909EB7A1CB34A902CFA0

Function 6C853210 Relevance: 9.2, APIs: 6, Instructions: 179windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C85324C
SendMessageW.USER32(?,00001109,00000000,?), ref: 6C8532A5
LoadBitmapW.USER32(?,-000000AF), ref: 6C85334E
GetObjectW.GDI32(00000000,00000018,?), ref: 6C85336A
ImageList_AddMasked.COMCTL32(?,00000000,00FF00FF,00000010,?,00000005,00000000,00000000,?,50402808,000000A9,00000000,?,00000004), ref: 6C8533A3
SendMessageW.USER32(?,00001109,00000000,?), ref: 6C8533C2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$BitmapEmptyImageList_LoadMaskedObjectRect
String ID:
API String ID: 2800448286-0
Opcode ID: 3306a4c373726d1d96a32454e297bf239d78cea2abd2c43737b7f2407b67442e
Instruction ID: ec4de100fd94c7eca343d47ff6dd4e12a43b89b199315d4bc41d854e7a566dbd
Opcode Fuzzy Hash: 3306a4c373726d1d96a32454e297bf239d78cea2abd2c43737b7f2407b67442e
Instruction Fuzzy Hash: E151BE31740706AFEB259B68CD59FEEB3A8FF08705F104638F615A76C0CB70A9558BA0

Function 6C91E2C6 Relevance: 9.1, APIs: 6, Instructions: 147windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C91E2CD
CreateCompatibleDC.GDI32(00000000), ref: 6C91E351
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 6C91E381
SelectObject.GDI32(?,00000000), ref: 6C91E3D4

Part of subcall function 6C91FD99: FillRect.USER32(56010845,?,?), ref: 6C91FDD3

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreate$BitmapFillH_prolog3_ObjectRectSelect
String ID:
API String ID: 527521954-0
Opcode ID: 24acebe4c00f4bbdc2c4256eb30dfbe76cd09b87700c1c2d83469680795dec6d
Instruction ID: 21311af68de6cc8a15725205172b79fa773d423e1dd016e2278dc7b106085d91
Opcode Fuzzy Hash: 24acebe4c00f4bbdc2c4256eb30dfbe76cd09b87700c1c2d83469680795dec6d
Instruction Fuzzy Hash: 9E51F771901209EFDF06DFE5CA49AEEBBB5BF08308F154015E904BBA90D731D915CBA1

Function 6C862BEF Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 380windowCOMMON

Download Yara Rule

APIs

GetBkColor.GDI32(?), ref: 6C862C30
GetTextColor.GDI32(?), ref: 6C862CDC
GetBkColor.GDI32(?), ref: 6C862ECE
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 6C862FE7

Strings

\sx, xrefs: 6C862BF5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$DrawIconText
String ID: \sx
API String ID: 2759393849-995570312
Opcode ID: ea6bfcf5773d4103a1469fa1556a8d3f1161af45c28e9817f5d0289321027d79
Instruction ID: d348bcd68685dfacbeea4a9e617bbd2364476915c2671bf9c42cf2adee48940e
Opcode Fuzzy Hash: ea6bfcf5773d4103a1469fa1556a8d3f1161af45c28e9817f5d0289321027d79
Instruction Fuzzy Hash: DDE16E31A00219DFCF14CFA9C988A9EBBB6BF48318F154569E815EB790C774AD46CF90

Function 6C8F989C Relevance: 9.1, APIs: 6, Instructions: 116networkCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8F98A6
WSAStartup.WS2_32(00000101,?), ref: 6C8F98EB
WSACleanup.WS2_32 ref: 6C8F993A
WSASetLastError.WS2_32(0000276C), ref: 6C8F9945
WSACleanup.WS2_32 ref: 6C8F99E5
FreeLibrary.KERNEL32(?,6C8F9A00,?,6C8F9A00,00000198,6C858564,00000000), ref: 6C8F99EE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Cleanup$ErrorFreeH_prolog3_LastLibraryStartup
String ID:
API String ID: 700773300-0
Opcode ID: 5eed68276618a75eb77c61a2bb40f81acad239defaeeb9fd13f97b8c8ef474b0
Instruction ID: 7aa6231c4029c05651d13b8d8f6e6922d5f14d22c4e26c568c0ecee5256e3b95
Opcode Fuzzy Hash: 5eed68276618a75eb77c61a2bb40f81acad239defaeeb9fd13f97b8c8ef474b0
Instruction Fuzzy Hash: 6C410530B02716DBEB319F798B447C976A0BF41798F118969E479CBE80DB70D982CB51

Function 6C9A1AEA Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6C9A1B25
IsWindowEnabled.USER32(00000000), ref: 6C9A1B5B
EnableWindow.USER32(00000000,00000000), ref: 6C9A1B73
EnableWindow.USER32(00000000,00000001), ref: 6C9A1C14
IsWindow.USER32(00000000), ref: 6C9A1C1B
SetFocus.USER32(00000000), ref: 6C9A1C26

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$EnableFocus$Enabled
String ID:
API String ID: 1303138515-0
Opcode ID: 4ed74ec59c42cd70c004f529779f0d0b890906e9fe2060b39c272fd81e36c1d0
Instruction ID: 6ad00a1d6829ac37391759cfe1f0e3eddde56a6ba2ecd148fb8cae5b49e085a8
Opcode Fuzzy Hash: 4ed74ec59c42cd70c004f529779f0d0b890906e9fe2060b39c272fd81e36c1d0
Instruction Fuzzy Hash: 3441A230701701EFDB099FB4C888B99B7B9FF06358F058169E0199B6A1DB70E85BCB91

Function 6C8E64E9 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8E64F0

Part of subcall function 6C898448: __EH_prolog3.LIBCMT ref: 6C89844F
Part of subcall function 6C898448: SetRectEmpty.USER32 ref: 6C898539
Part of subcall function 6C898448: SetRectEmpty.USER32(?), ref: 6C898564

Part of subcall function 6C87C53E: __EH_prolog3.LIBCMT ref: 6C87C545

SetRectEmpty.USER32(?), ref: 6C8E665B
SetRectEmpty.USER32(?), ref: 6C8E666A
SetRectEmpty.USER32(?), ref: 6C8E6671
SetRectEmpty.USER32(?), ref: 6C8E6678
SetRectEmpty.USER32(?), ref: 6C8E66A2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID:
API String ID: 3752103406-0
Opcode ID: 400b7d2892b2605ac120d9c1a3bfd33dc1d6308293c3603284d7f00bafee45f5
Instruction ID: e41cf0c7cf856a565a30ded4ac53475904e6ed3db807e647d72d1a7f8e07804e
Opcode Fuzzy Hash: 400b7d2892b2605ac120d9c1a3bfd33dc1d6308293c3603284d7f00bafee45f5
Instruction Fuzzy Hash: 7551A2F0901B018FC794CF29C588699BBE4BF98218F2889BEC65DCB212EB365546CF14

Function 6C965DD1 Relevance: 9.1, APIs: 6, Instructions: 84windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C965DD8
GetMenuItemCount.USER32(?), ref: 6C965DFE
GetMenuItemID.USER32(?,00000000), ref: 6C965E15
GetMenuState.USER32(?,00000000,00000400), ref: 6C965E2D
GetSubMenu.USER32(?,00000000), ref: 6C965EA0

Part of subcall function 6C89BF88: GetMenuStringW.USER32(00000000,00000000,00000000,00000000,?), ref: 6C89BF9C
Part of subcall function 6C89BF88: GetMenuStringW.USER32(00000000,00000000,00000000,00000001,?), ref: 6C89BFC0

Part of subcall function 6C965B4B: __EH_prolog3.LIBCMT ref: 6C965B52

ModifyMenuW.USER32(?,00000000,00000400,00000000,?), ref: 6C965E87

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$H_prolog3ItemString$CountModifyState
String ID:
API String ID: 2436308985-0
Opcode ID: dc80af18dd5a76ba392cfc47ac6faccd01577452e7dd713e630ce3989f7b8a43
Instruction ID: ef6613bab4d11f485220057d4f40f168a9720b0c0fb160afd6c810f995b4b4cf
Opcode Fuzzy Hash: dc80af18dd5a76ba392cfc47ac6faccd01577452e7dd713e630ce3989f7b8a43
Instruction Fuzzy Hash: 8B21C330601206BBEF159B65CD58BFEBA75BF10349F108528E125A6ED1DB30D956CB50

Function 6C86F67A Relevance: 9.1, APIs: 6, Instructions: 84windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C86F681
CreateRectRgnIndirect.GDI32(00000000), ref: 6C86F6A1

Part of subcall function 6C86E5F5: SelectClipRgn.GDI32(?,00000000), ref: 6C86E615
Part of subcall function 6C86E5F5: SelectClipRgn.GDI32(?,00000000), ref: 6C86E62B

GetParent.USER32(00000000), ref: 6C86F6C1
DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000018), ref: 6C86F6E2
MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 6C86F716
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6C86F742

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
String ID:
API String ID: 935984306-0
Opcode ID: 39bee5692e9f587c5310d5cd3a0cc065181bb867184011fceaaa7c49d77c2fc9
Instruction ID: bb44d91de4c9a4e6b2ddc281a2e27d820111d7310ad460aa055991ff35bebd0f
Opcode Fuzzy Hash: 39bee5692e9f587c5310d5cd3a0cc065181bb867184011fceaaa7c49d77c2fc9
Instruction Fuzzy Hash: 09314F71A0020AEFCF11CFE5CA49BEE7BB5BF18345F104828E505A6A60DB75D909DB90

Function 6C9E4A69 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(78E4735C,00000000,00000000,00000000), ref: 6C9E4ACC

Part of subcall function 6C9EA918: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C9E9427,?,00000000,-00000008), ref: 6C9EA979

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C9E4D1E
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C9E4D64
GetLastError.KERNEL32 ref: 6C9E4E07

Strings

\sx, xrefs: 6C9E4A7F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID: \sx
API String ID: 2112829910-995570312
Opcode ID: e67080a9a5898833edb89096b9efc7cc1c600dae5525344c874495b99b8ae9dd
Instruction ID: 7d5583d84b1c91de476183e3896414ac273a182724f004fda849a9942bb6bd9f
Opcode Fuzzy Hash: e67080a9a5898833edb89096b9efc7cc1c600dae5525344c874495b99b8ae9dd
Instruction Fuzzy Hash: DED149B5E042599FCB06CFE8C880AADBBB9BF19314F14856AE425EB741D730E946CF50

Function 6C872A4A Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6C872A82
GetParent.USER32(?), ref: 6C872A90
GetParent.USER32(?), ref: 6C872AA7
GetLastActivePopup.USER32(?), ref: 6C872ABA
IsWindowEnabled.USER32(?), ref: 6C872ACE
EnableWindow.USER32(?,00000000), ref: 6C872AE1

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: ee212f9332e1a0a7d64a369bf5d81934d87afea881045ca9a07afe8aba966d5a
Instruction ID: 2598202bbf10179058e6a58b5a99a6e5523fc3c0883356edb012cc2f7343e20c
Opcode Fuzzy Hash: ee212f9332e1a0a7d64a369bf5d81934d87afea881045ca9a07afe8aba966d5a
Instruction Fuzzy Hash: 4A11B732701722DBDE315A5A4A4CB5FB6B86F16B98F170974EC14E7600FB28CC0246F0

Function 6C9A03FC Relevance: 9.1, APIs: 6, Instructions: 63windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(?,000000C8), ref: 6C9A0430
LoadAcceleratorsW.USER32(?,000000C8), ref: 6C9A043F
LoadMenuW.USER32(?,FFFFFFFF), ref: 6C9A0460
LoadAcceleratorsW.USER32(?,FFFFFFFF), ref: 6C9A046F
LoadMenuW.USER32(?,00000001), ref: 6C9A0490
LoadAcceleratorsW.USER32(?,00000001), ref: 6C9A049F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Load$AcceleratorsMenu
String ID:
API String ID: 144087665-0
Opcode ID: 0425e14585758550cdbe44e4b023eecdc7541727cfc1d89b5017ae45e4dbe498
Instruction ID: 2a6d4bc2a2cfc78f08647f529aa0ea4d6ebaa2118f4a0fdef78f0aac62af2e18
Opcode Fuzzy Hash: 0425e14585758550cdbe44e4b023eecdc7541727cfc1d89b5017ae45e4dbe498
Instruction Fuzzy Hash: C621DB71601A67EFC7549FA698484E9F7F8FF0531A304912EFA5182A00E734A862CFB1

Function 6C9CCFE6 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6C9CCE3F,6C9C7B79,6C9C7E3C,?,6C9C8072,?,00000001,?,?,00000001,?,6CA65F78,0000000C,6C9C816B), ref: 6C9CCFF4
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C9CD002
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C9CD01B
SetLastError.KERNEL32(00000000,6C9C8072,?,00000001,?,?,00000001,?,6CA65F78,0000000C,6C9C816B,?,00000001,?), ref: 6C9CD06D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 037542f367e5205c126c4be44a792695462c4a4cc5000c92c1c9370d225364b5
Instruction ID: 07634a4b226e961b4258123defce9418eab59b063c933f43713959e402ccfbf0
Opcode Fuzzy Hash: 037542f367e5205c126c4be44a792695462c4a4cc5000c92c1c9370d225364b5
Instruction Fuzzy Hash: AE01283334D712DEAB19657E6C85AA63A68EB2367C7214329E81083AD0EF21D8079193

Function 6C921EFC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C921F03

Strings

Alt, , xrefs: 6C922134, 6C922143
Press, xrefs: 6C921F77
Separator, xrefs: 6C92205E, 6C922063, 6C92206E
Execute, xrefs: 6C921F7C, 6C921F84, 6C921F8C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID: Alt, $Execute$Press$Separator
API String ID: 431132790-3451492657
Opcode ID: 12edcf87210b29454c4f4b18e680452d5cc86fe0ae4926f315807b2fe8974754
Instruction ID: eed8d8f837cf77f5c63109a2ee8651edbdd91358202b0b09aeb9cb0937677f47
Opcode Fuzzy Hash: 12edcf87210b29454c4f4b18e680452d5cc86fe0ae4926f315807b2fe8974754
Instruction Fuzzy Hash: 7F81C2316106058FDF14DF24C998FAE73A5BF55318F04486DE8429BB85DF38EA0ACBA1

Function 6C913025 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 6C913105
IsWindow.USER32(?), ref: 6C91315A
SetRectEmpty.USER32(?), ref: 6C9131D3
SetRectEmpty.USER32(?), ref: 6C9131DD

Strings

\sx, xrefs: 6C91302B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect$Window
String ID: \sx
API String ID: 1945993337-995570312
Opcode ID: e3edff42905e6cc499f47ffb4f5e6374b7f2de88a27b179dc3542dde50287e68
Instruction ID: c3c8a9d85dd010fc2828ce3cfdc69097a47772a9336c58ea3be54591b9f79c33
Opcode Fuzzy Hash: e3edff42905e6cc499f47ffb4f5e6374b7f2de88a27b179dc3542dde50287e68
Instruction Fuzzy Hash: 96618971A05608CFDB05CF68C884BAA73F9BF09318F1441A9ED15AF686CB31EA46CF50

Function 6C846410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84649A
__Getctype.LIBCPMT ref: 6C846503
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C846537
std::_Lockit::~_Lockit.LIBCPMT ref: 6C8465CC

Strings

bad locale name, xrefs: 6C8465E9

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3327844093-1405518554
Opcode ID: fa79205635faae703a9fcd0ccc645605af39b70db5953a123dc6b20fec02dad8
Instruction ID: 7f308845407a1d0cab995a8797da06621a37c1a19853b964fbd08a6e557caa44
Opcode Fuzzy Hash: fa79205635faae703a9fcd0ccc645605af39b70db5953a123dc6b20fec02dad8
Instruction Fuzzy Hash: 555172B1D017589BEB10CFA8C944BCEBBB8AF24318F158514D814EB784E774EA48C7A2

Function 6C85C720 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C85C727
DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000,?,?,?,?,?,?,?,0000001C), ref: 6C85C75B
InflateRect.USER32(?,000000FD,000000FD), ref: 6C85C77D
DrawThemeBackground.UXTHEME(00000000,?,00000003,00000000,?,00000000,?,?,?,?,?,?,?,?,0000001C), ref: 6C85C7B5

Strings

%d%%, xrefs: 6C85C7DC

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: BackgroundDrawTheme$H_prolog3_InflateRect
String ID: %d%%
API String ID: 1553386484-1518462796
Opcode ID: 6cd139c5322d76630f296e27dba156096bb39b84963c156b6162c1dafd23d0fe
Instruction ID: d3f23e8b81aa2cc76ebc5c354b90b11cd5cf30d0804694d3ed16829648dde5e1
Opcode Fuzzy Hash: 6cd139c5322d76630f296e27dba156096bb39b84963c156b6162c1dafd23d0fe
Instruction Fuzzy Hash: FA414775A002099FDB44DFA8CD85BDE77B9BF4D318F540868E501AB690C7B0E916CFA0

Function 6C8678F2 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

GetClientRect.USER32(?,?), ref: 6C86795A
IsMenu.USER32(00000000), ref: 6C867996
AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C8679AE
GetClientRect.USER32(?,?), ref: 6C8679F6

Strings

\sx, xrefs: 6C8678F8

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ClientWindow$AdjustLongMenu
String ID: \sx
API String ID: 3435883281-995570312
Opcode ID: dd0a6f6158783f67167ddf4501cdeae1c299471fe2bffa1851cdce069279017c
Instruction ID: 7b915748bf6249e5cd0f6e0b9376dfa8d8d3e83c0cc59597f87ed8689aba58ef
Opcode Fuzzy Hash: dd0a6f6158783f67167ddf4501cdeae1c299471fe2bffa1851cdce069279017c
Instruction Fuzzy Hash: 37319331B00305AFDB14DBBACA48ABFB7B9FF55218F154929E901E7A41DB34A941C6A0

Function 6C86F77D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C86F784
SysStringLen.OLEAUT32(?), ref: 6C86F7C3
SysStringLen.OLEAUT32(?), ref: 6C86F7E2
SysFreeString.OLEAUT32(?), ref: 6C86F869

Strings

@, xrefs: 6C86F807

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: String$FreeH_prolog3
String ID: @
API String ID: 315669285-2766056989
Opcode ID: ca133a48a4390f29c995bad80975ac4391a14a2b7eeae98eb55d02b7b779594a
Instruction ID: b58591c3506b32c648be53d760be4415dd0f42035223eb2e210318f50daa6e8b
Opcode Fuzzy Hash: ca133a48a4390f29c995bad80975ac4391a14a2b7eeae98eb55d02b7b779594a
Instruction Fuzzy Hash: FD316E71A0020AAFDF04CFE9CD44AEE7B79EF14318F104529F920AA790DB30D956CB50

Function 6C855770 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000001,00000080), ref: 6C855868
SendMessageW.USER32(?,00000030,00000001), ref: 6C85587A
SendMessageW.USER32(?,00000030,00000001), ref: 6C85588C
RedrawWindow.USER32(?,00000000,00000000,00000585,?,6C85449A,?,00000000,00000000,?,00000000,00000000,?,00000003,00000001,?), ref: 6C85589A

Strings

ApplicationLook, xrefs: 6C8558AB

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$RedrawWindow
String ID: ApplicationLook
API String ID: 648961319-3231287756
Opcode ID: bd90d4f82f7a26845772ec0cdbba2004bca052c4fe4e1a11e4ac119d34d35667
Instruction ID: ef2508367fe5d7b5b3e7ff4cccb998cc600273f9e9667300e79e09f0e4a67724
Opcode Fuzzy Hash: bd90d4f82f7a26845772ec0cdbba2004bca052c4fe4e1a11e4ac119d34d35667
Instruction Fuzzy Hash: 5B31E834384329FBDB758B88CD02F957764BB41758F804936B20166ED0C7F16994CF61

Function 6C865B0F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__snprintf_s.LIBCMT ref: 6C865B5B
__snprintf_s.LIBCMT ref: 6C865B8F
GetClassInfoW.USER32(?,0000007C,?), ref: 6C865BBF

Strings

Afx:%p:%x, xrefs: 6C865B4F
Afx:%p:%x:%p:%p:%p, xrefs: 6C865B85

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: __snprintf_s$ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 1341824228-2801496823
Opcode ID: d5e5562f335e0e0752de66030c1ed6a7769041b6a5ab801e7194ad5881a4c598
Instruction ID: 7e1bab449870400bc68b59a6843b5a3a78780f60be2632ce4c7e8d3e8626b656
Opcode Fuzzy Hash: d5e5562f335e0e0752de66030c1ed6a7769041b6a5ab801e7194ad5881a4c598
Instruction Fuzzy Hash: EE315CB090070CAFCB21EFAAC944ADE7BF8EF59348F018426E514ABB52D7309954CB75

Function 6C8E0AEB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8E09E8: KillTimer.USER32(?,?,00000000,00000800,?,?,?,?,?,00000058,00000040,6C8542D4,6CA6CB3C,00000004,?,50008200), ref: 6C8E0A13

GetIconInfo.USER32(00000000,00000001), ref: 6C8E0B3A
GetObjectW.GDI32(4(@P,00000018,?), ref: 6C8E0B49
DeleteObject.GDI32(00000001), ref: 6C8E0B52
DeleteObject.GDI32(?), ref: 6C8E0B5B

Strings

4(@P, xrefs: 6C8E0B46

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Delete$IconInfoKillTimer
String ID: 4(@P
API String ID: 3402499453-4081170755
Opcode ID: 96cd92eb073a1d013647ad758d6b590168ac023b7ee2b9c7718ce9c46b919f1c
Instruction ID: 54620754d3bc289e5df8048bd660bf5aaec6fd3d2442b81e39765451bf87d225
Opcode Fuzzy Hash: 96cd92eb073a1d013647ad758d6b590168ac023b7ee2b9c7718ce9c46b919f1c
Instruction Fuzzy Hash: F621A330601208BBDF21AF64CE14FAE7BB9FF89718F004929F80196A90CB34EA45DF50

Function 6C9AED31 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 6C9AED84
EnumFontFamiliesExW.GDI32(00000000,?,6C9AED1B,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6C9AED9F
ReleaseDC.USER32(00000000,00000000), ref: 6C9AEDA7
__EH_prolog3.LIBCMT ref: 6C9AEDCB

Strings

\sx, xrefs: 6C9AED37

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EnumFamiliesFontH_prolog3Release
String ID: \sx
API String ID: 1064023238-995570312
Opcode ID: bb0cee2cefa2b81aacfd60d6b8faff102914ef889baf700c26eece51cedb9064
Instruction ID: 6335f54ba2fc6c9e76241fa82982a9f375faaf7772361c0cf7943fbbf00e5446
Opcode Fuzzy Hash: bb0cee2cefa2b81aacfd60d6b8faff102914ef889baf700c26eece51cedb9064
Instruction Fuzzy Hash: 59218171A01718ABCB24DBA88D08EEE77B9AF55708F014419E905EB740EB34DA0A87E5

Function 6C8E94DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

SHAppBarMessage.SHELL32(00000007,?), ref: 6C8E952C
SHAppBarMessage.SHELL32(00000007,?), ref: 6C8E9546
SHAppBarMessage.SHELL32(00000007,?), ref: 6C8E955D
SHAppBarMessage.SHELL32(00000007,?), ref: 6C8E9577

Strings

\sx, xrefs: 6C8E94E3

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Message
String ID: \sx
API String ID: 2030045667-995570312
Opcode ID: 2a2202b60a70b5623d9e6926ad9fc7b6672a1418c5fd803cde445a7ab08d3a21
Instruction ID: 8450ff51c10f29d238da133bde97de2e654d3063a2069e1fd7bf0a836953d675
Opcode Fuzzy Hash: 2a2202b60a70b5623d9e6926ad9fc7b6672a1418c5fd803cde445a7ab08d3a21
Instruction Fuzzy Hash: DF214D71B0120AAFEB18DF61C845BEABBF8FB09354F104429E459E2280DB74A645CFA1

Function 6C9444C5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

BeginDeferWindowPos.USER32(00000000), ref: 6C9444E3
IsWindow.USER32(?), ref: 6C9444FE
DeferWindowPos.USER32(00000000,?,00000000,?,?,?,?,00000000), ref: 6C944547
EndDeferWindowPos.USER32(00000000), ref: 6C944552

Strings

\sx, xrefs: 6C9444CB

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Defer$Begin
String ID: \sx
API String ID: 2880567340-995570312
Opcode ID: 00ac1a8a70d5209139d1deafbf44dec22364a66270089397d2f658baecbbe482
Instruction ID: a401bd27f4bb0ae5583489bb0f51ca9dd895e1c06c800ab6c78c5ae296e58d10
Opcode Fuzzy Hash: 00ac1a8a70d5209139d1deafbf44dec22364a66270089397d2f658baecbbe482
Instruction Fuzzy Hash: CF111771A0020AAFDF05CFA9C844BAEBBF9FF59348F508119E505E7650DB30EA51CBA1

Function 6C945A11 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,00000100), ref: 6C945A6F
lstrcmpW.KERNEL32(?,?,?,00000000), ref: 6C945A81
SetWindowTextW.USER32(?,?), ref: 6C945A8D
GetLastError.KERNEL32(?,00000000), ref: 6C945AAA

Strings

\sx, xrefs: 6C945A1A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: TextWindow$ErrorLastlstrcmp
String ID: \sx
API String ID: 1997968240-995570312
Opcode ID: 44b3f3e0742680bfb437869cc22e2df951a561b160f3f40ce2965e547a7d2ac4
Instruction ID: 2c56aec6d8043fc7a4db5615539afe8d95710304c3a7b0cac83f816ac023d470
Opcode Fuzzy Hash: 44b3f3e0742680bfb437869cc22e2df951a561b160f3f40ce2965e547a7d2ac4
Instruction Fuzzy Hash: 0A11C6717013196BDB04AEA88C88AEF77BCEF45648F10856EE916D3601EB34DA0687A1

Function 6C86773F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 6C86778A
SetBkColor.GDI32(?,?), ref: 6C867794
GetSysColor.USER32(00000008), ref: 6C8677A4
SetTextColor.GDI32(?,?), ref: 6C8677AC

Part of subcall function 6C945C3A: GetWindowLongW.USER32(?,000000F0), ref: 6C945C55
Part of subcall function 6C945C3A: GetClassNameW.USER32(?,?,0000000A), ref: 6C945C6A
Part of subcall function 6C945C3A: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,6C86777F,?,?), ref: 6C945C81

Strings

\sx, xrefs: 6C867745

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$ClassCompareLongNameObjectStringTextWindow
String ID: \sx
API String ID: 3274569906-995570312
Opcode ID: e7f4f3dfd0f2d071fed6e84afed0175d34113363b86ff6ea01dff3692cf0ee14
Instruction ID: e84769da9d2b85beb9afe4d0ab553e7256b2215b70c1f09b7852314c5b07e119
Opcode Fuzzy Hash: e7f4f3dfd0f2d071fed6e84afed0175d34113363b86ff6ea01dff3692cf0ee14
Instruction Fuzzy Hash: 98018831701105ABDB109F698D449BFB3B9AF17718F50491AF921D6980CB30D90287F1

Function 6C94482E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C944835
GetClassNameW.USER32(?,00000000,00000400), ref: 6C944866
GetWindowLongW.USER32(?,000000F0), ref: 6C94489F

Strings

ComboBox, xrefs: 6C944879
ComboBoxEx32, xrefs: 6C94488A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClassH_prolog3LongNameWindow
String ID: ComboBox$ComboBoxEx32
API String ID: 297531199-1907415764
Opcode ID: c8f650ced69ff672af8cf544ed5fb9f9764911e48993c5d7892028ab0b46b9e1
Instruction ID: 7bdc54b31ee7a9cda6ff7ba4fc35ec1a322cc873ac28477a4c332344a4f30c34
Opcode Fuzzy Hash: c8f650ced69ff672af8cf544ed5fb9f9764911e48993c5d7892028ab0b46b9e1
Instruction Fuzzy Hash: 5B01C435514516ABDB049F58CD04BEE7378BF21329F104969E411A2ED0DF34E91ACA59

Function 6C87FFE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CA0BE30,?,6C880E95,?,?,?,00000038,6C87FA98), ref: 6C880002
LoadResource.KERNEL32(00000000,00000000,?,6CA0BE30,?,6C880E95,?,?,?,00000038,6C87FA98), ref: 6C880010
LockResource.KERNEL32(00000000,?,6CA0BE30,?,6C880E95,?,?,?,00000038,6C87FA98), ref: 6C88001B
SizeofResource.KERNEL32(00000000,00000000,?,6CA0BE30,?,6C880E95,?,?,?,00000038,6C87FA98), ref: 6C880029

Strings

PNG, xrefs: 6C87FFF9

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: PNG
API String ID: 3473537107-364855578
Opcode ID: 36b7fdb662c4ae1ca02e115f741eab94e861f2ce79d305e1f6a3de92d497db73
Instruction ID: a8e31bb4c9f8e834578685eb4a437eb5ed4a191e63a0789fbeaf66b0fed9ed6f
Opcode Fuzzy Hash: 36b7fdb662c4ae1ca02e115f741eab94e861f2ce79d305e1f6a3de92d497db73
Instruction Fuzzy Hash: 6EF062767036567B9B265BA68D48C9F777CDF466983118929FA05D3A00EB30D90286B0

Function 6C945C3A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6C945C55
GetClassNameW.USER32(?,?,0000000A), ref: 6C945C6A
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,6C86777F,?,?), ref: 6C945C81

Strings

\sx, xrefs: 6C945C40
combobox, xrefs: 6C945C72

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: \sx$combobox
API String ID: 1414938635-1259455617
Opcode ID: 5033c1979ce4ccdae8d62fc05917db7243dc161c25c2ca3942a26bfd035e043e
Instruction ID: 1c8393afe88d3f3427bbab6176fb27a91a35aad702dfb050970c5777cafaa63f
Opcode Fuzzy Hash: 5033c1979ce4ccdae8d62fc05917db7243dc161c25c2ca3942a26bfd035e043e
Instruction Fuzzy Hash: 23F0A43175521A6BCF04DF688D46EEE77B89B07728F504315B522E61C4DB20E5068795

Function 6C94508F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6C9450B1
EncodePointer.KERNEL32(00000000,?,6C86FB85,6CA73B8C,6C8EA39C), ref: 6C9450BA
DecodePointer.KERNEL32(00000000,?,?,6C86FB85,6CA73B8C,6C8EA39C), ref: 6C9450C8

Strings

DwmIsCompositionEnabled, xrefs: 6C9450AB
dwmapi.dll, xrefs: 6C94509C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc
String ID: DwmIsCompositionEnabled$dwmapi.dll
API String ID: 2069163248-1198327662
Opcode ID: b95ba58ac5b7e36a9c8c469ee573466b60f7ff8272fa0566e2c65feda6c17c0c
Instruction ID: cc3a53606fbfcf7293a6f6166fef87d82f0c6db811f79152fa6a1218a91170e1
Opcode Fuzzy Hash: b95ba58ac5b7e36a9c8c469ee573466b60f7ff8272fa0566e2c65feda6c17c0c
Instruction Fuzzy Hash: 55F05439705727DBDB191BA4D808A593B6CAB063AAB11C515EC0AD7A00DB35D9428BF0

Function 6C945033 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6C945055
EncodePointer.KERNEL32(00000000,?,6C874DF0,00000450,?,00000000,?,00000004,?,?,?,?,?,?,?,6C8D51BD), ref: 6C94505E
DecodePointer.KERNEL32(00000000,?,?,6C874DF0,00000450,?,00000000,?,00000004), ref: 6C94506C

Strings

DwmInvalidateIconicBitmaps, xrefs: 6C94504F
dwmapi.dll, xrefs: 6C945040

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc
String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
API String ID: 2069163248-1901905683
Opcode ID: 8cf1377a9fd2bd5099dd20dc4bcdb3a15e3dd497141a36f5bb3e59c46a981555
Instruction ID: 6eab79db63c865a4f0def539f4347905bd0ae560c26d558809128f7bb916a305
Opcode Fuzzy Hash: 8cf1377a9fd2bd5099dd20dc4bcdb3a15e3dd497141a36f5bb3e59c46a981555
Instruction Fuzzy Hash: 3BF0A739701727EB9B152BB9880C85A3B7C6B062AA3048624FC06D7E00DB36C8834BF4

Function 6C84F910 Relevance: 7.9, APIs: 5, Instructions: 420COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?), ref: 6C84FC4A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,?,?,?,?,?,?,?), ref: 6C84FC8C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 6C84FCA1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C84FCD3
Concurrency::cancel_current_task.LIBCPMT ref: 6C84FDA9

Part of subcall function 6C844D00: ___std_exception_copy.LIBVCRUNTIME ref: 6C844D3E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_task___std_exception_copy
String ID:
API String ID: 4024204131-0
Opcode ID: 9494e8ce42a7f1d11ea0678f6a24fcfab4dfe46cf7ddea4dff7d5470f338ec46
Instruction ID: 7c7a4d01e31691e155a1a64efe507d26fbbda4c074b7e1ede74362de98ff7762
Opcode Fuzzy Hash: 9494e8ce42a7f1d11ea0678f6a24fcfab4dfe46cf7ddea4dff7d5470f338ec46
Instruction Fuzzy Hash: 1DF11570E052499FCB24CFA8C950BEEFBB5AF9A304F24866DE850B7781D7345905CBA1

Function 6C8426E0 Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 6C86D51A: __EH_prolog3.LIBCMT ref: 6C86D521
Part of subcall function 6C86D51A: BeginPaint.USER32(?,?,00000004,6C842711), ref: 6C86D54D

GetClientRect.USER32(?,?), ref: 6C842726
FillRect.USER32(?,?), ref: 6C84273C

Part of subcall function 6C86E6E0: SelectObject.GDI32(?,00000000), ref: 6C86E700
Part of subcall function 6C86E6E0: SelectObject.GDI32(?,00000000), ref: 6C86E716

Part of subcall function 6C86E39F: MoveToEx.GDI32(?,?,?,?), ref: 6C86E3C0
Part of subcall function 6C86E39F: MoveToEx.GDI32(?,?,?,?), ref: 6C86E3D6

Part of subcall function 6C86E36A: MoveToEx.GDI32(?,?,?,00000000), ref: 6C86E385
Part of subcall function 6C86E36A: LineTo.GDI32(?,?,?), ref: 6C86E394

Part of subcall function 6C86E74D: GetStockObject.GDI32(?), ref: 6C86E757
Part of subcall function 6C86E74D: SelectObject.GDI32(?,00000000), ref: 6C86E76B
Part of subcall function 6C86E74D: SelectObject.GDI32(?,00000000), ref: 6C86E77B

InflateRect.USER32(?,000000F6,00000000), ref: 6C842849

Part of subcall function 6C86E7CC: SetBkMode.GDI32(?,6C842858), ref: 6C86E7E0
Part of subcall function 6C86E7CC: SetBkMode.GDI32(?,6C842858), ref: 6C86E7F2

Part of subcall function 6C86E919: SetTextColor.GDI32(?,?), ref: 6C86E92E
Part of subcall function 6C86E919: SetTextColor.GDI32(?,?), ref: 6C86E940

Part of subcall function 6C8727B8: SetBkColor.GDI32(?,6C8428FC), ref: 6C8727D4
Part of subcall function 6C8727B8: ExtTextOutW.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 6C8727E9

InflateRect.USER32(?,000000EC,00000000), ref: 6C842904
ImageList_Draw.COMCTL32(?,00000003,?,?,?,00000000), ref: 6C84291F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$RectSelect$ColorMoveText$InflateMode$BeginClientDrawFillH_prolog3ImageLineList_PaintStock
String ID:
API String ID: 429370534-0
Opcode ID: 0b9a75d6147737a8b33da679d5b283604a00f553120234a69e451ae5e4d3b7d0
Instruction ID: a3eea1ab2e25168b956219fa3143f1b685ed93cc51bce95559a9470dc43f8ba1
Opcode Fuzzy Hash: 0b9a75d6147737a8b33da679d5b283604a00f553120234a69e451ae5e4d3b7d0
Instruction Fuzzy Hash: B7917E31D10219DBDF21DBA8CD44FEDB7B5BF19304F1485A9E509B3691EB306A89CBA0

Function 6C990046 Relevance: 7.7, APIs: 5, Instructions: 220windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C99004D
StringFromCLSID.OLE32(00000000,?,00000018,6C98FCE2,00000000,?,00000000,?,00000000,?,?,?,0000000A,00000008,6C8FDA29,?), ref: 6C99005B
CoTaskMemFree.OLE32(?,00000001,?,00000000,?,?,00000001), ref: 6C99008D

Part of subcall function 6C94F6D0: GetModuleFileNameW.KERNEL32(?,?,00000104,?), ref: 6C94F6F7

Part of subcall function 6C870D2B: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,6CA2F854,?,?,6C9900CA,6CA2F854), ref: 6C870D5A

Part of subcall function 6C865D68: _memcpy_s.LIBCMT ref: 6C865DD4

Part of subcall function 6C98F90A: __EH_prolog3.LIBCMT ref: 6C98F911

ExtractIconW.SHELL32(?,00000008,?), ref: 6C990139
DestroyIcon.USER32(00000000,?,00000001), ref: 6C990144

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3Icon$ByteCharDestroyExtractFileFreeFromModuleMultiNameStringTaskWide_memcpy_s
String ID:
API String ID: 2633863281-0
Opcode ID: 67a48da22acd60c998e1586b07e8e6bf1f7592339ee4ca58b09c4e96cbdab88d
Instruction ID: 0fde1db570baf12a6e54780bf93977b70d48d7e3a1a15aa5c7c9b4f2c92be1cd
Opcode Fuzzy Hash: 67a48da22acd60c998e1586b07e8e6bf1f7592339ee4ca58b09c4e96cbdab88d
Instruction Fuzzy Hash: 32816071A00159AFDF14DBA8CD94EFE7778BF29308F144828E522A7AD0DB309E49C761

Function 6C91D2A1 Relevance: 7.7, APIs: 5, Instructions: 218windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C91D2A8
CreateCompatibleDC.GDI32(00000000), ref: 6C91D362
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C91D398
SelectObject.GDI32(?,00000000), ref: 6C91D3F1
DeleteObject.GDI32(?), ref: 6C91D524

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreateObject$BitmapDeleteH_prolog3_Select
String ID:
API String ID: 3801890737-0
Opcode ID: 3fced68fc6ebdf5e8c1d37ba2c229e0eb7a76adae1d02376a230d3d35bccdfae
Instruction ID: d7acd6f055ba840f260bb1fc0c6e60b60707d1efe652001da35a281b57b30fa5
Opcode Fuzzy Hash: 3fced68fc6ebdf5e8c1d37ba2c229e0eb7a76adae1d02376a230d3d35bccdfae
Instruction Fuzzy Hash: 1A91F172E002199FCF05CFA9C984ADDBBB5BF48308F24812AE415A7B54DB30E946CF90

Function 6C84AD80 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84AE1B
std::_Lockit::_Lockit.LIBCPMT ref: 6C84AE3F
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84AE60
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84AEF4
Concurrency::cancel_current_task.LIBCPMT ref: 6C84AFBE

Part of subcall function 6C846250: ___std_exception_copy.LIBVCRUNTIME ref: 6C84628E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task___std_exception_copy
String ID:
API String ID: 1238493420-0
Opcode ID: 1dbe55281c5a2ee79ad49ffebf2f9bbaed6e820f163038d6a47e64c3cd2a2c8a
Instruction ID: 54f75a57a6442e59cb2b6be637acea0a49ffd0b13dd00ec0193f1ddf5b54adf6
Opcode Fuzzy Hash: 1dbe55281c5a2ee79ad49ffebf2f9bbaed6e820f163038d6a47e64c3cd2a2c8a
Instruction Fuzzy Hash: AE714574A00208DFDB14CFA8C984F9EBBF4BF59318F288569E416AB751D734E905CB61

Function 6C844A00 Relevance: 7.7, APIs: 5, Instructions: 180windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 6C886B55
PostMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C886B98
GetParent.USER32(?), ref: 6C886C5B
GetParent.USER32(?), ref: 6C886C8F
GetCapture.USER32 ref: 6C886CAE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageParent$CapturePostSend
String ID:
API String ID: 3593767962-0
Opcode ID: db2153e77464836a555b6943a0df72dfc1bf8fcfe3be1fdea39bfec4662d3598
Instruction ID: af6edd7fb142479c1aeadb50fad5202554f099456ba4e50d8f2f527e2c52a754
Opcode Fuzzy Hash: db2153e77464836a555b6943a0df72dfc1bf8fcfe3be1fdea39bfec4662d3598
Instruction Fuzzy Hash: 1351D130327207ABEB324B24CB58B6D3AA6FB05B5DF254D68E814DBE91CB32D841C751

Function 6C8E9034 Relevance: 7.7, APIs: 5, Instructions: 178windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8E903B
IsWindowVisible.USER32(?), ref: 6C8E923F

Part of subcall function 6C88BBF5: __EH_prolog3.LIBCMT ref: 6C88BBFC

Part of subcall function 6C86CC1D: IsWindow.USER32(00000000), ref: 6C86CC2C
Part of subcall function 6C86CC1D: SetWindowTextW.USER32(00000000,?), ref: 6C86CC48

GetWindowRect.USER32(?,?), ref: 6C8E9154
GetSystemMetrics.USER32(00000010), ref: 6C8E915C
GetSystemMetrics.USER32(00000011), ref: 6C8E916B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$MetricsSystem$H_prolog3H_prolog3_RectTextVisible
String ID:
API String ID: 4238341832-0
Opcode ID: 99147da823409d4ef51a8620fd128a259574bdf7615e94344b8a15e82a91a085
Instruction ID: 67fab01929dec897e63dcd030c09cdcefded05cd29e361da6a0d8633b6b04edc
Opcode Fuzzy Hash: 99147da823409d4ef51a8620fd128a259574bdf7615e94344b8a15e82a91a085
Instruction Fuzzy Hash: 6C617B31B0021A9BDF09DF68C994BEDB7B6BF49314F14406AE905EB780DB75AD42CB90

Function 6C8EC6FB Relevance: 7.7, APIs: 5, Instructions: 168windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8EC702
RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 6C8EC906

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

GetSystemMenu.USER32(?,00000000,0000002C,6C8EA089), ref: 6C8EC73F
IsMenu.USER32(?), ref: 6C8EC758
IsMenu.USER32(?), ref: 6C8EC76A

Part of subcall function 6C9524CE: SetRectEmpty.USER32(00000030), ref: 6C9524FA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Window$EmptyH_prolog3LongRectRedrawSystem
String ID:
API String ID: 477644042-0
Opcode ID: 1611e637e91c6dcdae654a49af2c99cd2f7529697b196c3743c80020e855b73e
Instruction ID: dcf9a9f029cd91ee04621d57aae4581430865002d4edaf65ccd8cc5bc529e8e7
Opcode Fuzzy Hash: 1611e637e91c6dcdae654a49af2c99cd2f7529697b196c3743c80020e855b73e
Instruction Fuzzy Hash: C9516B71E002199BDB14DFB8CA44BEEBBB2BF89318F204529E516F7781DB749905CB50

Function 6C8F8B39 Relevance: 7.7, APIs: 5, Instructions: 164stringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8F8B43
lstrcmpW.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000,?,6C9044B4,?), ref: 6C8F8C06
lstrcmpW.KERNEL32(?,00000000,?,?,6C9044B4,?), ref: 6C8F8C3B
lstrcmpW.KERNEL32(00000002,?,?,?,6C9044B4,?), ref: 6C8F8C65
GlobalLock.KERNEL32(?), ref: 6C8F8B65

Part of subcall function 6C99349E: __EH_prolog3.LIBCMT ref: 6C9934A5

Part of subcall function 6C993713: GlobalLock.KERNEL32(00000000), ref: 6C993726

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: lstrcmp$GlobalH_prolog3Lock
String ID:
API String ID: 1551776427-0
Opcode ID: a8d338c0495424ec3e639829a603c1c23fee266d3ab19acdc045bb553c170ce9
Instruction ID: a0787c17df9613c7068d3aae132042c50ae53019189f62cfcae82e50a08d3e0b
Opcode Fuzzy Hash: a8d338c0495424ec3e639829a603c1c23fee266d3ab19acdc045bb553c170ce9
Instruction Fuzzy Hash: 7A61F57050120ADFDB25CF65CA54BECF7B0BF21358F24889AD52597AA0D731DA8ACF50

Function 6C859F10 Relevance: 7.6, APIs: 5, Instructions: 132windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C859F3C
SendMessageW.USER32(?,00000143,00000000,6CA456DC), ref: 6C859F81
SendMessageW.USER32(?,00000143,00000000,6CA456E8), ref: 6C859F95
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 6C859FA6
GetClientRect.USER32(?,00000001), ref: 6C859FBB

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$Rect$ClientEmpty
String ID:
API String ID: 1272544524-0
Opcode ID: a979f067720f1f97785e384965b6f2bebc6d5584b2d15935354a99c60e28d62c
Instruction ID: 27b90b712b94ba5575c0c861b985bd30e712b414f9ae65090f4b56c6e1c57aac
Opcode Fuzzy Hash: a979f067720f1f97785e384965b6f2bebc6d5584b2d15935354a99c60e28d62c
Instruction Fuzzy Hash: DC419E31740305AFDB249F24CC89FEA77A9FF88714F180679BA199F2D1D770AA41CA61

Function 6C8CE4E5 Relevance: 7.6, APIs: 5, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8CE4EC
SetRectEmpty.USER32(?), ref: 6C8CE63C
SetRectEmpty.USER32(?), ref: 6C8CE643
SetRectEmpty.USER32 ref: 6C8CE64A
SetRectEmpty.USER32(?), ref: 6C8CE657

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID:
API String ID: 3752103406-0
Opcode ID: c9872cc129801e7a3de2c5332076ce3ce59dcfb50c784528bbf559caf370bb17
Instruction ID: 63adca701a54c3665a8798824fe8b5886cd38994ecbc9d3d66b356a877b0a692
Opcode Fuzzy Hash: c9872cc129801e7a3de2c5332076ce3ce59dcfb50c784528bbf559caf370bb17
Instruction Fuzzy Hash: C65108B09007419FCB54CF64C984BEABBF4BF18304F4489BED95A8B781DB74A549CB51

Function 6C9A5C75 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9A5C7C

Part of subcall function 6C86D5B9: __EH_prolog3.LIBCMT ref: 6C86D5C0
Part of subcall function 6C86D5B9: GetWindowDC.USER32(00000000,00000004,6C8705D3,00000000), ref: 6C86D5EC

Part of subcall function 6C86E810: SetMapMode.GDI32(?,FFFFFEFF), ref: 6C86E824
Part of subcall function 6C86E810: SetMapMode.GDI32(?,FFFFFEFF), ref: 6C86E836

LPtoDP.GDI32(?,?,00000001), ref: 6C9A5CE0
LPtoDP.GDI32(?,?,00000001), ref: 6C9A5CFF
LPtoDP.GDI32(?,?,00000001), ref: 6C9A5D1E
InvalidateRect.USER32(?,00000000,00000001), ref: 6C9A5DE2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3Mode$InvalidateRectWindow
String ID:
API String ID: 1124340077-0
Opcode ID: e5b028582fc8fd159fe38384f32832a4de929cc3e409033f03d0c23ed6e5dd89
Instruction ID: 62b27380e5c3e51ebd66d1b19e781035912f8b26205472ab9c95678324868e02
Opcode Fuzzy Hash: e5b028582fc8fd159fe38384f32832a4de929cc3e409033f03d0c23ed6e5dd89
Instruction Fuzzy Hash: C741C074700B069FDB24CF69C484B9AB7F5BF4A314F10892DE9AADB690E770A805CB11

Function 6C85DB9A Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C85DBA1
GetTextColor.GDI32(?), ref: 6C85DBAC
OffsetRect.USER32(?,00000001,00000001), ref: 6C85DBF6
FillRect.USER32(?,?,-000000D0), ref: 6C85DC42
OffsetRect.USER32(?,00000001,00000001), ref: 6C85DC73

Part of subcall function 6C91D54F: __EH_prolog3_GS.LIBCMT ref: 6C91D556
Part of subcall function 6C91D54F: CreateCompatibleDC.GDI32(00000000), ref: 6C91D5BA
Part of subcall function 6C91D54F: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C91D5F0
Part of subcall function 6C91D54F: SelectObject.GDI32(?,00000000), ref: 6C91D644

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$CompatibleCreateOffset$BitmapColorFillH_prolog3H_prolog3_ObjectSelectText
String ID:
API String ID: 4029571948-0
Opcode ID: f31b044fb444e25561f1880ede7a106067ef3e11fb9a5174f18ec088f8d4b8e0
Instruction ID: 7dc5e09a2a438966b721edff22502509204afc7b0dd32e51f08b978cdfad266d
Opcode Fuzzy Hash: f31b044fb444e25561f1880ede7a106067ef3e11fb9a5174f18ec088f8d4b8e0
Instruction Fuzzy Hash: 4D418272A00209AFCF55EB94CA44FDE33BDAF08318F818566E410D7691CBB4DA59CBA1

Function 6C84AFD0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84AFF3
std::_Lockit::_Lockit.LIBCPMT ref: 6C84B016
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84B036
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84B0C3
Concurrency::cancel_current_task.LIBCPMT ref: 6C84B0DB

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: f8fa1271f5bc6b14b1209b2ef2357cc847ed6c2de634233bce3d2a9c364244d6
Instruction ID: ef6c79b415204bc9abc5b976788d53ed172f7b1f28bda4b00b4e112ae661a7c6
Opcode Fuzzy Hash: f8fa1271f5bc6b14b1209b2ef2357cc847ed6c2de634233bce3d2a9c364244d6
Instruction Fuzzy Hash: 1231D475A0062ADFCF25CF54C980BAEB774FB01729F158A19D825A7740D730AD05CBE2

Function 6C84B640 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84B663
std::_Lockit::_Lockit.LIBCPMT ref: 6C84B686
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84B6A6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84B733
Concurrency::cancel_current_task.LIBCPMT ref: 6C84B74B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 15da5e31affbd740654373c3c327a1742ddd04b2b2c977e04c2275ed10f94293
Instruction ID: d8e4ae7cc803ab50a8cd9045a270d5ed06aeeb721dfbe33a09773c0c413e2a2c
Opcode Fuzzy Hash: 15da5e31affbd740654373c3c327a1742ddd04b2b2c977e04c2275ed10f94293
Instruction Fuzzy Hash: B731D475A0466ADFCB25CF54C980BAEB774FB51328F158A19D805A7B40D730AD05CBD2

Function 6C87ACF0 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

Part of subcall function 6C87B177: GetParent.USER32(?), ref: 6C87B17A
Part of subcall function 6C87B177: GetParent.USER32(00000000), ref: 6C87B181

SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6C87AD64
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C87AD8D
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C87ADAC
SendMessageW.USER32(?,00000222,?,00000000), ref: 6C87ADC6
SendMessageW.USER32(?,00000222,00000000,?), ref: 6C87ADEF

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$Parent$LongWindow
String ID:
API String ID: 4191550487-0
Opcode ID: 46c088efc322de02f0b5f8d445007eb852c10033ab1467d171ea4001a5311f18
Instruction ID: d1b0892ca7593fb6b0839ca0e9a81d03de9020d4e69977afb20adafba5421d56
Opcode Fuzzy Hash: 46c088efc322de02f0b5f8d445007eb852c10033ab1467d171ea4001a5311f18
Instruction Fuzzy Hash: D421B971300604BFEB355A65CA88EEE7A7AFB0875EF040A28F45196990EB70DD95C670

Function 6C86A104 Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C86A10E
GetTopWindow.USER32(?), ref: 6C86A13B
GetDlgCtrlID.USER32(00000000), ref: 6C86A14D
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C86A1A8
GetWindow.USER32(00000000,00000002), ref: 6C86A1EA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: af27b109b505dc9c240d332f94ed3a4454bde8f7ef750feca16591c84a724d40
Instruction ID: 89eab829a6c865b6c6f23049ecb03b2aa6dca043e670de4af524fdb74937e893
Opcode Fuzzy Hash: af27b109b505dc9c240d332f94ed3a4454bde8f7ef750feca16591c84a724d40
Instruction Fuzzy Hash: 9B210731A01228ABDF359B2ACE44FEE7675EF51308F10056AF916E2E41EF308E45CB52

Function 6C915480 Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C915487
SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 6C9154AA
SendMessageW.USER32(00000000,0000007F,00000001,00000000), ref: 6C9154BE
GetClassLongW.USER32(00000000,000000DE), ref: 6C91551B
GetClassLongW.USER32(00000000,000000F2), ref: 6C91552C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClassLongMessageSend$H_prolog3
String ID:
API String ID: 350087385-0
Opcode ID: d7ccee2bbc9df1d8ffc1ecafbb57655fde783b139921415929a3a46cabe4f08d
Instruction ID: 6e33d0370673098ac8f5d8991a107d6eb19ad8dde57e2199c92c8b8cb869a9b4
Opcode Fuzzy Hash: d7ccee2bbc9df1d8ffc1ecafbb57655fde783b139921415929a3a46cabe4f08d
Instruction Fuzzy Hash: D911E431B4922ABBDB254A64CC45B9E763ABB14768F120720B855B6FE0DBB1DD0486E0

Function 6C87289E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 6C8728AD
GetDeviceCaps.GDI32(?,00000058), ref: 6C8728F5
GetDeviceCaps.GDI32(?,0000005A), ref: 6C872902

Part of subcall function 6C86E301: MulDiv.KERNEL32(?,00000000,00000000), ref: 6C86E33A
Part of subcall function 6C86E301: MulDiv.KERNEL32(?,00000000,00000000), ref: 6C86E35B

MulDiv.KERNEL32(?,00000060,000009EC), ref: 6C872924
MulDiv.KERNEL32(?,00000060,000009EC), ref: 6C872931

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: cc10bf5b652f7186252370922d098d4feab3a3fa73150e33c262583da3109003
Instruction ID: 5e476d5e92d685c1bc6877dd0cd4b784fdaf2e2133ecd7b89aac2feb224a7239
Opcode Fuzzy Hash: cc10bf5b652f7186252370922d098d4feab3a3fa73150e33c262583da3109003
Instruction Fuzzy Hash: BB11E239300725AFCB251F21C84892EBFB9FB8A3647148419E80293B40DB36AC539FA0

Function 6C87236C Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 6C87237B
GetDeviceCaps.GDI32(?,00000058), ref: 6C8723C3
GetDeviceCaps.GDI32(?,0000005A), ref: 6C8723D0

Part of subcall function 6C86DFC0: MulDiv.KERNEL32(?,00000000,00000000), ref: 6C86DFF9
Part of subcall function 6C86DFC0: MulDiv.KERNEL32(?,00000000,00000000), ref: 6C86E01A

MulDiv.KERNEL32(?,000009EC,00000060), ref: 6C8723F2
MulDiv.KERNEL32(?,000009EC,00000060), ref: 6C8723FF

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 1bb4ee4bc1566847889f7bfacfd0a80704ff9b04c150fb8754a241a50f652d31
Instruction ID: f3d904608b2da8868c5e4b8868d0cdabd7754a9da6c7d632271eb99edf623fd3
Opcode Fuzzy Hash: 1bb4ee4bc1566847889f7bfacfd0a80704ff9b04c150fb8754a241a50f652d31
Instruction Fuzzy Hash: FF11BF39300715EFCB291F25C94891EBBB9FB8A3A57148519F94293B50DB35AC53CFA0

Function 6C863BD6 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000), ref: 6C863C0A
GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDB,?), ref: 6C863C1D
GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDF,?), ref: 6C863C32
GetSysColorBrush.USER32(00000018), ref: 6C863C3C
FillRect.USER32(?,?,00000000), ref: 6C863C53

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ColorTheme$BackgroundBrushDrawFillRect
String ID:
API String ID: 3021913306-0
Opcode ID: 1c7c00f3161402072d91fd0c0e67e3f92b44fb3b92d20576e4b856beefe8ad24
Instruction ID: 70a00bb34789d5d83d8e8f0722a22a1d811c61db3577b491fdb7548238cc71f0
Opcode Fuzzy Hash: 1c7c00f3161402072d91fd0c0e67e3f92b44fb3b92d20576e4b856beefe8ad24
Instruction Fuzzy Hash: 13113032390615BBEB258B99CE46F9A7778EB49B48F014819B705E6890C7B1AC51C790

Function 6C9C9B4C Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9C9B53
std::_Lockit::_Lockit.LIBCPMT ref: 6C9C9B5E
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9C9BCC

Part of subcall function 6C9C9CB0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C9C9CC8

std::locale::_Setgloballocale.LIBCPMT ref: 6C9C9B79
_Yarn.LIBCPMT ref: 6C9C9B8F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 297844bb48c596ba0d3c08a50f14e7d0d85cf03f7ae3460da46798fe3dff72c8
Instruction ID: 006bc43f10b3b4c14465d4ef050ec2b50a18b1097773387c8c87a95c4d360d03
Opcode Fuzzy Hash: 297844bb48c596ba0d3c08a50f14e7d0d85cf03f7ae3460da46798fe3dff72c8
Instruction Fuzzy Hash: 4201B175B006259BCB0ADB20C854ABD77B5BFA524CB154019D81297B80CF349A4ACBD7

Function 6C9935A4 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 6C9935B2
GlobalLock.KERNEL32(?), ref: 6C9935C2
CreateDCW.GDI32(?,?,?,00000000), ref: 6C9935E8
GlobalUnlock.KERNEL32(00000000), ref: 6C9935F3
GlobalUnlock.KERNEL32(?), ref: 6C9935FE

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$LockUnlock$Create
String ID:
API String ID: 2536725124-0
Opcode ID: 2bc790fba4af293c447547d1ddd926933dca7c8e86b0adbc2a1d1e82cb986701
Instruction ID: 876c6ebd5a6338cd17d9795ed67d7b6513bec51dc2ad1916d5a89eba8698b5bd
Opcode Fuzzy Hash: 2bc790fba4af293c447547d1ddd926933dca7c8e86b0adbc2a1d1e82cb986701
Instruction Fuzzy Hash: 4501A231202E2ABBCB128F79C8099AA7BBCBF857997148015FC08C3614E735E912C7E0

Function 6C9D9063 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 425COMMON

Download Yara Rule

APIs

Part of subcall function 6C9D9013: __allrem.LIBCMT ref: 6C9D9028
Part of subcall function 6C9D9013: __allrem.LIBCMT ref: 6C9D9036
Part of subcall function 6C9D9013: __allrem.LIBCMT ref: 6C9D904F

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9D922B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9D92BB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9D9350

Strings

\sx, xrefs: 6C9D906B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID: \sx
API String ID: 1992179935-995570312
Opcode ID: 0e3ad47eebb8482828073629283f7b1743d2d06050f9c3a145a86c0ca5054a31
Instruction ID: 49e9b2f34d28deca86800a7b59045fe0a7746c129b65fe628f110e8d60be398b
Opcode Fuzzy Hash: 0e3ad47eebb8482828073629283f7b1743d2d06050f9c3a145a86c0ca5054a31
Instruction Fuzzy Hash: 14D1F771E01F469AEB04AEE9C8A079DB3B9AF64728F17C129D909F2E40DF70F9058751

Function 6C8AA101 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

\sx, xrefs: 6C8F6825

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID: \sx
API String ID: 0-995570312
Opcode ID: b6fb522118d536e2eacb7ba4254f9c45fbd2fe251b74fa2d35d28e817318ab06
Instruction ID: c0c3543c41bcb0d2fb844a1a3535dbff9cf90cbee7978038c0e160da198f7b47
Opcode Fuzzy Hash: b6fb522118d536e2eacb7ba4254f9c45fbd2fe251b74fa2d35d28e817318ab06
Instruction Fuzzy Hash: 11A19C347007269FDB19CF64C998BA9B7B0FB05318F10856ED8169BB91CB74AD86CF90

Function 6C9E927C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 6C9E9431

Part of subcall function 6C9E15D2: HeapAlloc.KERNEL32(00000000,?,?,?,6C9CAD3B,?,?,?,?,?,6C844C3D,6C9C9407,?,?,6C9C9407), ref: 6C9E1604

__freea.LIBCMT ref: 6C9E9444
__freea.LIBCMT ref: 6C9E9451

Strings

\sx, xrefs: 6C9E9283

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: __freea$AllocHeap
String ID: \sx
API String ID: 85559729-995570312
Opcode ID: 1b1239bf03a96d61b8a5697e1f40e81567dc52f38f09d53adfc30f5ef762e6c8
Instruction ID: 6f6291eebba076e2ea467a9cf6228755cfd8cd858ac93a62fbd9604bc1d5db8e
Opcode Fuzzy Hash: 1b1239bf03a96d61b8a5697e1f40e81567dc52f38f09d53adfc30f5ef762e6c8
Instruction Fuzzy Hash: 4B51C372601216AFEB124F65CC80EEB37ADEF7D758B260429FD14D6A40FB30D914C662

Function 6C89F7F4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 6C89F941
SetClassLongW.USER32(?,000000F6,00000000), ref: 6C89F94D
GetWindowRect.USER32(?,?), ref: 6C89F96B

Strings

\sx, xrefs: 6C89F7FA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: BrushClassColorLongRectWindow
String ID: \sx
API String ID: 3059706247-995570312
Opcode ID: df612594453c91e61ef9ea7d06f22b3e6072837ad9ffeeb54f9a05a41fd01ceb
Instruction ID: 671fde434e2d57ce8f0ef358f0aa40e8fe8b5b31e57a2367ecab74d33af796ef
Opcode Fuzzy Hash: df612594453c91e61ef9ea7d06f22b3e6072837ad9ffeeb54f9a05a41fd01ceb
Instruction Fuzzy Hash: 3D614B71A00219AFDF15DFA8C994AEEBBF5BF58314F10452AF805EB740DB34A941CBA0

Function 6C85F21E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C85F225
FillRect.USER32(?,?,-000000D0), ref: 6C85F252

Part of subcall function 6C86D46D: __EH_prolog3.LIBCMT ref: 6C86D474
Part of subcall function 6C86D46D: CreateSolidBrush.GDI32(?), ref: 6C86D48F

FillRect.USER32(?,?,?), ref: 6C85F3BC

Strings

\sx, xrefs: 6C85F362

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FillH_prolog3Rect$BrushCreateSolid
String ID: \sx
API String ID: 1943250179-995570312
Opcode ID: fb1faf91fc7466f8d0d2f7f83defa1076ed5e65d48e2bed6113ef2a485d6d7d9
Instruction ID: b1e97e18b2420eed3f436a2294d4c57954362e14b4d2c5a15ce0735f8d69f059
Opcode Fuzzy Hash: fb1faf91fc7466f8d0d2f7f83defa1076ed5e65d48e2bed6113ef2a485d6d7d9
Instruction Fuzzy Hash: CA518E71A00209ABCF11DFA8CE85DEE7BB6FF58308F004429F905A7790CB719959CBA1

Function 6C8D504A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C8D5064
MapWindowPoints.USER32(?,?,0000002C,00000002), ref: 6C8D509D
GetWindowLongW.USER32(?,000000F0), ref: 6C8D5109

Strings

\sx, xrefs: 6C8D5050

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$LongPointsVisible
String ID: \sx
API String ID: 2971626980-995570312
Opcode ID: d14a2d324497d30ef640dbb7a2d2a56cfef24194a24cd5e376226ccb86d50813
Instruction ID: 340df15d8adb28ba2f14f5c7b32e5ea9de88be1e0499405db65db64c9ea01435
Opcode Fuzzy Hash: d14a2d324497d30ef640dbb7a2d2a56cfef24194a24cd5e376226ccb86d50813
Instruction Fuzzy Hash: 0151CF71B003169FDF149F68C964ABE77B5EF89304F15046AE802EB780DB30AD02CB91

Function 6C860C8A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C860C91
CreateRectRgnIndirect.GDI32(?), ref: 6C860DB6

Part of subcall function 6C86D46D: __EH_prolog3.LIBCMT ref: 6C86D474
Part of subcall function 6C86D46D: CreateSolidBrush.GDI32(?), ref: 6C86D48F

FillRect.USER32(?,00000000,?), ref: 6C860CE4

Strings

%d%%, xrefs: 6C860D57

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateRect$BrushFillH_prolog3H_prolog3_IndirectSolid
String ID: %d%%
API String ID: 2254786338-1518462796
Opcode ID: f8fee2b60c891bc34946d451d0a5497cd2c33baad49a8de6273f8bf9d97dfdb8
Instruction ID: 3d0d2a0c082b723832ec3cf415ed287c44fb1a3da2c88673a1738ce4a7260b59
Opcode Fuzzy Hash: f8fee2b60c891bc34946d451d0a5497cd2c33baad49a8de6273f8bf9d97dfdb8
Instruction Fuzzy Hash: 6C518C31A0024DDBCF14DFA8C995ADE77B9BF48318F114569F811A7690CB34AE0ACF90

Function 6C84CE40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84CEB0
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C84CF3C
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84CFD1

Strings

bad locale name, xrefs: 6C84CFEA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3553999535-1405518554
Opcode ID: 4be47a0f875aee246636e90de341b6c541bc468f1da4d2ebcfca1697a0fdd0d2
Instruction ID: 22a85c811b45eadcd8623f92cafc0bbf168eaff94aa06d5a2a9d5cbc5e9b3034
Opcode Fuzzy Hash: 4be47a0f875aee246636e90de341b6c541bc468f1da4d2ebcfca1697a0fdd0d2
Instruction Fuzzy Hash: A54183B1D056189FEF10DFA8C944BCEBBB8AF25318F108528E815A7741E778D908CB91

Function 6C84D000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84D070
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C84D0FC
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84D191

Strings

bad locale name, xrefs: 6C84D1AA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3553999535-1405518554
Opcode ID: 5fc73ee3e85d94b9257d31576646e98bd2bf794293cd550936af1c25b28b35ab
Instruction ID: 0e74daf64a10528c2a6dbf4a3dff9a7fe636091f23c1fa30b80650e9d829dcfa
Opcode Fuzzy Hash: 5fc73ee3e85d94b9257d31576646e98bd2bf794293cd550936af1c25b28b35ab
Instruction Fuzzy Hash: EB4183B1D01659DBEB10CFA8C944BDEBBB4AF25318F108529E814B7780E779D905CBA2

Function 6C8D78BC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6C8D798A
GetWindowRect.USER32(?,0000002C), ref: 6C8D799E
UnionRect.USER32(0000002C,0000002C,?), ref: 6C8D79AD

Strings

\sx, xrefs: 6C8D78C2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Window$Union
String ID: \sx
API String ID: 4061794321-995570312
Opcode ID: f5663e9a7f1ea1e4957f1d06d80e77efbf6e59c8ac8ab41f552f443d05512f7b
Instruction ID: bacb50d9bc4a497930a95682f8927613863d5c44cedd7f796e6dcdf2df096982
Opcode Fuzzy Hash: f5663e9a7f1ea1e4957f1d06d80e77efbf6e59c8ac8ab41f552f443d05512f7b
Instruction Fuzzy Hash: 11419132B00219AFDB18DFB5CA54EEEB7B8FF19304F114529E505A7640DB30B954CBA0

Function 6C84F730 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C84F7A0
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C84F82C
std::_Lockit::~_Lockit.LIBCPMT ref: 6C84F8C1

Strings

bad locale name, xrefs: 6C84F8DA

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3553999535-1405518554
Opcode ID: 8af4f904903acc755b698a00c4428a575af7485c6f2a8e015b19a990e9db490d
Instruction ID: e28f2727b14dc69a7fcf521d73057cd2714f85b779293981565e9c344f39a98b
Opcode Fuzzy Hash: 8af4f904903acc755b698a00c4428a575af7485c6f2a8e015b19a990e9db490d
Instruction Fuzzy Hash: 7E5175B1D0165C9FEB10CFA8C944BDEBBB4AF25318F158529E815BB740E778D904CB91

Function 6C8738A9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6C8738BE
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6C8739B3
LoadBitmapW.USER32(00000000,00007FE3), ref: 6C8739CA

Strings

\sx, xrefs: 6C8738B2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID: \sx
API String ID: 2596413745-995570312
Opcode ID: b74a5af7930895485898ffa20803a845b02e1dfd876f73c34d8ea0992a172cd1
Instruction ID: be7c4b3ba7213b657fadc62983662b44501571f56c4061605350aeef1e0a52e2
Opcode Fuzzy Hash: b74a5af7930895485898ffa20803a845b02e1dfd876f73c34d8ea0992a172cd1
Instruction Fuzzy Hash: 5931C971B002259FDB34CF288D85BADB7F4FB45304F4045AAD54AE7681DB70AE868F61

Function 6C85DDA4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C85DDAB
InflateRect.USER32(?,00000005,00000005), ref: 6C85DDE9
Ellipse.GDI32(00000000,?,00000000,?,?), ref: 6C85DEB4

Strings

Gu,, xrefs: 6C85DE35

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EllipseH_prolog3_InflateRect
String ID: Gu,
API String ID: 3279685039-3926172423
Opcode ID: 91ae707339f8e15df7c365b92d57a812b92d5c7d957851cf348fee2a9c5fbd96
Instruction ID: 56af3fe6e0555338dcc965c875b3e2f38e278f5b789122e97c5d3a54f272f6cb
Opcode Fuzzy Hash: 91ae707339f8e15df7c365b92d57a812b92d5c7d957851cf348fee2a9c5fbd96
Instruction Fuzzy Hash: 48415D71E001089FCF54DFA8CA45AEE77B5AF18308F50456AE901A7B90DB74EE19CFA1

Function 6C8E09E8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?,00000000,00000800,?,?,?,?,?,00000058,00000040,6C8542D4,6CA6CB3C,00000004,?,50008200), ref: 6C8E0A13
DestroyIcon.USER32(00000000,?,000000FF,00000000,?,00000000,00000001,0000001C,00000020,000000FF,00000001,00000001,?,0000001C,00000020,?), ref: 6C8E0AA0
SetTimer.USER32(?,?,0000007D,00000000), ref: 6C8E0ADE

Strings

4(@P, xrefs: 6C8E0AAC

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Timer$DestroyIconKill
String ID: 4(@P
API String ID: 1879703730-4081170755
Opcode ID: f8825d1ee2068da4e2979cf76f0aa5e444a71a7a06fc6a3c3bbc551f2ee671ec
Instruction ID: 7b39ac306cfd9ff6899ec506c5dc5495e8db40e50bc2616d57ff00b57e139cab
Opcode Fuzzy Hash: f8825d1ee2068da4e2979cf76f0aa5e444a71a7a06fc6a3c3bbc551f2ee671ec
Instruction Fuzzy Hash: 7331D531201218EFCF228F15CE84A9E3F75FF89354B10487AFC116AA65CB71D992EB90

Function 6C85FB9C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 6C85FBC6
FillRect.USER32(?,?,-000000D0), ref: 6C85FBE3
OffsetRect.USER32(?,00000000,00000001), ref: 6C85FC19

Strings

\sx, xrefs: 6C85FBA2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$FillInflateOffset
String ID: \sx
API String ID: 783136803-995570312
Opcode ID: 0ef3428d152e973207dbfa0e459e817b4d4fd7a92b358aa0b4738b118b082e44
Instruction ID: 666633b157c72a7712d7173e33d41c7d21b77acb97224a2c0a019cbf612797fa
Opcode Fuzzy Hash: 0ef3428d152e973207dbfa0e459e817b4d4fd7a92b358aa0b4738b118b082e44
Instruction Fuzzy Hash: AC212AB2A0021AABCB10DF95CD89DEF7BBCFF05254B404526B915E7241C774EA19CBA1

Function 6C846840 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6C8468DF

Part of subcall function 6C9CB8AE: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,6C9C9415,?,6CA66060,?,?), ref: 6C9CB90F

Strings

ios_base::badbit set, xrefs: 6C846877, 6C8468A2, 6C8468C3
ios_base::eofbit set, xrefs: 6C846886
ios_base::failbit set, xrefs: 6C846798, 6C846881

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 0e51f5e0927c890060836775421e3faf30b6cc5c18bf88505bdec04a828ea3ee
Instruction ID: c5b8b65b518da226a744f7a5d8a143a8c35f807bcf4f0470cea01a734883f558
Opcode Fuzzy Hash: 0e51f5e0927c890060836775421e3faf30b6cc5c18bf88505bdec04a828ea3ee
Instruction Fuzzy Hash: BE11BBB29007186BC710DF9CC946BD6B3B8AF55321F14C91AF968D7A40F731E954CB91

Function 6C98E119 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindow.USER32(00000000,00000005), ref: 6C98E146
GetClassNameW.USER32(?,?,00000400), ref: 6C98E168

Part of subcall function 6C9AE5AF: __EH_prolog3.LIBCMT ref: 6C9AE5B6

GetWindow.USER32(?,00000002), ref: 6C98E1A6

Strings

\sx, xrefs: 6C98E122

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ClassH_prolog3Name
String ID: \sx
API String ID: 632776892-995570312
Opcode ID: 2864a87a5c3f377976d6b90d1fc7446cc0ae99c011abdcfba10edb40dbb9be6e
Instruction ID: 23b2f95e63a9ce0d1577f18d9a7a56231cc862aef9ee241fb45e0927d26f52cf
Opcode Fuzzy Hash: 2864a87a5c3f377976d6b90d1fc7446cc0ae99c011abdcfba10edb40dbb9be6e
Instruction Fuzzy Hash: F311D076B12215AFDB219B79CC54EAAB7BCAB08308F014968A486D7A90DF30DD4687D0

Function 6C85D50B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?,-00000098), ref: 6C85D538
InflateRect.USER32(?,000000FF,000000FF), ref: 6C85D57A
DrawEdge.USER32(?,?,00000004,0000000F), ref: 6C85D597

Strings

\sx, xrefs: 6C85D511

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$DrawEdgeFillInflate
String ID: \sx
API String ID: 785442924-995570312
Opcode ID: e8f87fdf54a88b66386081ed1d4bd6369bc45fd43e6e233a92de678af68dd1f0
Instruction ID: e89fb1704743eeaa5dd65be96dc65d67c8a4e897c67ef4b4d4392f7d3b9e1bbf
Opcode Fuzzy Hash: e8f87fdf54a88b66386081ed1d4bd6369bc45fd43e6e233a92de678af68dd1f0
Instruction Fuzzy Hash: 13114272A10209AFCF04DFA4C985DEE77BCFF09314F908569E511AB291DB70DA0ACB61

Function 6C88CAC7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C88CACE

Part of subcall function 6C959A09: __EH_prolog3.LIBCMT ref: 6C959A10

Strings

MFCToolBars, xrefs: 6C88CAD9
%TsMFCToolBarParameters, xrefs: 6C88CB01
LargeIcons, xrefs: 6C88CB46

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
API String ID: 431132790-953485693
Opcode ID: 767338ca43e99fc975ab9dadb0c9aad4522e56aecc7a89e769362b3625b4b712
Instruction ID: 7b5d127ec6e20771fc8c11b5d71518243c929570d671829b60676739be96bd04
Opcode Fuzzy Hash: 767338ca43e99fc975ab9dadb0c9aad4522e56aecc7a89e769362b3625b4b712
Instruction Fuzzy Hash: 36216DB5B0030A9FDF04DFA4C990AEEB775BF54308F104829D401A7781DB34DA4ACB61

Function 6C86FCED Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C86FCF4
LoadCursorW.USER32(00000000,00007F00), ref: 6C86FD18
GetClassInfoW.USER32(?,?,?), ref: 6C86FD53

Part of subcall function 6C865A70: GetClassInfoW.USER32(?,?,?), ref: 6C865A89

Strings

%Ts:%x:%x:%x:%x, xrefs: 6C86FD3E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClassInfo$CursorH_prolog3Load
String ID: %Ts:%x:%x:%x:%x
API String ID: 1242006032-4057404147
Opcode ID: e5126455e03467b675d0c3d48e5e7ba5dee0995ce0c2bb24c677280d58688a39
Instruction ID: 1568995f0fae765df580177882ad11c987985d70e7523fe2088819678e08a0e6
Opcode Fuzzy Hash: e5126455e03467b675d0c3d48e5e7ba5dee0995ce0c2bb24c677280d58688a39
Instruction Fuzzy Hash: 48213AB0A00209AFDB51DFA9C984BDDBBF4BF18709F10882AE508E7740D7759A49CB65

Function 6C8727FA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C945D74: EnterCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DA5
Part of subcall function 6C945D74: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DBB
Part of subcall function 6C945D74: LeaveCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DC9
Part of subcall function 6C945D74: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000,?), ref: 6C945DD6

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C872841
CreatePatternBrush.GDI32(00000000), ref: 6C87284E
DeleteObject.GDI32(00000000), ref: 6C87285A

Strings

\sx, xrefs: 6C872800

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$CreateEnter$BitmapBrushDeleteInitializeLeaveObjectPattern
String ID: \sx
API String ID: 3767330792-995570312
Opcode ID: 4fb1f32dd6eb2732d32477bd510c54f51216f2637b893eb7125ed38a44560962
Instruction ID: 12f8a52047b3e8e85dc2fc23261e9b517e28183e55d083db979b28c3f3106ddd
Opcode Fuzzy Hash: 4fb1f32dd6eb2732d32477bd510c54f51216f2637b893eb7125ed38a44560962
Instruction Fuzzy Hash: 5E012531B11A55EADB2997798D08AAE37B8EBD6709F00812DE44283681DB348507CB72

Function 6C8EBB93 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000085,00000000,00000000), ref: 6C8EBBE7
SetRectEmpty.USER32 ref: 6C8EBBEE
UpdateWindow.USER32(?), ref: 6C8EBBFD

Strings

\sx, xrefs: 6C8EBB99

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyMessageRectSendUpdateWindow
String ID: \sx
API String ID: 2064314377-995570312
Opcode ID: 1fcc163105519716aa73532a13068ce4ceb211a03d29f0b31e462467a5f9dac0
Instruction ID: b97432754433c5241494bcf623edea15561637aa4f4649e3dc5d325dab9f1574
Opcode Fuzzy Hash: 1fcc163105519716aa73532a13068ce4ceb211a03d29f0b31e462467a5f9dac0
Instruction Fuzzy Hash: F5014C727007099FCB04DF68C885BAE77BAFF4A268F154059E946EB250CB71AD42CB94

Function 6C86599D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C945D74: EnterCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DA5
Part of subcall function 6C945D74: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DBB
Part of subcall function 6C945D74: LeaveCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DC9
Part of subcall function 6C945D74: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000,?), ref: 6C945DD6

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C8659DF
FreeLibrary.KERNEL32(?,?,Function_00026C9B,?,?,?,6C8F9E65,?,6C89F93B,?), ref: 6C8659EF

Strings

hhctrl.ocx, xrefs: 6C8659C3
HtmlHelpW, xrefs: 6C8659D9

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$Enter$AddressFreeInitializeLeaveLibraryProc
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 3484705245-3773518134
Opcode ID: 544f3171ffbbf3908b208ab762aa2d4bed23c79e7cecf3a98cc594dae10eccdd
Instruction ID: 2761d1d720aeee8426a0831bd45c84c92e7e1bd460c95d8c095527e4466abbbc
Opcode Fuzzy Hash: 544f3171ffbbf3908b208ab762aa2d4bed23c79e7cecf3a98cc594dae10eccdd
Instruction Fuzzy Hash: DA01F731600B0AABDB315FA7DD18B4A7BB0AF00769F00CD29E45696E51DB30E4548761

Function 6C86FA37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 6C86FA5A
CopyRect.USER32(?,?), ref: 6C86FA6C

Strings

(, xrefs: 6C86FA53
\sx, xrefs: 6C86FA3D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: ($\sx
API String ID: 2119610155-4275447854
Opcode ID: 061e7fbae3a1105a97916dbf08edb634e6dd05a3c94b8867ff52d5c48e76b0d5
Instruction ID: 21583e1bf4e1f24669e5ac2d9dde7b1630ad583833bd4ffa8e43c30d0c4b007d
Opcode Fuzzy Hash: 061e7fbae3a1105a97916dbf08edb634e6dd05a3c94b8867ff52d5c48e76b0d5
Instruction Fuzzy Hash: A911A271A0070ADFCB14DFA9C58499AB7F8FF18605B50882EE5AAE3650E730EA45CF51

Function 6C8F5A3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,00000010,?,?,6C8F93BB,?,00000010,?,?,?,00000001,?,00000001), ref: 6C8F5A51
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C8F5A61

Strings

RegDeleteKeyTransactedW, xrefs: 6C8F5A5B
Advapi32.dll, xrefs: 6C8F5A4C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: fb0166ce6f774594fae83bb831e4c0938383dbdd67b1e1a312eeb5946d70a8b8
Instruction ID: 9a46b086a53f76e0778b28702ba61aeba7e15afe5c9d8da703b66dbfbf558da4
Opcode Fuzzy Hash: fb0166ce6f774594fae83bb831e4c0938383dbdd67b1e1a312eeb5946d70a8b8
Instruction Fuzzy Hash: ECF0963230571AAFDB105E54DC84827B77DFB811DD310C93AF564C2800D7328853C760

Function 6C8F5A9D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,?,6C8F57EA,?,?,?,00000000,00000008,00000000,00000008,6C98FB15,80000000,CLSID,00000000), ref: 6C8F5AAE
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C8F5ABE

Strings

RegOpenKeyTransactedW, xrefs: 6C8F5AB8
Advapi32.dll, xrefs: 6C8F5AA9

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 1bc3f13dad14c1973862dee8acb51a078c47aa6603e38645c58f85f8467cae2b
Instruction ID: 139aa829baea6834bae38432211a42c988b4e2ddbbeec3f331af8fe9463faa0c
Opcode Fuzzy Hash: 1bc3f13dad14c1973862dee8acb51a078c47aa6603e38645c58f85f8467cae2b
Instruction Fuzzy Hash: C1F0623234070AABCF115E94DC04B9A3BB9FB853D6F11C879F520C1850DB728463DBA0

Function 6C9CE132 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6C9CE0E3,00000001,?,00000001,?,?,?,6C9CE1D2,00000001,FlsFree,6CA3BB04,FlsFree), ref: 6C9CE13F
GetLastError.KERNEL32(?,6C9CE0E3,00000001,?,00000001,?,?,?,6C9CE1D2,00000001,FlsFree,6CA3BB04,FlsFree,00000001,?,6C9CD0F3), ref: 6C9CE149
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6C9CE171

Strings

api-ms-, xrefs: 6C9CE156

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 7bd1373362fce9af62debe14ea9a1aafb72f214475354856f8caf482463ab3d1
Instruction ID: 8a5bf76b5b147e2582a6a9096f383ee9c41613c53493c49c68b9ee92ffac6131
Opcode Fuzzy Hash: 7bd1373362fce9af62debe14ea9a1aafb72f214475354856f8caf482463ab3d1
Instruction Fuzzy Hash: 78E09230344609B7EB001A61DC06F483F29AB00B88F114420F90EE88D0DB72E6A696DA

Function 6C88149C Relevance: 6.4, APIs: 4, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8814A6
GetObjectW.GDI32(?,00000018,?), ref: 6C881576
DeleteObject.GDI32(?), ref: 6C88164B
DeleteObject.GDI32(?), ref: 6C881A0D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Delete$H_prolog3
String ID:
API String ID: 487261545-0
Opcode ID: 612ecd7eeab881cf62a5e35e1a6e1c01ef02673b21a3319179db941d2d10a13e
Instruction ID: db90ef36195517449047b16ec5996803ddcb904080bcf383d8c1947e9fb8dfb8
Opcode Fuzzy Hash: 612ecd7eeab881cf62a5e35e1a6e1c01ef02673b21a3319179db941d2d10a13e
Instruction Fuzzy Hash: BB122670E017198FDB25CFA9C990B9EFBB5BF09304F10866AD459B7A50EB30A985CF50

Function 6C8D5E7A Relevance: 6.2, APIs: 4, Instructions: 230windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8D5E81
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C8D5EB4
GetWindow.USER32(?,00000005), ref: 6C8D5FC3

Part of subcall function 6C8D615D: BringWindowToTop.USER32(?), ref: 6C8D61FD
Part of subcall function 6C8D615D: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 6C8D6251
Part of subcall function 6C8D615D: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 6C8D625D

GetWindow.USER32(?,00000002), ref: 6C8D601D

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Redraw$BringH_prolog3MessageSend
String ID:
API String ID: 259967589-0
Opcode ID: dd1528a4608fd89772d28dd9285295b75d281e88a8edac7def65fb12f284c06e
Instruction ID: a7aac64dfb5b4f5e227af759687c178792ee15b4bf04a0340f4ee06e75812cd6
Opcode Fuzzy Hash: dd1528a4608fd89772d28dd9285295b75d281e88a8edac7def65fb12f284c06e
Instruction Fuzzy Hash: 5C81B271B003199FDF259F658954BAE7772EF49314F05083AEC01ABB81DF74A905CBA1

Function 6C9A10A3 Relevance: 6.2, APIs: 4, Instructions: 198comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9A10AD
GetVersionExW.KERNEL32(?), ref: 6C9A1129
CoInitializeEx.OLE32(00000000,00000002), ref: 6C9A12B9
CoCreateInstance.OLE32(6CA39C08,00000000,00000001,6CA30CE4,?), ref: 6C9A1300

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateH_prolog3_InitializeInstanceVersion
String ID:
API String ID: 1117250964-0
Opcode ID: ba536691f2674b3f73173883341cc6129c80aa0d29b81127e7ac8950fc948858
Instruction ID: 6c3d4da5e9e78b4031d3fd62ef97ff005e4f4aefdc0ba2914e4fb22505403723
Opcode Fuzzy Hash: ba536691f2674b3f73173883341cc6129c80aa0d29b81127e7ac8950fc948858
Instruction Fuzzy Hash: 7E813770B01616AFD758CF68C940BDAB7B8BF0A318F00825AE918D7B40DB30EA55CF95

Function 6C85F8C6 Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C85F8CD
InflateRect.USER32(?,000000FF,00000000), ref: 6C85F8ED
InflateRect.USER32(?,000000FF,000000FE), ref: 6C85F912
FillRect.USER32(?,?,?), ref: 6C85F933

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Inflate$FillH_prolog3_
String ID:
API String ID: 3515757206-0
Opcode ID: fdd1c45f3abafccdbda6077b85ed1533ec52f2af4113108ca177a13dbcc682cd
Instruction ID: bd1d688fe68f261096454c38c32d8191450a781bfafd8b4254e6d7745718f710
Opcode Fuzzy Hash: fdd1c45f3abafccdbda6077b85ed1533ec52f2af4113108ca177a13dbcc682cd
Instruction Fuzzy Hash: 71618C71A0020DABCF15DF68CA84EEE77BAEF18358F500525F811A7790DB349D59CBA0

Function 6C8E07AF Relevance: 6.2, APIs: 4, Instructions: 190COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8E07B6
SelectObject.GDI32(?,?), ref: 6C8E0983

Part of subcall function 6C86D4B1: __EH_prolog3.LIBCMT ref: 6C86D4B8
Part of subcall function 6C86D4B1: GetDC.USER32(00000000), ref: 6C86D4E4

SelectObject.GDI32(?,00000000), ref: 6C8E0874
GetSystemMetrics.USER32(00000000), ref: 6C8E0948

Part of subcall function 6C8DFBA7: GetTextExtentPoint32W.GDI32(?,?,0000007D,00000800), ref: 6C8DFBB9

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3ObjectSelect$ExtentMetricsPoint32SystemText
String ID:
API String ID: 182195805-0
Opcode ID: 1d920890a4a303236465b06360d2068f200853325c1a9163071e243ee55f6753
Instruction ID: 294ae4150722d33ef3e6d45c6069a7cdb759625c4781731ee9cfea9f66d8faec
Opcode Fuzzy Hash: 1d920890a4a303236465b06360d2068f200853325c1a9163071e243ee55f6753
Instruction Fuzzy Hash: C4710470A002099FDB14CF69C990BAEBBB5BF99308F10496EE415EB791DF30E946DB50

Function 6C880D7B Relevance: 6.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C880D82
LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6C880ED8
GetObjectW.GDI32(00000000,00000018,?), ref: 6C880EEA
DeleteObject.GDI32(00000000), ref: 6C880F42

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$DeleteH_prolog3ImageLoad
String ID:
API String ID: 91933946-0
Opcode ID: 4d0e56099cca50f5423bfe11611ac2eb56996aac6497444f65ccfefb589e2ab9
Instruction ID: 9a4125690476f014ed70fbc86e0d3024ac5930039f22c35b2632d6b6f7e65479
Opcode Fuzzy Hash: 4d0e56099cca50f5423bfe11611ac2eb56996aac6497444f65ccfefb589e2ab9
Instruction Fuzzy Hash: 6461F331903705CBDF21DF68CA807EE77B5BF45314F208A69DC546BA95CB709946CBA0

Function 6C8F9D40 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 6C8F9E49
DestroyWindow.USER32(00000000,?,00000000,00000000,6C8F9B41,00000000,?,6C89F93B,?), ref: 6C8F9F32
GlobalUnlock.KERNEL32(00000000), ref: 6C8F9F3F
GlobalFree.KERNEL32(00000000), ref: 6C8F9F46

Part of subcall function 6C996326: GetStockObject.GDI32(00000011), ref: 6C996348
Part of subcall function 6C996326: GetStockObject.GDI32(0000000D), ref: 6C996354
Part of subcall function 6C996326: GetObjectW.GDI32(00000000,0000005C,?), ref: 6C996365
Part of subcall function 6C996326: GetDC.USER32(00000000), ref: 6C996374
Part of subcall function 6C996326: GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C99638B
Part of subcall function 6C996326: MulDiv.KERNEL32(?,00000048,00000000), ref: 6C996397
Part of subcall function 6C996326: ReleaseDC.USER32(00000000,00000000), ref: 6C9963A3

Part of subcall function 6C996010: GlobalFree.KERNEL32 ref: 6C996017

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$Object$FreeStock$CapsDestroyDeviceLockReleaseUnlockWindow
String ID:
API String ID: 191377077-0
Opcode ID: 149aa39e60400e99dc4d79d12f606f94e56febcb00680d96530d0e837e51e2fe
Instruction ID: 05ad74509dfa24a3345b5c9246c06dfff587f103d611610538582275e03838bc
Opcode Fuzzy Hash: 149aa39e60400e99dc4d79d12f606f94e56febcb00680d96530d0e837e51e2fe
Instruction Fuzzy Hash: 9D518030A0121ADFCF15DFA4CA85AEEBBB4BF04358F154469E811E7750DB749E06CBA1

Function 6C87A40E Relevance: 6.1, APIs: 4, Instructions: 145windowCOMMON

Download Yara Rule

APIs

SetMenu.USER32(?,?), ref: 6C87A45D
GetMenu.USER32(?), ref: 6C87A4CC
SetMenu.USER32(?,00000000), ref: 6C87A4F1
SendMessageW.USER32(?,00000362,?,00000000), ref: 6C87A582

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$MessageSend
String ID:
API String ID: 3482896889-0
Opcode ID: bd74c2a78702d7c96172a034fccc8062010ceb9ad25b4104f5ce2e4fd3fb4845
Instruction ID: 630b3d1c95738ba034a8e85b407634eda651dabf4b0d4e4bbc48af5b0a1aa8a6
Opcode Fuzzy Hash: bd74c2a78702d7c96172a034fccc8062010ceb9ad25b4104f5ce2e4fd3fb4845
Instruction Fuzzy Hash: 2241B571300206ABCB348F69C944AEEB7A9FF49754F148536E519C7E10E732E952CBA0

Function 6C844790 Relevance: 6.1, APIs: 4, Instructions: 137windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6C8447F7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 6C844824
LoadMenuW.USER32(?,000000AD), ref: 6C844855
GetSubMenu.USER32(00000000,00000000), ref: 6C844869

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$ClientLoadMessageScreenSend
String ID:
API String ID: 688987412-0
Opcode ID: 0f477ddc55ab8ef3135d30e2fead4825b58f0a0180ef3c6cc2135bc8ef4f8717
Instruction ID: 283b2eba437eb8e9e6c08d7dbdeea3e25aa7505a9cad5eb7de304975aff2d876
Opcode Fuzzy Hash: 0f477ddc55ab8ef3135d30e2fead4825b58f0a0180ef3c6cc2135bc8ef4f8717
Instruction Fuzzy Hash: DB41B471B00249AFDF24DFA8CA44BEE7BB5FF84304F108929F51597A90DB749905CB90

Function 6C8A3AAC Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C8A3B7D
SetRectEmpty.USER32(?), ref: 6C8A3B8A
SetRectEmpty.USER32(?), ref: 6C8A3C48
SetRectEmpty.USER32 ref: 6C8A3CA7

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 97e15270ffeaec4e796ca8f3dc3a44f3badbedf0447cd8a91efff7ba03e4ab93
Instruction ID: b83c5893a0aaea834b5244aa1d1a2c3691b267ef1517035ac0e09755c90d224b
Opcode Fuzzy Hash: 97e15270ffeaec4e796ca8f3dc3a44f3badbedf0447cd8a91efff7ba03e4ab93
Instruction Fuzzy Hash: 5751D9B09112258FCB648F5985C46E53BA8FB09B54F0842BBED0CCFA5AC7B05546DFA1

Function 6C8732E6 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,00000403), ref: 6C8733A9
GetFocus.USER32 ref: 6C8733C3
GetParent.USER32(?), ref: 6C8733CE
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 6C8733E3

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: 8aa6a535c7996d3a2a407e12832e01cd496c14ea0583be2b0f5792d210ec630f
Instruction ID: 735a98b53a0b979c78650a604108f5336f3d96c8e2ee71f4032cee313e73a367
Opcode Fuzzy Hash: 8aa6a535c7996d3a2a407e12832e01cd496c14ea0583be2b0f5792d210ec630f
Instruction Fuzzy Hash: DE41F231200205EFCB349F19C948B5EBBB5FF85719F108529E40587E90EB70AD86CBA1

Function 6C86EEFC Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C86EF03
GetClientRect.USER32(6CA093EC,?), ref: 6C86EF52

Part of subcall function 6C867552: GetScrollPos.USER32(6CA093EC,00000800), ref: 6C86757E

Part of subcall function 6C944E37: GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C86EF84,00000001,00000000,?,6C8542BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?), ref: 6C944E46
Part of subcall function 6C944E37: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C944E56
Part of subcall function 6C944E37: EncodePointer.KERNEL32(00000000,?,6C8542BA,?,50008200,0000E801,00000000,0000E828,0000E831,00000001,0000007E,?,00000001,0000007D,?,00000800), ref: 6C944E5F

CreateCompatibleDC.GDI32(?), ref: 6C86EFEE
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C86F014

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
String ID:
API String ID: 1015973060-0
Opcode ID: b587c197855babc7b30b157a509d1ff9674649791b2fa3ab818bc3116e98d5da
Instruction ID: b6cd49ba0b401fcabb17ec7ec6ca5c38ca08c817ca0a38a4ad2074f70a04ab2a
Opcode Fuzzy Hash: b587c197855babc7b30b157a509d1ff9674649791b2fa3ab818bc3116e98d5da
Instruction Fuzzy Hash: 6E414BB0A00606EFDB20CF6ACA84A99BBB4BF18308F15C96DE45987E50D770E955CFD1

Function 6C86C9BD Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6C86C9EA
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6C86CA4B
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 6C86CA95
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 6C86CAC4

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3cf0f17c457cd2be23705a1ca7907a718ae8d298d295f1215d74ebe1b49f77fb
Instruction ID: 13fb3993c3870450db06969043aa1f4cee448bb7e05bb0237d68ff1a22c9dcf0
Opcode Fuzzy Hash: 3cf0f17c457cd2be23705a1ca7907a718ae8d298d295f1215d74ebe1b49f77fb
Instruction Fuzzy Hash: 5631C8B1A40206FFEF25EE66CA84B6976B9FB00389F104879E11293E51CB70AD41D694

Function 6C85E4AC Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 6C85E4E6
InflateRect.USER32(?,000000FF,000000FF), ref: 6C85E527
InflateRect.USER32(?,?,?), ref: 6C85E558
InflateRect.USER32(?,00000001,00000001), ref: 6C85E583

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: InflateRect
String ID:
API String ID: 2073123975-0
Opcode ID: 45a9673ebde7687eca977fb722211262c353a8f87dd90909ce260e5812364efd
Instruction ID: 1745c44f8649c1bfcbdefe1b9e49962951d271ee57c47d6eacc07ebb7d8fb65b
Opcode Fuzzy Hash: 45a9673ebde7687eca977fb722211262c353a8f87dd90909ce260e5812364efd
Instruction Fuzzy Hash: 03317472604219ABCF14EEACCD48DDF73ACBF08224B845E75B510D7691DBB4E8588BA0

Function 6C94402B Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(00000000), ref: 6C944037
GetClientRect.USER32(?,00000000), ref: 6C944057
GetParent.USER32(?), ref: 6C944076
OffsetRect.USER32(00000000,00000000,00000000), ref: 6C9440F8

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ClientEmptyOffsetParent
String ID:
API String ID: 3819956977-0
Opcode ID: beb0dc74206762ce9880b6853aae1b0437e3b53ead7d76ef482d5f323b68a4a1
Instruction ID: eac426c188bc481f49772b42cfcb7de75abbffecf229f3de7ee9fa6c74120d91
Opcode Fuzzy Hash: beb0dc74206762ce9880b6853aae1b0437e3b53ead7d76ef482d5f323b68a4a1
Instruction Fuzzy Hash: 26317071200602EFEB18CF69C998A69B7E8FF54359B14C56DE41AC7A40EB34EC51CBA0

Function 6C863E8F Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,00000000,00000800,6C86418C,00000002,00000000,?,?,?,6C855846,6CA10964), ref: 6C863EC0
RedrawWindow.USER32(?,00000000,00000000,00000585,?,00000000,00000800,6C86418C,00000002,00000000,?,?,?,6C855846,6CA10964,?), ref: 6C863EED
RedrawWindow.USER32(?,00000000,00000000,00000185,?,00000000,00000800,6C86418C,00000002,00000000,?,?,?,6C855846,6CA10964,?), ref: 6C863F2A
RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,6C855846,6CA10964,?,?,00000000,6C9F3E9D,000000FF,?,6C85449A,?), ref: 6C91A873

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: RedrawWindow
String ID:
API String ID: 2219533335-0
Opcode ID: ed576b3c37bdc43ef408a686c12491ae160c3e64e33011695650826bfac6c6cf
Instruction ID: 49119b8653444ae7700351990c71d67dbd1c3631a6384235656fc39b5f5b9134
Opcode Fuzzy Hash: ed576b3c37bdc43ef408a686c12491ae160c3e64e33011695650826bfac6c6cf
Instruction Fuzzy Hash: 29210332741B12ABEB310E16CE05B167374BF44B54F250969ED587BE90EB60FC868AD0

Function 6C9DDE9E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3c63e6be320bd24faffcf9f7d86127015842dfdcc3d2dc74a24469945ed6a2
Instruction ID: d77c5d592e043e75229a9e9ea515485c5e4aa47a432d0b0212009ca77f67a565
Opcode Fuzzy Hash: bc3c63e6be320bd24faffcf9f7d86127015842dfdcc3d2dc74a24469945ed6a2
Instruction Fuzzy Hash: 98112732314B09ABDB101A6A9C08B8A3B7CEB92BA8F128165E410F7780D770FC118A71

Function 6C869482 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C8694BC
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C8694E6
GetCapture.USER32 ref: 6C8694FC
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C86950B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 65b28a6ce9e3f657e720081667a66129dfa4ba49a5e49d354b5fa378b7c0415e
Instruction ID: 0a5c538563a87a517cc9e19a49c2b39bcd0e9dd84645507263d95efe471954fd
Opcode Fuzzy Hash: 65b28a6ce9e3f657e720081667a66129dfa4ba49a5e49d354b5fa378b7c0415e
Instruction Fuzzy Hash: 3311B23130020ABFEE251B258C8CFBE7B6EFF4879CF000424F60596E95DB719D5296A0

Function 6C841F30 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000006), ref: 6C841F48
LoadResource.KERNEL32(?,00000000), ref: 6C841F5C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindLoad
String ID:
API String ID: 2619053042-0
Opcode ID: 86acaffc1db5892db945a6b41d4de417de8388102cdb6cc27ff69610ba908d4c
Instruction ID: 78f19419c0f41fdbd9931c275af19fdb1157d5327985b4f35e98829b42e35afc
Opcode Fuzzy Hash: 86acaffc1db5892db945a6b41d4de417de8388102cdb6cc27ff69610ba908d4c
Instruction Fuzzy Hash: C101D633B0422A5BCB301B69ED444BAB76CEB857AA7018927FD4DD7500D731D81346A0

Function 6C9477B6 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005,?,00000000,00000000,00000000,?,6C9466FC,00000000,?,00000000,?,00000000,?,?), ref: 6C9477D4
LoadResource.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,6C9466FC,00000000,?,00000000,?,00000000,?,?), ref: 6C9477E9
LockResource.KERNEL32(00000000,?,00000000,00000000,00000000,?,6C9466FC,00000000,?,00000000,?,00000000,?,?), ref: 6C9477FB
GlobalFree.KERNEL32(?), ref: 6C94783A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 2a1b41bb5d12a5f01e3dc46a80ea20bed6b1c9feab36c53e754053156198f80d
Instruction ID: cac4fbc5fea3f5d9588f06ca3e82b3a9e7b17886d23781310747ffcc12617d3f
Opcode Fuzzy Hash: 2a1b41bb5d12a5f01e3dc46a80ea20bed6b1c9feab36c53e754053156198f80d
Instruction Fuzzy Hash: 8611B471601615ABC7265B56C884BDABBA8BF153A8F15C1B8E808E7B00DB71DC05CBE0

Function 6C874733 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6C8422D0: InitializeCriticalSectionEx.KERNEL32(6CA764DC,00000000,00000000,00000000,?,?,?,6C8800ED,00000000,00000000), ref: 6C842329
Part of subcall function 6C8422D0: GetLastError.KERNEL32(?,?,?,6C8800ED,00000000,00000000), ref: 6C842333

GdipCreateFromHDC.GDIPLUS(?,?), ref: 6C874773
GdipSetInterpolationMode.GDIPLUS(?,?,?,?), ref: 6C874784
GdipDeleteGraphics.GDIPLUS(?,?,?,?,?,?,?,?,?,?), ref: 6C8747BA
GdipDisposeImage.GDIPLUS(?), ref: 6C8747C2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Gdip$CreateCriticalDeleteDisposeErrorFromGraphicsImageInitializeInterpolationLastModeSection
String ID:
API String ID: 3355326447-0
Opcode ID: 417349d9946d6f3b3bafc061ede51db6e5603bbc4df34ef61657314680f79b0e
Instruction ID: 7004faa72363ff4a1e449c77d64be066f98341bc0efdf22942f297095229cd3c
Opcode Fuzzy Hash: 417349d9946d6f3b3bafc061ede51db6e5603bbc4df34ef61657314680f79b0e
Instruction Fuzzy Hash: B6113072A0011DEF8F20DFB8CA40DDEBBB8EF55748B104569E805E7610E736DA16CBA1

Function 6C8601FB Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C860202
IsRectEmpty.USER32(?), ref: 6C860224

Part of subcall function 6C91D54F: __EH_prolog3_GS.LIBCMT ref: 6C91D556
Part of subcall function 6C91D54F: CreateCompatibleDC.GDI32(00000000), ref: 6C91D5BA
Part of subcall function 6C91D54F: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C91D5F0
Part of subcall function 6C91D54F: SelectObject.GDI32(?,00000000), ref: 6C91D644

IsRectEmpty.USER32(?), ref: 6C860268
FillRect.USER32(?,?,-000000A0), ref: 6C860289

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$CompatibleCreateEmpty$BitmapFillH_prolog3H_prolog3_ObjectSelect
String ID:
API String ID: 2706196367-0
Opcode ID: 4e041c112ab6837b8135dde0b416454af567cade28f95171ea939d978e8657c4
Instruction ID: 6d96c23c85ce142f94daee1be42d6e5636d353c6eccb5e376af7d2c2addd5008
Opcode Fuzzy Hash: 4e041c112ab6837b8135dde0b416454af567cade28f95171ea939d978e8657c4
Instruction Fuzzy Hash: 41118172604149ABCF55DFA4CE05EEE33BCBF2830CF584629A014E7A90DB74D519CB62

Function 6C873F6E Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C873F78
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C873FBB
RedrawWindow.USER32(?,00000000,00000000,00000185,?,?,?,?,?,?,00000000), ref: 6C873FCB
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C873FA3

Part of subcall function 6C87ACF0: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6C87AD64
Part of subcall function 6C87ACF0: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C87AD8D
Part of subcall function 6C87ACF0: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C87ADAC
Part of subcall function 6C87ACF0: SendMessageW.USER32(?,00000222,?,00000000), ref: 6C87ADC6

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$ParentRedrawWindow
String ID:
API String ID: 2139789815-0
Opcode ID: 8211c5dfbe50868d76eb2d0b8e21d0300d7b01c164507f9295c552d3f6cc04ce
Instruction ID: 125ce9131673b1ec778e9554f935829baa9649e0cf68cc55fa47e86aa506f6cc
Opcode Fuzzy Hash: 8211c5dfbe50868d76eb2d0b8e21d0300d7b01c164507f9295c552d3f6cc04ce
Instruction Fuzzy Hash: CE11E532300605BFEB391A25CD58FAA76BAFB8478DF104439F50586990EF719C86DBA0

Function 6C844AE0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6C86D51A: __EH_prolog3.LIBCMT ref: 6C86D521
Part of subcall function 6C86D51A: BeginPaint.USER32(?,?,00000004,6C842711), ref: 6C86D54D

GetWindowRect.USER32(?,?), ref: 6C844B1F

Part of subcall function 6C86E5B6: ScreenToClient.USER32(?,?), ref: 6C86E5C5
Part of subcall function 6C86E5B6: ScreenToClient.USER32(?,?), ref: 6C86E5D2

InflateRect.USER32(?,00000001,00000001), ref: 6C844B38
GetSysColor.USER32(00000010), ref: 6C844B46
GetSysColor.USER32(00000010), ref: 6C844B4B

Part of subcall function 6C86D6AE: EndPaint.USER32(?,?,78E4735C,?,?,Function_001B504C,000000FF,?,6C842998), ref: 6C86D6E0

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientColorPaintRectScreen$BeginH_prolog3InflateWindow
String ID:
API String ID: 3025975366-0
Opcode ID: 6d67a5c7114dfdb7696f32def3ae8d148fa04c14d3ef4d7cefee9f2fa717cf6d
Instruction ID: 6d54f87b03a493e697401864b53ece44f4cb00b2625dc244e9f50a6a6a5baca8
Opcode Fuzzy Hash: 6d67a5c7114dfdb7696f32def3ae8d148fa04c14d3ef4d7cefee9f2fa717cf6d
Instruction Fuzzy Hash: 76018471D00219ABCB25DBA4CC44FEEB7BCFB04714F10862AE415A3A80DBB8554ACBA0

Function 6C853920 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6C86D51A: __EH_prolog3.LIBCMT ref: 6C86D521
Part of subcall function 6C86D51A: BeginPaint.USER32(?,?,00000004,6C842711), ref: 6C86D54D

GetWindowRect.USER32(?,?), ref: 6C85395F

Part of subcall function 6C86E5B6: ScreenToClient.USER32(?,?), ref: 6C86E5C5
Part of subcall function 6C86E5B6: ScreenToClient.USER32(?,?), ref: 6C86E5D2

InflateRect.USER32(?,00000001,00000001), ref: 6C853978
GetSysColor.USER32(00000010), ref: 6C853986
GetSysColor.USER32(00000010), ref: 6C85398B

Part of subcall function 6C86D6AE: EndPaint.USER32(?,?,78E4735C,?,?,Function_001B504C,000000FF,?,6C842998), ref: 6C86D6E0

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientColorPaintRectScreen$BeginH_prolog3InflateWindow
String ID:
API String ID: 3025975366-0
Opcode ID: 698213589a7d8e9c27e1f025a731839d4091c99f22860ee38163e082bfe4d8a6
Instruction ID: d4641625fd9b93e09bfcaad37b8acc089a898d2fd02dc00a64dc3c760673b4de
Opcode Fuzzy Hash: 698213589a7d8e9c27e1f025a731839d4091c99f22860ee38163e082bfe4d8a6
Instruction Fuzzy Hash: FE018471D00219ABCB25DBA4CC44FEEB77CFB04714F10862AF415A3A80DBB8554ACBA0

Function 6C85D667 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C85D66E
FillRect.USER32(?,?,-000000D0), ref: 6C85D693
CreateSolidBrush.GDI32(000000FF), ref: 6C85D6AE
FillRect.USER32(00000000,00000000,00000000), ref: 6C85D6C7

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FillRect$BrushCreateH_prolog3Solid
String ID:
API String ID: 1242064992-0
Opcode ID: 2a490f9a5f62c9be9d6689c772d2e56bb4856bed10afc38e5772bc9b001489db
Instruction ID: d030ea1a6a044f53e11ea67a7e901954fefea9777fa8603c546b0bb6cd1f1ecd
Opcode Fuzzy Hash: 2a490f9a5f62c9be9d6689c772d2e56bb4856bed10afc38e5772bc9b001489db
Instruction Fuzzy Hash: FE119471900209EFCF54DF94CA04BEE77B8FF14319F454616E424A7690C7749A6ACFA2

Function 6C869CF7 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6C869CFE
GetTopWindow.USER32(00000000), ref: 6C869D41
GetWindow.USER32(00000000,00000002), ref: 6C869D63

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 500ef3ba60862a9e6f1be1f8b0d21e6769bb2a5d12dbbcde33619f6f3a182cdd
Instruction ID: e08afd10ce211b3f3b8fb078c3c90a1967892ccfc0d589dd9046bd1169ed9ea7
Opcode Fuzzy Hash: 500ef3ba60862a9e6f1be1f8b0d21e6769bb2a5d12dbbcde33619f6f3a182cdd
Instruction Fuzzy Hash: 3901003220121ABBDF225F56CE04EDE3E29FF1639BF008825F915548A0C735C562EBA1

Function 6C867223 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C86722D
GetTopWindow.USER32(00000000), ref: 6C86723A

Part of subcall function 6C867223: GetWindow.USER32(00000000,00000002), ref: 6C867289

GetTopWindow.USER32(?), ref: 6C86726E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: c2dc6da9e79e6ae02a21c4c68c59f2fa40209da50f5c56507febf4307a2b4513
Instruction ID: a946c4375f40b4b3bd2c7a9b4b06fec0569b5da6c10f5af0b1450d77ac449129
Opcode Fuzzy Hash: c2dc6da9e79e6ae02a21c4c68c59f2fa40209da50f5c56507febf4307a2b4513
Instruction Fuzzy Hash: 40014431605656A7DB321E778E04EDE3B79AF02399F088919FD1698F10DF31C55286D1

Function 6C912EF1 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000030,00000001,?,6C90C8D4,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C912F07
InvalidateRect.USER32(00000000,?,00000001,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C912F2C
InvalidateRect.USER32(00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C912F55
UpdateWindow.USER32(00000000), ref: 6C912F69

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: InvalidateRect$UpdateWindow
String ID:
API String ID: 488614814-0
Opcode ID: ced1c92ec14efa224d8e36da7ed7d548b67459aea1eb481d58744e1ac57e39c6
Instruction ID: 88d0f210847ac72e2a352734a70307ed99e77293ba8d1bd1ff8dcc3fb9b62217
Opcode Fuzzy Hash: ced1c92ec14efa224d8e36da7ed7d548b67459aea1eb481d58744e1ac57e39c6
Instruction Fuzzy Hash: AB018832315A009FE7109B18CC49F82B7F8FF09305F1085ADE19AC7AA0C370E892CB50

Function 6C86CB47 Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C86CB55
GetParent.USER32(?), ref: 6C86CB68
GetParent.USER32(?), ref: 6C86CB82
SetFocus.USER32(?,00000000,?,?,6C84260E), ref: 6C86CB9B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: e9395cee47dcba5bfb70ae0a1258af5e9b9422da1bbe3699a54e302bb0aee123
Instruction ID: 15276ce97fc3c9cd18473daf09a2e725e0605f17d3fc5ee49794d62fde2b29aa
Opcode Fuzzy Hash: e9395cee47dcba5bfb70ae0a1258af5e9b9422da1bbe3699a54e302bb0aee123
Instruction Fuzzy Hash: F6F01232B007015BDE252B75CE0CD5A76F9BF492567040D6AA545D3F21DF35EC468790

Function 6C9F1E2C Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,6C9EFFD4,00000000,00000001,0000000C,00000000,?,6C9E4E5B,00000000,00000000,00000000), ref: 6C9F1E43
GetLastError.KERNEL32(?,6C9EFFD4,00000000,00000001,0000000C,00000000,?,6C9E4E5B,00000000,00000000,00000000,00000000,00000000,?,6C9E5435,00000000), ref: 6C9F1E4F

Part of subcall function 6C9F1E15: CloseHandle.KERNEL32(FFFFFFFE,6C9F1E5F,?,6C9EFFD4,00000000,00000001,0000000C,00000000,?,6C9E4E5B,00000000,00000000,00000000,00000000,00000000), ref: 6C9F1E25

___initconout.LIBCMT ref: 6C9F1E5F

Part of subcall function 6C9F1DD7: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C9F1E06,6C9EFFC1,00000000,?,6C9E4E5B,00000000,00000000,00000000,00000000), ref: 6C9F1DEA

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,6C9EFFD4,00000000,00000001,0000000C,00000000,?,6C9E4E5B,00000000,00000000,00000000,00000000), ref: 6C9F1E74

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f8507aff7e1b44d942df4e8b3a239cade3a5f4dfb688e63de05524764c789cfd
Instruction ID: c2b4726aa9538c141ed38bbd41277b0d4f7521b151c983076abe2b51a84d42d1
Opcode Fuzzy Hash: f8507aff7e1b44d942df4e8b3a239cade3a5f4dfb688e63de05524764c789cfd
Instruction Fuzzy Hash: BDF0123A340256BBCF161F92DC089993F39FB0A3A9B448014FA3995520C731C822DBD0

Function 6C9EA683 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C9EA1BA: GetOEMCP.KERNEL32(00000000,?,?,6C9E488F,4D88C033), ref: 6C9EA1E5

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,6C9EA4CA,?,00000000,?,6C9E488F,4D88C033), ref: 6C9EA6E4
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,6C9EA4CA,?,00000000,?,6C9E488F,4D88C033), ref: 6C9EA720

Strings

\sx, xrefs: 6C9EA68B

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: \sx
API String ID: 546120528-995570312
Opcode ID: 26337703cbe17b65f39584a9c9815d0c123bab02b839379106d4f197e87ffe1a
Instruction ID: d4682a7f46e0751845bd1665b6fecf118482814eb27d344cb53db726f1b04ed0
Opcode Fuzzy Hash: 26337703cbe17b65f39584a9c9815d0c123bab02b839379106d4f197e87ffe1a
Instruction Fuzzy Hash: 26514571E003459EDB12CF36C8806AABFF9EFB9308F14816ED09287A61DB75D546CB90

Function 6C846760 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6C8468DF

Part of subcall function 6C9CB8AE: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,6C9C9415,?,6CA66060,?,?), ref: 6C9CB90F

Strings

ios_base::badbit set, xrefs: 6C846877, 6C8468A2, 6C8468C3
ios_base::failbit set, xrefs: 6C846798

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 2709c6c6518d613bb0ee6ed22888f82b227410931ff5a633a9ee2cc8b1e12c99
Instruction ID: 13320dbd643b6b8b1a6ae54020f4a5e8249d5bd98039503c62efc50ab19d9d60
Opcode Fuzzy Hash: 2709c6c6518d613bb0ee6ed22888f82b227410931ff5a633a9ee2cc8b1e12c99
Instruction Fuzzy Hash: 9241E772910218ABCB14CF98CD45B9AF7B8EF55324F14C62AE924D7B40E734A944CBA1

Function 6C85D7D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 6C85D846
InflateRect.USER32(?,000000FF,000000FF), ref: 6C85D8D8

Strings

\sx, xrefs: 6C85D7D7

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$InflateOffset
String ID: \sx
API String ID: 3840071959-995570312
Opcode ID: d48720c616c10e739a06127133c6b3b543e0d3477ce3823568c90b001fc8ee96
Instruction ID: 729c051a83f37dd4fa97ff33d57a7c131e0ad2f6140c5671c7887d6ba752c48d
Opcode Fuzzy Hash: d48720c616c10e739a06127133c6b3b543e0d3477ce3823568c90b001fc8ee96
Instruction Fuzzy Hash: 8041E371E00229DFCF60DFA4CA40ADE77B8EF09328B554A67EC11AB681C770D955CBA1

Function 6C9DEB35 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132fileCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9DEB85
ReadFile.KERNEL32(?,?,00001000,?,00000000,6C9DE8C2,00000001,00000000,6C84782E,00000000,?,?,00000000,?,?,6C9DED51), ref: 6C9DEC0B

Strings

\sx, xrefs: 6C9DEB44

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: \sx
API String ID: 1834446548-995570312
Opcode ID: c3cca82ba959b7d0721120564c1ce1af8adccef010dae7e4e4b930de58cda913
Instruction ID: ab38b7e4d74c56fbd663b639ab0320bf82bd49b2237362af244d41af70e31ea2
Opcode Fuzzy Hash: c3cca82ba959b7d0721120564c1ce1af8adccef010dae7e4e4b930de58cda913
Instruction Fuzzy Hash: 27410435A00655ABDB25CF34CC80BD9B7B9AB48308F15C1A9E548A7640D7B1EAC6CF91

Function 6C98FA9E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C98FAA8
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,0000022C,6C98FCF7), ref: 6C98FC4A

Part of subcall function 6C8F576F: __EH_prolog3.LIBCMT ref: 6C8F5776

Strings

CLSID, xrefs: 6C98FB0A

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseH_prolog3H_prolog3_
String ID: CLSID
API String ID: 237612280-910414637
Opcode ID: 7ff3939b8b77857df6621d923887c0d694ce039996fa531cb76e2e6c3c656527
Instruction ID: 904232a2c2d368811b43b2dd055a09d7cf4de52e3705d4b0b3dbfdccf70519e0
Opcode Fuzzy Hash: 7ff3939b8b77857df6621d923887c0d694ce039996fa531cb76e2e6c3c656527
Instruction Fuzzy Hash: F7519475D4121D9FDB24CF54CC88AD9B3B5AF68348F1485E9E819A3710DB30DE858F60

Function 6C864C66 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129timeCOMMON

Download Yara Rule

APIs

SystemTimeToVariantTime.OLEAUT32(?,?), ref: 6C864C89
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 6C864CB5

Strings

\sx, xrefs: 6C864C6C, 6C864D20

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Time$SystemVariant
String ID: \sx
API String ID: 352189841-995570312
Opcode ID: b172763a7094e4ea30c00fd5dccc2077e523a3b7bb6e7cddf3300d53cc21e312
Instruction ID: fcaf41882a81e749bad6c7c1fd9a2a23c90973d06135ec5ab7dc8f0680403049
Opcode Fuzzy Hash: b172763a7094e4ea30c00fd5dccc2077e523a3b7bb6e7cddf3300d53cc21e312
Instruction Fuzzy Hash: 5D41B635B0020AABCB00EF5AC950AAEB7B6FF85718F508519EC15D7B40D730EE42C764

Function 6C8F5B60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000027,?,?,00000000,00000000,?), ref: 6C8F5C5B

Strings

\sx, xrefs: 6C8F5B69
Interface\, xrefs: 6C8F5B7F

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FromString
String ID: Interface\$\sx
API String ID: 1694596556-2077585241
Opcode ID: 48d3587dace222a123bab27a8f7510e099443a6418572f86e5002be2d4cf2aa0
Instruction ID: db6d457ca060dbcf439329a0ca8608f5e1cb2603f649cfbbc07094219c9e375a
Opcode Fuzzy Hash: 48d3587dace222a123bab27a8f7510e099443a6418572f86e5002be2d4cf2aa0
Instruction Fuzzy Hash: 9B414D34A002299FCB14DB14CD65ADEB7B8EF49344F0144DAE54AE7610CB71AE83CF90

Function 6C8D8BDF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,0000002C), ref: 6C8D8C70
IsRectEmpty.USER32(0000002C), ref: 6C8D8C7A

Strings

\sx, xrefs: 6C8D8BE5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ClientEmpty
String ID: \sx
API String ID: 2342100703-995570312
Opcode ID: 3bb289d03831ecc40e7ca54242c356bdcc4d268e6171d241ce9ac5aaaf98d14d
Instruction ID: 17ca39897139a5ab0087f1f0dac1aa6524c52828fcc4695273a8d7ddd7682b29
Opcode Fuzzy Hash: 3bb289d03831ecc40e7ca54242c356bdcc4d268e6171d241ce9ac5aaaf98d14d
Instruction Fuzzy Hash: 5E41AE70B0121A9BCF089F24C898AAEB7B5FF55218F15457ED80ADB681DF34A946CB90

Function 6C898736 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000001), ref: 6C898826

Strings

\sx, xrefs: 6C8987B5
4(@P, xrefs: 6C89884B, 6C898798

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: RectWindow
String ID: 4(@P$\sx
API String ID: 861336768-2506994739
Opcode ID: d2f1aeedb7289480d48eddbbf70e3a0efcabc44142f946c5e27f7a6b2e2ffff9
Instruction ID: c7f6fdabfa282303f4bbcefa666ce2331384b8e0f1244b2f9cd6daf3c8403adc
Opcode Fuzzy Hash: d2f1aeedb7289480d48eddbbf70e3a0efcabc44142f946c5e27f7a6b2e2ffff9
Instruction Fuzzy Hash: BE417D75A0020AEFCB14CF68C994AEEB7B4FF59314F21456EE815E7701D730AA15CBA0

Function 6C9E50D9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000,6C9E54AA,00000000,?,00000000,?,00000000,00000000,0000000C,00000000,00000000,6CA66658), ref: 6C9E51C2
GetLastError.KERNEL32(6C9E54AA,00000000,?,00000000,?,00000000,00000000,0000000C,00000000,00000000,6CA66658,00000014,6C9D7014,00000000,00000000,00000000), ref: 6C9E51F2

Strings

\sx, xrefs: 6C9E50E8

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: \sx
API String ID: 442123175-995570312
Opcode ID: c9e7008a3627194f416de3840caf26c0f8c438904c3e3e0c620fc135469c90fa
Instruction ID: 55acc289ebe3736cc35fefc95988d1f09a9859e26383634f198608b873862e8f
Opcode Fuzzy Hash: c9e7008a3627194f416de3840caf26c0f8c438904c3e3e0c620fc135469c90fa
Instruction Fuzzy Hash: 9331A17170021AAFDB19CF68CC81AEA77B9EF58305F1440A9E506D7790D770EE818B61

Function 6C9EBCBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,-00000008,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,FFFFF9B5), ref: 6C9EBD86
__freea.LIBCMT ref: 6C9EBD93

Part of subcall function 6C9E15D2: HeapAlloc.KERNEL32(00000000,?,?,?,6C9CAD3B,?,?,?,?,?,6C844C3D,6C9C9407,?,?,6C9C9407), ref: 6C9E1604

Strings

\sx, xrefs: 6C9EBCC4

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: AllocHeapStringType__freea
String ID: \sx
API String ID: 2523373117-995570312
Opcode ID: a26af38c10967bab6550c66371f6298b9350fc638dfdc6794b38fcaf572dcd2b
Instruction ID: d37f21d250b7536aa85e14909ced0a868e0a8addaed6c4a6376abd7070fee26c
Opcode Fuzzy Hash: a26af38c10967bab6550c66371f6298b9350fc638dfdc6794b38fcaf572dcd2b
Instruction Fuzzy Hash: EF3107B2A0130AABDF128F65CC40EEF7BB8EF68318F114168EC1897650E734C991C7A5

Function 6C882113 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000008,00000018,?), ref: 6C882141
IntersectRect.USER32(00000000,?,00000000), ref: 6C8821AD

Strings

\sx, xrefs: 6C882119

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: IntersectObjectRect
String ID: \sx
API String ID: 3895296623-995570312
Opcode ID: 71b1470e6e09d7986efe642195513c970a7e7ad0a60ac9bd52b5ffa363164f0d
Instruction ID: d70c28edbb09432e64e5168b6e0cd87059cd388139aac70689be17f09aaf2f77
Opcode Fuzzy Hash: 71b1470e6e09d7986efe642195513c970a7e7ad0a60ac9bd52b5ffa363164f0d
Instruction Fuzzy Hash: 29318175E02219ABCF14CFA4D944AEEBBF9FF48314F20812AE511F3640DB749A46CB90

Function 6C9E4FF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,?,6C9E5493,00000000,?,00000000,?,00000000,00000000), ref: 6C9E509A
GetLastError.KERNEL32(?,6C9E5493,00000000,?,00000000,?,00000000,00000000,0000000C,00000000,00000000,6CA66658,00000014,6C9D7014,00000000,00000000), ref: 6C9E50C0

Strings

\sx, xrefs: 6C9E4FFF

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: \sx
API String ID: 442123175-995570312
Opcode ID: 5c4d865aaca72694525492574ab3ae2afea276c28de8d09d374b5f24c3df9fa0
Instruction ID: 026c953f83f336abce1b6b56bc0612d5caff992752a96d2662591fa48eca0195
Opcode Fuzzy Hash: 5c4d865aaca72694525492574ab3ae2afea276c28de8d09d374b5f24c3df9fa0
Instruction Fuzzy Hash: 21219131B01219DBCB15CF19C8809EAB3B9FF5D315F1445AAE90AD7250D730EE86CBA1

Function 6C94621D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C946224
GlobalFree.KERNEL32(?), ref: 6C9462F3

Strings

\sx, xrefs: 6C9462BC

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FreeGlobalH_prolog3
String ID: \sx
API String ID: 3174139085-995570312
Opcode ID: 475098ce0e2437aba71235be705535f2f2927635c524685f797d70bb1ee68c7c
Instruction ID: c0bd814db4bc9616efbd8f956b7062feb0eae62e942229ccc761049bdfb6c2ed
Opcode Fuzzy Hash: 475098ce0e2437aba71235be705535f2f2927635c524685f797d70bb1ee68c7c
Instruction Fuzzy Hash: E321C571200B04ABDB249F78C940BDE77A5FF10618F108A2DE46A87B81DF34E905C755

Function 6C90B0FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

EnableScrollBar.USER32(?,00000002,00000000), ref: 6C90B169
EnableScrollBar.USER32(?,00000002,00000003), ref: 6C90B1C9

Strings

\sx, xrefs: 6C90B104

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EnableScroll
String ID: \sx
API String ID: 2561945981-995570312
Opcode ID: 9b4cc7267f5e7e4486ff0bc3df6721fa02b7163927d30bb5384443ef6e44a1b6
Instruction ID: 2db737026d97345bebc5621c234efeadf305b6614c9e24e43e34110081f6ab7b
Opcode Fuzzy Hash: 9b4cc7267f5e7e4486ff0bc3df6721fa02b7163927d30bb5384443ef6e44a1b6
Instruction Fuzzy Hash: 68213E31741208ABDF049F69CC96FEE77B9AB54744F04046DE506AB6C2DBB4EA05CBA0

Function 6C880FCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000054,?), ref: 6C880FE6

Strings

, xrefs: 6C880FF4
\sx, xrefs: 6C880FD2

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Object
String ID: $\sx
API String ID: 2936123098-758330267
Opcode ID: 664344b8d8f51a22ab66aa7e5505272dcbcbb068525b398491ac2d8ab874a1d8
Instruction ID: acd3fc974fc75bb4debfa8f4201678daee1aa93a6abaaeb14c6773331e7cfb5e
Opcode Fuzzy Hash: 664344b8d8f51a22ab66aa7e5505272dcbcbb068525b398491ac2d8ab874a1d8
Instruction Fuzzy Hash: 5421CD31B0B1CA4ED734CB658E542AEFBF59F55308B05846AC064DFD81CB31D919D740

Function 6C88A659 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C88A660
SetRectEmpty.USER32(?), ref: 6C88A6F0

Strings

Afx:ToolBar, xrefs: 6C88A6FB

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyH_prolog3_Rect
String ID: Afx:ToolBar
API String ID: 2941628838-177727192
Opcode ID: 8ec78bb2c23549e58467e62a7c561ab31e42a7f1d73e277c8591f7b193f667fc
Instruction ID: 70f1ea4ab64cf912e5afe63f62210b10c089dd7ddc60b70494de69e936db0b44
Opcode Fuzzy Hash: 8ec78bb2c23549e58467e62a7c561ab31e42a7f1d73e277c8591f7b193f667fc
Instruction Fuzzy Hash: 3A218931A002099FCF08CF68CA85AEE7AE1AF08314F05462EF805E7680DB34AD548BA4

Function 6C86F4DA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 6C86F548
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 6C86F5C1

Strings

\sx, xrefs: 6C86F4E3

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: BitmapColorCreate
String ID: \sx
API String ID: 2048008349-995570312
Opcode ID: 469f8b198186ea47192e0afe8d2d3daafeb08a1873e6e4412489b02cbf92b536
Instruction ID: f9793440ab4db3d91e19173cf247e0b0070c83d38597c254c00301c98f302d1a
Opcode Fuzzy Hash: 469f8b198186ea47192e0afe8d2d3daafeb08a1873e6e4412489b02cbf92b536
Instruction Fuzzy Hash: F6218420B0138D9AEB05DF788846BEDB7B4BF15348F10C15DD545F7241EB309A4ACB65

Function 6C91BA66 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C91BADD

Strings

\sx, xrefs: 6C91BA6C
(, xrefs: 6C91BAA0

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateSection
String ID: ($\sx
API String ID: 2449625523-4275447854
Opcode ID: b60ae53d522edcb9d53523144eb7cdffa0579c6e5de83fde28bdca4f7d4b34f9
Instruction ID: 499a6127995c189af016f4b3941e00839b88ba339b022954f723b2a11a364a5e
Opcode Fuzzy Hash: b60ae53d522edcb9d53523144eb7cdffa0579c6e5de83fde28bdca4f7d4b34f9
Instruction Fuzzy Hash: 992166B1A15209AFEB08DFA9D845AEEB7F9EF49704F10812EE901E7B40D770D9058B54

Function 6C945E0C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C945E13
~refcount_ptr.LIBCPMT ref: 6C945ED7

Strings

\sx, xrefs: 6C945EA6

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3~refcount_ptr
String ID: \sx
API String ID: 249636908-995570312
Opcode ID: c27db505f095906623e71260492c2066306df70e4fc854d787f543956dd1e255
Instruction ID: 217d62783705a952599c8f84b628f1a383b79d7f4f79dcea2def3436dae9e3b7
Opcode Fuzzy Hash: c27db505f095906623e71260492c2066306df70e4fc854d787f543956dd1e255
Instruction Fuzzy Hash: C3218971900B44EFCB24DF58C941B9AB7F4FF28708F10891EA55697B80DB74EA48CB91

Function 6C86A8C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 6C86C609: GetWindowLongW.USER32(?,000000F0), ref: 6C86C616

GetWindowRect.USER32(?,00000000), ref: 6C86A8F9
GetWindow.USER32(?,00000004), ref: 6C86A916

Part of subcall function 6C86C773: IsWindowEnabled.USER32(?), ref: 6C86C77E

Strings

\sx, xrefs: 6C86A8C6

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$EnabledLongRect
String ID: \sx
API String ID: 3170195891-995570312
Opcode ID: 89670ddc58fd7734d9f89a3200491018ada81482dcaf3b2e2f6ce536ba1f3bd8
Instruction ID: 034d9864515f3cfd17f764e0944e2b95d990be202e547a465c2e49c7dc56fec6
Opcode Fuzzy Hash: 89670ddc58fd7734d9f89a3200491018ada81482dcaf3b2e2f6ce536ba1f3bd8
Instruction Fuzzy Hash: 7511043070021A9BDF15DB2ACA51BFEB3B6AF4530CF214519E812D7A40DB34E956CB50

Function 6C8F576F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8F5776
RegOpenKeyExW.ADVAPI32(?,?,?,00000000,00000008,00000000,00000008,6C98FB15,80000000,CLSID,00000000,00020019,?,00000000,0000022C,6C98FCF7), ref: 6C8F57EC

Part of subcall function 6C8B3367: __EH_prolog3.LIBCMT ref: 6C8B336E

Strings

Software\Classes\, xrefs: 6C8F57A6

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3$Open
String ID: Software\Classes\
API String ID: 1097726706-1121929649
Opcode ID: fded692aedcaccf56162d297db81947c6f25a1d430a6fb3d3a73a75c89d99b25
Instruction ID: 90476855217559d4af0ceeb9621983cdca6d1a885a88df3a86eb4e718e95598b
Opcode Fuzzy Hash: fded692aedcaccf56162d297db81947c6f25a1d430a6fb3d3a73a75c89d99b25
Instruction Fuzzy Hash: 4511A57590121EDFCF15DF94CA40AEE7B74BF14348F108869E82163B40DF319A5ACBA2

Function 6C944901 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CopyRect.USER32(00000000,00000000), ref: 6C94492B
GetWindowRect.USER32(6C944C83,?), ref: 6C94493A

Strings

\sx, xrefs: 6C944907

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$CopyWindow
String ID: \sx
API String ID: 1174400184-995570312
Opcode ID: 9f8879a5fdd33c3b0c0d7541371dd0d8869390b3b84ff3eb08538d345f90bdb0
Instruction ID: 02737318678b61174749f00b91729ea4dafa0ddece1bd44a11f1aa68243ca0d6
Opcode Fuzzy Hash: 9f8879a5fdd33c3b0c0d7541371dd0d8869390b3b84ff3eb08538d345f90bdb0
Instruction Fuzzy Hash: 03016231B00209ABCB14DF68C984ADFB3F9BF1A318F11851DB506A7240DB70AE45CB61

Function 6C8F588E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8F5895
RegSetValueW.ADVAPI32(?,?,?,00000000,00000008), ref: 6C8F58F9

Part of subcall function 6C8B3367: __EH_prolog3.LIBCMT ref: 6C8B336E

Strings

Software\Classes\, xrefs: 6C8F58C5

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3$Value
String ID: Software\Classes\
API String ID: 2677715340-1121929649
Opcode ID: e0be084d0c2e59dbfd866407b91ff91b4f39319ee5ad417b7663c76a26634006
Instruction ID: 1e7275e2529d84da7414dc1ce10f8a4ce5a9b13a58726347b67e2f84ab540ee0
Opcode Fuzzy Hash: e0be084d0c2e59dbfd866407b91ff91b4f39319ee5ad417b7663c76a26634006
Instruction Fuzzy Hash: C401757590012EAFCF11DFD4CD00AEF7774BF14358F144915E91167780DB319A5A97A2

Function 6C8F5809 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8F5810
RegQueryValueW.ADVAPI32(?,?,?,00000000), ref: 6C8F5871

Part of subcall function 6C8B3367: __EH_prolog3.LIBCMT ref: 6C8B336E

Strings

Software\Classes\, xrefs: 6C8F5840

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3$QueryValue
String ID: Software\Classes\
API String ID: 3057600494-1121929649
Opcode ID: d70469f37aa99eac1f7f366b7b6accd50115a8eb6e36b939e0272b2d0293f035
Instruction ID: 85b4b7982e890ca30c0990107113a2ea20d3c845423955d0b5b9224b65e88ce7
Opcode Fuzzy Hash: d70469f37aa99eac1f7f366b7b6accd50115a8eb6e36b939e0272b2d0293f035
Instruction Fuzzy Hash: 5701847590011EAFCF21DBA4CE00AFF7774BF14358F144919E82167B80DB319A5A8BA2

Function 6C9365DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000001,00000001), ref: 6C936628
UpdateWindow.USER32(?), ref: 6C936631

Strings

\sx, xrefs: 6C9365E4

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: InvalidateRectUpdateWindow
String ID: \sx
API String ID: 1236202516-995570312
Opcode ID: 88dfb19f0c831db84a0a9b5f3a861c3da55951d656c5faa59c5a89fbbb1f6740
Instruction ID: fb806b6a95233b8046e235e6bbf680f9fed8983f9658b514a980c80413270f08
Opcode Fuzzy Hash: 88dfb19f0c831db84a0a9b5f3a861c3da55951d656c5faa59c5a89fbbb1f6740
Instruction Fuzzy Hash: 7501D63170120AEBCF04DF64C808ABEB7B9FF59348F114029E401E3550DB30AA46CB91

Function 6C872758 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,75A7CF90), ref: 6C872771
ExtTextOutW.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 6C8727A3

Strings

\sx, xrefs: 6C87275E

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: ColorText
String ID: \sx
API String ID: 2223400495-995570312
Opcode ID: 50cb2607f53bccfa05bd397c8f8e87da71ff6e1f7e038dca98dafdb7ffee06ee
Instruction ID: 8bcaea6d0625fd04887d45848f231b86d4750e1ca77404671034fb4c3c5720b8
Opcode Fuzzy Hash: 50cb2607f53bccfa05bd397c8f8e87da71ff6e1f7e038dca98dafdb7ffee06ee
Instruction Fuzzy Hash: 9F01FBB0A00209AFDF08DF58CD469AFBBB5EF09304B00812EB81693351D770AE11CBA5

Function 6C8C4953 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8C495A
FindResourceW.KERNEL32(?,0000007D,STYLE_XML,0000007D,00000800,00000004,6C85583C,00000000,00000000,?,?,00000000,6C9F3E9D,000000FF,?,6C85449A), ref: 6C8C4998

Strings

STYLE_XML, xrefs: 6C8C498C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: FindH_prolog3Resource
String ID: STYLE_XML
API String ID: 3036663282-3909253476
Opcode ID: f0cd2073d94425d8e2a935de04cc658bb0b37d611172e0f2480e03faf4ff4115
Instruction ID: e981ef565d236f0bdc295d52116cb4d997596848b9fe9e54c5b4865565857c4c
Opcode Fuzzy Hash: f0cd2073d94425d8e2a935de04cc658bb0b37d611172e0f2480e03faf4ff4115
Instruction Fuzzy Hash: 67F0C8757002399BCB25DB788D805FD72B8BFD53087114D25F021A7B50C770D58A8B6A

Function 6C9C8FFF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6C841F00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,6C9AE061,?,6C842BB6,80004005,?,6C946181,00000004,6C945966,6C9AE061,6C9AE061,00000010,6C86717D,6C9AE061), ref: 6C841F05
Part of subcall function 6C841F00: GetLastError.KERNEL32(?,00000000,00000000,6C9AE061,?,6C842BB6,80004005,?,6C946181,00000004,6C945966,6C9AE061,6C9AE061,00000010,6C86717D,6C9AE061), ref: 6C841F0F

IsDebuggerPresent.KERNEL32(?,?,?,6C841CBD), ref: 6C9C9032
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6C841CBD), ref: 6C9C9041

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6C9C903C

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 9804667930e07d00bc58b7831fd97730d3f2146fd7edab921cc42508e74ce741
Instruction ID: 5d041f52d79ef3ad508c488056b347ec2be9dbc7729cf156131a5b50c5cfcdfb
Opcode Fuzzy Hash: 9804667930e07d00bc58b7831fd97730d3f2146fd7edab921cc42508e74ce741
Instruction Fuzzy Hash: 2EE039703003528BD7349F28D6043467AE8AF0978DF04896CE49AC6B00EBB6D08ACB62

Function 6C945D74 Relevance: 5.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DA5
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DBB
LeaveCriticalSection.KERNEL32(6CA75378,?,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000), ref: 6C945DC9
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000,?), ref: 6C945DD6

Part of subcall function 6C945D50: InitializeCriticalSection.KERNEL32(6CA75378,6C945D8E,?,?,6C94325E,00000010,00000008,6C87313A,6C87317D,6C866C9B,6C873149,6C86EB35,00000004,6C86E0A4,00000000,?), ref: 6C945D68

Memory Dump Source

Source File: 00000004.00000002.3181485367.000000006C841000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C840000, based on PE: true

Associated: 00000004.00000002.3181468531.000000006C840000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181617241.000000006CA07000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181659829.000000006CA6B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181676663.000000006CA6D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181696145.000000006CA71000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181711812.000000006CA73000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CA77000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.3181728563.000000006CAB3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c840000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 6ddc8d10f4f37ae3bf111c5258ad9d0b38e749f1029f2b48231e6397242f51d1
Instruction ID: 2184424700fcef33c24b0b11f6599554d6070954fd788e96e3ef88be9f1c389a
Opcode Fuzzy Hash: 6ddc8d10f4f37ae3bf111c5258ad9d0b38e749f1029f2b48231e6397242f51d1
Instruction Fuzzy Hash: 6CF0C2B2B00329AFDB091F988C4CB59B73CFF5335AF848026E401D2951D371D8438AB2

Function 0040710B Relevance: 5.0, Strings: 4, Instructions: 30COMMON

Download Yara Rule

Strings

l3A, xrefs: 00407131
t3A, xrefs: 00407138
p3A, xrefs: 0040713F
h3A, xrefs: 00407146

Memory Dump Source

Source File: 00000004.00000002.3180934718.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3180911974.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3180955468.000000000040C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3180955468.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3180955468.0000000000456000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.3181055019.000000000049F000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID: h3A$l3A$p3A$t3A
API String ID: 0-422395243
Opcode ID: 323ff9953e1600890f904706cadf687cbd5e63ac7881b1e7a3b936ad8b4e984c
Instruction ID: 0d0a6c218b558ce51a144ca132cdf3fd2609f9de01a02927fca728c9dddb9a1a
Opcode Fuzzy Hash: 323ff9953e1600890f904706cadf687cbd5e63ac7881b1e7a3b936ad8b4e984c
Instruction Fuzzy Hash: 59E0B632A9C50E268A158DBC210C4663A8CD291719B084173B45CEEFA4D92AEF90D08D

Analysis Process: powershell.exePID: 6528, Parent PID: 6552COMMON

Executed Functions

Function 034C29F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2990311884.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_34c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3aa60384a89de284f4266405d742502e20f087f037a1a067c1f4890adbe76a
Instruction ID: 5c521dba8fb3b0ef3da1874dad83e80c145abdc5ce405113188ca16aad073dd0
Opcode Fuzzy Hash: fe3aa60384a89de284f4266405d742502e20f087f037a1a067c1f4890adbe76a
Instruction Fuzzy Hash: 6B91A174A002458FCB15CF9DC4949AEFBB1FF88310B2485AAD815AB365C776FC51CB94

Function 034C2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2990311884.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_34c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335a90bef42f20b6e917d8b06692261a25f129880029205e3b2293e6667cb4ee
Instruction ID: 6a36316d1555e2125efc310e2ef1d837842065b62bec465f8fd104decf9766d5
Opcode Fuzzy Hash: 335a90bef42f20b6e917d8b06692261a25f129880029205e3b2293e6667cb4ee
Instruction Fuzzy Hash: 2A417C74A005498FCB05CF49C1989AEFBB1FF48310B1585AAC815AB364C7B2FC51CFA4

Function 034C2C85 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2990311884.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_34c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c836495c83630bc7ce21b6c30e4fd693b3900d9070b6aa5ea53b4b50acdbfa71
Instruction ID: 1cecfd8b1065896b744dd0d90befa10c13fb9be49620ae15bc8bc8431ffcd0dc
Opcode Fuzzy Hash: c836495c83630bc7ce21b6c30e4fd693b3900d9070b6aa5ea53b4b50acdbfa71
Instruction Fuzzy Hash: 8021902651E3D25FDB07D728ACB00D5BF74AE4723071A48D7C4A0CF1A3C6558E0AC7AA

Function 034C2C5C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2990311884.00000000034C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 034C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_34c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac66e5b337de518aae7a789167a5ba954550fcfcb7c88e6e7fb0601b696f7f45
Instruction ID: 08be2b3509afccbcaa2ab180c976cd8307cb549be1d76beb3c2b823e6fcec4bd
Opcode Fuzzy Hash: ac66e5b337de518aae7a789167a5ba954550fcfcb7c88e6e7fb0601b696f7f45
Instruction Fuzzy Hash: 6B11E5345092949FCB03DF6CD8A09E9BF70EF0A320B1485CBD4619F262C6369C56CB64

Function 0341D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2989854792.000000000341D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0341D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_341d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f497bad3f8cf26ca359bf7d6293084fbe520dbedf346fd4cf8c13bee36c45bfb
Instruction ID: e89fdacb48bad6c8c5fb72265534ea4d3f2e927051fa63a6a9094afba51d45f1
Opcode Fuzzy Hash: f497bad3f8cf26ca359bf7d6293084fbe520dbedf346fd4cf8c13bee36c45bfb
Instruction Fuzzy Hash: 8F01407244E7C05ED7128B25C994B62BFB8DF57224F1D80DBD9888F2A3C2695849C772

Function 0341D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2989854792.000000000341D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0341D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_341d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c36d6d1c4b8d8afde60c7287b35806797572beef4e8af8fcf7117bed9335902
Instruction ID: 86bea63abfc37d2aead769b9d8486b56d4273af91a2f95c5904c7832df6ba454
Opcode Fuzzy Hash: 4c36d6d1c4b8d8afde60c7287b35806797572beef4e8af8fcf7117bed9335902
Instruction Fuzzy Hash: CB01F7B18047409AE710CA29CDC0B77FF98DF42368F0CC46BED484E242C6789842C6B5

Analysis Process: powershell.exePID: 6592, Parent PID: 2788COMMON

Executed Functions

Function 06F417D8 Relevance: 5.6, Strings: 4, Instructions: 592COMMON

Download Yara Rule

Strings

4'sq, xrefs: 06F41B20
4'sq, xrefs: 06F41C7A
4'sq, xrefs: 06F41B16
4'sq, xrefs: 06F41C70

Memory Dump Source

Source File: 00000012.00000002.3012196919.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$4'sq$4'sq
API String ID: 0-1617174353
Opcode ID: c8d42f553456111e41badc1b354ae01e7124a258bc5851c3ecff11bfbbbfa5e5
Instruction ID: 2931c4b8022c98d6ff3285f38b6a7136e390eb6de974b830fbe858fde6bca357
Opcode Fuzzy Hash: c8d42f553456111e41badc1b354ae01e7124a258bc5851c3ecff11bfbbbfa5e5
Instruction Fuzzy Hash: F4120332F042148FDB55EB7898116BABFA29FC1350F1481BADA05CB691EF36C985C7E1

Function 0282C830 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11473a99adb58c34718bbe41bcc90a8b8c29e4e49f080e4746b35d82ac2f386a
Instruction ID: c37e1521f702e05256963791c7d70a44e9ccebd3d3d1325398404cc28e463e99
Opcode Fuzzy Hash: 11473a99adb58c34718bbe41bcc90a8b8c29e4e49f080e4746b35d82ac2f386a
Instruction Fuzzy Hash: 28022A78A052599FDB05CF98C484AADFBB2FF48314F25815AE849EB361C731ED85CB90

Function 02828830 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3975501b4961336d59b9b39f9f02d02032d7af4391db179b5740ab2609f481b
Instruction ID: 75be0aefac01ca3339bdc5390471906e5c452a0e67a3685f6353906cd1bfac32
Opcode Fuzzy Hash: d3975501b4961336d59b9b39f9f02d02032d7af4391db179b5740ab2609f481b
Instruction Fuzzy Hash: D6D14878A012599FDF05CFA8D484A9DFBB2EF48314F258159E849EB351CB30ED85CBA1

Function 02827068 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbb4cb7f37923f3da939b2ac948ed5f1c550c81c9a1d1c4399edb828b1d8c93
Instruction ID: 150e2a2eb13700ce814ab2be98cae32e678360e49c439755e0379aec5e7e00c2
Opcode Fuzzy Hash: 7dbb4cb7f37923f3da939b2ac948ed5f1c550c81c9a1d1c4399edb828b1d8c93
Instruction Fuzzy Hash: 01C19D39A00218CFCB14DFA9D944A9DFBB6FF84314F158559E806EB265CB34ED89CB80

Function 028229F0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ecfbb6f4fbb3b6f3a3a2fde59db533d45496629860dd49c7893da861850c82
Instruction ID: eb24c8a65cf89edcd2556791a8ef8497c3f2789fbcc1aa5c9621b2346849f470
Opcode Fuzzy Hash: 33ecfbb6f4fbb3b6f3a3a2fde59db533d45496629860dd49c7893da861850c82
Instruction Fuzzy Hash: F2917E78A002558FCB15CF9DC4949AEFBB1FF48310B2486A9D815EB3A5C735EC95CBA0

Function 0282799E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8165432e26173e28275a6ac9f0dd63b4ee4f455ec61dacfcb4092d520c3c28b
Instruction ID: 9a1b8392509b282f190de1fea8e32095e06f6d6da953903197a52c4a5dac8fad
Opcode Fuzzy Hash: e8165432e26173e28275a6ac9f0dd63b4ee4f455ec61dacfcb4092d520c3c28b
Instruction Fuzzy Hash: 2E712B74E00218DFDB14DFA5D894BADFBF2BF88354F148429E406AB250DB35AD86CB51

Function 02827830 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985e8da91f585b337b48605e0aa91d8064f7fd39d7bb2b06d1571f50f6f8e03e
Instruction ID: add114924cad1a3b80a191e96cefb64e13deb6bcc6de99afac2ce8a8f12e5841
Opcode Fuzzy Hash: 985e8da91f585b337b48605e0aa91d8064f7fd39d7bb2b06d1571f50f6f8e03e
Instruction Fuzzy Hash: 8F516B74A002189FDB14DFA9D884AADFBB6FF88314F148869E405EB350DB74A885CB91

Function 06F417BC Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3012196919.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e5dd969ec23413bd93e9eaad02d08fcae8db049d0c116758cc4721fb24a63a
Instruction ID: 89a3a3b64c8a28a62f161c3893c5cf466120ea7a1f2031804de720444fb98968
Opcode Fuzzy Hash: 27e5dd969ec23413bd93e9eaad02d08fcae8db049d0c116758cc4721fb24a63a
Instruction Fuzzy Hash: A9410432E09205DFDBA4EB28C951A767FA29F84380F1881A5D901CB656DB36D8C4C7F2

Function 028275C1 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25795dcaf035a4e7eb7c5ebb5e4baa62fed3328425b9b0cf40b5523a3beb934
Instruction ID: 932961231149adedc02b9dc338d226f91c71a8e2e264d74f4cb9c39d159a78df
Opcode Fuzzy Hash: d25795dcaf035a4e7eb7c5ebb5e4baa62fed3328425b9b0cf40b5523a3beb934
Instruction Fuzzy Hash: EF418F39A00214CFDB14DB75C5557ADBBF2EF89750F198869E406EB3A0DB349C85CB90

Function 0282781B Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ce92843ed17f7385795e75348c8b7d1d21ff9dc031222d801a60f1cb16653f
Instruction ID: a10f5aa5bf332ae8ab4c1919488a1e27101cb8eeaabde04bd507d0e6f8d8570c
Opcode Fuzzy Hash: a8ce92843ed17f7385795e75348c8b7d1d21ff9dc031222d801a60f1cb16653f
Instruction Fuzzy Hash: 7C414C74E002199FDB14DFA5C8847ADFBB2BF89354F148829D406AB750DB74AC85CB91

Function 02822B00 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d94f9f0d8d42e8d377553944d472d1422a030e42d926704557b8a098b71e2ad
Instruction ID: fbcc011028b34f217a582372d1284a0bfc765aa899c1e6c1d7a37b7e1926e805
Opcode Fuzzy Hash: 8d94f9f0d8d42e8d377553944d472d1422a030e42d926704557b8a098b71e2ad
Instruction Fuzzy Hash: B6415AB8A00115DFCB09CF59C498AAEFBB1FF48310B258259D815AB364C732FC95CBA0

Function 02827A12 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f4b2a072877afe733d5b6c5c26c923ead40e9c009d243a833b11f465025f5b
Instruction ID: f406c0eab193ba80ded3e3e7f8cd4ac7f59a7047cf3c9b0c8855049139b48210
Opcode Fuzzy Hash: 94f4b2a072877afe733d5b6c5c26c923ead40e9c009d243a833b11f465025f5b
Instruction Fuzzy Hash: AA316239E00118AFCF15DBB5D890AADF7F7AF88344F148469E806EB260DB34AD45CB51

Function 028279DF Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ccb80368c95846ccc64bee2c66058da065b1ae217a7b0a2474e3c7b3d6b951
Instruction ID: eca6fc69424b109142bc3d6b8a87a4636e78e9fbfdfc43035f7b7235c67dc6c2
Opcode Fuzzy Hash: f2ccb80368c95846ccc64bee2c66058da065b1ae217a7b0a2474e3c7b3d6b951
Instruction Fuzzy Hash: 4D316039E01218AFCF15DBB5D890AADF7F7AF88344F148469E806EB250DB34AD46CB51

Function 028279AA Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9e2ccc2bf46f5b03502436874acdba8c24aa2be74db95386b3570101b92c7f
Instruction ID: b76868c26f7b9e9ac16ef1406e06295f318fe3351f63a50aa1d6ce690fbd6d35
Opcode Fuzzy Hash: 3e9e2ccc2bf46f5b03502436874acdba8c24aa2be74db95386b3570101b92c7f
Instruction Fuzzy Hash: 26319238E00218AFCF15DBB5D890AADF7F7AF84348F148469E806E7250DB34AD46CB51

Function 02827A45 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886fd6d5576b008c306fa831b3f568c11e364269c7949c5ee597230873d46e9c
Instruction ID: 587e9bed80e60a0defaeaf338db6c86cd0bf08048f4da7ab9208aa90fec188d6
Opcode Fuzzy Hash: 886fd6d5576b008c306fa831b3f568c11e364269c7949c5ee597230873d46e9c
Instruction Fuzzy Hash: C0318E75E00218AFCF14DBB5D890AADF7F6AF88344F148469E806EB260DB34AD46CB51

Function 028287F5 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081f1959bf8708658c56615c694e460911b93a139c4165fc6167e567af1e7646
Instruction ID: e00a9104c19f4ab3f97c040e6db6631413f78945b27b846298dea852e6c7b163
Opcode Fuzzy Hash: 081f1959bf8708658c56615c694e460911b93a139c4165fc6167e567af1e7646
Instruction Fuzzy Hash: 43215C78A052998FCB01CBA8D89099EBFB1FF4A310B15409AD948EB352C330ED45CBA1

Function 0282C82F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f131d4d3837ad8e10a3f2fb180899a9ec703e9783cad486c52bdf97e7fbe69b8
Instruction ID: 91fd81d31d9ae3610919e1a49a1d498c6b6f88993a5d89f99a4ca853e99af46f
Opcode Fuzzy Hash: f131d4d3837ad8e10a3f2fb180899a9ec703e9783cad486c52bdf97e7fbe69b8
Instruction Fuzzy Hash: 3B21B479A005199FCB04DF99C9849AEFBB1FF8C310B258169E909EB755C731EC91CBA0

Function 0277D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988542484.000000000277D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0277D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_277d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef193f4d9e66fba1157d3b181ddd556b06d2d093ba22d86ca77284b780e7b42
Instruction ID: 2b6701eb04821a84ddb22e29dbd6c90e2732611d46989460e94de229b9110d64
Opcode Fuzzy Hash: bef193f4d9e66fba1157d3b181ddd556b06d2d093ba22d86ca77284b780e7b42
Instruction Fuzzy Hash: 8001F2715093009AEF308A29C9C4B67BF98DF41328F08D42AED485A282C7789841CAB1

Function 0277D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988542484.000000000277D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0277D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_277d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5714a36194cae488ee5d41dc65dc1adfabb178dd7e97a54c94d255c3837537f
Instruction ID: d87be3718d0ca0f2678dc843ba1dba1160b2d732f79329ee76ebd51aa9ac76a5
Opcode Fuzzy Hash: f5714a36194cae488ee5d41dc65dc1adfabb178dd7e97a54c94d255c3837537f
Instruction Fuzzy Hash: ED015E7240E3C05EE7228B258894B62BFB4DF53224F1D80DBD9888F2A3C3695849C772

Function 02826E58 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20401b706c1a13b2ae7b0bd4ecf0e5a3e6e319f18cd349baf289b2a41c5489ef
Instruction ID: 6b1f8442bed7bfa14f42b52b0a23d2706fb608ec955d50301bd11ee0c1eb1d2c
Opcode Fuzzy Hash: 20401b706c1a13b2ae7b0bd4ecf0e5a3e6e319f18cd349baf289b2a41c5489ef
Instruction Fuzzy Hash: 2901FB78D0020A8FDB80DF68D485AAEBBF0FF08300F504199D949D7321E730A941CB91

Function 02827058 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8766e12124386facedb4e4a9e4a3b969992a926a45e3bf41ec38570c43dbabd6
Instruction ID: 7fde0e455d1dfedba59be2f875c8c233dd903388bb830ac846c506d6978e9ecc
Opcode Fuzzy Hash: 8766e12124386facedb4e4a9e4a3b969992a926a45e3bf41ec38570c43dbabd6
Instruction Fuzzy Hash: DDF0BE39600300DFD715CB19C408A65BBA5FF86318B0980AAE588CB262CB76DC4AC750

Function 02826E68 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736e8dbd74f3c492896ab3824d7405ea3ee3b75ac5534e203a5b1e6c963509a1
Instruction ID: f2ac1a7d5c439d63a42e003f93f28880ec71a6b7fc5132801c3ff3bff81d0d89
Opcode Fuzzy Hash: 736e8dbd74f3c492896ab3824d7405ea3ee3b75ac5534e203a5b1e6c963509a1
Instruction Fuzzy Hash: 9CF0A978E0421A8FC780DF68C485AAEBBF4FF49314F505199E509EB321E730A995CB91

Function 02827555 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988953460.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2820000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e2c8c5ad0168dd8c13579e5caf2f8a13ef6079737582f6a5c7d95f5b5868f8
Instruction ID: 782cfdc235ccd87633c4a7eeb9f39523f360ab07cfee2849366e6c5e907ede02
Opcode Fuzzy Hash: 36e2c8c5ad0168dd8c13579e5caf2f8a13ef6079737582f6a5c7d95f5b5868f8
Instruction Fuzzy Hash: 7AF030B4A0020ADFEB04DFA4C595BAEBBB2EB80304F104914E102DF394CB789D89DBD0

Non-executed Functions

Function 06F40518 Relevance: 12.8, Strings: 10, Instructions: 316COMMON

Download Yara Rule

Strings

k, xrefs: 06F407DD
4'sq, xrefs: 06F40627
k, xrefs: 06F407CF
tPsq, xrefs: 06F40771
$sq, xrefs: 06F40720
$sq, xrefs: 06F406FA
tPsq, xrefs: 06F40765
#j, xrefs: 06F405E7
4'sq, xrefs: 06F4061B
$sq, xrefs: 06F4072C

Memory Dump Source

Source File: 00000012.00000002.3012196919.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$tPsq$tPsq$#j$$sq$$sq$$sq$k$k
API String ID: 0-2162574907
Opcode ID: 22a64bb2795f3f18d842a6e2a937f7a7924e6e672ed4efe9e74fa9d9485f01a6
Instruction ID: cdac90a72cc1c62ad50499cd14d87651a0e8b433536a7c02aa49a15ae6c51730
Opcode Fuzzy Hash: 22a64bb2795f3f18d842a6e2a937f7a7924e6e672ed4efe9e74fa9d9485f01a6
Instruction Fuzzy Hash: 4CA14A32F082518FD7A56B79941166ABFE2DFC2250F14806BDA46CB692DF35CC81C7E1

Function 06F41168 Relevance: 8.9, Strings: 7, Instructions: 187COMMON

Download Yara Rule

Strings

k, xrefs: 06F4136B
4'sq, xrefs: 06F41212
$sq, xrefs: 06F41326
k, xrefs: 06F4135D
4'sq, xrefs: 06F4121E
$sq, xrefs: 06F412EF
$sq, xrefs: 06F4131A

Memory Dump Source

Source File: 00000012.00000002.3012196919.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$$sq$$sq$$sq$k$k
API String ID: 0-806588815
Opcode ID: 9911f7faa9a5049609d678fefcc211198d002dcd3f08fce886b9df548529c475
Instruction ID: c8c7b13cb0d66935e5e982ad997e7a8b5d9082137c9169b2694f1765f4028bc9
Opcode Fuzzy Hash: 9911f7faa9a5049609d678fefcc211198d002dcd3f08fce886b9df548529c475
Instruction Fuzzy Hash: 12513932F042058FEBA4F6A9981177BBFA6AFC2251F14806AD505C7A81DF35C9D1C7A1

Function 06F44468 Relevance: 7.9, Strings: 6, Instructions: 384COMMON

Download Yara Rule

Strings

tPsq, xrefs: 06F44518
p5j, xrefs: 06F44637
tPsq, xrefs: 06F4450C
4'sq, xrefs: 06F44867
d5j, xrefs: 06F4482E
4'sq, xrefs: 06F4485D

Memory Dump Source

Source File: 00000012.00000002.3012196919.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$d5j$p5j$tPsq$tPsq
API String ID: 0-1422792497
Opcode ID: 0196af748d3b13886354f6861b29cb2f14228e495e24e001f5fceaa676b5e9c3
Instruction ID: 4c32db19cb311b75b6e1d80ef75b0a18d491a01a19f6f0884c519aa4734b9e5e
Opcode Fuzzy Hash: 0196af748d3b13886354f6861b29cb2f14228e495e24e001f5fceaa676b5e9c3
Instruction Fuzzy Hash: E7C13632F082558FDB94AB7884117AAFFE2EFC2250F14807AD905EBA52DB35C845C7E1

Function 06F44298 Relevance: 6.4, Strings: 5, Instructions: 123COMMON

Download Yara Rule

Strings

$sq, xrefs: 06F44329
4'sq, xrefs: 06F443D8
4'sq, xrefs: 06F443E4
$sq, xrefs: 06F442E3
$sq, xrefs: 06F4431D

Memory Dump Source

Source File: 00000012.00000002.3012196919.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq$$sq$$sq$$sq
API String ID: 0-737313894
Opcode ID: aa0107251be31b3020668fdcf77886262662b0202a95eca99a198235a1345527
Instruction ID: da11467030b9df3e446175680107d0859c887cac915d4e68efdc47c6274bbb1e
Opcode Fuzzy Hash: aa0107251be31b3020668fdcf77886262662b0202a95eca99a198235a1345527
Instruction Fuzzy Hash: 65315936B042418FDB65A679841277ABFE2EFC2600F2480ABD145DF692DF36CC45D7A2

Function 06F432A8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$sq, xrefs: 06F43310
$sq, xrefs: 06F432BA
$sq, xrefs: 06F432D6
$sq, xrefs: 06F43304

Memory Dump Source

Source File: 00000012.00000002.3012196919.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6f40000_powershell.jbxd

Similarity

API ID:
String ID: $sq$$sq$$sq$$sq
API String ID: 0-2855845837
Opcode ID: f77772c8091265677aabb7199ba4c58c959df9a21d5c8ea4077457d67413d39c
Instruction ID: 633fb5619138298107b49905dc03d587c9754cfaf65dadb6bc23d59f9436d7a8
Opcode Fuzzy Hash: f77772c8091265677aabb7199ba4c58c959df9a21d5c8ea4077457d67413d39c
Instruction Fuzzy Hash: DE210833F142156BEBB4757F9843B37BE969BC1714F64802AA905CBB86DE36D84083A1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TEKujpTgCK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Downloads\program\IOVAS

C:\Users\Public\Downloads\program\ShellExperienceHosts.exe

C:\Users\Public\Downloads\program\yyzyBase.dll

C:\Users\Public\Downloads\tsetup-x64.5.4.0.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\PolicyManagement.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2xb4kfq5.vpr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4r3lguwj.zcu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewunkjvh.ae3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv4aiqk2.zvy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ifi3etrm.vt5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qo05mrg1.m0b.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tayoekha.3p0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxjtqi0w.tuo.ps1

C:\Users\user\AppData\Local\Temp\monitor.bat

C:\Users\user\AppData\Local\Temp\monitor.pid

C:\Users\user\AppData\Local\updated.ps1

C:\Users\user\Desktop\tsetup-x64.5.4.0.exe.lnk

\Device\Null

Static File Info

Windows Analysis Report
TEKujpTgCK.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre