Edit tour

Windows Analysis Report
ep_setup.exe

Overview

General Information

Sample name:	ep_setup.exe
Analysis ID:	1578478
MD5:	f164888a6fbc646b093f6af6663f4e63
SHA1:	3c0bb9f9a4ad9b1c521ad9fc30ec03668577c97c
SHA256:	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Contains functionality to automate explorer (e.g. start an application)

Possible COM Object hijacking

Sigma detected: Explorer NOUACCHECK Flag

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (foreground window change detection)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses taskkill to terminate processes

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w11x64_office

ep_setup.exe (PID: 8360 cmdline: "C:\Users\user\Desktop\ep_setup.exe" MD5: F164888A6FBC646B093F6AF6663F4E63)

taskkill.exe (PID: 8452 cmdline: "C:\Windows\system32\taskkill.exe" /f /im explorer.exe MD5: 050ED22BB515A81ED6FC73D042CE5DB4)

conhost.exe (PID: 8464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

sc.exe (PID: 8600 cmdline: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: FF2A4319FA5531F0D7B98DBBA9ABBD4A)

conhost.exe (PID: 8612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

sc.exe (PID: 8704 cmdline: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: FF2A4319FA5531F0D7B98DBBA9ABBD4A)

conhost.exe (PID: 8712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

regsvr32.exe (PID: 8756 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll" MD5: AF0CDEF5F6ECB9B8EBEF4E480EBAAA5A)

regsvr32.exe (PID: 8780 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll" MD5: AF0CDEF5F6ECB9B8EBEF4E480EBAAA5A)

explorer.exe (PID: 8820 cmdline: "C:\Windows\explorer.exe" MD5: E2D1F700066D39814081317462A0FD74)

explorer.exe (PID: 9004 cmdline: "C:\Windows\explorer.exe" /NoUACCheck MD5: E2D1F700066D39814081317462A0FD74)

WidgetBoard.exe (PID: 3720 cmdline: "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe" -RegisterProcessAsComServer -ServerName:Microsoft.Windows.WidgetBoardServer MD5: FE1C0C15EF5C6C2B0A1508BF23EAD6CE)

cleanup

Sigma Signatures

System Summary

Sigma detected: Explorer NOUACCHECK Flag

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\explorer.exe" /NoUACCheck, CommandLine: "C:\Windows\explorer.exe" /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1316, ProcessCommandLine: "C:\Windows\explorer.exe" /NoUACCheck, ProcessId: 9004, ProcessName: explorer.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T19:31:35.085160+0100	2803274	2	Potentially Bad Traffic	192.168.2.24	49789	20.233.83.145	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9EFC70 CreateFileW,GetLastError,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext,CloseHandle,

10_2_00007FFD6D9EFC70

Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\Windows.UI.ShellCommon.pri	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\pris	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\pris\Windows.UI.ShellCommon.en-US.pri	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub150x150.png	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub71x71.png	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote150x150.png	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote71x71.png	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\BitMDL2.ttf	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\SkypeUISymbol-Regular.ttf	Jump to behavior

Source: C:\Users\user\Desktop\ep_setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher

Jump to behavior

Source: ep_setup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdb source: ep_setup.exe, 00000000.00000003.11821558605.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ep_taskbar\ep_taskbar\build\Release\x64\ep_taskbar.2.pdb9 source: ep_setup.exe, 00000000.00000003.11822543132.000001C874031000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: explorer.pdbUGP source: explorer.exe, 0000000A.00000003.11858848202.0000000004745000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11847883206.00000000037A4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11870074674.0000000004022000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11863590600.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host_stub.pdb source: ep_setup.exe, 00000000.00000003.11821364595.000001C8714B0000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11821292418.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: StartDocked.pdb source: explorer.exe, 0000000A.00000003.11854421339.00000000037A2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11866660346.0000000003566000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xC:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdbqGQSZ source: explorer.exe, 0000000C.00000003.12120814977.000000000A34C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.12083059046.000000000A34E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.12072918147.000000000A34E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: StartUI.pdb source: ep_setup.exe, 00000000.00000003.11829859295.000001C874031000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11855312455.00000000037A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11867710926.0000000003561000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: orer.pdb source: explorer.exe, 0000000A.00000003.11861369136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GET /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb HTTP/1.1 source: explorer.exe, 0000000A.00000003.11861221210.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: explorer.pdb source: explorer.exe, 0000000A.00000003.11858848202.0000000004745000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11847883206.00000000037A4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11870074674.0000000004022000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11863590600.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 10.0.22631.4169C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdbDownloading symbols for OS build 10.0.22631.4169, please wait& ll source: explorer.exe, 0000000A.00000002.11862526061.00000000012B6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: JumpViewUI.pdb source: ep_setup.exe, 00000000.00000003.11827215060.000001C874036000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb source: explorer.exe, 0000000A.00000002.11862331883.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861221210.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861369136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861548066.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861369136.0000000000F42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862526061.00000000012B6000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_gui.pdb source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb source: explorer.exe, 0000000A.00000002.11862526061.00000000012B6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: twinui.pcshell.pdbUGP source: explorer.exe, 0000000A.00000003.11849825979.00000000037A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11865619682.000000000356B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11869683740.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\SYSTEM32\windowsudk.shellcommon.dllorer.pdb source: explorer.exe, 0000000A.00000003.11861369136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.11849825979.00000000037A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11865619682.000000000356B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11869683740.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: http://msdl.microsoft.com/download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb9 source: explorer.exe, 0000000A.00000002.11862193109.0000000000F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ExplorerPatcher.amd64.pdb source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr
Source:	Binary string: StartUI.pdb@ source: ep_setup.exe, 00000000.00000003.11829859295.000001C874031000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11855312455.00000000037A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11867710926.0000000003561000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdbOGP source: ep_setup.exe, 00000000.00000003.11821558605.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_dwm.pdb source: ep_setup.exe, 00000000.00000003.11820845862.000001C8714B2000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11820816317.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb0 source: explorer.exe, 0000000C.00000003.12113996050.000000000A74C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: JumpViewUI.pdb\|\|#zGCTL source: ep_setup.exe, 00000000.00000003.11827215060.000001C874036000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\Win32\ExplorerPatcher.IA-32.pdb source: ep_setup.exe, 00000000.00000003.11819845500.000001C871496000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11819881387.000001C8714BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: ep_setup.exe
Source:	Binary string: /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb&No source: explorer.exe, 0000000A.00000003.11861369136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: http://msdl.microsoft.com/download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb source: explorer.exe, 0000000A.00000003.11861221210.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862313131.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861369136.0000000000F42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862193109.0000000000F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ep_taskbar\ep_taskbar\build\Release\x64\ep_taskbar.2.pdb source: ep_setup.exe, 00000000.00000003.11822543132.000001C874031000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Hostmsdl.microsoft.comGET /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb HTTP/1.1 source: explorer.exe, 0000000A.00000003.11861221210.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host.pdb source: ep_setup.exe, 00000000.00000003.11821073065.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: http://msdl.microsoft.com/download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdbpv source: explorer.exe, 0000000A.00000002.11862193109.0000000000F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_startmenu.pdb source: ep_setup.exe, 00000000.00000003.11826615724.000001C871496000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BCE30 CreateFileA,CreateFileMappingW,CloseHandle,MapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,PathRemoveFileSpecA,UnmapViewOfFile,CloseHandle,CloseHandle,FindFirstFileA,FindClose,DeleteFileA,UnmapViewOfFile,CloseHandle,CloseHandle,	10_2_00007FFD6D9BCE30
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CD980 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryExW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,	10_2_00007FFD6D9CD980
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BD920 GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,	10_2_00007FFD6D9BD920
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E5AC0 RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetSystemDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,RegDeleteValueW,RegCloseKey,	10_2_00007FFD6D9E5AC0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA13948 FindFirstFileExW,	10_2_00007FFD6DA13948
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BDAC0 SHGetFolderPathW,FindFirstFileW,FindClose,	10_2_00007FFD6D9BDAC0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E5070 RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryA,RegCloseKey,RegSetValueExW,RegSetValueExA,RegSetValueExW,RegCloseKey,	10_2_00007FFD6D9E5070

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 20.233.83.145 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.199.110.133 443			Jump to behavior

Source: Joe Sandbox View	IP Address: 20.233.83.145 20.233.83.145
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.24:49789 -> 20.233.83.145:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9BC6A0 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

10_2_00007FFD6D9BC6A0

Source: global traffic	HTTP traffic detected: GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1User-Agent: ExplorerPatcherHost: github.com
Source: global traffic	HTTP traffic detected: GET /valinet/ExplorerPatcher/releases/download/22621.4317.67.1_b93337a/ep_setup.exe HTTP/1.1User-Agent: ExplorerPatcherHost: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/394318710/5e5bb508-cbdc-44fb-9830-5b535df6ab52?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241219T183137Z&X-Amz-Expires=300&X-Amz-Signature=4d931bfe0e120653753e28b648e701fc63ba39cdd52171ce1869c497ee2b4b17&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: ExplorerPatcherConnection: Keep-AliveHost: objects.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1User-Agent: ExplorerPatcherHost: github.com

Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: srtb.msn.com
Source: global traffic	DNS traffic detected: DNS query: cxcs.microsoft.net
Source: global traffic	DNS traffic detected: DNS query: tse1.mm.bing.net
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: res.public.onecdn.static.microsoft
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: x1.c.lencr.org

Source: ep_setup.exe	String found in binary or memory: http://www.winimage.com/zLibDll
Source: WidgetBoard.exe, 00000013.00000002.13070441821.0000025EB6F13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13070090823.0000025EB6F02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067144725.0000025EB52AC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066504454.0000025EB529B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067795615.0000025EB52D0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067395457.0000025EB52BD000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066187459.0000025EB5288000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13068764865.0000025EB52E1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065517075.0000025EB5247000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065852874.0000025EB525D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/
Source: explorer.exe, 0000000C.00000003.11898120553.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11900533075.0000000008358000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11907740169.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11895871196.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 0000000C.00000003.11898120553.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11900533075.0000000008358000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11907740169.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11895871196.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.000000000833D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	String found in binary or memory: https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1
Source: WidgetBoard.exe, 00000013.00000002.13069121561.0000025EB52F2000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13071020949.0000025EB6F35000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13071171585.0000025EB6F46000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13071357058.0000025EB6F77000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13071357058.0000025EB6F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.png
Source: WidgetBoard.exe, 00000013.00000002.13071357058.0000025EB6F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.png_c
Source: WidgetBoard.exe, 00000013.00000002.13069121561.0000025EB52F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.pnges
Source: WidgetBoard.exe, 00000013.00000002.13071357058.0000025EB6F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.pngin
Source: WidgetBoard.exe, 00000013.00000002.13069121561.0000025EB52F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.pngse
Source: explorer.exe, 0000000C.00000003.11973400789.0000000008407000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11973802182.000000000A068000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11956784720.0000000008412000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11960065827.000000000840A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/
Source: explorer.exe, 0000000C.00000003.11973400789.0000000008407000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11956784720.0000000008412000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11960065827.000000000840A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/J
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet)
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher#donate
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/blob/master/CHANGELOG.md
Source: explorer.exe	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions
Source: explorer.exe	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions/1102
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions/1679
Source: explorer.exe	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/issues
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/issueshttps://github.com/valinet/ExplorerPatcher/discussi
Source: explorer.exe	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases
Source: explorer.exe, 0000000C.00000003.11973180552.000000000A0DC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11973802182.000000000A068000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11973723475.000000000A0F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/download/22621.4317.67.1_b93337a/ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest
Source: explorer.exe, 0000000C.00000003.11960065827.0000000008530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe
Source: explorer.exe, 0000000C.00000003.11956784720.0000000008530000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11973400789.0000000008530000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11960065827.0000000008530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe1
Source: explorer.exe, 0000000C.00000003.11960065827.00000000084F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11956784720.00000000084F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11973400789.00000000084F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exeB
Source: explorer.exe, 0000000C.00000003.11960065827.00000000084F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11956784720.00000000084F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11973400789.00000000084F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exes
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/About-advanced-settings
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Configure-updates
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/ExplorerPatcher
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Frequently-asked-questions
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Settings-management
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Simple-Window-Switcher
Source: explorer.exe, 0000000A.00000002.11863106110.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863106110.00000000043D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862526061.00000000012B6000.00000004.00000010.00020000.00000000.sdmp, ExplorerPatcher.amd64.dll.0.dr	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Symbols
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/SymbolsMicrosoft.Windows.Explorer
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Using-ExplorerPatcher-as-shell-extension
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Weather
Source: ep_setup.exe, 00000000.00000003.11827215060.000001C874036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.skype.com/meetnowjoin.winshell&exp=?exp=https://go.skype.com/meetnow.winshellskype:?actio
Source: ep_setup.exe, 00000000.00000003.11823850464.000001C8740F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.skype.com/meetnowlearn.winshell
Source: WidgetBoard.exe, 00000013.00000002.13070441821.0000025EB6F13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13070090823.0000025EB6F02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067144725.0000025EB52AC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066504454.0000025EB529B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067795615.0000025EB52D0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067395457.0000025EB52BD000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066187459.0000025EB5288000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13068764865.0000025EB52E1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065517075.0000025EB5247000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065852874.0000025EB525D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: WidgetBoard.exe, 00000013.00000002.13070441821.0000025EB6F13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13070090823.0000025EB6F02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067144725.0000025EB52AC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066504454.0000025EB529B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067795615.0000025EB52D0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067395457.0000025EB52BD000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066187459.0000025EB5288000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13068764865.0000025EB52E1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065517075.0000025EB5247000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065852874.0000025EB525D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/
Source: explorer.exe, 0000000C.00000003.11908484158.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.000000000831C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: explorer.exe, 0000000C.00000003.11908484158.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.000000000831C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local/
Source: explorer.exe, 0000000C.00000003.12072918147.000000000A30A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/5e5bb508-cbdc
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	String found in binary or memory: https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1
Source: WidgetBoard.exe, 00000013.00000002.13070441821.0000025EB6F13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13070090823.0000025EB6F02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067144725.0000025EB52AC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066504454.0000025EB529B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067795615.0000025EB52D0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067395457.0000025EB52BD000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066187459.0000025EB5288000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13068764865.0000025EB52E1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065517075.0000025EB5247000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065852874.0000025EB525D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.png
Source: explorer.exe, 0000000C.00000003.11887630206.0000000008220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.0000000008220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11908484158.0000000008220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11898120553.0000000008220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.0000000008220000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vsblobprodscussu5shard86.blob.core.windows.net/
Source: explorer.exe, 0000000C.00000003.11887630206.0000000008220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.0000000008220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11908484158.0000000008220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11898120553.0000000008220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.0000000008220000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vsblobprodscussu5shard86.blob.core.windows.net/F
Source: explorer.exe, 0000000C.00000003.11887630206.0000000008220000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vsblobprodscussu5shard86.blob.core.windows.net/FY
Source: explorer.exe, 0000000C.00000003.11887630206.0000000008220000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vsblobprodscussu5shard86.blob.core.windows.net/NY
Source: explorer.exe, 0000000C.00000003.11907740169.00000000081E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vsblobprodscussu5shard86.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/212EE6F6E5
Source: ep_setup.exe, 00000000.00000003.11821073065.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://www.valinet.ro
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	String found in binary or memory: https://www.valinet.ro)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9D1640 GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW,

10_2_00007FFD6D9D1640

Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib_orig.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll	Jump to behavior

Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9EFC70	10_2_00007FFD6D9EFC70
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9EF040	10_2_00007FFD6D9EF040
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CD980	10_2_00007FFD6D9CD980
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C6BA0	10_2_00007FFD6D9C6BA0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E5AC0	10_2_00007FFD6D9E5AC0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9D1640	10_2_00007FFD6D9D1640
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BE500	10_2_00007FFD6D9BE500
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C8690	10_2_00007FFD6D9C8690
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9DA120	10_2_00007FFD6D9DA120
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E53F0	10_2_00007FFD6D9E53F0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E4420	10_2_00007FFD6D9E4420
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FEE04	10_2_00007FFD6D9FEE04
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E6DE0	10_2_00007FFD6D9E6DE0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA00E4C	10_2_00007FFD6DA00E4C
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CFE40	10_2_00007FFD6D9CFE40
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E7D80	10_2_00007FFD6D9E7D80
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA0ED14	10_2_00007FFD6DA0ED14
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9EBD00	10_2_00007FFD6D9EBD00
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E4CE0	10_2_00007FFD6D9E4CE0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FECF8	10_2_00007FFD6D9FECF8
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9EDD30	10_2_00007FFD6D9EDD30
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA15C8C	10_2_00007FFD6DA15C8C
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA0AC6C	10_2_00007FFD6DA0AC6C
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CCCB0	10_2_00007FFD6D9CCCB0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FF01C	10_2_00007FFD6D9FF01C
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA04FE8	10_2_00007FFD6DA04FE8
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA01058	10_2_00007FFD6DA01058
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CCF80	10_2_00007FFD6D9CCF80
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BEF90	10_2_00007FFD6D9BEF90
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B2F60	10_2_00007FFD6D9B2F60
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FFFC0	10_2_00007FFD6D9FFFC0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA01FDC	10_2_00007FFD6DA01FDC
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C2FD0	10_2_00007FFD6D9C2FD0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BBFA0	10_2_00007FFD6D9BBFA0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FEF10	10_2_00007FFD6D9FEF10
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B3EF0	10_2_00007FFD6D9B3EF0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B6F20	10_2_00007FFD6D9B6F20
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA03E84	10_2_00007FFD6DA03E84
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA00A14	10_2_00007FFD6DA00A14
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C4900	10_2_00007FFD6D9C4900
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA13948	10_2_00007FFD6DA13948
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C6930	10_2_00007FFD6D9C6930
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C3880	10_2_00007FFD6D9C3880
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA0E880	10_2_00007FFD6DA0E880
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FEBEC	10_2_00007FFD6D9FEBEC
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BFBE0	10_2_00007FFD6D9BFBE0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA00C48	10_2_00007FFD6DA00C48
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C2C20	10_2_00007FFD6D9C2C20
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA04B84	10_2_00007FFD6DA04B84
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA0CBAC	10_2_00007FFD6DA0CBAC
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FEAE0	10_2_00007FFD6D9FEAE0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9D0AE0	10_2_00007FFD6D9D0AE0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C5B50	10_2_00007FFD6D9C5B50
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B7B50	10_2_00007FFD6D9B7B50
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B1B20	10_2_00007FFD6D9B1B20
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA19A98	10_2_00007FFD6DA19A98
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BCAC0	10_2_00007FFD6D9BCAC0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B9AA0	10_2_00007FFD6D9B9AA0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA00604	10_2_00007FFD6DA00604
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CF5E0	10_2_00007FFD6D9CF5E0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9EE620	10_2_00007FFD6D9EE620
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CC590	10_2_00007FFD6D9CC590
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BA4E0	10_2_00007FFD6D9BA4E0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9F0540	10_2_00007FFD6D9F0540
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9F6530	10_2_00007FFD6D9F6530
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA00808	10_2_00007FFD6DA00808
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA157F0	10_2_00007FFD6DA157F0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9F0840	10_2_00007FFD6D9F0840
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E8820	10_2_00007FFD6D9E8820
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E47D0	10_2_00007FFD6D9E47D0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA026F8	10_2_00007FFD6DA026F8
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA046C0	10_2_00007FFD6DA046C0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BC200	10_2_00007FFD6D9BC200
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BE230	10_2_00007FFD6D9BE230
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FF230	10_2_00007FFD6D9FF230
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E8190	10_2_00007FFD6D9E8190
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA001C4	10_2_00007FFD6DA001C4
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9D51C0	10_2_00007FFD6D9D51C0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C01B0	10_2_00007FFD6D9C01B0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BE100	10_2_00007FFD6D9BE100
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BB150	10_2_00007FFD6D9BB150
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FF124	10_2_00007FFD6D9FF124
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9EE070	10_2_00007FFD6D9EE070
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E5070	10_2_00007FFD6D9E5070
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B20D0	10_2_00007FFD6D9B20D0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FF448	10_2_00007FFD6D9FF448
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA0F394	10_2_00007FFD6DA0F394
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C6380	10_2_00007FFD6D9C6380
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B5380	10_2_00007FFD6D9B5380
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA02374	10_2_00007FFD6DA02374
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9D0370	10_2_00007FFD6D9D0370
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA003D0	10_2_00007FFD6DA003D0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA0B308	10_2_00007FFD6DA0B308
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9EE310	10_2_00007FFD6D9EE310
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9B22F0	10_2_00007FFD6D9B22F0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C3350	10_2_00007FFD6D9C3350
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9FF33C	10_2_00007FFD6D9FF33C
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C4270	10_2_00007FFD6D9C4270
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA042BC	10_2_00007FFD6DA042BC

Source: C:\Windows\explorer.exe	Code function: String function: 00007FFD6D9B11B0 appears 172 times
Source: C:\Windows\explorer.exe	Code function: String function: 00007FFD6DA07C0C appears 61 times
Source: C:\Windows\explorer.exe	Code function: String function: 00007FFD6D9BD290 appears 81 times
Source: C:\Windows\explorer.exe	Code function: String function: 00007FFD6DA07DF4 appears 42 times
Source: C:\Windows\explorer.exe	Code function: String function: 00007FFD6D9D40C0 appears 70 times

Source: ep_setup.exe	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ep_setup.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ep_gui.dll.0.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS

Source: ep_setup.exe	Binary or memory string: OriginalFilename vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11820845862.000001C8714B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameep_dwm.exe@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11827339687.000001C871491000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJumpviewUI.dllj% vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11819845500.000001C871496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11826697644.000001C8714BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11821558605.000001C871496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebView2Loader.dll~/ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11819881387.000001C8714BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11821627302.000001C8714BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebView2Loader.dll~/ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11821073065.000001C873D31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameep_weather_host.exe@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11820816317.000001C871496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameep_dwm.exe@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11829859295.000001C874031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStartUI.dllj% vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11825986265.000001C871496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11826615724.000001C871496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameep_gui.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11827215060.000001C874036000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJumpviewUI.dllj% vs ep_setup.exe
Source: ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameep_weather_host.exe@ vs ep_setup.exe

Source: classification engine

Classification label: mal60.evad.winEXE@18/34@10/2

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9F2E20 VirtualAlloc,GetLastError,FormatMessageA,

10_2_00007FFD6D9F2E20

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9BDCF0 GetWindowsDirectoryW,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,

10_2_00007FFD6D9BDCF0

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9CA6C0 CoCreateInstance,CoCreateInstance,

10_2_00007FFD6D9CA6C0

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9EFF30 FindResourceW,SizeofResource,LoadResource,LockResource,LocalAlloc,FreeResource,VerQueryValueW,LocalFree,

10_2_00007FFD6D9EFF30

Source: C:\Users\user\Desktop\ep_setup.exe

File created: C:\Program Files\ExplorerPatcher

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\ExplorerPatcher

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8612:120:WilError_03

Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: ep_setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")

Source: C:\Users\user\Desktop\ep_setup.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ep_setup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: explorer.exe

String found in binary or memory: Could not modify already-installed funchook handle.

Source: unknown	Process created: C:\Users\user\Desktop\ep_setup.exe "C:\Users\user\Desktop\ep_setup.exe"
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /NoUACCheck
Source: unknown	Process created: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe" -RegisterProcessAsComServer -ServerName:Microsoft.Windows.WidgetBoardServer
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: servicingcommon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\sc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\sc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: webview2loader.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.fileexplorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winuicohabitation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.hardwareconfirmator.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: peopleband.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.fileexplorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winuicohabitation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.hardwareconfirmator.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: peopleband.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: deviceassociation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: activationclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: container.policy.manager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pfclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: directxdatabasehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.gaming.input.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingshandlers_desktoptaskbar.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.accessibility.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: systemsettings.datamodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: switcherdatamodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dmenrollengine.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winbio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostredirection.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.management.inprocobjects.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.media.devices.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: diagnosticdatasettings.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: diagnosticdatasettings.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.internal.frameworkudk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.ui.windowing.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.internal.frameworkudk.system.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: marshal.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmcorei.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.ui.composition.ossupport.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.ui.composition.ossupport.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.inputstatemanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.ui.input.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: themecpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.directmanipulation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: microsoft.ui.xaml.internal.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: vcruntime140_1_app.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: widgetboardview.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: powrprof.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: powrprof.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: execmodelclient.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: windowsudk.shellcommon.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: capauthz.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: shellcommoncommonproxystub.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: netutils.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Section loaded: windows.ui.immersive.dll

Source: C:\Users\user\Desktop\ep_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Properties (ExplorerPatcher).lnk.0.dr

LNK file: ..\..\..\..\..\..\Windows\System32\rundll32.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\Windows.UI.ShellCommon.pri	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\pris	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\pris\Windows.UI.ShellCommon.en-US.pri	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub150x150.png	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub71x71.png	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote150x150.png	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote71x71.png	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\BitMDL2.ttf	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\SkypeUISymbol-Regular.ttf	Jump to behavior

Source: C:\Users\user\Desktop\ep_setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher

Jump to behavior

Source: ep_setup.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ep_setup.exe

Static file information: File size 11143168 > 1048576

Source: ep_setup.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xa68600

Source: ep_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ep_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ep_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ep_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ep_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ep_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ep_setup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ep_setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdb source: ep_setup.exe, 00000000.00000003.11821558605.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ep_taskbar\ep_taskbar\build\Release\x64\ep_taskbar.2.pdb9 source: ep_setup.exe, 00000000.00000003.11822543132.000001C874031000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: explorer.pdbUGP source: explorer.exe, 0000000A.00000003.11858848202.0000000004745000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11847883206.00000000037A4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11870074674.0000000004022000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11863590600.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host_stub.pdb source: ep_setup.exe, 00000000.00000003.11821364595.000001C8714B0000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11821292418.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: StartDocked.pdb source: explorer.exe, 0000000A.00000003.11854421339.00000000037A2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11866660346.0000000003566000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xC:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdbqGQSZ source: explorer.exe, 0000000C.00000003.12120814977.000000000A34C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.12083059046.000000000A34E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.12072918147.000000000A34E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: StartUI.pdb source: ep_setup.exe, 00000000.00000003.11829859295.000001C874031000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11855312455.00000000037A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11867710926.0000000003561000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: orer.pdb source: explorer.exe, 0000000A.00000003.11861369136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GET /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb HTTP/1.1 source: explorer.exe, 0000000A.00000003.11861221210.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: explorer.pdb source: explorer.exe, 0000000A.00000003.11858848202.0000000004745000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11847883206.00000000037A4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11870074674.0000000004022000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11863590600.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 10.0.22631.4169C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdbDownloading symbols for OS build 10.0.22631.4169, please wait& ll source: explorer.exe, 0000000A.00000002.11862526061.00000000012B6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: JumpViewUI.pdb source: ep_setup.exe, 00000000.00000003.11827215060.000001C874036000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb source: explorer.exe, 0000000A.00000002.11862331883.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861221210.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861369136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861548066.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861369136.0000000000F42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862526061.00000000012B6000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_gui.pdb source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb source: explorer.exe, 0000000A.00000002.11862526061.00000000012B6000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: twinui.pcshell.pdbUGP source: explorer.exe, 0000000A.00000003.11849825979.00000000037A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11865619682.000000000356B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11869683740.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\SYSTEM32\windowsudk.shellcommon.dllorer.pdb source: explorer.exe, 0000000A.00000003.11861369136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: twinui.pcshell.pdb source: explorer.exe, 0000000A.00000003.11849825979.00000000037A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11865619682.000000000356B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11869683740.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: http://msdl.microsoft.com/download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb9 source: explorer.exe, 0000000A.00000002.11862193109.0000000000F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ExplorerPatcher.amd64.pdb source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr
Source:	Binary string: StartUI.pdb@ source: ep_setup.exe, 00000000.00000003.11829859295.000001C874031000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11855312455.00000000037A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11867710926.0000000003561000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdbOGP source: ep_setup.exe, 00000000.00000003.11821558605.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_dwm.pdb source: ep_setup.exe, 00000000.00000003.11820845862.000001C8714B2000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11820816317.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb0 source: explorer.exe, 0000000C.00000003.12113996050.000000000A74C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: JumpViewUI.pdb\|\|#zGCTL source: ep_setup.exe, 00000000.00000003.11827215060.000001C874036000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\Win32\ExplorerPatcher.IA-32.pdb source: ep_setup.exe, 00000000.00000003.11819845500.000001C871496000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11819881387.000001C8714BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: ep_setup.exe
Source:	Binary string: /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb&No source: explorer.exe, 0000000A.00000003.11861369136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: http://msdl.microsoft.com/download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb source: explorer.exe, 0000000A.00000003.11861221210.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862313131.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861369136.0000000000F42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862193109.0000000000F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ep_taskbar\ep_taskbar\build\Release\x64\ep_taskbar.2.pdb source: ep_setup.exe, 00000000.00000003.11822543132.000001C874031000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Hostmsdl.microsoft.comGET /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb HTTP/1.1 source: explorer.exe, 0000000A.00000003.11861221210.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11862331883.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host.pdb source: ep_setup.exe, 00000000.00000003.11821073065.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: http://msdl.microsoft.com/download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdbpv source: explorer.exe, 0000000A.00000002.11862193109.0000000000F15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_startmenu.pdb source: ep_setup.exe, 00000000.00000003.11826615724.000001C871496000.00000004.00000020.00020000.00000000.sdmp

Source: ep_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ep_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ep_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ep_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ep_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: JumpViewUI_.dll.0.dr

Static PE information: 0xC8146642 [Fri May 15 14:54:58 2076 UTC]

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9CBFE0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetCurrentProcess,K32GetModuleInformation,CreateWindowExW,SetWindowLongPtrW,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetCurrentProcess,K32GetModuleInformation,CreateWindowExW,SetWindowLongPtrW,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,CreateWindowExW,SetWindowLongPtrW,RegGetValueW,GetModuleHandleW,GetProcAddress,LoadLibraryW,

10_2_00007FFD6D9CBFE0

Source: ep_weather_host_stub.dll.0.dr	Static PE information: section name: .orpc
Source: WebView2Loader.dll.0.dr	Static PE information: section name: .gxfg
Source: WebView2Loader.dll.0.dr	Static PE information: section name: .retplne
Source: WebView2Loader.dll.0.dr	Static PE information: section name: _RDATA
Source: JumpViewUI_.dll.0.dr	Static PE information: section name: .didat
Source: StartUI_.dll.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\ep_setup.exe

Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"

Persistence and Installation Behavior

Possible COM Object hijacking

Source: c:\program files\explorerpatcher\ep_weather_host.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{a6ea9c2d-4982-4827-9204-0ac532959f6d}\inprocserver32
Source: c:\program files\explorerpatcher\ep_weather_host_stub.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{cdbf3734-f847-4f1b-b953-a605434dc1e7}\inprocserver32

Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\dxgi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\ep_setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\ep_gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Program Files\ExplorerPatcher\ep_dwm.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\dxgi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll	Jump to dropped file

Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher			Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk			Jump to behavior

Source: C:\Users\user\Desktop\ep_setup.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9CD980 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryExW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,

10_2_00007FFD6D9CD980

Source: C:\Users\user\Desktop\ep_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\explorer.exe

Code function: GetForegroundWindow,GetClassNameW,Sleep,GetForegroundWindow,GetClassNameW,GetForegroundWindow,GetClassNameW,Sleep,GetForegroundWindow,GetClassNameW,RegDeleteTreeW,Sleep,

10_2_00007FFD6D9BDEA0

Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup.exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_dwm.exe	Jump to dropped file

Source: C:\Windows\explorer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\explorer.exe TID: 8260	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 8260	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9B7B50 GetSystemTimeAsFileTime followed by cmp: cmp r15, 02h and CTI: jne 00007FFD6D9B8362h

10_2_00007FFD6D9B7B50

Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BCE30 CreateFileA,CreateFileMappingW,CloseHandle,MapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,PathRemoveFileSpecA,UnmapViewOfFile,CloseHandle,CloseHandle,FindFirstFileA,FindClose,DeleteFileA,UnmapViewOfFile,CloseHandle,CloseHandle,	10_2_00007FFD6D9BCE30
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CD980 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryExW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,	10_2_00007FFD6D9CD980
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BD920 GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,	10_2_00007FFD6D9BD920
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E5AC0 RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetSystemDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,RegDeleteValueW,RegCloseKey,	10_2_00007FFD6D9E5AC0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA13948 FindFirstFileExW,	10_2_00007FFD6DA13948
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BDAC0 SHGetFolderPathW,FindFirstFileW,FindClose,	10_2_00007FFD6D9BDAC0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9E5070 RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryA,RegCloseKey,RegSetValueExW,RegSetValueExA,RegSetValueExW,RegCloseKey,	10_2_00007FFD6D9E5070

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9F2D90 GetSystemInfo,VirtualAlloc,

10_2_00007FFD6D9F2D90

Source: explorer.exe, 0000000C.00000003.12120814977.000000000A34C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.12083059046.000000000A34E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.12072918147.000000000A34E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: public: virtual long __cdecl CAccessibleWrapperBase::get_accDescription(struct tagVARIANT,unsigned short * __ptr64 * __ptr64) __ptr644hGFSY
Source: explorer.exe, 0000000C.00000003.11993886952.000000000A5E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}w
Source: explorer.exe, 0000000C.00000003.11898120553.0000000008295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}!
Source: explorer.exe, 0000000C.00000003.12122521889.000000000A1D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000C.00000003.11997714650.000000000A4F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#00000013CCA00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}))0uY
Source: explorer.exe, 0000000C.00000003.12092608290.000000000A195000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}_
Source: explorer.exe, 0000000C.00000003.12083059046.000000000A37F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000003.12122521889.000000000A1D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00']=
Source: explorer.exe, 0000000C.00000003.12120814977.000000000A4F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000003.11888813571.00000000045BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#00000013CCA00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.11862331883.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861221210.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861548066.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11861369136.0000000000F42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000000C.00000003.11973400789.000000000851E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000C.00000003.12092608290.000000000A195000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000003.12021193389.000000000A27B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Windows\explorer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9D3CF0 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

10_2_00007FFD6D9D3CF0

Source: C:\Windows\explorer.exe

10_2_00007FFD6D9CBFE0

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9DAD70 GetProcessHeap,HeapFree,

10_2_00007FFD6D9DAD70

Source: C:\Windows\System32\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9F0EC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFD6D9F0EC0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9F1BB0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFD6D9F1BB0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6DA0BA88 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFD6DA0BA88

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 20.233.83.145 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.199.110.133 443			Jump to behavior

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C3DA0 FindWindowExW,FindWindowExW,FindWindowExW,SendMessageW,	10_2_00007FFD6D9C3DA0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C3880 GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,FindWindowExW,FindWindowExW,FindWindowW,FindWindowExW,FindWindowExW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,SetCursorPos,FindWindowW,PostMessageW,PostMessageW,FindWindowExW,FindWindowW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,FindWindowExW,PostMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SendMessageCallbackW,PostMessageW,	10_2_00007FFD6D9C3880
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C3880 GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,FindWindowExW,FindWindowExW,FindWindowW,FindWindowExW,FindWindowExW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,SetCursorPos,FindWindowW,PostMessageW,PostMessageW,FindWindowExW,FindWindowW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,FindWindowExW,PostMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SendMessageCallbackW,PostMessageW,	10_2_00007FFD6D9C3880
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C3880 GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,FindWindowExW,FindWindowExW,FindWindowW,FindWindowExW,FindWindowExW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,SetCursorPos,FindWindowW,PostMessageW,PostMessageW,FindWindowExW,FindWindowW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,FindWindowExW,PostMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SendMessageCallbackW,PostMessageW,	10_2_00007FFD6D9C3880
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C3880 GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,FindWindowExW,FindWindowExW,FindWindowW,FindWindowExW,FindWindowExW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,SetCursorPos,FindWindowW,PostMessageW,PostMessageW,FindWindowExW,FindWindowW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,FindWindowExW,PostMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SendMessageCallbackW,PostMessageW,	10_2_00007FFD6D9C3880
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9C3880 GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,FindWindowExW,FindWindowExW,FindWindowW,FindWindowExW,FindWindowExW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,SetCursorPos,FindWindowW,PostMessageW,PostMessageW,FindWindowExW,FindWindowW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,FindWindowExW,PostMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SendMessageCallbackW,PostMessageW,	10_2_00007FFD6D9C3880
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9BF4C0 FindWindowW,SendMessageTimeoutW,	10_2_00007FFD6D9BF4C0

Source: C:\Windows\explorer.exe	Code function: GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW, \explorer.exe		10_2_00007FFD6D9D1640
Source: C:\Windows\explorer.exe	Code function: Sleep,GetWindowsDirectoryW,CreateProcessW,FreeConsole,GetCurrentProcessId,OpenProcess,TerminateProcess, \explorer.exe		10_2_00007FFD6D9EFAB0

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9D0370 SetProcessDpiAwarenessContext,GetModuleFileNameW,GetCurrentDirectoryW,GetModuleHandleW,ShellExecuteExW,GetLastError,LoadStringW,LoadStringW,MessageBoxW,GetModuleFileNameW,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,PathRemoveExtensionW,PathRemoveExtensionW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,

10_2_00007FFD6D9D0370

Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"	Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ep_setup.exe

Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe

Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9BE860 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,GetLengthSid,CopySid,DeriveAppContainerSidFromAppContainerName,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,CreateMutexExW,FreeSid,

10_2_00007FFD6D9BE860

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6D9BD7C0 AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,

10_2_00007FFD6D9BD7C0

Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	Binary or memory string: Progman: %d
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	Binary or memory string: Progman hook: %d
Source: ep_setup.exe, 00000000.00000003.11822543132.000001C874031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClockButtonTrayClockWClassintlshell\explorer\ClockButton.cppShell_TrayWndShowSecondsInSystemClockSoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedControl Panel\TimeDate\AdditionalClocks\%uEnableDisplayNameTzRegKeyName ()
Source: explorer.exe, 0000000A.00000003.11858848202.0000000004745000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11847883206.00000000037A4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11870074674.0000000004022000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanProxy DesktopLocal\ExplorerIsShellMutex58
Source: explorer.exe	Binary or memory string: Shell_TrayWnd
Source: ep_setup.exe	Binary or memory string: runasExplorerPatcherntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exeopenep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerFrame.dll (ExplorerPatcher).lnk\shell32.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcherUninstallStringDisplayNameVALINET Solutions SRLPublisherNoModifyNoRepair\ExplorerPatcher.amd64.dll%d.%d.%d.%dDisplayVersionVersionMajorVersionMinorDisplayIcon\ExplorerPatcher\cleanup_.tmp.preven-USmuipriep_taskbar.0.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\*.../extractIsWow64Process2kernel32.dllx64ARM64/uninstall/uninstall_silentep_uninstall.exe/update_silentUndockingDisabledSOFTWARE\Microsoft\Windows\CurrentVersion\Shell\Update\PackagesGlobal\ep_setup_D17F1E1A-5919-4427-8F89-A1A8503CA3EB/f /im explorer.exeGlobal\ep_dwm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}Software\ExplorerPatcherOpenPropertiesAtNextStartep_setup.exeSOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32\ExplorerPatcher\ExplorerPatcher.amd64.dll"\regsvr32.exeExplorerPatcher.IA-32.dllExplorerPatcher.IA-32.dllExplorerPatcher.amd64.dllExplorerPatcher.amd64.dllep_gui.dllep_gui.dllep_dwm.exeep_dwm.exeep_weather_host.dllep_weather_host.dllep_weather_host_stub.dllep_weather_host_stub.dllWebView2Loader.dllWebView2Loader.dllar-SAbg-BGca-EScs-CZda-DKde-DEel-GRen-GBes-ESes-MXet-EEeu-ESfi-FIfr-CAfr-FRgl-EShe-ILhr-HRhu-HUid-IDit-ITja-JPko-KRlt-LTlv-LVnb-NOnl-NLpl-PLpt-BRpt-PTro-ROru-RUsk-SKsl-SIsr-Latn-RSsv-SEth-THtr-TRuk-UAvi-VNzh-CNzh-TWprisStartUIWindows.UI.ShellCommon.pripnidui/Windows.UI.ShellCommon/pnidui.dllpnidui/pnidui.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{C2796011-81BA-4148-8FCA-C6643245113F}AutoStartdxgi.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewywincorlib.dllep_startmenu.dllwincorlib_orig.dll\wincorlib.dll\wincorlib_orig.dllJumpViewUI_.dllJumpViewUI/JumpViewUI.dllStartUI_.dllStartUI/StartUI.dllAppResolverLegacy.dllStartTileDataLegacy.dll\en-USStartTileDataLegacy.dll.mui\pris2Windows.UI.ShellCommon.en-US.pri\SystemApps\ShellExperienceHost_cw5n1h2txyewy\rundll32.exe "\ExplorerPatcher\ep_gui.dll",ZZGUI\ExplorerPatcher\ep_setup.exe" /uninstallstart ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBdelete ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB\ExplorerPatcher\ep_weather_host.dll"\ExplorerPatcher\ep_weather_host_stub.dll"SOFTWARE\Policies\Microsoft\Windows\ExplorerSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\cleanupSOFTWARE\Microsoft\Windows\CurrentVersion\RunOncecmd /c rmdir /s /q ""ExplorerPatcherCleanupIsUpdatePendingrbr+bwb1.3.1.1-motley unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll@
Source: explorer.exe	Binary or memory string: Progman
Source: ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	Binary or memory string: eptmpw+Unknown exceptionbad array new lengthSoftware\ExplorerPatcherLanguageen-USvector too long\Shell_TrayWnd
Source: explorer.exe, 0000000A.00000003.11858848202.0000000004745000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.11847883206.00000000037A4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11870074674.0000000004022000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %s%sLocal\AppReadinessCompletionEventAssignedAccessConfigurationSOFTWARE\Microsoft\Windows\AssignedAccessConfigurationShell_TrayWndVersion%s\%sUserStateSoftware\Microsoft\Windows\CurrentVersion\AppReadinessAppReadinessServicesActiveConfigsGroupConfigsGlobalProfileIdSOFTWARE\Microsoft\Windows Embedded\LockdownPostAppInstallTasksCompletedMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewyWaitOnShellStartupntdll.dllRtlIsStateSeparationEnabledEnable Balloon TipStartLayoutReadyEventAppResolverReadyEventLocal\ShellStartupEventShellDesktopSwitchEventReuseImmersiveShellPointerShowOnlyQuickLaunchDeskBandAllLogonTasksTerminateShellApplicationsTestUnlockDataTestQueryDataTestReportelapsedTimeRestartSavedAppstesterrorslogversion
Source: ep_setup.exe, 00000000.00000003.11819845500.000001C871496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exe\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dllep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerPatcher\ImmersiveContextMenuArray[ROD]: Level %d Position %d/%d Status %d
Source: explorer.exe	Binary or memory string: Progman: %d
Source: explorer.exe	Binary or memory string: Progman hook: %d
Source: explorer.exe, 0000000A.00000003.11849825979.00000000037A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11865619682.000000000356B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11869683740.0000000003560000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndIsAutoHideEnabledUndockedSearchAppExperienceManager_PositionSearchAppWindowLauncherInvokeActivitySetViewPosition~,B;+,,N
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	Binary or memory string: Microsoft-Symbol-Server/10.0.10036.206msdl.microsoft.comabcdefghijklmnopqrstuvwxyzProgmanProxy Desktop\explorer.exeopenInputSwitch.dllxx??x??xxx????xxD8t
Source: ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	Binary or memory string: Shlwapi.dllSHRegGetValueFromHKCUHKLMShell_TrayWndntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRMicrosoft.Windows.ShellManagedWindowAsNormalWindowShell_SecondaryTrayWndvalinet.ExplorerPatcher.ShellManagedWindowExplorerFrame.dllDesktopSHELLDLL_DefViewWorkerWComctl32.dllLoadIconWithScaleDownwin32u.dllNtUserBuildHwndListuser32.dllHungWindowFromGhostWindowGhostWindowFromHungWindowSetWindowCompositionAttributeCreateWindowInBandGetWindowBandSetWindowBandIsTopLevelWindowInternalGetWindowTextInternalGetWindowIconuxtheme.dllshcore.dll

Source: C:\Windows\explorer.exe

Code function: 10_2_00007FFD6DA198E0 cpuid

10_2_00007FFD6DA198E0

Source: C:\Windows\explorer.exe	Code function: RegCreateKeyExW,RegQueryValueExW,GetLocaleInfoW,GetLocaleInfoW,SetThreadPreferredUILanguages,RegCloseKey,		10_2_00007FFD6D9D4E90
Source: C:\Windows\explorer.exe	Code function: CoCreateInstance,IUnknown_QueryService,FindWindowW,GetPropW,GetThreadUILanguage,GetLocaleInfoW,		10_2_00007FFD6D9E93F0

Source: C:\Users\user\Desktop\ep_setup.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ep_setup.exe

Code function: 0_2_00007FF784128E6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF784128E6C

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9CA5A0 SHBindToObject,		10_2_00007FFD6D9CA5A0
Source: C:\Windows\explorer.exe	Code function: 10_2_00007FFD6D9F0840 SHParseDisplayName,SHBindToParent,CreatePopupMenu,TrackPopupMenuEx,RegQueryValueW,RegGetValueW,GetMenuItemInfoW,RegQueryValueW,RegGetValueW,GetMenuItemInfoW,InsertMenuItemW,InsertMenuItemW,InsertMenuItemW,GetMenuItemInfoW,DestroyMenu,CoTaskMemFree,		10_2_00007FFD6D9F0840

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	11 Input Capture	11 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 Component Object Model Hijacking	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Windows Service	1 Component Object Model Hijacking	1 Obfuscated Files or Information	Security Account Manager	35 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Service Execution	1 Registry Run Keys / Startup Folder	2 Windows Service	1 Timestomp	NTDS	41 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	122 Process Injection	1 DLL Side-Loading	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	23 Masquerading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	122 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Regsvr32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ep_setup.exe	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\WebView2Loader.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_dwm.exe	3%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_gui.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_setup.exe	8%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_weather_host.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	3%	ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll	0%	ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll	0%	ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll	0%	ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll	0%	ReversingLabs
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll	0%	ReversingLabs
C:\Windows\dxgi.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
github.com	20.233.83.145	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
objects.githubusercontent.com	185.199.110.133	true	false	high
pki-goog.l.google.com	172.217.17.67	true	false	high
x1.c.lencr.org	unknown	unknown	false	high
srtb.msn.com	unknown	unknown	false	high
res.public.onecdn.static.microsoft	unknown	unknown	false	high
tse1.mm.bing.net	unknown	unknown	false	high
cxcs.microsoft.net	unknown	unknown	false	high
c.pki.goog	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/	WidgetBoard.exe, 00000013.00000002.13070441821.0000025EB6F13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13070090823.0000025EB6F02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067144725.0000025EB52AC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066504454.0000025EB529B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067795615.0000025EB52D0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067395457.0000025EB52BD000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066187459.0000025EB5288000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13068764865.0000025EB52E1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065517075.0000025EB5247000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065852874.0000025EB525D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valinet.ro)	ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	false	unknown
https://signup.live.com/	WidgetBoard.exe, 00000013.00000002.13070441821.0000025EB6F13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13070090823.0000025EB6F02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067144725.0000025EB52AC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066504454.0000025EB529B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067795615.0000025EB52D0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067395457.0000025EB52BD000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066187459.0000025EB5288000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13068764865.0000025EB52E1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065517075.0000025EB5247000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065852874.0000025EB525D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://go.skype.com/meetnowlearn.winshell	ep_setup.exe, 00000000.00000003.11823850464.000001C8740F7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.pnges	WidgetBoard.exe, 00000013.00000002.13069121561.0000025EB52F2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/valinet	ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.windows.local/	explorer.exe, 0000000C.00000003.11908484158.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.000000000831C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/Vh5j3k	explorer.exe, 0000000C.00000003.11898120553.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11900533075.0000000008358000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11907740169.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11895871196.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/5e5bb508-cbdc	explorer.exe, 0000000C.00000003.12072918147.000000000A30A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://account.live.com/	WidgetBoard.exe, 00000013.00000002.13070441821.0000025EB6F13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13070090823.0000025EB6F02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067144725.0000025EB52AC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066504454.0000025EB529B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067795615.0000025EB52D0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13067395457.0000025EB52BD000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13066187459.0000025EB5288000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13068764865.0000025EB52E1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065517075.0000025EB5247000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13065852874.0000025EB525D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/odirm	explorer.exe, 0000000C.00000003.11898120553.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11900533075.0000000008358000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11907740169.000000000833D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11895871196.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.000000000833D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.windows.local	explorer.exe, 0000000C.00000003.11908484158.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11912085198.000000000831C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11905805711.000000000831C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1	ep_setup.exe, 00000000.00000003.11830929955.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmp, ExplorerPatcher.amd64.dll.0.dr	false	high
https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand	ep_setup.exe, 00000000.00000003.11821073065.000001C873D31000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/	explorer.exe, 0000000C.00000003.11973400789.0000000008407000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11973802182.000000000A068000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11956784720.0000000008412000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11960065827.000000000840A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valinet.ro	ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	false	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.pngse	WidgetBoard.exe, 00000013.00000002.13069121561.0000025EB52F2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/valinet)	ep_setup.exe, 00000000.00000003.11820567684.000001C873E31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.11863036923.00000000041B0000.00000002.00000001.00040000.0000000A.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.png	WidgetBoard.exe, 00000013.00000002.13069121561.0000025EB52F2000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13071020949.0000025EB6F35000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13071171585.0000025EB6F46000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13071357058.0000025EB6F77000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000013.00000002.13071357058.0000025EB6F57000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/J	explorer.exe, 0000000C.00000003.11973400789.0000000008407000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11956784720.0000000008412000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11960065827.000000000840A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.winimage.com/zLibDll	ep_setup.exe	false	high
https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.pngin	WidgetBoard.exe, 00000013.00000002.13071357058.0000025EB6F57000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.png_c	WidgetBoard.exe, 00000013.00000002.13071357058.0000025EB6F57000.00000004.00000020.00020000.00000000.sdmp	false	high
https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.png	ep_setup.exe, 00000000.00000003.11821108769.000001C871496000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.233.83.145	github.com	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.199.110.133	objects.githubusercontent.com	Netherlands		54113	FASTLYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578478
Start date and time:	2024-12-19 19:30:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ep_setup.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@18/34@10/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 73% Number of executed functions: 59 Number of non-executed functions: 201
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): SecurityHealthHost.exe, dllhost.exe, SearchHost.exe, SIHClient.exe, appidcertstorecheck.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, ShellExperienceHost.exe, conhost.exe, StartMenuExperienceHost.exe, mobsync.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 23.215.18.210, 204.79.197.219, 20.209.117.33, 20.209.116.33, 20.209.194.1, 20.150.70.36, 20.150.38.228, 20.150.79.68, 184.30.26.134, 23.192.153.142, 20.198.119.84, 40.126.53.6, 40.126.53.9, 20.190.181.1, 20.190.181.0, 20.231.128.65, 40.126.53.19, 40.126.53.21, 40.126.53.15, 20.150.38.4, 20.199.58.43, 23.200.88.196, 23.200.88.173, 23.218.208.109, 104.126.37.176, 4.175.87.197, 104.126.37.171
Excluded domains from analysis (whitelisted): e8652.dscx.akamaiedge.net, blob.sat09prdstrz08a.trafficmanager.net, slscr.update.microsoft.com, msdl-microsoft-com.a-0016.a-msedge.net, cxcs.microsoft.net.edgekey.net, msdl.microsoft.com, vsblobprodscussu5shard73.blob.core.windows.net, res-ocdi-public.trafficmanager.net, wns.notify.trafficmanager.net, a-0016.a-msedge.net, login.live.com, th.bing.com, e3230.b.akamaiedge.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, www.bing.com, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, blob.sat12prdstrz10a.store.core.windows.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, res-1.public.onecdn.static.microsoft.edgekey.net, login.msa.msidentity.com, blob.sat12prdstrz10a.trafficmanager.net, vsblobprodscussu5shard86.blob.core.windows.net, mm-mm.bing.net.trafficmanager.net, blob.sa
Execution Graph export aborted for target ep_setup.exe, PID 8360 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: ep_setup.exe

Simulations

Behavior and APIs

Time	Type	Description
13:31:22	API Interceptor	979x Sleep call for process: explorer.exe modified
19:31:25	Task Scheduler	Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
20.233.83.145	Y5kEUsYDFr.exe	Get hash	malicious	Unknown	Browse	github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe
185.199.110.133	sys_upd.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	https://pdf.ac/3eQ2md	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	150.171.28.10
	IzFEtXcext.dll	Get hash	malicious	Unknown	Browse	150.171.27.10
	slifdgjsidfg19.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	150.171.28.10
	1AqzGcCKey.exe	Get hash	malicious	Quasar	Browse	150.171.27.10
	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	150.171.28.10
	22054200882739718047.js	Get hash	malicious	Strela Downloader	Browse	150.171.27.10
	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://pdf.ac/4lLzbt	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8=	Get hash	malicious	Unknown	Browse	150.171.28.10
	vOizfcQSGf.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	150.171.27.10
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	172.64.41.3
	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.159.61.3
	CNUXJvLcgw.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	xWpAZpLw47.lnk	Get hash	malicious	RHADAMANTHYS	Browse	172.64.41.3
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	tasktow.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	162.159.61.3
github.com	https://pdf.ac/3eQ2md	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	140.82.112.3
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	140.82.121.4
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	20.233.83.145
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse	20.233.83.145
	https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi	Get hash	malicious	Unknown	Browse	20.233.83.145
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS	Browse	20.233.83.145
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	20.233.83.145
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	20.233.83.145
	main.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	pyld611114.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
bg.microsoft.map.fastly.net	2JSGOlbNym.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	4hSuRTwnWJ.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	I3FtIOCni3.dll	Get hash	malicious	GhostRat	Browse	199.232.214.172
	26B1sczZ88.dll	Get hash	malicious	Virut	Browse	199.232.210.172
	UV0zBp62hW.dll	Get hash	malicious	Virut	Browse	199.232.210.172
	Gioia Faggioli-End Of Year-Bonus.docx	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf	Get hash	malicious	PDFPhish	Browse	199.232.214.172
	jhsdgfjkh236.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	199.232.214.172
	RECOUVREMENT -FACTURER1184521.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	(Lhambright)VWAV.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.199.109.133
	EFT Remittance_(Dmorris)CQDM.html	Get hash	malicious	Unknown	Browse	151.101.66.137
	Timesheet ACH-Tbconsulting.November 16, 2024.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://whtt.termlicari.ru/HnkNbg/	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://go.eu.sparkpostmail1.com/f/a/lgobNkIfvQXGgmbryxpFvQ~~/AAGCxAA~/RgRpPCorP0QoaHR0cHM6Ly9iZXJhemVsLmNvbS93ZWxsbmVzcy9zb3V0aC9pbmRleFcFc3BjZXVCCmdVK6VZZ3GvOmFSFmV0aGFubG9nYW40M0BnbWFpbC5jb21YBAAAAAE~#a3RhdHJvZUBob3VzaW5nY2VudGVyLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	199.232.168.159
	https://gmail.net-login.com/Xb1Rnb3pKRC9CUEdpbldIVTREbHhIK1Vza1NvaWlrblBIbkN4aUdCZUt0Y2NlSGJiWmZ2d0M1dTB5dEpRbnRoVDdBVkFTcEJqWGowNVZycWJNWHlIUHlLOG1qS0FvemVPSXpFRFhGcUhmaVU1ekQwMklrVmM0QjVpNmhLaDdoY1I4UlhMcFo1TTJaSFhtaWpiWWFqWGZ5WEg4TnBiOUl4MDI1RFMyWStQRFoyNFo5UFZNUUpmWXBtaUg0Y0FjUG1jejdSVnFVOXJQL2VzdmNLM1lEaWtmRkZnZEk2Vi0tVHFIeU0vOWxTN01YVEtXbS0tTTh5Skh1eEtsc0xTT0J5Rzg2Q2ZJQT09?cid=2330416057%3EOpen	Get hash	malicious	KnowBe4	Browse	199.232.196.193
	https://pdf.ac/3eQ2md	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	185.199.108.133
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	185.199.109.133
	Gioia Faggioli-End Of Year-Bonus.docx	Get hash	malicious	Unknown	Browse	151.101.2.137
MICROSOFT-CORP-MSN-AS-BLOCKUS	(Lhambright)VWAV.html	Get hash	malicious	Unknown	Browse	52.98.61.34
	6CWcISKhf1.msi	Get hash	malicious	AteraAgent	Browse	20.50.88.227
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	20.233.83.145
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	22.164.114.95
	https://whtt.termlicari.ru/HnkNbg/	Get hash	malicious	Unknown	Browse	52.123.128.14
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	20.203.184.73
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	20.47.11.21
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	40.64.15.168
	https://pdf.ac/3eQ2md	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	52.146.76.30
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	204.79.197.219

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\ExplorerPatcher\WebView2Loader.dll	https://github.com/valinet/ExplorerPatcher	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	156672
Entropy (8bit):	6.364786295249098
Encrypted:	false
SSDEEP:	3072:cwWidqj5vQxW0UwC7yqs2Pa+lpshaVXPHefiCaSveMhouw:cwWioKUwC7yqPaKpdmfUAw
MD5:	E5BB14C2B9AF4D5BF6C38E0759F454DD
SHA1:	8CE23BE643A9AC1745EE824FF91621A0B8FCDAF8
SHA-256:	A4FD75AC8F852EDC8BDB88A705EEEE2C93F6EC51EF9FA0739A11A690A067C66D
SHA-512:	D2E0E3176304289F0EFE635D3F751A6389B48AFFF4E2348E478993A29ABA7941624E53F076BC09BBA4BA0470E171CD2582254261584D2369D7CEB9DBD45A56CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$R..`3..`3..`3..+K..j3..+K...3..+K..t3..p...t3..p...q3..p...A3..+K..u3..`3...3..+...f3..+...a3..+.;.a3..`3S.a3..+...a3..Rich`3..........................PE..L.../,&g...........!...).z...........J....................................................@.........................0...x............P...0..........................P...p...............................@...............T............................text....x.......z.................. ..`.rdata..,............~..............@..@.data........0......................@....rsrc....0...P...2..................@..@.reloc...............N..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	716288
Entropy (8bit):	6.218933147794801
Encrypted:	false
SSDEEP:	12288:tAZZrKVjXMzFheHhMwJXOI8mw03edresazpaek4Yc9edrtvL9suuuuuuaW5q77gt:6ZBsjXMzFhySwJXOIpOSsgpapXcqrNO7
MD5:	8BFCA71ADD96D3DE75173D464792E2B9
SHA1:	FE6BC3C30C26D6CE1C149B173B5D79C80102D5B9
SHA-256:	5AAA6BAB20B7116B32BDDBA1DF216F7476557BB48397E1968A49EDE14E6C377D
SHA-512:	B560415727D15CEEB09E5D9E39EA2B4043848BF4239FBF5068AAAC86F64B3D05D4E21EB197416DB0FB4172C68F782C05AEAE18AC70C27F80566040B6BA79159A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........%.^.D...D...D...<...D...<..uD.......D.......D...<4..D....Z..D.......D.......D.......D...<...D...<...D...D...F.......D.......D....X..D...D0..D.......D..Rich.D..................PE..d...m,&g.........." ...).....N......l........................................P............`..........................................U......DZ...........0.......I...........@......`\|..p...............................@...............h............................text............................... ..`.rdata..v...........................@..@.data...H...........................@....pdata...I.......J...d..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\BitMDL2.ttf

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	TrueType Font data, 15 tables, 1st "OS/2", 37 names, Microsoft, language 0x403, type 2 string, Normaloby
Category:	dropped
Size (bytes):	4860
Entropy (8bit):	4.810458524638355
Encrypted:	false
SSDEEP:	96:Szb3zrXjrLaiL94z8C6ktlOEknTJOOY8NIBKYzzsnxiZbxS/:SzrHzrOB8C1IdxiNxY
MD5:	47EDFB34AA1D759AA24AB417F1723725
SHA1:	460DED5841C518D900F690B4222BFE0C3D48BFAC
SHA-256:	54C6D49B8F5B28ABB78B35C21E39F3C40997450D462246599BDDE44782AC754E
SHA-512:	10A167AA25376F04EA600B61AD374AD84641205EA381CB1372800E593680135E9BBC1C0A773EDA06AC68148C5D969E62AF6816A77302C52746F715A67B31CDBC
Malicious:	false
Preview:	...........pOS/2JZr........`VDMX.^.q...\....cmap.Q.!...<...Dcvt ...........fpgm..........Ygasp............glyf=P.7.......Nhead..86...d...6hhea...........$hmtx.[..........loca............maxp.y.c....... name.L.........post.Q.w....... prepx......(.................3.......3.....f..............................MS .@............................. ................................................................................................................................................................... . ...!.!..."."...#.#...$.$...%.%...&.&...'.'...(.(...).)....*...+.+...,.,...-.-........././...0.0...1.1...2.2...3.3...4.4...5.5...6.6...7.7...8.8...9.9...:.:...;.;...<.<...=.=...>.>...?.?...@.@...A.A...B.B...C.C...D.D...E.E...F.F...G.G...H.H...I.I...J.J...K.K...L.L...M.M...N.N...O.O...P.P...Q.Q...R.R...S.S...T.T...U.U...V.V...W.W...X.X...Y.Y...Z.Z...[.[...\.\...].]...^.^..._._...`.`...a.a...b.b...c.c...d.d...e.e...f.f...g.g...h.h...i.i...j.j...k.k...l.l...m.m...n.n...o.o...p.p...q.q..

C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\SkypeUISymbol-Regular.ttf

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	TrueType Font data, 15 tables, 1st "OS/2", 37 names, Microsoft, language 0x403, type 2 string, Normaloby
Category:	dropped
Size (bytes):	7492
Entropy (8bit):	5.707445677539256
Encrypted:	false
SSDEEP:	192:szrHzrkB8aoRIkPRPfPHS5oX8G7/xqNxY:arnkB8fImRHKOsq/xqo
MD5:	7DBD65D015C1085F472D9408C4CD560A
SHA1:	3712986F8B7EEDD4BA875DB4FCBA9B4DE149D22A
SHA-256:	991B0F2E9C2CDE7E2F78E79CE31EBF5BD7BCFF085FC7CA120B787556A6ABD30D
SHA-512:	2A6EB6CFF77085FB5DEEB2A9E3EACA3E817E11FA466F4A83D72E782760B941A7E495BC6EBC10EEB3C6C431A61AADC7BC5EAB284840DA031EDD58C6E50B732F5D
Malicious:	false
Preview:	...........pOS/2JZz........`VDMX.^.q...\....cmap.......<...\|cvt ...........fpgm..........Ygasp.......@....glyft<....L...Phead..J .......6hhea...........$hmtx...f.......$loca............maxp.......8... name.Bh....X....post.Q.w...P... prepx......p.......6.........3.......3.....f..............................MS .@............................. ................................................................................................................................................................... . ...!.!..."."...#.#...$.$...%.%...&.&...'.'...(.(...).).......+.+...,.,...-.-........././...0.0...1.1...2.2...3.3...4.4...5.5...6.6...7.7...8.8...9.9...:.:...;.;...<.<...=.=...>.>...?.?...@.@...A.A...B.B...C.C...D.D...E.E...F.F...G.G...H.H...I.I...J.J...K.K...L.L...M.M...N.N...O.O...P.P...Q.Q...R.R...S.S...T.T...U.U...V.V...W.W...X.X...Y.Y...Z.Z...[.[...\.\...].]...^.^..._._...`.`...a.a...b.b...c.c...d.d...e.e...f.f...g.g...h.h...i.i...j.j...k.k...l.l...m.m...n.n...o.o...p.p...q.q..

C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub150x150.png

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7723
Entropy (8bit):	7.82866767742915
Encrypted:	false
SSDEEP:	96:y9O6OFOhjDn7dga5zMwatQ6QW57bUvbIYWikhF12EQuG9wmmnsvlVoliWTKAHOOK:yTDdga5AwaVLbUjRDEQuCmRliWvi
MD5:	4801FD82293A7B77B553635E733AD81C
SHA1:	F1BBBFF5A1618CA5851A8CB6DD7B79118C95097C
SHA-256:	B0134C30F2F35B00E050262005FF4EE0663498688572EDED15433C8A8CBABB5E
SHA-512:	072C3224EB764A652228B1DE032F25C89A7CBD0D44F988C21E56DFF941E6925BC20C245031524FBE6CE94614DC93A172F40A2F825934B52D02C099263225283E
Malicious:	false
Preview:	.PNG........IHDR...,...,.....y}.u....IDATx....\U...U...,Dv...Q@.Q....Q.\..a@....a.4&.DH@x ..F....e..Y .{d.$f1..Nz..NU..U.n.s.w.}.9Sk7.......O............#........a.....@X............@X...................... ,.........a.. ,.........a.. ,.@X......a.....@X...x...a.. ,.@X......a.....@X............@X...................... ,.........a.. ,.........a.. ,.@X............@X...................... ,.........a.. ,.........a.. ,.@X......a.....@X........bY.h]}a.....`.{W.......0.2A`...O..MR.[.....J.2.H....y!,.P..D!.g.V.c....M....;...2..H.m.H..<..~.!0@X...J..&.YP...FTQ..... .PQ..e^.ExnP...a.....c&e.,!...=..x....WTy......T.UT1..ez.L#..A.R..Q....F..t%.J@.U.[......d..y.^..q!,.%..!.A..J.......Q'....`..T..a......7...,}....v.QGSq......T%.d.k..D.KM..\.?.t./;@^AM{+......q....(M.....g~Xa.....nn}'n.{b.:..u.FX...U.I\...I.2I...`..?.Set......5.....W.VM.Y..h[gO.......g.fY......\a=}.q....'\|.019D\.!e.i.+&.S..A.BZ...0U...t..1Er.'.Y&U..QU..'U......X...s...e.,b./........OX..?[,.z..

C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub71x71.png

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PNG image data, 142 x 142, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4827
Entropy (8bit):	7.927350997586525
Encrypted:	false
SSDEEP:	96:RtM05MPLNlyr6x0zh99tQ7h8Zdi1vHzamUyNcdnA2Pm:RtMF+rK0zhg8ZMp4dnPm
MD5:	61F8C73839E9E20A3F3F817884E0050A
SHA1:	79F0FE04F097025821F9F00C492DA1B86BD036E8
SHA-256:	50D38CC6013B17CA7EAAACE84EB9DF59652AEA1E7B9B8CF6F8AC1F0274B261B8
SHA-512:	2F01D2B946B019D80CB5CAC5F100DFBC24E7ABC5EFD689ED01F1762A57859F10F6B26FEB8F51AB6C3399192BCA3B115861FA9FA079AE632855322D74992AA9C2
Malicious:	false
Preview:	.PNG........IHDR...............0.....IDATx..}....{..g...K`0Y.HBX#(..0...Y6....{8q..9.C..79... .h@\..(.5.FT..\|..(l..DQ.....'3=....u....u....nR3}.s.S.EOS3...y.[..R..t..7)t..Ehpthpthpthpthpt...........................C..C..C..C..C..C..G..GG..C..k...:v.8............`X...d .%.Lo...4.Z.h..#..zH../..(.h....E..U#.N?.F<.F/.. .K.h....4".&.5...4.4....~...".......).%.. 1..E".k/.N..Q.SY.U@..2(..O.O>... ....c.K.#.....N.......^!"......P`.I.M...(.y.I..n.^.m.\>. ....).`...UI...@...Z}h?.&.0D.&u.d....@.?......6H._`..}.`._..S.zC..........?..E..`...T..p.5.Q}48.P.H.........\|...bPp.T..<..Y.....$$y..A...C{p..]d.;.....t.~._v=&q......Q...m.C.)02[R.cj.r..(.wSyp.PB....<...$..B..$.......3O..20.k.p......k....t....................xx..r..?.(........I..J....0.MB........j...?..X.dR..U..f..X..:li\.........<(.?&..\|...G...q.........Z~..a.+...5.....p.$.).... MO..o."`1Hs....j(..`2.j_.w./....._._......E..:TwU}.FV......f.i.\|..._V.~0.S..P......&...d.B.. !8....#gR..........[.

C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote150x150.png

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5446
Entropy (8bit):	7.7182554234602225
Encrypted:	false
SSDEEP:	96:a3NOGqOlOUqJAksxzEKZ6bDQEwLEf17HZkyYXMUEjPtSPa43hTe2IG2ohXtFx1oc:saBozjSrn7JVQPBRHZ5LxF
MD5:	834B785D846929658BE3754439B93661
SHA1:	B7AC15FF63E5DE7021BABFD8E5E53E3D5FD43BA6
SHA-256:	EE0F4170B7841A3BE39C0B3BEE0D51384A98A1CAF3C825132EDA43030784E84C
SHA-512:	9E45A7C8A67D25B34C4E7C49B7025524249B77FAA7516531E9DF40FCA6520990E07D9B92FB163092DE4D27B047C4BB55FF8D4486B2AAF66DE964C45D120648AB
Malicious:	false
Preview:	.PNG........IHDR...,...,.....y}.u....IDATx..{.$.}...3;.....wg.C....Kd.-.#%2r8#..!.CJ.9.%E..H.,....".D.H.E.,YI..<l+..l'...`....}:.B.;...Jw..nMMUW....v..c..L.c.{.?\|.5..]....4...................... ,.........a.. ,.........a.. ,.@X......a.....@X............@X...................a.. ,.........a.. ,.@X......a.....@X............@X...................... ,.........a.. ,.........a.....@X............@X...................... ,.........a.. ,.........a.. ,.@X......a.....@X...................... ,...Tk6....>.?Pk.....i&.].. .F.#..a.j......y!,.$.Rs.?t..#....XV..cM....S5......#..Z...#...LS.-..3..ORR\m...........H[..f$+.....Y.e.I{d..rBZ..6(...T..6.Y.No.5:b...).T....LIV...<?.dlZ.h..%).X'......l@`........\.......r...FP...Tr...xn..M...}.J..+u.,T."1..5.V%'.2V\M..P5...R.RY.\...L..be.j.q[...f...[2\*KP.c1.Bb..j..'..u<.}.+.#~3...HUy...R.DiK.t..`....W....K^1....Wl.r......lRk?h.... B..R.c..c?..v.?.M.{.".....y.....1 .T.{...YU...R.h....[..\|.G....&.l....[..7...[..HrJ....`.T.-.a.?.....

C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote71x71.png

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PNG image data, 142 x 142, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3550
Entropy (8bit):	7.897867714150185
Encrypted:	false
SSDEEP:	96:zjztgfNxDuMeu66kwqBmGSJj2ddfO5yRKg4MsgpH2T9T1:nmUaC5ddwyiCH25x
MD5:	3E9B58E469D2564FE06417E5B083D409
SHA1:	6379ED82C12C5D11E67C637DF38FC605BF5B7804
SHA-256:	0D90405D6F77EDE77D6875FC635EA061AEC5599AF5D6B99C48413C84F8B6464E
SHA-512:	88682E4B76FE9CA986C33F58261641F2B0E6A02687E55571CD818FBA296EF9F97541976C92963913FAD0C9FAE53A63C86A7EBC53820ED58FA46C81DF09F5D7EA
Malicious:	false
Preview:	.PNG........IHDR...............0.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..]..V...=.....R./.QU$..I#A"x(....R.g.J.@\|.x..(.....!/....Q.T...RE.TP.JSh...!4D.M.l..c...{...sm...........x......V..bb.5ON...#&...8b.....#&...8b....#&&...8b....#&....8b....#&...8bb....#&...8b.....#.A....Ru...k3...;....G...".gu.LPX.{P.Y_hT.:5.. s..@A..Q..kj.%....8.P.Y=4..U......'......Z..&..E`..(.6..+..2...T.<......Y.+..(G`).$..Vx..Q.....{..8...DX.......^G..f.p. q.."..vQ.4.Y......i...6..ks.Yo....l1M.Laz\|.v..rD..Z\...E...r2o.."x.q.....n<....2.W.UU.8h2X.......}.w.h.....v...o..K....S.,..i..:j=.....s%.j..dS......L0.nh.-.\..]?.}8^\NU(......78.FN.!.Q..9...j7...f[[.w..y......@?p..(...t....S...H3.Uw-.sXaT..i5......G....S...=y..8..jS.8eu.........jT.,.0S..T.....BJ...MY.6.6.4..T...;..)...n.=&...M.I\UQlS.4..TI.d...p.......6...:...m..<&....+N...u..l.\|C%.AMiS.c...E..G..x...o.....d.a...V..V.t.,.k..8.E..cl...ie.t....N....eOy1@^o9iws..Q:.O$8E...........?.D.....E\|H^g......_.m.......

C:\Program Files\ExplorerPatcher\WebView2Loader.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165336
Entropy (8bit):	6.238659206665009
Encrypted:	false
SSDEEP:	3072:7evoTTlTRTyiuPThTNTKm81SbbMYSPLNsknZiZ2HZ5AaliiT88FEtJ57dXSvlCW:HTlTRTyiuPThTNTKmFQdhsknZiMHfEti
MD5:	C5F0C46E91F354C58ECEC864614157D7
SHA1:	CB6F85C0B716B4FC3810DEB3EB9053BEB07E803C
SHA-256:	465A7DDFB3A0DA4C3965DAF2AD6AC7548513F42329B58AEBC337311C10EA0A6F
SHA-512:	287756078AA08130907BD8601B957E9E006CEF9F5C6765DF25CFAA64DDD0FFF7D92FFA11F10A00A4028687F3220EFDA8C64008DBCF205BEDAE5DA296E3896E91
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....sgf.........." .....\..........@F....................................................`A........................................Y...0.......(............P.......^...'..............T...................P...(....q..@...........h...........`....................text...][.......\.................. ..`.rdata..\|....p.......`..............@..@.data...D....0......................@....pdata.......P......."..............@..@.gxfg...p....p.......8..............@..@.retplne.............J...................tls.................L..............@..._RDATA...............N..............@..@.rsrc................P..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\Windows.UI.ShellCommon.pri

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	data
Category:	dropped
Size (bytes):	2967344
Entropy (8bit):	5.1369255772687055
Encrypted:	false
SSDEEP:	24576:sQIx3Fyi5T+bi/Lkhai/LkhdxQe/khY+iNO+WPqsGu4udw8Y8QUVQxK3itG4BWO6:sQIx3F+gW1u+QEitG4mfy+v1R
MD5:	B5EDF00A3AD977E6587CFEAD07D22726
SHA1:	BEB46626C5B8AD2A8426B8482A0C68F9DC09298D
SHA-256:	BD15C1C4F88EEDFC86DEA1E1692F84AC37638694858D11C02B22705945D1330E
SHA-512:	48FE5DF7932A0A10C21D69571BB5C6423ED052635FBDD6A640C73E032B84BB06A8C1321D539A8ADBE0FD56DBC4145F550DA9840D57BBDCBDE6784A6C2F3D0B2D
Malicious:	false
Preview:	mrm_pri2....0G-. ...............[mrm_decn_info].................[mrm_pridescex].............h...[mrm_hschemaex] ........8.......[mrm_res_map2_].............8...[mrm_dataitem] .............X.*.[mrm_dataitem] .........`.+..(..[mrm_dataitem] .........x.,.@...[mrm_dataitem] ...........,.XW..[mrm_dataitem] ..........1-.....[mrm_dataitem] ..........2-.....[mrm_dataitem] .........`4-.p...[mrm_dataitem] ..........5-.....[mrm_dataitem] .........x7-.p...[mrm_dataitem] ..........8-.....[mrm_dataitem] ..........:-.....[mrm_dataitem] .........8<-.....[mrm_dataitem] ..........=-.....[mrm_dataitem] ..........?-.....[mrm_dataitem] .........0A-.....[mrm_dataitem] ..........B-.....[mrm_decn_info].........................1.!.................,...............................................................................................................k...........................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_dwm.exe

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	118272
Entropy (8bit):	5.883424207863698
Encrypted:	false
SSDEEP:	3072:TmxpiUI+RrEAqTZLO1bLB1bmRYOalQIO:T+iD+TqTZyXvlQ
MD5:	6563C5338177FF66050EADFE3960C567
SHA1:	20E6E7C7778861756549062C5C0715090CAD0E52
SHA-256:	315AF6DF079B31BAC26156C9DDA8CC415C76408A39972346C238888AAFF79921
SHA-512:	724B9823E36B99490CD9B86A9B6EF33C35C5F92761ABF7D6B2D00C0398B14679DFD07189519025E89F8DCEF2409B0FDFAA48EDF77B07764A4ED6CF6C683B330C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.^k..^k..^k......[k.......k......Tk..N...Wk..N...Nk..N...vk......Uk..^k..&k......_k......_k..^k.._k......_k..Rich^k..........PE..d...?,&g.........."....).............'.........@..........................................`....................................................x...............................h...0...p...............................@...............`............................text...`........................... ..`.rdata..Z...........................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_gui.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	752128
Entropy (8bit):	5.474681591921442
Encrypted:	false
SSDEEP:	6144:izq5NAtIjhy7rsdQiwHg4aG0Y/ist23ed3TqxkOyBGO:cqPA2jhyPASV
MD5:	81CD6D96F81B1E54AA327A4AF6BCBE85
SHA1:	B786C4BDE03D1566B1B040EB8970B82F7B80A007
SHA-256:	B23BAB1F5DC85C9E10145EEB32214D6CFE02FB5ABCF956A37A3C9DD7E09FEE67
SHA-512:	A1360B71BA11B529BD21F8C93C6CEEC01C4FAA9D33CA5E5FA62ACB118CEBF1E9E1D38EA17D236D1F8BD0D790F6B743329D41598D5A62C794B4786C14975782BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.................................".....=...............................................................................Q.......9.............Rich....................PE..d...M,&g.........." ...)............x.....................................................`.................................................<...,....P...m...0.........................p...............................@............................................text... ........................... ..`.rdata..,...........................@..@.data...0#..........................@....pdata.......0......................@..@.rsrc....m...P...n..................@..@.reloc...............r..............@..B................................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_setup.exe

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11143168
Entropy (8bit):	7.989614560554252
Encrypted:	false
SSDEEP:	196608:Yobw/inDWIRviYy06kRUEsyiFo2ItCC2bO+WxNtTYnepC5YbM/rN2kGBlSrnU:dw/2Bvc06kiEviXTCIKNtUnqYYA/A
MD5:	F164888A6FBC646B093F6AF6663F4E63
SHA1:	3C0BB9F9A4AD9B1C521AD9FC30EC03668577C97C
SHA-256:	8C5A3597666F418B5C857E68C9A13B7B6D037EA08A988204B572F053450ADD67
SHA-512:	F1B2173962561D3051EC6B5AA2FC0260809E37E829255D95C8A085F990C18B724DAFF4372F646D505DABE3CC3013364D4316C2340527C75D140DBC6B5EBDEEE1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!22622.4317.67.1.8bfca71add96d3deS mode....$........ uO.A...A...A...9...A...9...A.......A.......A.......A.......A...9...A...9...A...9...A...A..NA.......A.......A...A...A.......A..Rich.A..................PE..d...v,&g.........."....).P....................@.............................@............`..................................................K...............................0.......(..p...........................p'..@............`...............................text...pO.......P.................. ..`.rdata.. ....`.......T..............@..@.data...T....`.......R..............@....pdata...............^..............@..@.rsrc................z..............@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_setup.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2309632
Entropy (8bit):	5.9603372344097245
Encrypted:	false
SSDEEP:	49152:V9X7GWGVgWGwN78HKBJfJNrkrhcxaPs/P5+/Dd:VMiQkFcxaEGDd
MD5:	DCE36294E4AB8F9F85357698ED5A8CEA
SHA1:	5511F09C022693E5A8644B59C46CF8AC9C4D0256
SHA-256:	696938E9820976C632F42A39A6B74A04C3262C4217F6B0F27D1B0E8C3280A02E
SHA-512:	99FA0E6DFB8A5BA8D38B0EA7398C131F99D2F7D83D134FD5BB03F8E7D5E4141A7BFCFD005E61D208B1FB33149D8274CC164211A453FE5833F13DDF6696902210
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........P[...[...[.......S..........K...R...K...K...R.A.....K...f.......B.......Z.......F...[..................Z.....-.Z...[.E.\.......Z...Rich[...........................PE..d...Ex%g.........." ...)......................................................#...........`.........................................`....,..8...D....p.......................`#.L0......p.......................(......@...............@.......@....................text...t........................... ..`.rdata...Y.......Z..................@..@.data....9...P.......:..............@....pdata...............P..............@..@.rsrc........p......."..............@..@.reloc..L0...`#..2....#.............@..B........................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_weather_host.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	5.982317924874446
Encrypted:	false
SSDEEP:	3072:xjW86bHWeRLwF/ov4P3dUXqu/FYu9L33+C+TS9eEXB9aospWoU6P:xEbHWK0gv4GXZ/rpEWoh
MD5:	AAC2857727CFF3CD7B291F9500196F73
SHA1:	C86EEDFF45B672DF58885F12E7A7AEE3398C618B
SHA-256:	78ED3E3676D97C337FEF071B522805F4CF742587A40F96AF4AA4D74FEE0AF88A
SHA-512:	A4C54B4221B1745FE1DE6D53FCD7A528B4BACDA6B2C66E02D55BD5867D118E042A35490E45B64C2D24398A9AC06E356BF10A2822F83663D52C1A28E10F0A52E5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6v..X%..X%..X%.[$..X%.]$..X%.y[$..X%.y\$..X%.y]$..X%.\$..X%.Y$..X%..X%..X%..Y%'.X%.xP$..X%.xX$..X%.x.%..X%...%..X%.xZ$..X%Rich..X%................PE..d...D,&g.........." ...).............e....................................................`..........................................~......,.......................................@^..p............................]..@...............@............................text...0........................... ..`.rdata.............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	111616
Entropy (8bit):	5.926529844260868
Encrypted:	false
SSDEEP:	1536:uw+B6bvTxS8Si7ixJSHQ8YmpqvA9uf+UfKzwzsW7dJ9dlPXdremU:/3TxMpxJuQ8bpwouf+f07hJ9emU
MD5:	E477912C435DB101603781DCC44289E1
SHA1:	7B2EDA1B6055E8874F37FB9B48BCC933BF69C1C3
SHA-256:	0930D2E71353A411D96DC4DFDD473DACE98D1B7B9546AC4C185F8984F8B9C18B
SHA-512:	9F8089742099A789387381980EC5B493DEEC46BD73F39CF8FA9919BE4DD772B20C70246E5E90D625011F052D5C3B2000B42C50843956D74FB85FF1B1D18EACE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z.R...R...R.......W..............X...B...[...B...\...B...r.......U...R...'.......Q.......S......S.......S...RichR...........PE..d...A,&g.........." ...)............p.....................................................`.................................................X...P...............................x.......p...........................P...@...............8............................text... ........................... ..`.orpc...,........................... ..`.rdata.............................@..@.data...h...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..x...........................@..B........................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\pris\Windows.UI.ShellCommon.en-US.pri

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	data
Category:	dropped
Size (bytes):	187808
Entropy (8bit):	5.898309599415517
Encrypted:	false
SSDEEP:	3072:M+Hus1m6HLzoyVgyAIYlXilvkp+qhEUmkqCZB1+5vGFk:M+TmqIy4IWhEUmkrSvGFk
MD5:	18AF812E01A575418952ACEFBE232F0B
SHA1:	6672685B3EB8FAF7DCEEF22A0C0866F66850EAEF
SHA-256:	48DE9376E52993C66956EDD30A58EC1F8ED58F4E9AE21AD2D1A739AD952AE1FC
SHA-512:	8E4F736EDE86C5B108EC9B9C693EE82AC8C2BBEB005E15B39A1777C67C81A7A6AA0CF633BA6A21FBD8E0BB566420EFF23117A0AC6114020913BE03FBD9D776A9
Malicious:	false
Preview:	mrm_pri2........ ...............[mrm_decn_info].................[mrm_pridescex].............H...[mrm_hschemaex] ................[mrm_res_map2_].........h... P..[mrm_dataitem] .............H...[mrm_decn_info].................................................................................................E.N.-.U.S..............[mrm_pridescex].........H...........................................H...[mrm_hschemaex] ..................".....[def_hnamesx] ..........B......2...m.s.-.a.p.p.x.:././.W.i.n.d.o.w.s...U.I...S.h.e.l.l.C.o.m.m.o.n./...W.i.n.d.o.w.s...U.I...S.h.e.l.l.C.o.m.m.o.n.........1.......2...............................A..0.P......C..0.P......D..0,E[.....F..0DC,.....J..0$B......M..0.X......M..0^A......N..0n2......P..0l1......Q..0.',.....R..0.'+.....S..0..m.....S..0..>.....S..0%.....#.W.#0......+.A..!..0...).A..!../.....A..!......4.A.'!}.-...".A..!g.,.....A.!!E.+...5.A.(!..*...4.A.'!..)...3.A.&!..(...0.A.#!..'...B.A.5!s.&.....A.!!Q.%...1.A.$!,.$...0.A.#!..#.../.A."!..".....A.!!

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=39, Archive, ctime=Fri Sep 6 01:27:57 2024, mtime=Thu Dec 19 17:31:17 2024, atime=Fri Sep 6 01:27:57 2024, length=90112, window=hide
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	3.3204745524577954
Encrypted:	false
SSDEEP:	24:8e80pp8jO+slTyA/PeiUHh+/Clo+sd/UW+fwT4o02N/Ykvsm:8ipaq+slt/2iAlo7d/9fMofYkU
MD5:	55891886FED0501EA75117441E6D3233
SHA1:	A75E58D3A5F9B6647AE02344612E883717375E7F
SHA-256:	AC4E19D056E78DD830406E834AA1333E9DEF1B5694DEE4CD1F31F1475F886F86
SHA-512:	8AC57B12228610E7649CFAAF3E13F2315962C444173D0627B8EE3EB7F2B2A505B87E89B6A0E3250F081D43D5DBE9B56B4FDC84240256A72422C4E4593766BC08
Malicious:	false
Preview:	L..................F.@.. ....l.b....a..1DR.....b.....`..'...................E....P.O. .:i.....+00.../C:\...................V.1......Y....Windows.@......T,.Y.....P.......................s.W.i.n.d.o.w.s.....Z.1......Y...System32..B......T,.Y.....?.....................w..S.y.s.t.e.m.3.2.....f.2..`..&Y}. .rundll32.exe..J......&Y}..Y.....9...........(...........3.r.u.n.d.l.l.3.2...e.x.e.......O...............-.......N............9XJ.....C:\Windows\System32\rundll32.exe....E.x.p.l.o.r.e.r.P.a.t.c.h.e.r./.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.3.".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.E.x.p.l.o.r.e.r.P.a.t.c.h.e.r.\.e.p._.g.u.i...d.l.l.".,.Z.Z.G.U.I...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\system32\shell32.dll.............................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000022.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	104880
Entropy (8bit):	3.9861212683616793
Encrypted:	false
SSDEEP:	1536:ZPTkvSXmgsjzPih1ri5Ghn2GMVUQxx14t:ZrkvSXmgsjzqhpiLG7Qx7U
MD5:	5AFF3187925E6E670ED4EEE4708165AA
SHA1:	1427D60E4B19D8729685415C2074AA50C4B46AEF
SHA-256:	EDEBCF955FDDB11F7059E2795AD7FF31208A2A06C5C40B3CAFCDD7DFDD5ED827
SHA-512:	02428F65E8F395DDE6AE373DD897D0520554A7EC43D3776A16804D69843338D4A9A5622E31722A337AC594F7BD98DCF3D826F5F4D75D6492B7CC364C39FF4051
Malicious:	false
Preview:	....h...$..............P..............Q.......X...(...............p...Q.......e.n.-.C.H.;.e.n.-.U.S...............H..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................M.a.o.g.a.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................M.a.o.g.a

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000023.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	104880
Entropy (8bit):	3.98709914028929
Encrypted:	false
SSDEEP:	1536:5eGkKSXmgsjz7mh1ri5Ghn1GAV4cxx14t:5HkKSXmgsjzShpiUGTcx7U
MD5:	38FA92E93AA66432DA9D8517E4FE42D4
SHA1:	C3EAC2A097E70901D52738F4F44DBDD641D2430C
SHA-256:	6C94F279A93CA3DE47EA2B48ADA9B9002100BA7CB0C7444B42644641E273FA46
SHA-512:	889B2B2C54A3C6A09A64F3F307214647A0E902BDDE7E86C19466C009A5B9B16B5E8F54847FC13376A7510B7E0162DD14AF08F6DDB22763D3298514F901231DFB
Malicious:	false
Preview:	....h...$..............P..............Q.......X...(...............p...Q.......e.n.-.C.H.;.e.n.-.U.S...............H..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................M.a.o.g.a.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................M.a.o.g.a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2OIDBQCM\73C9C0571D55C7E8C1DB49D54FB957CD01BB4A564F9CFA46E57CD5F5E9D0B36800[1].blob

Download File

Process:	C:\Windows\explorer.exe
File Type:	MSVC program database ver 7.00, 4096*4923 bytes
Category:	dropped
Size (bytes):	19746816
Entropy (8bit):	5.701697211405097
Encrypted:	false
SSDEEP:	49152:B0n570xvYDTvox3Q353w3j3W3y+ZNufjNY6UbY/YILCGg59dIaEx0URA9L6+cxKN:B0nJsc42R0B14
MD5:	A4F848DADF4BA1ABF8BF460FD7EC60A7
SHA1:	4B283FE3E19387AEE382B85A9876911289620810
SHA-256:	220C082DBDAD8DC313F57829618E61295C43DB7904229E91694FD6C26E77D2AB
SHA-512:	81960F650F92E9DA7A0755D67B2D10DDC3290044E12CF8EA6B376978642331E939E95A39C9B84EB7F461B98101295BE4E577FC1EE84C7EFC5ACACF3D154D833E
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...........;....O......:...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4TJ1LROY\5BE1B1FD8C4CD469077AFBBA0798AFC8A16E31C59DCD0A1A38B2906EB5B053E500[1].blob

Download File

Process:	C:\Windows\explorer.exe
File Type:	MSVC program database ver 7.00, 4096*7685 bytes
Category:	dropped
Size (bytes):	31477760
Entropy (8bit):	5.623601438277038
Encrypted:	false
SSDEEP:	49152:FF/1V1oiaOrjDgVTub8O8/1l4Lf/45EFRiUz3Cv+gkHEpctXi7lcOT7uH6qTpLN4:7NV1vnH+1WzqgaftyWnh9RT
MD5:	F6B1F244316498EFB599C57615D0B27A
SHA1:	3463AB821F1083DE718A7330E0E266D51B62978F
SHA-256:	7191526BCEEF78B8ABF7C2A298BA3CCD7893D4D5882F995877059665415D2E60
SHA-512:	60C662E1B2FFA20268E917DCEA94186205726C672D0254C355F015FC033C53BBCBF7DC9C31B0F5C16A1C0B5E1128F88BB87A63B9B3D4F4E473FF282C279F10F5
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KA259YPD\212EE6F6E5D8968D8EF5025E80B96D0A21B02CF1C46C2B343900F72F34A45D3800[1].blob

Download File

Process:	C:\Windows\explorer.exe
File Type:	MSVC program database ver 7.00, 4096*1499 bytes
Category:	dropped
Size (bytes):	6139904
Entropy (8bit):	5.371192355576708
Encrypted:	false
SSDEEP:	49152:rYNFBy5AXoKJyBGF8PLn/gau9oIClD08/zORIW1hvuY+N6ND9QM3UEXHxm0dnDNN:roGYqsZ5RZQ
MD5:	6FBAD49B7063AABD0549B49A477CAAE5
SHA1:	E84776C7AB4D66BDCEB9B6BD91EE15FE23499AAC
SHA-256:	0E6B01BD708F0164329560D14EE390E3B14DB00D0776F41A330157C949DA9EE9
SHA-512:	25AC3A32503177B96559D2C03520A29A0CB9801687036DAF0A955E911546ECF1027B40588210B2E5BC709948A395C11CD990CA0DCC818EE0259C95601526AFF7
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...............,...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ExplorerPatcher\StartDocked.pdb

Download File

Process:	C:\Windows\explorer.exe
File Type:	MSVC program database ver 7.00, 4096*4923 bytes
Category:	dropped
Size (bytes):	19746816
Entropy (8bit):	5.701334182665834
Encrypted:	false
SSDEEP:	49152:B0n570xvYDTvox3Q353w3j3W3y+ZNufjNY6UbY/YILCGg59dIaEx0URA9L6+cxK4:B0nJsc42R0B1
MD5:	09A843EC981FC727FEC1296995717F78
SHA1:	25F74CB1880C73375BE028301FF2D0E1F67DF269
SHA-256:	650265150FE815193313647F8A5C042EEEB51B57F9416060CADC0CF34BFC1082
SHA-512:	95E5FE684C646004419323994173F6B04152A4A082384319F8F6E4DDD517F4C9FF4E8B21BA63C5F6EE6722E4104BFC3ED260943B9486F1073FB6F4FA96400DBD
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...........;....O......:...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb

Download File

Process:	C:\Windows\explorer.exe
File Type:	MSVC program database ver 7.00, 4096*1499 bytes
Category:	dropped
Size (bytes):	6139904
Entropy (8bit):	5.371192355576708
Encrypted:	false
SSDEEP:	49152:rYNFBy5AXoKJyBGF8PLn/gau9oIClD08/zORIW1hvuY+N6ND9QM3UEXHxm0dnDNN:roGYqsZ5RZQ
MD5:	6FBAD49B7063AABD0549B49A477CAAE5
SHA1:	E84776C7AB4D66BDCEB9B6BD91EE15FE23499AAC
SHA-256:	0E6B01BD708F0164329560D14EE390E3B14DB00D0776F41A330157C949DA9EE9
SHA-512:	25AC3A32503177B96559D2C03520A29A0CB9801687036DAF0A955E911546ECF1027B40588210B2E5BC709948A395C11CD990CA0DCC818EE0259C95601526AFF7
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...............,...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb

Download File

Process:	C:\Windows\explorer.exe
File Type:	MSVC program database ver 7.00, 4096*7685 bytes
Category:	dropped
Size (bytes):	31477760
Entropy (8bit):	5.623601438277038
Encrypted:	false
SSDEEP:	49152:FF/1V1oiaOrjDgVTub8O8/1l4Lf/45EFRiUz3Cv+gkHEpctXi7lcOT7uH6qTpLN4:7NV1vnH+1WzqgaftyWnh9RT
MD5:	F6B1F244316498EFB599C57615D0B27A
SHA1:	3463AB821F1083DE718A7330E0E266D51B62978F
SHA-256:	7191526BCEEF78B8ABF7C2A298BA3CCD7893D4D5882F995877059665415D2E60
SHA-512:	60C662E1B2FFA20268E917DCEA94186205726C672D0254C355F015FC033C53BBCBF7DC9C31B0F5C16A1C0B5E1128F88BB87A63B9B3D4F4E473FF282C279F10F5
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg

Download File

Process:	C:\Windows\explorer.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	151729
Entropy (8bit):	7.945756681484684
Encrypted:	false
SSDEEP:	3072:Jv9V0wuYm4qafQx/DHf7klXxenjkZbzSqfSnIKoZntIS:Jv9Qa+7k9GkZbzNSnSZnSS
MD5:	973B719A7B7C62DDFB1D55ED5AF3C2A0
SHA1:	6461F387ADBC02FEFC72A9778155A07CB1880FBC
SHA-256:	61D9CDC2D78B94C6C9893F71107B7B0F3377DFC6D5DC314A0DE17231EB72D87F
SHA-512:	62F1DC4493D5AD3062BD7467738C99535C7DD2D0B6F1516F2C4BCF22F33609BCECB3B6B9CB6FFE1CFBD5402C0C68EAA83A342CEA18E0B4DE3D004CA498DA60D8
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..u.........R..-....--......r.L..QEH.....j....u...QE:..J>..P.E...t....B.:... %..@.!.N......R.(...ih.h..h.)..P;...N.CV.E..QJ.-....E:.....KEH..-..@.E>..j....)OZ......u....m(Z.`..--.a.S..,3...N.......i.i.bQK.....v.6..h..@....6..h..F.@.E..F.@.jmI..o..6.u...h.Q@..N.j.Jku.Q@..%>...m5.......QO...E9.=..q@...A...F.m...b.}.....F...J.a.S.(....~)(....)...QN.j.Jm:...5%I.!.P.(.jJ

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1458176
Entropy (8bit):	6.529653043779224
Encrypted:	false
SSDEEP:	24576:MOWQVo+MVJRgjgfRCZhnNa/a63jGr64rzAiGzJ6eNUVyJppR3:M+a+u34ZJNY3k98zJ7NUgJP
MD5:	0E65A0A661148077BC24602067AC3FF7
SHA1:	3916FA695AC13A61E60EDFD39F2F8504A99FEB62
SHA-256:	3E81CECF171D697DBF08E97CDC0ED60158D6FB405E9897D54890CF20E35EF856
SHA-512:	780AECC25942FC32D5454DBC139CF02D738E474DE2B66E47D1F92F2549E01B4F79A03480A0F16D407AE398B1F2B8F25854997384E59B4B98A8F7BF6400E475BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2A..v .@v .@v .@=X.Ar .@=X.AR .@.X1@? .@=X.Ar .@=X.A} .@v .@f%.@=X_@u .@=X.A; .@=X.Aw .@=X]@w .@=X.Aw .@Richv .@........PE..d...Bf............" .....f...........................................................P....`Q............................................t...4........@.......P...............P..lF......p.......................(.......@.......................`....................text....e.......f.................. ..`.rdata...............j..............@..@.data...P,... ......................@....pdata.......P....... ..............@..@.didat.. ....0......................@....rsrc........@......................@..@.reloc..lF...P...H..................@..B................................................................................................................................................................................................................

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8694272
Entropy (8bit):	6.576367943733818
Encrypted:	false
SSDEEP:	49152:mcvhib+lfmq53jlhFdDRqzVUW+qn47Y1sqjQ7y9GVshaTBLHiNLbEr1zIcmQn9aD:mCjdCQ1zIWx5KDegEgHnrQV
MD5:	20B55D5C6DCE22F8011906281E4E6999
SHA1:	27735EAD648E104D3715DABFCFFF410CDCFC706C
SHA-256:	715B75B289DD2EFC34FB0FFD924FCD38A34FEE9FC5E93A207FCADA7CB38F6508
SHA-512:	87CE3569C9803380F31638C181F5C9D3BD1BBA497D162405EF0D0271ABEF1FC91BADAAEB8D79C30F8EE0F5313BF8DDA161BEC7DE0A57E1F4BF10FCABB3D28DB2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%Du.a%..a%..a%..]..e%..]..D%..]..q%..h].._%..]..j%..a%... ..]..b%..]..j$..]..`%..]..`%..*]..`%..Richa%..........................PE..d...D............" ......^...%......l....................................... ............`Q........................................ {w.p....{w.............. }.\y..............._.. .c.p....................=d.(....c.@.............^......uw......................text.....^.......^................. ..`.rdata........^.......^.............@..@.data...4Q....w..,....w.............@....pdata..\y... }..z....\|.............@..@.didat...............D..............@....rsrc................F..............@..@.reloc..._.......`...J..............@..B................................................................................................................................................................................................

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	716288
Entropy (8bit):	6.218933147794801
Encrypted:	false
SSDEEP:	12288:tAZZrKVjXMzFheHhMwJXOI8mw03edresazpaek4Yc9edrtvL9suuuuuuaW5q77gt:6ZBsjXMzFhySwJXOIpOSsgpapXcqrNO7
MD5:	8BFCA71ADD96D3DE75173D464792E2B9
SHA1:	FE6BC3C30C26D6CE1C149B173B5D79C80102D5B9
SHA-256:	5AAA6BAB20B7116B32BDDBA1DF216F7476557BB48397E1968A49EDE14E6C377D
SHA-512:	B560415727D15CEEB09E5D9E39EA2B4043848BF4239FBF5068AAAC86F64B3D05D4E21EB197416DB0FB4172C68F782C05AEAE18AC70C27F80566040B6BA79159A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........%.^.D...D...D...<...D...<..uD.......D.......D...<4..D....Z..D.......D.......D.......D...<...D...<...D...D...F.......D.......D....X..D...D0..D.......D..Rich.D..................PE..d...m,&g.........." ...).....N......l........................................P............`..........................................U......DZ...........0.......I...........@......`\|..p...............................@...............h............................text............................... ..`.rdata..v...........................@..@.data...H...........................@....pdata...I.......J...d..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	168448
Entropy (8bit):	6.180419967116705
Encrypted:	false
SSDEEP:	3072:dRH0518Qus3amg8D/O6tF+eie3cBHqveM:v0f8Q/xDmoiWcB
MD5:	B80816EE9FCDB1D9076B73FD929FC96B
SHA1:	FF9A5A12DCA164652419F5DEE082AF4A49B8A03B
SHA-256:	D63B9FC13C99000CF77D02EE6E5E84C825D02A92D87B728CB601681B5EB21671
SHA-512:	21CEBCA787A0FA0976B44315BF05B6EB4719306653DDBBFCE41231244219BCD288CD8045980BACF21481DDABCF464C82795147DB755148CC0E23167BBB874FD7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e...e...e...f...e...`. .e...a...e...f...e...a...e...`...e.......e...d...e...d...e...m...e...e...e.......e.....e...g...e.Rich..e.................PE..d...G,&g.........." ...)..................................................................`.................................................>..x........0...p..................T.......p...............................@............ ...............................text...P........................... ..`.rdata...(... ...*..................@..@.data........P.......:..............@....pdata.......p.......F..............@..@.rsrc....0.......2...X..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	716288
Entropy (8bit):	6.218933147794801
Encrypted:	false
SSDEEP:	12288:tAZZrKVjXMzFheHhMwJXOI8mw03edresazpaek4Yc9edrtvL9suuuuuuaW5q77gt:6ZBsjXMzFhySwJXOIpOSsgpapXcqrNO7
MD5:	8BFCA71ADD96D3DE75173D464792E2B9
SHA1:	FE6BC3C30C26D6CE1C149B173B5D79C80102D5B9
SHA-256:	5AAA6BAB20B7116B32BDDBA1DF216F7476557BB48397E1968A49EDE14E6C377D
SHA-512:	B560415727D15CEEB09E5D9E39EA2B4043848BF4239FBF5068AAAC86F64B3D05D4E21EB197416DB0FB4172C68F782C05AEAE18AC70C27F80566040B6BA79159A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........%.^.D...D...D...<...D...<..uD.......D.......D...<4..D....Z..D.......D.......D.......D...<...D...<...D...D...F.......D.......D....X..D...D0..D.......D..Rich.D..................PE..d...m,&g.........." ...).....N......l........................................P............`..........................................U......DZ...........0.......I...........@......`\|..p...............................@...............h............................text............................... ..`.rdata..v...........................@..@.data...H...........................@....pdata...I.......J...d..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................

C:\Windows\dxgi.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	716288
Entropy (8bit):	6.2189942777653355
Encrypted:	false
SSDEEP:	12288:NAZZrKVjXMzFheHhMwJXOI8mw03edresazpaek4Yc9edrtvL9suuuuuuaW5q77gt:aZBsjXMzFhySwJXOIpOSsgpapXcqrNO7
MD5:	047B192A9C703FC5A2C2764DB869FF5C
SHA1:	8C1494ACC3119FBF8332AE3B6A4F854E5B4D37CB
SHA-256:	1971C57F88849B4069BE06D3784E0968755C916FA1564A3F8F05610D3B02CDCC
SHA-512:	C7F80703DB23611D56618A8B1B4FFFF814A9264135E3846DF99120C0FFC16DA9D5B37C6465AC25D61D4F6E386D36B3DE640C57C460098F06778C658CC19454CC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................0...........!..L.!22622.4317.67.1.8bfca71add96d3deS mode....$........%.^.D...D...D...<...D...<..uD.......D.......D...<4..D....Z..D.......D.......D.......D...<...D...<...D...D...F.......D.......D....X..D...D0..D.......D..Rich.D..................PE..d...m,&g.........." ...).....N......l........................................P............`..........................................U......DZ...........0.......I...........@......`\|..p...............................@...............h............................text............................... ..`.rdata..v...........................@..@.data...H...........................@....pdata...I.......J...d..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.989614560554252
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ep_setup.exe
File size:	11'143'168 bytes
MD5:	f164888a6fbc646b093f6af6663f4e63
SHA1:	3c0bb9f9a4ad9b1c521ad9fc30ec03668577c97c
SHA256:	8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67
SHA512:	f1b2173962561d3051ec6b5aa2fc0260809e37e829255d95c8a085f990c18b724daff4372f646d505dabe3cc3013364d4316c2340527c75d140dbc6b5ebdeee1
SSDEEP:	196608:Yobw/inDWIRviYy06kRUEsyiFo2ItCC2bO+WxNtTYnepC5YbM/rN2kGBlSrnU:dw/2Bvc06kiEviXTCIKNtUnqYYA/A
TLSH:	E3B6332A77E505CAF97BC378A4B71586A1AABD072334D93E8660058E8D337F18C38775
File Content Preview:	MZ......................@...............................................!..L.!22622.4317.67.1.8bfca71add96d3deS mode....$........ uO.A...A...A...9...A...9...A.......A.......A.......A.......A...9...A...9...A...9...A...A..NA.......A.......A...A...A.......A.

File Icon


Icon Hash:	2086969696969600

Static PE Info

General

Entrypoint:	0x140008c18
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67262C76 [Sat Nov 2 13:43:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f1499aa854493f33c80eb31e0ab8ae92

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7208DAF7A0h
dec eax
add esp, 28h
jmp 00007F7208DAF3CFh
int3
int3
dec eax
sub esp, 28h
call 00007F7208DAFE38h
test eax, eax
je 00007F7208DAF573h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F7208DAF557h
dec eax
cmp ecx, eax
je 00007F7208DAF566h
xor eax, eax
dec eax
cmpxchg dword ptr [0002E420h], ecx
jne 00007F7208DAF540h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F7208DAF549h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F7208DAF559h
mov byte ptr [0002E409h], 00000001h
call 00007F7208DAFB25h
call 00007F7208DB31B0h
test al, al
jne 00007F7208DAF556h
xor al, al
jmp 00007F7208DAF566h
call 00007F7208DBE98Fh
test al, al
jne 00007F7208DAF55Bh
xor ecx, ecx
call 00007F7208DB31C0h
jmp 00007F7208DAF53Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0002E3D0h], 00000000h
mov ebx, ecx
jne 00007F7208DAF5B9h
cmp ecx, 01h
jnbe 00007F7208DAF5BCh
call 00007F7208DAFDAEh
test eax, eax
je 00007F7208DAF57Ah
test ebx, ebx
jne 00007F7208DAF576h
dec eax
lea ecx, dword ptr [0002E3BAh]
call 00007F7208DBE7AEh
test eax, eax
jne 00007F7208DAF562h
dec eax
lea ecx, dword ptr [0002E3C2h]
call 00007F7208DAF59Eh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34bfc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a000	0xa68508	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x38000	0x1aac	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa3000	0x6a4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x328b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x32770	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x26000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x24f70	0x25000	1f4fc22d148d6d3135755eea43c697e1	False	0.5402172191722973	data	6.471346143888643	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0xfd20	0xfe00	aa96a95a51639aa280d1a0d77a982305	False	0.48357529527559057	data	5.3687460432728695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x1f54	0xc00	70729d2ec4f7f720830ce88e7a8defb2	False	0.138671875	data	1.9570761316523926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x38000	0x1aac	0x1c00	bd20803e644778b5c525e4bcf2d8d029	False	0.46861049107142855	PEX Binary Archive	5.289454763459752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3a000	0xa68508	0xa68600	b66e28f0c9dd840431c3f09702e7e354	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa3000	0x6a4	0x800	5ea92cc594f6f022327f422ccdb67dfd	False	0.51025390625	data	5.001664792945668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0xaa1ed0	0x13e	data	Chinese	Taiwan	0.7327044025157232
RT_STRING	0xa9a140	0x2ae	data	German	Germany	0.43731778425655976
RT_STRING	0xa998c0	0x2a2	data	English	United States	0.4169139465875371
RT_STRING	0xa9abb0	0x2b8	data	French	France	0.43103448275862066
RT_STRING	0xa9b540	0x280	data	Hungarian	Hungary	0.46875
RT_STRING	0xa9c740	0x1b2	data	Japanese	Japan	0.6428571428571429
RT_STRING	0xa9cc98	0x170	data	Korean	North Korea	0.7010869565217391
RT_STRING	0xa9cc98	0x170	data	Korean	South Korea	0.7010869565217391
RT_STRING	0xa9da88	0x294	data	Dutch	Netherlands	0.4393939393939394
RT_STRING	0xa9e3c0	0x2ac	data	Polish	Poland	0.4473684210526316
RT_STRING	0xa9ed48	0x2a2	data	Portuguese	Brazil	0.4287833827893175
RT_STRING	0xa9f590	0x294	data	Romanian	Romania	0.4348484848484849
RT_STRING	0xa9ff20	0x2ac	data	Russian	Russia	0.4780701754385965
RT_STRING	0xaa0800	0x2c4	data	Turkish	Turkey	0.4477401129943503
RT_STRING	0xa9be68	0x292	data	Indonesian	Indonesia	0.4133738601823708
RT_STRING	0xaa11c8	0x2fe	data	Ukrainian	Ukrain	0.4804177545691906
RT_STRING	0xa9d178	0x2c8	data	Lithuanian	Lithuania	0.45365168539325845
RT_STRING	0xaa1b40	0x132	data	Chinese	China	0.7320261437908496
RT_STRING	0xaa2010	0x272	data	Chinese	Taiwan	0.6597444089456869
RT_STRING	0xa9a3f0	0x7bc	data	German	Germany	0.33636363636363636
RT_STRING	0xa99b68	0x5d4	data	English	United States	0.36126005361930297
RT_STRING	0xa9ae68	0x6d2	data	French	France	0.35051546391752575
RT_STRING	0xa9b7c0	0x6a2	data	Hungarian	Hungary	0.37809187279151946
RT_STRING	0xa9c8f8	0x39c	data	Japanese	Japan	0.5703463203463204
RT_STRING	0xa9ce08	0x36c	data	Korean	North Korea	0.5753424657534246
RT_STRING	0xa9ce08	0x36c	data	Korean	South Korea	0.5753424657534246
RT_STRING	0xa9dd20	0x69a	data	Dutch	Netherlands	0.3502958579881657
RT_STRING	0xa9e670	0x6d2	data	Polish	Poland	0.3722794959908362
RT_STRING	0xa9eff0	0x59e	data	Portuguese	Brazil	0.3588317107093185
RT_STRING	0xa9f828	0x6f8	data	Romanian	Romania	0.34697309417040356
RT_STRING	0xaa01d0	0x62e	data	Russian	Russia	0.3950695322376738
RT_STRING	0xaa0ac8	0x700	data	Turkish	Turkey	0.34933035714285715
RT_STRING	0xa9c100	0x63c	data	Indonesian	Indonesia	0.3533834586466165
RT_STRING	0xaa14c8	0x678	data	Ukrainian	Ukrain	0.39492753623188404
RT_STRING	0xa9d440	0x648	data	Lithuanian	Lithuania	0.36691542288557216
RT_STRING	0xaa1c78	0x258	data	Chinese	China	0.66
RT_RCDATA	0x3a7e0	0xa5f0d9	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	0.9992485046386719
RT_VERSION	0x3a460	0x380	data	English	United States	0.4341517857142857
RT_MANIFEST	0xaa2288	0x27e	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5517241379310345

Imports

DLL	Import
KERNEL32.dll	TerminateProcess, RemoveDirectoryW, GetModuleFileNameW, FindClose, K32GetProcessImageFileNameW, GetUserPreferredUILanguages, OpenProcess, MultiByteToWideChar, CreateThread, K32EnumProcesses, GetCurrentDirectoryW, GetProcAddress, GetCurrentProcessId, GetModuleHandleW, FreeLibrary, CopyFileW, CreateSymbolicLinkW, lstrcmpW, MoveFileW, GetProcessTimes, LoadLibraryExW, WriteConsoleW, SetEndOfFile, WriteFile, HeapSize, FlushFileBuffers, GetProcessHeap, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, ReadConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FindNextFileW, SetLastError, FindFirstFileW, GetExitCodeProcess, MapViewOfFile, CreateFileMappingW, LocalFree, GetWindowsDirectoryW, FindResourceW, LoadResource, CloseHandle, DeleteFileW, LockResource, GetLastError, Sleep, CreateEventW, FreeResource, UnmapViewOfFile, GetSystemDirectoryW, CreateFileW, LocalAlloc, WaitForSingleObject, GetCurrentProcess, GetFileSizeEx, SizeofResource, ReadFile, HeapReAlloc, CreateDirectoryW, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetFileType, HeapFree, HeapAlloc, GetStdHandle, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, RaiseException, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwindEx, GetStartupInfoW, IsDebuggerPresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll	ExitWindowsEx, GetWindowThreadProcessId, SetProcessDpiAwarenessContext, SendMessageTimeoutW, MessageBoxW, SendMessageW, LoadStringW, FindWindowW
ADVAPI32.dll	RevertToSelf, EqualSid, RegDeleteKeyW, AllocateAndInitializeSid, RegDeleteKeyValueW, RegCreateKeyExW, CreateProcessWithTokenW, ImpersonateLoggedOnUser, RegDeleteTreeW, RegSetValueExW, FreeSid, CheckTokenMembership, DuplicateTokenEx, RegOpenKeyW, RegQueryValueExW, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, OpenProcessToken, RegOpenKeyExW, RegGetValueW
SHELL32.dll	SHGetFolderPathW, ShellExecuteW, SHFileOperationW, CommandLineToArgvW, ShellExecuteExW
ole32.dll	CoInitialize, CoUninitialize, CoCreateInstance
RstrtMgr.DLL	RmRegisterResources, RmGetList, RmStartSession, RmShutdown
VERSION.dll	VerQueryValueW
SHLWAPI.dll	PathRemoveExtensionW, PathRemoveFileSpecW, PathStripPathW, PathFileExistsW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan
German	Germany
English	United States
French	France
Hungarian	Hungary
Japanese	Japan
Korean	North Korea
Korean	South Korea
Dutch	Netherlands
Polish	Poland
Portuguese	Brazil
Romanian	Romania
Russian	Russia
Turkish	Turkey
Indonesian	Indonesia
Ukrainian	Ukrain
Lithuanian	Lithuania
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T19:31:35.085160+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.24	49789	20.233.83.145	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 19:31:32.538368940 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:32.538407087 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:32.538552999 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:32.539485931 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:32.539505005 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:34.149265051 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:34.149324894 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:34.150454998 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:34.150471926 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:34.152089119 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:34.152153969 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:34.153358936 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:34.153449059 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:34.153512001 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:34.153521061 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:34.153574944 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:34.154747009 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:34.195374966 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.085242987 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.085438013 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.085520029 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.085541964 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.085582018 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.085855961 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.085906982 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.085913897 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.085951090 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.085988045 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.086034060 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.159662962 CET	49789	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.159674883 CET	443	49789	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.160104990 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.160119057 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:35.160183907 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.161041021 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:35.161053896 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:36.783418894 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:36.783899069 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:36.785398960 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:36.785412073 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:36.786578894 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:36.791064978 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:36.792823076 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:36.792923927 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:36.793014050 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:36.798212051 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:37.698949099 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:37.699208975 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:37.699268103 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:37.700860023 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:40.232127905 CET	49790	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:31:40.232166052 CET	443	49790	20.233.83.145	192.168.2.24
Dec 19, 2024 19:31:40.373835087 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:40.373889923 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:40.382414103 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:40.383637905 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:40.383656979 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:41.602294922 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:41.602368116 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:41.603523016 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:41.603544950 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:41.605078936 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:41.605093002 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:41.605144024 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:44.330612898 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:44.330826998 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:44.333215952 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:44.333230019 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:44.338532925 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:52.049823046 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:52.091358900 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:52.399723053 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:52.400599957 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:52.400698900 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:52.401547909 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:52.409972906 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:52.410072088 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:52.416393995 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:52.416471958 CET	443	49795	185.199.110.133	192.168.2.24
Dec 19, 2024 19:31:52.416636944 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:31:52.416935921 CET	49795	443	192.168.2.24	185.199.110.133
Dec 19, 2024 19:33:36.004601955 CET	49822	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:33:36.004663944 CET	443	49822	20.233.83.145	192.168.2.24
Dec 19, 2024 19:33:36.004733086 CET	49822	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:33:36.007407904 CET	49822	443	192.168.2.24	20.233.83.145
Dec 19, 2024 19:33:36.007436991 CET	443	49822	20.233.83.145	192.168.2.24

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 19:31:07.952917099 CET	62398	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:31:08.089551926 CET	53	62398	1.1.1.1	192.168.2.24
Dec 19, 2024 19:31:08.967894077 CET	62398	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:31:14.788727045 CET	62398	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:31:15.765856981 CET	54001	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:31:32.400322914 CET	54001	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:31:32.537748098 CET	53	54001	1.1.1.1	192.168.2.24
Dec 19, 2024 19:31:40.234369993 CET	54001	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:31:40.371951103 CET	53	54001	1.1.1.1	192.168.2.24
Dec 19, 2024 19:31:55.475090027 CET	54001	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:32:01.504827023 CET	54001	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:32:01.653183937 CET	53	54001	1.1.1.1	192.168.2.24
Dec 19, 2024 19:32:03.249938011 CET	54001	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:33:35.846441984 CET	54001	53	192.168.2.24	1.1.1.1
Dec 19, 2024 19:33:35.984091997 CET	53	54001	1.1.1.1	192.168.2.24

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 19:31:07.952917099 CET	192.168.2.24	1.1.1.1	0x1da3	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:08.967894077 CET	192.168.2.24	1.1.1.1	0x72b9	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:14.788727045 CET	192.168.2.24	1.1.1.1	0x8c71	Standard query (0)	cxcs.microsoft.net	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:15.765856981 CET	192.168.2.24	1.1.1.1	0x561f	Standard query (0)	tse1.mm.bing.net	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:32.400322914 CET	192.168.2.24	1.1.1.1	0xc17b	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:40.234369993 CET	192.168.2.24	1.1.1.1	0x29ce	Standard query (0)	objects.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:55.475090027 CET	192.168.2.24	1.1.1.1	0x19ec	Standard query (0)	res.public.onecdn.static.microsoft	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:32:01.504827023 CET	192.168.2.24	1.1.1.1	0x5a94	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:32:03.249938011 CET	192.168.2.24	1.1.1.1	0x1914	Standard query (0)	x1.c.lencr.org	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:33:35.846441984 CET	192.168.2.24	1.1.1.1	0xb292	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 19:31:08.089551926 CET	1.1.1.1	192.168.2.24	0x1da3	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:08.089551926 CET	1.1.1.1	192.168.2.24	0x1da3	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:09.105376959 CET	1.1.1.1	192.168.2.24	0x72b9	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 19:31:09.105376959 CET	1.1.1.1	192.168.2.24	0x72b9	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 19:31:14.926197052 CET	1.1.1.1	192.168.2.24	0x8c71	No error (0)	cxcs.microsoft.net	cxcs.microsoft.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 19:31:15.951864004 CET	1.1.1.1	192.168.2.24	0x561f	No error (0)	tse1.mm.bing.net	mm-mm.bing.net.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 19:31:15.951864004 CET	1.1.1.1	192.168.2.24	0x561f	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:15.951864004 CET	1.1.1.1	192.168.2.24	0x561f	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:32.537748098 CET	1.1.1.1	192.168.2.24	0xc17b	No error (0)	github.com		20.233.83.145	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:40.371951103 CET	1.1.1.1	192.168.2.24	0x29ce	No error (0)	objects.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:40.371951103 CET	1.1.1.1	192.168.2.24	0x29ce	No error (0)	objects.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:40.371951103 CET	1.1.1.1	192.168.2.24	0x29ce	No error (0)	objects.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:40.371951103 CET	1.1.1.1	192.168.2.24	0x29ce	No error (0)	objects.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:31:55.707034111 CET	1.1.1.1	192.168.2.24	0x19ec	No error (0)	res.public.onecdn.static.microsoft	res-ocdi-public.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 19:31:55.707034111 CET	1.1.1.1	192.168.2.24	0x19ec	No error (0)	res-1.public.onecdn.static.microsoft	res-1.public.onecdn.static.microsoft.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 19:32:01.653183937 CET	1.1.1.1	192.168.2.24	0x5a94	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 19:32:01.653183937 CET	1.1.1.1	192.168.2.24	0x5a94	No error (0)	pki-goog.l.google.com		172.217.17.67	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:32:03.387236118 CET	1.1.1.1	192.168.2.24	0x1914	No error (0)	x1.c.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 19:32:04.911567926 CET	1.1.1.1	192.168.2.24	0x954a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:32:04.911567926 CET	1.1.1.1	192.168.2.24	0x954a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 19:33:35.984091997 CET	1.1.1.1	192.168.2.24	0xb292	No error (0)	github.com		20.233.83.145	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

objects.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.24	49789	20.233.83.145	443	9004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 18:31:34 UTC	126	OUT	GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1 User-Agent: ExplorerPatcher Host: github.com
2024-12-19 18:31:35 UTC	547	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Thu, 19 Dec 2024 18:31:34 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://github.com/valinet/ExplorerPatcher/releases/download/22621.4317.67.1_b93337a/ep_setup.exe Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-12-19 18:31:35 UTC	3283	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
2024-12-19 18:31:35 UTC	782	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 67 68 5f 73 65 73 73 3d 56 6d 66 71 6f 31 64 49 77 36 64 44 37 4d 51 59 38 65 48 25 32 46 35 56 43 76 66 71 7a 6f 37 25 32 42 42 33 25 32 46 6f 69 77 34 53 75 25 32 46 77 72 4e 6f 6c 61 49 38 36 54 50 44 4f 31 25 32 46 62 33 71 55 6e 47 47 49 69 56 32 6c 41 52 4f 4b 38 51 38 69 51 4e 41 50 52 77 74 41 79 55 77 39 4b 37 54 75 74 37 43 76 49 52 5a 54 78 66 53 65 4c 76 36 63 35 44 62 56 4b 65 25 32 46 33 58 69 57 6b 69 30 51 53 31 4e 48 73 32 43 75 6e 34 78 6d 41 4e 62 51 70 50 57 25 32 46 4d 66 4d 34 43 47 59 4e 68 4e 49 25 32 42 47 46 31 52 73 69 6d 62 48 4c 75 4b 68 39 30 66 4a 65 53 41 4e 75 75 62 53 45 54 69 6f 52 31 63 50 66 72 67 41 72 5a 36 25 32 42 36 7a 55 58 6b 66 66 6b 58 47 79 35 51 71 6d 35 79 77 49 73 61 Data Ascii: Set-Cookie: _gh_sess=Vmfqo1dIw6dD7MQY8eH%2F5VCvfqzo7%2BB3%2Foiw4Su%2FwrNolaI86TPDO1%2Fb3qUnGGIiV2lAROK8Q8iQNAPRwtAyUw9K7Tut7CvIRZTxfSeLv6c5DbVKe%2F3XiWki0QS1NHs2Cun4xmANbQpPW%2FMfM4CGYNhNI%2BGF1RsimbHLuKh90fJeSANuubSETioR1cPfrgArZ6%2B6zUXkffkXGy5Qqm5ywIsa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.24	49790	20.233.83.145	443	9004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 18:31:36 UTC	167	OUT	GET /valinet/ExplorerPatcher/releases/download/22621.4317.67.1_b93337a/ep_setup.exe HTTP/1.1 User-Agent: ExplorerPatcher Host: github.com Connection: Keep-Alive
2024-12-19 18:31:37 UTC	959	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Thu, 19 Dec 2024 18:31:37 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/5e5bb508-cbdc-44fb-9830-5b535df6ab52?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241219T183137Z&X-Amz-Expires=300&X-Amz-Signature=4d931bfe0e120653753e28b648e701fc63ba39cdd52171ce1869c497ee2b4b17&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-12-19 18:31:37 UTC	3380	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.24	49795	185.199.110.133	443	9004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 18:31:52 UTC	579	OUT	GET /github-production-release-asset-2e65be/394318710/5e5bb508-cbdc-44fb-9830-5b535df6ab52?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241219T183137Z&X-Amz-Expires=300&X-Amz-Signature=4d931bfe0e120653753e28b648e701fc63ba39cdd52171ce1869c497ee2b4b17&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: ExplorerPatcher Connection: Keep-Alive Host: objects.githubusercontent.com
2024-12-19 18:31:52 UTC	798	IN	HTTP/1.1 200 OK Connection: close Content-Length: 11143168 Content-Type: application/octet-stream Last-Modified: Sat, 02 Nov 2024 13:44:53 GMT ETag: "0x8DCFB44880C75E8" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: 8f07ddc9-a01e-000c-442d-2d765d000000 x-ms-version: 2024-08-04 x-ms-creation-time: Sat, 02 Nov 2024 13:44:53 GMT x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=ep_setup.exe x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Date: Thu, 19 Dec 2024 18:31:52 GMT Age: 5712 X-Served-By: cache-iad-kiad7000060-IAD, cache-ewr-kewr1740043-EWR X-Cache: HIT, HIT X-Cache-Hits: 38, 1 X-Timer: S1734633112.209044,VS0,VE1
2024-12-19 18:31:52 UTC	1378	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 32 32 36 32 32 2e 34 33 31 37 2e 36 37 2e 31 2e 38 62 66 63 61 37 31 61 64 64 39 36 64 33 64 65 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 20 75 4f 83 41 1b 1c 83 41 1b 1c 83 41 1b 1c c8 39 18 1d 86 41 1b 1c c8 39 1e 1d 14 41 1b 1c c8 c4 1f 1d 85 41 1b 1c 93 c5 18 1d 8a 41 1b 1c 93 c5 1f 1d 93 41 1b 1c 93 c5 1e 1d ab 41 1b 1c c8 39 1f 1d 8c 41 1b 1c c8 39 1d 1d 82 41 1b 1c c8 39 1a 1d 96 41 1b 1c 83 41 1a 1c 4e 41 1b 1c c8 c4 13 1d 87 41 1b 1c c8 c4 e4 1c 82 41 1b 1c 83 41 8c 1c 91 41 1b 1c c8 c4 19 1d 82 41 1b Data Ascii: MZ@!L!22622.4317.67.1.8bfca71add96d3deS mode.$ uOAAA9A9AAAAA9A9A9AANAAAAAA
2024-12-19 18:31:52 UTC	1378	IN	Data Raw: 20 ba 26 00 00 00 33 c9 ff 15 c8 52 02 00 4c 8d 05 a9 f7 02 00 ba 04 01 00 00 48 8d 8d e0 01 00 00 e8 24 3f 01 00 4c 8d 05 b9 f7 02 00 ba 04 01 00 00 48 8d 8d e0 01 00 00 e8 0c 3f 01 00 ba 04 01 00 00 48 8d 8d 00 06 00 00 ff 15 96 50 02 00 4c 8d 05 a7 f7 02 00 ba 04 01 00 00 48 8d 8d 00 06 00 00 e8 e2 3e 01 00 ba 04 01 00 00 48 8d 8d 10 08 00 00 ff 15 c4 50 02 00 4c 8d 05 95 f7 02 00 ba 04 01 00 00 48 8d 8d 10 08 00 00 e8 b8 3e 01 00 48 8d 0d 9d f7 02 00 83 fb 03 48 8d 05 a3 f7 02 00 ba 28 0a 00 00 48 0f 44 c1 4c 8d 4d d0 48 89 44 24 40 4c 8d 05 72 f8 02 00 48 8d 45 d0 48 89 44 24 38 48 8d 8d 20 0a 00 00 48 8d 45 d0 48 89 44 24 30 48 8d 05 82 f7 02 00 48 89 44 24 28 48 8d 85 e0 01 00 00 48 89 44 24 20 e8 1c fe ff ff 48 8d 45 d0 ba 28 0a 00 00 4c 8d 4d d0 Data Ascii: &3RLH$?LH?HPLH>HPLH>HH(HDLMHD$@LrHEHD$8H HEHD$0HHD$(HHD$ HE(LM
2024-12-19 18:31:52 UTC	1378	IN	Data Raw: 8b 0d aa 53 03 00 48 8d 44 24 54 4c 8d 4c 24 70 48 89 44 24 20 4c 8d 44 24 50 c7 44 24 50 10 00 00 00 48 8d 54 24 58 ff 15 27 4d 02 00 83 7c 24 54 00 75 14 8b 0d 76 53 03 00 45 33 c0 ba 01 00 00 00 ff 15 1c 4d 02 00 33 c0 48 8b 8c 24 30 2a 00 00 48 33 cc e8 e2 6f 00 00 48 81 c4 48 2a 00 00 c3 cc cc cc cc cc cc cc cc cc cc 40 55 56 57 41 56 41 57 48 8d ac 24 40 fa ff ff 48 81 ec c0 06 00 00 48 8b 05 b2 48 03 00 48 33 c4 48 89 85 b0 05 00 00 4d 8b f0 48 8b f2 8b f9 33 d2 41 b8 04 01 00 00 48 8d 8d a0 03 00 00 e8 ac 38 02 00 33 d2 48 8d 8d 90 01 00 00 41 b8 04 01 00 00 e8 98 38 02 00 ba 04 01 00 00 48 8d 8d 90 01 00 00 ff 15 06 4b 02 00 4c 8d 05 b7 f8 02 00 ba 04 01 00 00 48 8d 8d 90 01 00 00 e8 fa 38 01 00 45 33 ff 85 ff 74 7f 33 d2 48 8d 8d 90 01 00 00 41 Data Ascii: SHD$TLL$pHD$ LD$PD$PHT$X'M\|$TuvSE3M3H$0H3oHH@UVWAVAWH$@HHHH3HMH3AH83HA8HKLH8E3t3HA
2024-12-19 18:31:52 UTC	1378	IN	Data Raw: 41 b9 01 00 00 00 48 89 44 24 20 45 33 c0 ff 15 0e 44 02 00 8b d8 85 c0 0f 85 b6 02 00 00 48 8b 4d cf 48 8d 45 df c7 44 24 28 04 00 00 00 48 8d 15 dd f5 02 00 41 b9 04 00 00 00 48 89 44 24 20 45 33 c0 c7 45 df 01 00 00 00 ff 15 d2 43 02 00 8b d8 85 c0 0f 85 7a 02 00 00 48 8b 4d cf 48 8d 45 df c7 44 24 28 04 00 00 00 48 8d 15 b9 f5 02 00 41 b9 04 00 00 00 48 89 44 24 20 45 33 c0 c7 45 df 01 00 00 00 ff 15 96 43 02 00 8b d8 85 c0 0f 85 3e 02 00 00 49 8d 4d 02 ff 15 aa 47 02 00 4c 8d 05 9b f5 02 00 ba 02 01 00 00 49 8d 4d 02 e8 d1 33 01 00 33 d2 49 8d 4d 02 41 b8 02 00 00 00 ff 15 6b 44 02 00 48 89 45 c7 48 8b f8 48 85 c0 0f 84 a2 01 00 00 48 89 b4 24 f0 00 00 00 ba 01 00 00 00 41 b8 10 00 00 00 4c 89 b4 24 08 01 00 00 48 8b c8 ff 15 2f 45 02 00 48 8b d0 48 Data Ascii: AHD$ E3DHMHED$(HAHD$ E3ECzHMHED$(HAHD$ E3EC>IMGLIM33IMAkDHEHHH$AL$H/EHH
2024-12-19 18:31:52 UTC	1378	IN	Data Raw: 00 4c 89 b4 24 b0 00 00 00 e8 5a 3f 00 00 e9 2b ff ff ff cc cc cc cc cc 40 53 48 81 ec 80 02 00 00 48 8b 05 50 3e 03 00 48 33 c4 48 89 84 24 70 02 00 00 48 8b d9 48 8d 44 24 60 33 c9 48 89 44 24 20 45 33 c9 45 33 c0 ba 1a 00 00 00 ff 15 5d 42 02 00 4c 8d 05 4e f1 02 00 ba 04 01 00 00 48 8d 4c 24 60 e8 bb 2e 01 00 33 d2 48 8d 4c 24 60 ff 15 ea 40 02 00 4c 8d 05 bb e6 02 00 ba 04 01 00 00 48 8d 4c 24 60 e8 98 2e 01 00 ff 15 fe 3e 02 00 41 b9 0a 00 00 00 48 8d 54 24 30 45 8b c1 8b c8 e8 c1 3e 01 00 4c 8d 44 24 30 ba 04 01 00 00 48 8d 4c 24 60 e8 69 2e 01 00 4c 8d 05 1a f1 02 00 ba 04 01 00 00 48 8d 4c 24 60 e8 53 2e 01 00 8b 0d 11 48 03 00 48 8d 54 24 48 41 b9 0a 00 00 00 45 8b c1 8d 41 01 89 05 fa 47 03 00 e8 75 3e 01 00 4c 8d 44 24 48 ba 04 01 00 00 48 8d Data Ascii: L$Z?+@SHHP>H3H$pHHD$`3HD$ E3E3]BLNHL$`.3HL$`@LHL$`.>AHT$0E>LD$0HL$`i.LHL$`S.HHT$HAEAGu>LD$HH
2024-12-19 18:31:52 UTC	1378	IN	Data Raw: 85 db 74 32 48 8b d3 49 8b c8 e8 47 53 00 00 85 c0 74 10 33 ff 83 f8 9c 40 0f 94 c7 8b c7 e9 ab 00 00 00 48 8b ce e8 7b 5a 00 00 85 c0 74 07 33 c0 e9 98 00 00 00 4d 8b c6 48 8d 4c 24 30 ba 04 01 00 00 e8 de 39 01 00 4c 8d 05 87 e1 02 00 ba 04 01 00 00 48 8d 4c 24 30 e8 64 29 01 00 4d 8b c7 48 8d 4c 24 30 ba 04 01 00 00 e8 52 29 01 00 4c 8d 4c 24 30 4c 8b c6 48 8b d5 8b cf e8 64 fb ff ff 8b e8 85 ff 74 44 48 85 f6 74 3f 48 85 db 74 3a 48 8b 9e 10 01 00 00 48 85 db 74 2e 48 8b 0b e8 88 32 01 00 33 ff 83 7b 68 08 48 89 3b 75 09 48 8d 4b 08 e8 2c 86 00 00 48 8b cb 89 7b 68 e8 69 32 01 00 48 89 be 10 01 00 00 8b c5 48 8b 8c 24 40 02 00 00 48 33 cc e8 38 5f 00 00 48 8b 9c 24 80 02 00 00 48 81 c4 50 02 00 00 41 5f 41 5e 5f 5e 5d c3 cc 48 89 5c 24 20 57 48 81 ec Data Ascii: t2HIGSt3@H{Zt3MHL$09LHL$0d)MHL$0R)LL$0LHdtDHt?Ht:HHt.H23{hH;uHK,H{hi2HH$@H38_H$HPA_A^_^]H\$ WH

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.24	49822	20.233.83.145	443

Timestamp	Bytes transferred	Direction	Data
2024-12-19 18:33:37 UTC	126	OUT	GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1 User-Agent: ExplorerPatcher Host: github.com

Target ID:	0
Start time:	13:31:16
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\ep_setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ep_setup.exe"
Imagebase:	0x7ff784120000
File size:	11'143'168 bytes
MD5 hash:	F164888A6FBC646B093F6AF6663F4E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:31:17
Start date:	19/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Imagebase:	0x7ff726fc0000
File size:	114'688 bytes
MD5 hash:	050ED22BB515A81ED6FC73D042CE5DB4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:31:17
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6038b0000
File size:	1'040'384 bytes
MD5 hash:	9698384842DA735D80D278A427A229AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:31:18
Start date:	19/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Imagebase:	0x7ff719cb0000
File size:	98'304 bytes
MD5 hash:	FF2A4319FA5531F0D7B98DBBA9ABBD4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:31:18
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6038b0000
File size:	1'040'384 bytes
MD5 hash:	9698384842DA735D80D278A427A229AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:31:20
Start date:	19/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Imagebase:	0x7ff719cb0000
File size:	98'304 bytes
MD5 hash:	FF2A4319FA5531F0D7B98DBBA9ABBD4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:31:21
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6038b0000
File size:	1'040'384 bytes
MD5 hash:	9698384842DA735D80D278A427A229AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:31:21
Start date:	19/12/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Imagebase:	0x7ff6564e0000
File size:	45'056 bytes
MD5 hash:	AF0CDEF5F6ECB9B8EBEF4E480EBAAA5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:31:21
Start date:	19/12/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Imagebase:	0x7ff6564e0000
File size:	45'056 bytes
MD5 hash:	AF0CDEF5F6ECB9B8EBEF4E480EBAAA5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:31:22
Start date:	19/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe"
Imagebase:	0x7ff63b640000
File size:	5'583'864 bytes
MD5 hash:	E2D1F700066D39814081317462A0FD74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:31:23
Start date:	19/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe" /NoUACCheck
Imagebase:	0x7ff63b640000
File size:	5'583'864 bytes
MD5 hash:	E2D1F700066D39814081317462A0FD74
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	13:31:29
Start date:	19/12/2024
Path:	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe" -RegisterProcessAsComServer -ServerName:Microsoft.Windows.WidgetBoardServer
Imagebase:	0x7ff7ca420000
File size:	60'336 bytes
MD5 hash:	FE1C0C15EF5C6C2B0A1508BF23EAD6CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF784128E6C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF784128E98
GetCurrentThreadId.KERNEL32 ref: 00007FF784128EA6
GetCurrentProcessId.KERNEL32 ref: 00007FF784128EB2
QueryPerformanceCounter.KERNEL32 ref: 00007FF784128EC2

Memory Dump Source

Source File: 00000000.00000002.11849255929.00007FF784121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF784120000, based on PE: true

Associated: 00000000.00000002.11849232653.00007FF784120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11849290024.00007FF784146000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11849317316.00007FF784156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11849341559.00007FF784158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.11849341559.00007FF784B58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff784120000_ep_setup.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 68e3125686cfe63efa0959c9405ff9fad71e5682ea60b199cc3bad7d618fc792
Instruction ID: d211ad03608b919e92fd257bbeca52da5e4900dcb5586334150cacc4f33e6f4a
Opcode Fuzzy Hash: 68e3125686cfe63efa0959c9405ff9fad71e5682ea60b199cc3bad7d618fc792
Instruction Fuzzy Hash: CF114F22F14B0189EB00DF65E8942B977A4F719758F840A31DA6D82754EF7CD155C390

Analysis Process: explorer.exePID: 8820, Parent PID: 8360COMMON

Executed Functions

Function 00007FFD6D9CD980 Relevance: 358.4, APIs: 83, Strings: 121, Instructions: 1429libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FFD6D9CD9C5

Part of subcall function 00007FFD6DA07CA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07CCE

CreateEventW.KERNEL32 ref: 00007FFD6D9CDA26
CreateEventW.KERNEL32 ref: 00007FFD6D9CDA3D
CreateEventW.KERNEL32 ref: 00007FFD6D9CDA8C
CreateThread.KERNEL32 ref: 00007FFD6D9CDE47
CloseHandle.KERNEL32 ref: 00007FFD6D9CDE5F
SHGetFolderPathW.SHELL32 ref: 00007FFD6D9CDF53
PathFileExistsW.SHLWAPI ref: 00007FFD6D9CDF78
CreateDirectoryW.KERNEL32 ref: 00007FFD6D9CDF8B
CreateMutexExW.KERNEL32 ref: 00007FFD6D9CE07A
CreateEventW.KERNEL32 ref: 00007FFD6D9CE08A
CreateEventW.KERNEL32 ref: 00007FFD6D9CE0A1
CreateThread.KERNEL32 ref: 00007FFD6D9CE0C6
CreateThread.KERNEL32 ref: 00007FFD6D9CE161
LoadLibraryW.KERNEL32 ref: 00007FFD6D9CE16E
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE181
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE198
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE1A8
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE1B8
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9CE217
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CE220
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CE237
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9CE2B5
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE2C3
IsOS.SHLWAPI ref: 00007FFD6D9CE403
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CE505
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CE51C
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CE60B
LoadLibraryW.KERNEL32 ref: 00007FFD6D9CE864
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE872
FreeLibraryAndExitThread.KERNEL32 ref: 00007FFD6D9CE8C0
FreeLibraryAndExitThread.KERNEL32 ref: 00007FFD6D9CE8FC
LoadLibraryW.KERNEL32 ref: 00007FFD6D9CE90A
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE91B
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE929
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE937
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE945
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE95A
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE96F
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE984
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE999
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE9A7
GetProcAddress.KERNEL32 ref: 00007FFD6D9CE9B5
LoadLibraryW.KERNEL32 ref: 00007FFD6D9CEAAC
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CEB80
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CEC06
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CECFE
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CED40
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9CED6B
GetProcAddress.KERNEL32 ref: 00007FFD6D9CED89
SHELL32_Create_IEnumUICommand.SHELL32 ref: 00007FFD6D9CEDC5
VirtualProtect.KERNEL32 ref: 00007FFD6D9CEE49
VirtualProtect.KERNEL32 ref: 00007FFD6D9CEE88
VirtualProtect.KERNEL32 ref: 00007FFD6D9CEEF2
VirtualProtect.KERNEL32 ref: 00007FFD6D9CEF24
LoadLibraryW.KERNEL32 ref: 00007FFD6D9CF01C
GetProcAddress.KERNEL32 ref: 00007FFD6D9CF033
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CF0A0
GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9CF0C9
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CF0DB
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CF0F4
VirtualProtect.KERNEL32 ref: 00007FFD6D9CF13B
VirtualProtect.KERNEL32 ref: 00007FFD6D9CF15F
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CF1A3
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CF1BA
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CF215
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CF22A
GetProcAddress.KERNEL32 ref: 00007FFD6D9CF23F
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CF275
IsOS.SHLWAPI ref: 00007FFD6D9CF288
FreeLibraryAndExitThread.KERNEL32 ref: 00007FFD6D9CF2F2
GetProcAddress.KERNEL32 ref: 00007FFD6D9CEEA7

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

CreateThread.KERNEL32 ref: 00007FFD6D9CF354
CreateThread.KERNEL32 ref: 00007FFD6D9CF372
CreateThread.KERNEL32 ref: 00007FFD6D9CF39C

Part of subcall function 00007FFD6D9BD290: GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD2C6
Part of subcall function 00007FFD6D9BD290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6D9BD2F9
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD32F

Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD3B9
Part of subcall function 00007FFD6D9BD290: VirtualQuery.KERNEL32 ref: 00007FFD6D9BD3F8
Part of subcall function 00007FFD6D9BD290: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD413
Part of subcall function 00007FFD6D9BD290: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD43B
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD446

CreateThread.KERNEL32 ref: 00007FFD6D9CF422
CreateThread.KERNEL32 ref: 00007FFD6D9CF443
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9CF455
FindFirstFileW.KERNEL32 ref: 00007FFD6D9CF486
FindClose.KERNEL32 ref: 00007FFD6D9CF495
LoadLibraryW.KERNEL32 ref: 00007FFD6D9CF4A2
GetProcAddress.KERNEL32 ref: 00007FFD6D9CF4C9
GetLastError.KERNEL32 ref: 00007FFD6D9CF4F3

Strings

shell32.dll, xrefs: 00007FFD6D9CED64
CloseThemeData, xrefs: 00007FFD6D9CE5A5
USER32.DLL, xrefs: 00007FFD6D9CE700
DrawThemeTextEx, xrefs: 00007FFD6D9CE63E
Installed hooks., xrefs: 00007FFD6D9CF2F9
TrackPopupMenuEx, xrefs: 00007FFD6D9CE4E8, 00007FFD6D9CEA8F, 00007FFD6D9CEC94, 00007FFD6D9CECB8, 00007FFD6D9CED0B, 00007FFD6D9CF186
LoadLibraryExW, xrefs: 00007FFD6D9CEB0A, 00007FFD6D9CEB57
user32.dll, xrefs: 00007FFD6D9CE2EA, 00007FFD6D9CE3D2, 00007FFD6D9CE47C, 00007FFD6D9CE499, 00007FFD6D9CE4EF, 00007FFD6D9CE69C, 00007FFD6D9CE74F, 00007FFD6D9CEA22, 00007FFD6D9CEA3F, 00007FFD6D9CEA5C, 00007FFD6D9CEA79, 00007FFD6D9CEA96, 00007FFD6D9CEBBE, 00007FFD6D9CEBE4, 00007FFD6D9CEC72, 00007FFD6D9CEC9B, 00007FFD6D9CECBF, 00007FFD6D9CED12, 00007FFD6D9CEFA7, 00007FFD6D9CEFF6, 00007FFD6D9CF18D, 00007FFD6D9CF3C3
LoadMenuW, xrefs: 00007FFD6D9CE3CB, 00007FFD6D9CEA38
SendMessageW, xrefs: 00007FFD6D9CE300, 00007FFD6D9CEA55
xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx, xrefs: 00007FFD6D9CE52A, 00007FFD6D9CF1C8
shcore.dll, xrefs: 00007FFD6D9CE85D
API-MS-WIN-NTUSER-RECTANGLE-L1-1-0.DLL, xrefs: 00007FFD6D9CE6E3
SHELL32_CanDisplayWin8CopyDialog, xrefs: 00007FFD6D9CF025, 00007FFD6D9CF04C
DrawThemeBackground, xrefs: 00007FFD6D9CE588
[TB] Unsupported build, xrefs: 00007FFD6D9CE282
RegSetValueExW, xrefs: 00007FFD6D9CE374, 00007FFD6D9CEF7F
[Extra] Found library: %p., xrefs: 00007FFD6D9CF4B3
Loaded symbols, xrefs: 00007FFD6D9CE10B
slc.dll, xrefs: 00007FFD6D9CF223
RegCreateKeyExW, xrefs: 00007FFD6D9CE391, 00007FFD6D9CEF5E
SOFTWARE\Microsoft\Windows\CurrentVersion\Search, xrefs: 00007FFD6D9CDC79
stobject.dll, xrefs: 00007FFD6D9CEBFF
combase.dll, xrefs: 00007FFD6D9CEAA5
SetWindowBand, xrefs: 00007FFD6D9CE19E
Setup user32 functions done, xrefs: 00007FFD6D9CE209
Attempting to download symbol data; for now, the program may have limited functionality., xrefs: 00007FFD6D9CE122
Setup uxtheme functions done, xrefs: 00007FFD6D9CE9E7
ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll, xrefs: 00007FFD6D9CE307, 00007FFD6D9CE45F, 00007FFD6D9CF515
[Extra] Finished running entry point., xrefs: 00007FFD6D9CF4E5
SLGetWindowsInformationDWORD, xrefs: 00007FFD6D9CF235, 00007FFD6D9CF258
Setup peopleband functions done, xrefs: 00007FFD6D9CF2CB
InputSwitch.dll, xrefs: 00007FFD6D9CF099, 00007FFD6D9CF0C0
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage, xrefs: 00007FFD6D9CDB2E
GetSystemMetrics, xrefs: 00007FFD6D9CE5E9, 00007FFD6D9CEFEF
[Extra] Running entry point..., xrefs: 00007FFD6D9CF4D7
RegOpenKeyExW, xrefs: 00007FFD6D9CE4AF
SHGetValueW, xrefs: 00007FFD6D9CE3AE
Open Start on monitor thread, xrefs: 00007FFD6D9CF378
Setup inputswitch functions done, xrefs: 00007FFD6D9CF202
uxtheme.dll, xrefs: 00007FFD6D9CE572, 00007FFD6D9CE58F, 00007FFD6D9CE5AC, 00007FFD6D9CE645, 00007FFD6D9CE662, 00007FFD6D9CE67F, 00007FFD6D9CE9D8
StartTileData.dll, xrefs: 00007FFD6D9CE604
NtUserFindWindowEx, xrefs: 00007FFD6D9CE1F3
Setup stobject functions done, xrefs: 00007FFD6D9CECEB
[Extra] LoadLibraryW failed with 0x%x., xrefs: 00007FFD6D9CF4FB
RoGetActivationFactory, xrefs: 00007FFD6D9CE618
CascadeWindows, xrefs: 00007FFD6D9CE492
TrackPopupMenu, xrefs: 00007FFD6D9CEBB7, 00007FFD6D9CEC6B
uxtheme.dll, xrefs: 00007FFD6D9CE903
TileWindows, xrefs: 00007FFD6D9CE475
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People, xrefs: 00007FFD6D9CDCC1
api-ms-win-shcore-sysinfo-l1-1-0.dll, xrefs: 00007FFD6D9CE41B
IsOS, xrefs: 00007FFD6D9CE414
ext-ms-win-shell-exports-internal-l1-1-0.dll, xrefs: 00007FFD6D9CF053
api-ms-win-core-largeinteger-l1-1-0.dll, xrefs: 00007FFD6D9CF2BC
Global\EP_Weather_Killswitch_{A6EA9C2D-4982-4827-9204-0AC532959F6D}, xrefs: 00007FFD6D9CE034
ITrayUIHost = %llX, xrefs: 00007FFD6D9CE7F4
\ExplorerPatcher, xrefs: 00007FFD6D9CDF59
OpenThemeDataForDpi, xrefs: 00007FFD6D9CE56B
Software\ExplorerPatcher, xrefs: 00007FFD6D9CDAE6
Setup windows.storage functions done, xrefs: 00007FFD6D9CF062
RegisterHotKey, xrefs: 00007FFD6D9CEBDD, 00007FFD6D9CF3BC
GetThemeMetric, xrefs: 00007FFD6D9CE678
Failed to install hooks. rv = %d, xrefs: 00007FFD6D9CDE99
pnidui.dll, xrefs: 00007FFD6D9CED39
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost, xrefs: 00007FFD6D9CDBDA
CoCreateInstance, xrefs: 00007FFD6D9CE6BF, 00007FFD6D9CEC33
SHCORE.dll, xrefs: 00007FFD6D9CF553
xx??x??xxx????xx, xrefs: 00007FFD6D9CF102
bthprops.cpl, xrefs: 00007FFD6D9CECF7
Running on Windows %d, OS Build %d.%d.%d.%d., xrefs: 00007FFD6D9CDF2E
api-ms-win-core-com-l1-1-0.dll, xrefs: 00007FFD6D9CE6C6, 00007FFD6D9CEC3A
GetWindowBand, xrefs: 00007FFD6D9CE18E
user32.dll, xrefs: 00007FFD6D9CE167, 00007FFD6D9CE2AE
api-ms-win-core-libraryloader-l1-2-0.dll, xrefs: 00007FFD6D9CEB11, 00007FFD6D9CEB5E
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, xrefs: 00007FFD6D9CDD5F, 00007FFD6D9CDDF6
[IME] Context menu patch status: %d, xrefs: 00007FFD6D9CF16A
windows.storage.dll, xrefs: 00007FFD6D9CF015
ep_extra_EntryPoint, xrefs: 00007FFD6D9CF4BF
Software\ExplorerPatcher\sws, xrefs: 00007FFD6D9CDB84
API-MS-WIN-SHCORE-REGISTRY-L1-1-0.DLL, xrefs: 00007FFD6D9CE3B5
SHLWAPI.dll, xrefs: 00007FFD6D9CF29F
SOFTWARE\Microsoft\TabletTip\1.7, xrefs: 00007FFD6D9CDD09
Setup twinui functions done, xrefs: 00007FFD6D9CEBF3
api-ms-win-ntuser-sysparams-l1-1-0.dll, xrefs: 00007FFD6D9CE5F0
Setup combase functions done, xrefs: 00007FFD6D9CEB6D
api-ms-win-core-registry-l1-1-0.dll, xrefs: 00007FFD6D9CEC1D
CreateWindowInBand, xrefs: 00007FFD6D9CE177
Initialized taskbar centering module., xrefs: 00007FFD6D9CF562
ext-ms-win-security-slc-l1-1-0.dll, xrefs: 00007FFD6D9CF25F
win32u.dll, xrefs: 00007FFD6D9CE1FA
API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL, xrefs: 00007FFD6D9CE35E, 00007FFD6D9CE37B, 00007FFD6D9CE398, 00007FFD6D9CE4B6, 00007FFD6D9CEF65, 00007FFD6D9CEF86
explorer.exe!TrayUI_CreateInstance() = %llX, xrefs: 00007FFD6D9CE80F
USER32.dll, xrefs: 00007FFD6D9CF537
GetThemeMargins, xrefs: 00007FFD6D9CE65B
Setup explorer functions done, xrefs: 00007FFD6D9CE87F
ShellExecuteW, xrefs: 00007FFD6D9CE31D
GetClientRect, xrefs: 00007FFD6D9CF50E, 00007FFD6D9CF530
EP Service Window thread, xrefs: 00007FFD6D9CF3A9
twinui.dll, xrefs: 00007FFD6D9CEB79
windowsudk.shellcommon.dll, xrefs: 00007FFD6D9CF20E
RegGetValueW, xrefs: 00007FFD6D9CE357, 00007FFD6D9CEC16
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9CDC2D, 00007FFD6D9CDDB2
Setup shell32 functions done, xrefs: 00007FFD6D9CF009
ShellExecuteExW, xrefs: 00007FFD6D9CE33A
DwmUpdateThumbnailProperties, xrefs: 00007FFD6D9CE722
PeopleBand.dll, xrefs: 00007FFD6D9CF26E
api-ms-win-core-winrt-l1-1-0.dll, xrefs: 00007FFD6D9CE61F
SetRect, xrefs: 00007FFD6D9CE6DC, 00007FFD6D9CEA72
CreateWindowExW, xrefs: 00007FFD6D9CE458
shell32.dll, xrefs: 00007FFD6D9CE324, 00007FFD6D9CE341, 00007FFD6D9CE4D2
DllGetClassObject, xrefs: 00007FFD6D9CEE99
MulDiv, xrefs: 00007FFD6D9CF2B5
\ep_extra.dll, xrefs: 00007FFD6D9CF463
SetWindowCompositionAttribute, xrefs: 00007FFD6D9CE1AE, 00007FFD6D9CE695, 00007FFD6D9CE748
DeleteMenu, xrefs: 00007FFD6D9CE6F9, 00007FFD6D9CEA1B, 00007FFD6D9CEFA0
Setup bthprops functions done, xrefs: 00007FFD6D9CED21
api-ms-win-core-shlwapi-obsolete-l1-1-0.dll, xrefs: 00007FFD6D9CE3EF
dwmapi.dll, xrefs: 00007FFD6D9CE729
xxx????xxx????x????xx, xrefs: 00007FFD6D9CE77D
QISearch, xrefs: 00007FFD6D9CE3E8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AddressProc$Library$CreateLoad$Thread$Module$Virtual$Protect$Handle$Free$Event$CurrentInformationProcess$DirectoryExit$CloseFileFindPathQuery$CommandCreate_CriticalDataEntryEnumErrorExistsFirstFolderImageInitializeL32_LastMutexOpenSectionValueWindows_invalid_parameter_noinfo
String ID: API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL$API-MS-WIN-NTUSER-RECTANGLE-L1-1-0.DLL$API-MS-WIN-SHCORE-REGISTRY-L1-1-0.DLL$Attempting to download symbol data; for now, the program may have limited functionality.$CascadeWindows$CloseThemeData$CoCreateInstance$CreateWindowExW$CreateWindowInBand$DeleteMenu$DllGetClassObject$DrawThemeBackground$DrawThemeTextEx$DwmUpdateThumbnailProperties$EP Service Window thread$Failed to install hooks. rv = %d$GetClientRect$GetSystemMetrics$GetThemeMargins$GetThemeMetric$GetWindowBand$Global\EP_Weather_Killswitch_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$ITrayUIHost = %llX$Initialized taskbar centering module.$InputSwitch.dll$Installed hooks.$IsOS$LoadLibraryExW$LoadMenuW$Loaded symbols$MulDiv$NtUserFindWindowEx$Open Start on monitor thread$OpenThemeDataForDpi$PeopleBand.dll$QISearch$RegCreateKeyExW$RegGetValueW$RegOpenKeyExW$RegSetValueExW$RegisterHotKey$RoGetActivationFactory$Running on Windows %d, OS Build %d.%d.%d.%d.$SHCORE.dll$SHELL32_CanDisplayWin8CopyDialog$SHGetValueW$SHLWAPI.dll$SLGetWindowsInformationDWORD$SOFTWARE\Microsoft\TabletTip\1.7$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$SendMessageW$SetRect$SetWindowBand$SetWindowCompositionAttribute$Setup bthprops functions done$Setup combase functions done$Setup explorer functions done$Setup inputswitch functions done$Setup peopleband functions done$Setup shell32 functions done$Setup stobject functions done$Setup twinui functions done$Setup user32 functions done$Setup uxtheme functions done$Setup windows.storage functions done$ShellExecuteExW$ShellExecuteW$Software\ExplorerPatcher$Software\ExplorerPatcher\sws$StartTileData.dll$TileWindows$TrackPopupMenu$TrackPopupMenuEx$USER32.DLL$USER32.dll$[Extra] Finished running entry point.$[Extra] Found library: %p.$[Extra] LoadLibraryW failed with 0x%x.$[Extra] Running entry point...$[IME] Context menu patch status: %d$[TB] Unsupported build$\ExplorerPatcher$\ep_extra.dll$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-largeinteger-l1-1-0.dll$api-ms-win-core-libraryloader-l1-2-0.dll$api-ms-win-core-registry-l1-1-0.dll$api-ms-win-core-shlwapi-obsolete-l1-1-0.dll$api-ms-win-core-winrt-l1-1-0.dll$api-ms-win-ntuser-sysparams-l1-1-0.dll$api-ms-win-shcore-sysinfo-l1-1-0.dll$bthprops.cpl$combase.dll$dwmapi.dll$ep_extra_EntryPoint$explorer.exe!TrayUI_CreateInstance() = %llX$ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll$ext-ms-win-security-slc-l1-1-0.dll$ext-ms-win-shell-exports-internal-l1-1-0.dll$pnidui.dll$shcore.dll$shell32.dll$shell32.dll$slc.dll$stobject.dll$twinui.dll$user32.dll$user32.dll$uxtheme.dll$uxtheme.dll$win32u.dll$windows.storage.dll$windowsudk.shellcommon.dll$xx??x??xxx????xx$xxx????xxx????x????xx$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
API String ID: 1749953344-3583755957
Opcode ID: 8bc874d0ecac8ae3efb6eb63c99e942062863c4f6a095c5e1a1c3588c0aa0fdc
Instruction ID: a1ded491b39c8a393977ea11edabe2bf53170bf0e339ef2b6ad1a74813c3fe49
Opcode Fuzzy Hash: 8bc874d0ecac8ae3efb6eb63c99e942062863c4f6a095c5e1a1c3588c0aa0fdc
Instruction Fuzzy Hash: 8203FE61B1CE47D2EB14DF21F9602B923A2BFA4748F854136D90E466A5FF3CE689C350

Function 00007FFD6D9C6BA0 Relevance: 354.9, APIs: 115, Strings: 87, Instructions: 1387registrywindowCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C6C14
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9C6C59
RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9C6C8C
RegSetValueExW.KERNEL32 ref: 00007FFD6D9C6DC2
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9C6DF5
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9C6E29
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9C6E5D
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9C6E91
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9C6EDB
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C810D
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9C8152
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C815C
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C8196
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9C81DB
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9C820E
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C8218
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C8252
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C826E
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C82A8
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C82C4
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C82FE
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C831A
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C8354
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C8370
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C83AA
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C83C6
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9C8400
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C841C
SendNotifyMessageW.USER32 ref: 00007FFD6D9C845B
FindWindowW.USER32 ref: 00007FFD6D9C8470
InvalidateRect.USER32 ref: 00007FFD6D9C847E
InvalidateRect.USER32 ref: 00007FFD6D9C8499
RegGetValueW.ADVAPI32 ref: 00007FFD6D9C84F1
RegSetKeyValueW.ADVAPI32 ref: 00007FFD6D9C8542
SHFlushSFCache.SHELL32 ref: 00007FFD6D9C8548
SHChangeNotify.SHELL32 ref: 00007FFD6D9C855B

Strings

PropertiesInWinX, xrefs: 00007FFD6D9C74F6
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost, xrefs: 00007FFD6D9C8282
DisableAeroSnapQuadrants, xrefs: 00007FFD6D9C77A3
ShrinkExplorerAddressBar, xrefs: 00007FFD6D9C6F37
IMEStyle, xrefs: 00007FFD6D9C758F
WeatherLanguage, xrefs: 00007FFD6D9C7C66
HideExplorerSearchBar, xrefs: 00007FFD6D9C6F04
WeatherFixedSize, xrefs: 00007FFD6D9C7D7F
WeatherZoomFactor, xrefs: 00007FFD6D9C805D
WeatherViewMode, xrefs: 00007FFD6D9C7B3F
ClassicThemeMitigations, xrefs: 00007FFD6D9C70E5
OpenPropertiesAtNextStart, xrefs: 00007FFD6D9C6CB7, 00007FFD6D9C6D36, 00007FFD6D9C775B
OpenAtLogon, xrefs: 00007FFD6D9C81EE
OrbStyle, xrefs: 00007FFD6D9C76D7
WeatherIconPack, xrefs: 00007FFD6D9C7F5C
Attributes, xrefs: 00007FFD6D9C84C1, 00007FFD6D9C84FB
DoNotRedirectDateAndTimeToSettingsApp, xrefs: 00007FFD6D9C7809
DisableWinFHotkey, xrefs: 00007FFD6D9C78A2
TaskbarAutohideOnDoubleClick, xrefs: 00007FFD6D9C76A4
MMOldTaskbarAl, xrefs: 00007FFD6D9C6EBA
DisableImmersiveContextMenu, xrefs: 00007FFD6D9C70CB, 00007FFD6D9C7497
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, xrefs: 00007FFD6D9C80E7
WeatherDevMode, xrefs: 00007FFD6D9C7EF5
UpdatePolicy, xrefs: 00007FFD6D9C760B
SOFTWARE\Microsoft\Windows\CurrentVersion\Search, xrefs: 00007FFD6D9C832E
WeatherTemperatureUnit, xrefs: 00007FFD6D9C7AB7
ArchiveMenu, xrefs: 00007FFD6D9C7431
IsUpdatePending, xrefs: 00007FFD6D9C6CEB, 00007FFD6D9C6D61, 00007FFD6D9C763E
WeatherLocation, xrefs: 00007FFD6D9C7BEA
NoPropertiesInContextMenu, xrefs: 00007FFD6D9C7529
Software\ExplorerPatcher\sws, xrefs: 00007FFD6D9C822C
HookStartMenu, xrefs: 00007FFD6D9C74C5
ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9C8469
WeatherContentUpdateMode, xrefs: 00007FFD6D9C7B8C
SOFTWARE\Microsoft\TabletTip\1.7, xrefs: 00007FFD6D9C83DA
SOFTWARE\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InProcServer32, xrefs: 00007FFD6D9C700B
FileExplorerCommandUI, xrefs: 00007FFD6D9C6F9D, 00007FFD6D9C7037
StartDocked, xrefs: 00007FFD6D9C6D80
ReplaceNetwork, xrefs: 00007FFD6D9C73FE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage, xrefs: 00007FFD6D9C8170
OldTaskbar, xrefs: 00007FFD6D9C72DA
WeatherLocationType, xrefs: 00007FFD6D9C7E33
WeatherTheme, xrefs: 00007FFD6D9C7DCC
DwmExtendFrameIntoClientArea, xrefs: 00007FFD6D9C726F
ToolbarSeparators, xrefs: 00007FFD6D9C7671
DoNotRedirectNotificationIconsToSettingsApp, xrefs: 00007FFD6D9C783C
SnapAssistSettings, xrefs: 00007FFD6D9C77D6
NoMenuAccelerator, xrefs: 00007FFD6D9C755C
DisableOfficeHotkeys, xrefs: 00007FFD6D9C786F
LegacyFileTransferDialog, xrefs: 00007FFD6D9C707F
AltTabSettings, xrefs: 00007FFD6D9C8139
CONOUT$, xrefs: 00007FFD6D9C7187
SpotlightUpdateSchedule, xrefs: 00007FFD6D9C7959
ClockFlyoutOnWinC, xrefs: 00007FFD6D9C7464
OldTaskbarAl, xrefs: 00007FFD6D9C6E70
UndeadStartCorner, xrefs: 00007FFD6D9C7A76
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9C82D8
SpotlightDisableIcon, xrefs: 00007FFD6D9C78D5
PinnedItemsActAsQuickLaunch, xrefs: 00007FFD6D9C79DE
AllocConsole, xrefs: 00007FFD6D9C6DD5
HideIconAndTitleInExplorer, xrefs: 00007FFD6D9C728F
DoNotRedirectProgramsAndFeaturesToSettingsApp, xrefs: 00007FFD6D9C71DF
uxtheme.dll, xrefs: 00007FFD6D9C7244
MicaEffectOnTitlebar, xrefs: 00007FFD6D9C7212
HideControlCenterButton, xrefs: 00007FFD6D9C7332
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People, xrefs: 00007FFD6D9C8384
SkinIcons, xrefs: 00007FFD6D9C73CB
WeatherWindowCornerPreference, xrefs: 00007FFD6D9C7E94
en-US, xrefs: 00007FFD6D9C7D31
Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}\ShellFolder, xrefs: 00007FFD6D9C84D8, 00007FFD6D9C8511
Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher, xrefs: 00007FFD6D9C6C7E
UseClassicDriveGrouping, xrefs: 00007FFD6D9C6F6A
TraySettings, xrefs: 00007FFD6D9C8447
DoNotRedirectSystemToSettingsApp, xrefs: 00007FFD6D9C71AC
EnableSymbolDownload, xrefs: 00007FFD6D9C7728
SkinMenus, xrefs: 00007FFD6D9C7135
SpotlightDesktopMenuMask, xrefs: 00007FFD6D9C7926
MonitorOverride, xrefs: 00007FFD6D9C81C2
MigratedFromOldSettings, xrefs: 00007FFD6D9C6C43, 00007FFD6D9C6DA6
WeatherToLeft, xrefs: 00007FFD6D9C7FC3
Memcheck, xrefs: 00007FFD6D9C6E08, 00007FFD6D9C6E44
Software\ExplorerPatcher, xrefs: 00007FFD6D9C6BD0
dwmapi.dll, xrefs: 00007FFD6D9C7276
WeatherContentsMode, xrefs: 00007FFD6D9C8010
CenterMenus, xrefs: 00007FFD6D9C7398
RemoveExtraGapAroundPinnedItems, xrefs: 00007FFD6D9C7A2E
FlyoutMenus, xrefs: 00007FFD6D9C7365

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$Create$CloseQuery$InvalidateNotifyRect$CacheChangeFindFlushMessageOpenSendWindow
String ID: AllocConsole$AltTabSettings$ArchiveMenu$Attributes$CONOUT$$CenterMenus$ClassicThemeMitigations$ClockFlyoutOnWinC$DisableAeroSnapQuadrants$DisableImmersiveContextMenu$DisableOfficeHotkeys$DisableWinFHotkey$DoNotRedirectDateAndTimeToSettingsApp$DoNotRedirectNotificationIconsToSettingsApp$DoNotRedirectProgramsAndFeaturesToSettingsApp$DoNotRedirectSystemToSettingsApp$DwmExtendFrameIntoClientArea$EnableSymbolDownload$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$FileExplorerCommandUI$FlyoutMenus$HideControlCenterButton$HideExplorerSearchBar$HideIconAndTitleInExplorer$HookStartMenu$IMEStyle$IsUpdatePending$LegacyFileTransferDialog$MMOldTaskbarAl$Memcheck$MicaEffectOnTitlebar$MigratedFromOldSettings$MonitorOverride$NoMenuAccelerator$NoPropertiesInContextMenu$OldTaskbar$OldTaskbarAl$OpenAtLogon$OpenPropertiesAtNextStart$OrbStyle$PinnedItemsActAsQuickLaunch$PropertiesInWinX$RemoveExtraGapAroundPinnedItems$ReplaceNetwork$SOFTWARE\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InProcServer32$SOFTWARE\Microsoft\TabletTip\1.7$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$ShrinkExplorerAddressBar$SkinIcons$SkinMenus$SnapAssistSettings$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}\ShellFolder$Software\ExplorerPatcher$Software\ExplorerPatcher\sws$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$SpotlightDesktopMenuMask$SpotlightDisableIcon$SpotlightUpdateSchedule$StartDocked$TaskbarAutohideOnDoubleClick$ToolbarSeparators$TraySettings$UndeadStartCorner$UpdatePolicy$UseClassicDriveGrouping$WeatherContentUpdateMode$WeatherContentsMode$WeatherDevMode$WeatherFixedSize$WeatherIconPack$WeatherLanguage$WeatherLocation$WeatherLocationType$WeatherTemperatureUnit$WeatherTheme$WeatherToLeft$WeatherViewMode$WeatherWindowCornerPreference$WeatherZoomFactor$dwmapi.dll$en-US$uxtheme.dll
API String ID: 1717770317-57872525
Opcode ID: f51902a58995f62331a862b594c66282f405a89b1a8b8cff3d216cb37eb7798e
Instruction ID: 4a96e9e38f52dcaef20fa089a1ec4138eb708011ba0312f4c8dc963795632637
Opcode Fuzzy Hash: f51902a58995f62331a862b594c66282f405a89b1a8b8cff3d216cb37eb7798e
Instruction Fuzzy Hash: F8F2C976B18E52CAEB10CB64F8606A937B4FB98758F405136DA4E13B68EF3CD149CB44

Function 00007FFD6D9E5AC0 Relevance: 159.8, APIs: 52, Strings: 39, Instructions: 591
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9E5BA0
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9E5BC4
RegQueryValueExA.KERNEL32 ref: 00007FFD6D9E5C2D
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5C89
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5CD3
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5CFE
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5D29
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5D54
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5D7F
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5DAA
RegCloseKey.KERNEL32 ref: 00007FFD6D9E5DD9
RegDeleteTreeW.KERNEL32 ref: 00007FFD6D9E5DF1
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9E5E31
GetSystemDirectoryW.KERNEL32 ref: 00007FFD6D9E5E55
RegQueryValueExA.KERNEL32 ref: 00007FFD6D9E5EC5
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5F21
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5F6F
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5F9A
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5FC5
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E5FF0
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E601B
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E6046
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E6071
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E609C
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E60C7
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E60D2
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9E6187
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9E6199
RegQueryValueExA.KERNEL32 ref: 00007FFD6D9E6209
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E6265
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E62B3
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E62DE
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E6309
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E6334
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E635F
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E638D
RegDeleteTreeW.KERNEL32 ref: 00007FFD6D9E63AE
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9E63FF
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9E6411
FindFirstFileW.KERNEL32 ref: 00007FFD6D9E643D
FindClose.KERNEL32 ref: 00007FFD6D9E644C
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9E6460

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

RegQueryValueExA.KERNEL32 ref: 00007FFD6D9E64D0
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E652C
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9E6572
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E659F
RegDeleteTreeW.KERNEL32 ref: 00007FFD6D9E65B7
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9E65F7
RegDeleteValueW.KERNEL32 ref: 00007FFD6D9E6613
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E661E

Strings

StartUI::SystemListPolicyProvider::GetMaximumFrequentApps, xrefs: 00007FFD6D9E6560
Software\ExplorerPatcher\explorer, xrefs: 00007FFD6D9E5B70, 00007FFD6D9E5DE3
ImmersiveTray::RaiseWindow, xrefs: 00007FFD6D9E5CEF
\explorer.exe, xrefs: 00007FFD6D9E5BCA
!, xrefs: 00007FFD6D9E64C8
CLauncherTipContextMenu::ShowLauncherTipContextMenu, xrefs: 00007FFD6D9E6062
StartUI, xrefs: 00007FFD6D9E657F
CLauncherTipContextMenu::_ExecuteCommand, xrefs: 00007FFD6D9E6037
Software\ExplorerPatcher\twinui.pcshell, xrefs: 00007FFD6D9E5E04, 00007FFD6D9E6103
ImmersiveTray::AttachWindowToTray, xrefs: 00007FFD6D9E5CB9
SetColorPreferenceForLogonUI, xrefs: 00007FFD6D9E5D70
\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll, xrefs: 00007FFD6D9E619F
Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI, xrefs: 00007FFD6D9E63CF, 00007FFD6D9E65A9
twinui.pcshell, xrefs: 00007FFD6D9E60E2
[Symbols] Symbols for "%s" are not available., xrefs: 00007FFD6D9E5DBE, 00007FFD6D9E60E9, 00007FFD6D9E6374, 00007FFD6D9E6586
StartDocked::LauncherFrame::OnVisibilityChanged, xrefs: 00007FFD6D9E62FA
StartDocked::StartSizingFrame::StartSizingFrame, xrefs: 00007FFD6D9E6350
\twinui.pcshell.dll, xrefs: 00007FFD6D9E5E5B
ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu, xrefs: 00007FFD6D9E5FB6
explorer, xrefs: 00007FFD6D9E5DB7
\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll, xrefs: 00007FFD6D9E6417
StartDocked, xrefs: 00007FFD6D9E636D
CTaskBand_CreateInstance, xrefs: 00007FFD6D9E5D1A
Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked, xrefs: 00007FFD6D9E6154, 00007FFD6D9E63A0
ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu, xrefs: 00007FFD6D9E5FE1
CLauncherTipContextMenu::GetMenuItemsAsync, xrefs: 00007FFD6D9E5F8B
CLauncherTipContextMenu::_ExecuteShutdownCommand, xrefs: 00007FFD6D9E600C
\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll, xrefs: 00007FFD6D9E6466
Version, xrefs: 00007FFD6D9E5C65, 00007FFD6D9E5EFD, 00007FFD6D9E6241, 00007FFD6D9E6508
CMultitaskingViewManager::_CreateDCompMTVHost, xrefs: 00007FFD6D9E60B8
CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc, xrefs: 00007FFD6D9E5F5D
StartDocked::LauncherFrame::ShowAllApps, xrefs: 00007FFD6D9E62A1, 00007FFD6D9E62CF
TrayUI::_UpdatePearlSize, xrefs: 00007FFD6D9E5D9B
Software\ExplorerPatcher, xrefs: 00007FFD6D9E65CA
StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps, xrefs: 00007FFD6D9E6325
OSBuild, xrefs: 00007FFD6D9E660C
CMultitaskingViewManager::_CreateXamlMTVHost, xrefs: 00007FFD6D9E608D
Hash, xrefs: 00007FFD6D9E5C0C, 00007FFD6D9E5EA4, 00007FFD6D9E61E1, 00007FFD6D9E64A8
HandleFirstTimeLegacy, xrefs: 00007FFD6D9E5D45

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$Query$Close$CreateDirectory$DeleteWindows$Tree$Find$AddressFileFirstHandleModuleOpenProcSystem_invalid_parameter_noinfo
String ID: !$CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc$CLauncherTipContextMenu::GetMenuItemsAsync$CLauncherTipContextMenu::ShowLauncherTipContextMenu$CLauncherTipContextMenu::_ExecuteCommand$CLauncherTipContextMenu::_ExecuteShutdownCommand$CMultitaskingViewManager::_CreateDCompMTVHost$CMultitaskingViewManager::_CreateXamlMTVHost$CTaskBand_CreateInstance$HandleFirstTimeLegacy$Hash$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu$ImmersiveTray::AttachWindowToTray$ImmersiveTray::RaiseWindow$OSBuild$SetColorPreferenceForLogonUI$Software\ExplorerPatcher$Software\ExplorerPatcher\explorer$Software\ExplorerPatcher\twinui.pcshell$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartDocked$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::StartSizingFrame::StartSizingFrame$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$TrayUI::_UpdatePearlSize$Version$[Symbols] Symbols for "%s" are not available.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll$\explorer.exe$\twinui.pcshell.dll$explorer$twinui.pcshell
API String ID: 3716114926-1751072635
Opcode ID: fd27692403affaef06e9a0b146a16345ee8274103fc62b0fe9eb1b47b4af4d31
Instruction ID: 6e2d59b89d3173b08779e306ddc2c7686cdef359c3b2cfaded51a22eb9b9cfc2
Opcode Fuzzy Hash: fd27692403affaef06e9a0b146a16345ee8274103fc62b0fe9eb1b47b4af4d31
Instruction Fuzzy Hash: 1F62327271CE82D6EB20CF54F8606AA77A5FB94798F401232D68D47A68EF7CD245CB40

Function 00007FFD6D9D1640 Relevance: 152.7, APIs: 49, Strings: 38, Instructions: 444
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

GetModuleFileNameW.KERNEL32 ref: 00007FFD6D9D16AD
PathStripPathW.SHLWAPI ref: 00007FFD6D9D16BA

Part of subcall function 00007FFD6DA07DF4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07E11

GetCurrentProcessId.KERNEL32 ref: 00007FFD6D9D16DF
OpenProcess.KERNEL32 ref: 00007FFD6D9D16EF
QueryFullProcessImageNameW.KERNEL32 ref: 00007FFD6D9D1718
CloseHandle.KERNEL32 ref: 00007FFD6D9D1721
GetSystemDirectoryW.KERNEL32 ref: 00007FFD6D9D1733
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9D1776
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9D17BF
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9D17FD
GetSystemDirectoryW.KERNEL32 ref: 00007FFD6D9D1855
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9D187A
GetProcAddress.KERNEL32 ref: 00007FFD6D9D188D
GetProcAddress.KERNEL32 ref: 00007FFD6D9D18A4
GetProcAddress.KERNEL32 ref: 00007FFD6D9D18BB
GetProcAddress.KERNEL32 ref: 00007FFD6D9D18D2
GetProcAddress.KERNEL32 ref: 00007FFD6D9D18E9
GetProcAddress.KERNEL32 ref: 00007FFD6D9D1900
GetProcAddress.KERNEL32 ref: 00007FFD6D9D1917
GetProcAddress.KERNEL32 ref: 00007FFD6D9D192E
GetProcAddress.KERNEL32 ref: 00007FFD6D9D1945
GetProcAddress.KERNEL32 ref: 00007FFD6D9D195C
GetProcAddress.KERNEL32 ref: 00007FFD6D9D1973
GetProcAddress.KERNEL32 ref: 00007FFD6D9D198A
GetProcAddress.KERNEL32 ref: 00007FFD6D9D19A1
GetProcAddress.KERNEL32 ref: 00007FFD6D9D19B8
GetProcAddress.KERNEL32 ref: 00007FFD6D9D19CF
GetProcAddress.KERNEL32 ref: 00007FFD6D9D19E6
GetProcAddress.KERNEL32 ref: 00007FFD6D9D19FD
GetProcAddress.KERNEL32 ref: 00007FFD6D9D1A14
GetProcAddress.KERNEL32 ref: 00007FFD6D9D1A2B
GetSystemMetrics.USER32 ref: 00007FFD6D9D1A4D
RegGetValueW.KERNEL32 ref: 00007FFD6D9D1AA0
RegGetValueW.KERNEL32 ref: 00007FFD6D9D1B54
FindWindowExW.USER32 ref: 00007FFD6D9D1BA1
FindWindowExW.USER32 ref: 00007FFD6D9D1BBE
GetAsyncKeyState.USER32 ref: 00007FFD6D9D1BE6
GetAsyncKeyState.USER32 ref: 00007FFD6D9D1BF6
GetAsyncKeyState.USER32 ref: 00007FFD6D9D1C06
RegSetKeyValueW.KERNELBASE ref: 00007FFD6D9D1C59
SHCreateThread.SHLWAPI ref: 00007FFD6D9D1C71
RegSetKeyValueW.ADVAPI32 ref: 00007FFD6D9D1CAC
SHCreateThread.SHLWAPI ref: 00007FFD6D9D1CC1
LoadLibraryW.KERNEL32 ref: 00007FFD6D9D1D0B
RegOpenKeyW.ADVAPI32 ref: 00007FFD6D9D1DAE
RegCloseKey.ADVAPI32 ref: 00007FFD6D9D1DBD
LoadLibraryW.KERNEL32 ref: 00007FFD6D9D1DCA
LoadLibraryW.KERNEL32 ref: 00007FFD6D9D1E2C
GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9D1E59

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE, xrefs: 00007FFD6D9D1A82
PIXEndCapture, xrefs: 00007FFD6D9D19D5
CreateDXGIFactory, xrefs: 00007FFD6D9D18C1
PIXBeginCapture, xrefs: 00007FFD6D9D19BE
\explorer.exe, xrefs: 00007FFD6D9D177C
PIXGetCaptureState, xrefs: 00007FFD6D9D19EC
SetAppCompatStringPointer, xrefs: 00007FFD6D9D1A03
dxgi.dll, xrefs: 00007FFD6D9D16C0
Windows.UI.QuickActions.dll, xrefs: 00007FFD6D9D1DC3
api-ms-win-core-sysinfo-l1-2-0.dll, xrefs: 00007FFD6D9D1DE6
DXGID3D10RegisterLayers, xrefs: 00007FFD6D9D194B
LaunchUserOOBE, xrefs: 00007FFD6D9D1A69
DXGIGetDebugInterface1, xrefs: 00007FFD6D9D1990
UpdateHMDEmulationStatus, xrefs: 00007FFD6D9D1A1A
LaunchCflScenario, xrefs: 00007FFD6D9D1B1D
CreateDXGIFactory2, xrefs: 00007FFD6D9D18EF
DXGIDeclareAdapterRemovalSupport, xrefs: 00007FFD6D9D1962
Proxy Desktop, xrefs: 00007FFD6D9D1BB3
GetProductInfo, xrefs: 00007FFD6D9D1DDF
\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, xrefs: 00007FFD6D9D17C5
DXGID3D10CreateLayeredDevice, xrefs: 00007FFD6D9D191D
Windows.UI.Xaml.dll, xrefs: 00007FFD6D9D1D04, 00007FFD6D9D1E25
DXGIDumpJournal, xrefs: 00007FFD6D9D1979
CompatValue, xrefs: 00007FFD6D9D18AA
Progman, xrefs: 00007FFD6D9D1B96
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CFL\ExperienceManagerData, xrefs: 00007FFD6D9D1B36
DXGID3D10CreateDevice, xrefs: 00007FFD6D9D1906
DXGIReportAdapterConfiguration, xrefs: 00007FFD6D9D19A7
ApplyCompatResolutionQuirking, xrefs: 00007FFD6D9D1883
\dxgi.dll, xrefs: 00007FFD6D9D185B
DXGID3D10GetLayeredDeviceSize, xrefs: 00007FFD6D9D1934
CompatString, xrefs: 00007FFD6D9D1893
CrashCounter, xrefs: 00007FFD6D9D1C34, 00007FFD6D9D1C93
\SearchIndexer.exe, xrefs: 00007FFD6D9D1739
CreateDXGIFactory1, xrefs: 00007FFD6D9D18D8
Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher, xrefs: 00007FFD6D9D1DA7
\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, xrefs: 00007FFD6D9D1803
Software\ExplorerPatcher, xrefs: 00007FFD6D9D1C46, 00007FFD6D9D1C9E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AddressProc$DirectoryValue$LibraryLoad$AsyncHandleModuleOpenProcessStateSystemWindows$CloseCreateFindNamePathQueryThreadWindow$CurrentFileFullImageMetricsStrip_invalid_parameter_noinfo
String ID: ApplyCompatResolutionQuirking$CompatString$CompatValue$Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$CrashCounter$CreateDXGIFactory$CreateDXGIFactory1$CreateDXGIFactory2$DXGID3D10CreateDevice$DXGID3D10CreateLayeredDevice$DXGID3D10GetLayeredDeviceSize$DXGID3D10RegisterLayers$DXGIDeclareAdapterRemovalSupport$DXGIDumpJournal$DXGIGetDebugInterface1$DXGIReportAdapterConfiguration$GetProductInfo$LaunchCflScenario$LaunchUserOOBE$PIXBeginCapture$PIXEndCapture$PIXGetCaptureState$Progman$Proxy Desktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CFL\ExperienceManagerData$SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE$SetAppCompatStringPointer$Software\ExplorerPatcher$UpdateHMDEmulationStatus$Windows.UI.QuickActions.dll$Windows.UI.Xaml.dll$\SearchIndexer.exe$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe$\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe$\dxgi.dll$\explorer.exe$api-ms-win-core-sysinfo-l1-2-0.dll$dxgi.dll
API String ID: 425412005-3433049922
Opcode ID: d744e352e7b308f232d75c32410c439890585d235a3956cecc81558c517fa1f1
Instruction ID: 90caa0d24574210505baab2c6b334224c4ee7d00f0e764a9c60cf1795130619e
Opcode Fuzzy Hash: d744e352e7b308f232d75c32410c439890585d235a3956cecc81558c517fa1f1
Instruction Fuzzy Hash: 1E320F62B0CE43D6EB14DB21F8642B923A1FFA5744F840236DA4E566A8FF7CE549C740

Function 00007FFD6D9CBFE0 Relevance: 75.5, APIs: 17, Strings: 26, Instructions: 277
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 00007FFD6D9CC00B
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CC31C
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CC333
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CC3B6
RegGetValueW.KERNEL32 ref: 00007FFD6D9CC4A2
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9CC4DB
GetProcAddress.KERNEL32 ref: 00007FFD6D9CC4EB
LoadLibraryW.KERNEL32 ref: 00007FFD6D9CC542
GetProcAddress.KERNEL32 ref: 00007FFD6D9CC020

Part of subcall function 00007FFD6D9BD290: GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD2C6
Part of subcall function 00007FFD6D9BD290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6D9BD2F9
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD32F

Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD3B9
Part of subcall function 00007FFD6D9BD290: VirtualQuery.KERNEL32 ref: 00007FFD6D9BD3F8
Part of subcall function 00007FFD6D9BD290: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD413
Part of subcall function 00007FFD6D9BD290: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD43B
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD446

LoadLibraryW.KERNEL32 ref: 00007FFD6D9CC03C
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CC0B1
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CC0C8
LoadLibraryW.KERNEL32 ref: 00007FFD6D9CC18E
GetProcAddress.KERNEL32 ref: 00007FFD6D9CC1A1
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CC1B5
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CC1F0
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CC207

Strings

shell32.dll, xrefs: 00007FFD6D9CC02D
ntdll.dll, xrefs: 00007FFD6D9CC4D4
CoCreateInstance, xrefs: 00007FFD6D9CC39C
CompareStringOrdinal, xrefs: 00007FFD6D9CC2EC
LoadLibraryExW, xrefs: 00007FFD6D9CC552
user32.dll, xrefs: 00007FFD6D9CC095, 00007FFD6D9CC121, 00007FFD6D9CC14D, 00007FFD6D9CC178, 00007FFD6D9CC1D1, 00007FFD6D9CC260, 00007FFD6D9CC2A8, 00007FFD6D9CC2D3, 00007FFD6D9CC310, 00007FFD6D9CC3DA, 00007FFD6D9CC3FA, 00007FFD6D9CC426, 00007FFD6D9CC451
ExplorerFrame.dll, xrefs: 00007FFD6D9CC1AE
GetSystemMetricsForDpi, xrefs: 00007FFD6D9CC309
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9CC48B
xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx, xrefs: 00007FFD6D9CC0D2, 00007FFD6D9CC211
shcore.dll, xrefs: 00007FFD6D9CC187
api-ms-win-core-com-l1-1-0.dll, xrefs: 00007FFD6D9CC3A3
api-ms-win-core-libraryloader-l1-2-0.dll, xrefs: 00007FFD6D9CC559
Shlwapi.dll, xrefs: 00007FFD6D9CC000
shcore.dll, xrefs: 00007FFD6D9CC279
SHRegGetValueFromHKCUHKLM, xrefs: 00007FFD6D9CC016
TrackPopupMenu, xrefs: 00007FFD6D9CC087, 00007FFD6D9CC1CA, 00007FFD6D9CC3D3
Failed to hook RtlQueryFeatureConfiguration(). rv = %d, xrefs: 00007FFD6D9CC522
SetWindowLongPtrW, xrefs: 00007FFD6D9CC16A, 00007FFD6D9CC2C5, 00007FFD6D9CC443
combase.dll, xrefs: 00007FFD6D9CC53B
CreateWindowExW, xrefs: 00007FFD6D9CC13F, 00007FFD6D9CC29A, 00007FFD6D9CC418
API-MS-WIN-CORE-STRING-L1-1-0.DLL, xrefs: 00007FFD6D9CC2F3
Windows.UI.FileExplorer.dll, xrefs: 00007FFD6D9CC3AF
Start_ShowClassicMode, xrefs: 00007FFD6D9CC472
RtlQueryFeatureConfiguration, xrefs: 00007FFD6D9CC4E4
SystemParametersInfoW, xrefs: 00007FFD6D9CC11A, 00007FFD6D9CC259, 00007FFD6D9CC3F3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Library$Load$Module$AddressCurrentFreeInformationProcProcessVirtual$HandleProtect$DataDirectoryEntryImageQueryValue
String ID: API-MS-WIN-CORE-STRING-L1-1-0.DLL$CoCreateInstance$CompareStringOrdinal$CreateWindowExW$ExplorerFrame.dll$Failed to hook RtlQueryFeatureConfiguration(). rv = %d$GetSystemMetricsForDpi$LoadLibraryExW$RtlQueryFeatureConfiguration$SHRegGetValueFromHKCUHKLM$SetWindowLongPtrW$Shlwapi.dll$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Start_ShowClassicMode$SystemParametersInfoW$TrackPopupMenu$Windows.UI.FileExplorer.dll$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-libraryloader-l1-2-0.dll$combase.dll$ntdll.dll$shcore.dll$shcore.dll$shell32.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
API String ID: 404060323-2645642614
Opcode ID: f4cd2397a1639e05ab3541b870c8a7fdcfc3b3e29febcced4b2b1e5de95f46e9
Instruction ID: 233c2c7a0ce14d95ec4cf705e2fd4715f611a256f5a9be1d414a3fe9b6a6a760
Opcode Fuzzy Hash: f4cd2397a1639e05ab3541b870c8a7fdcfc3b3e29febcced4b2b1e5de95f46e9
Instruction Fuzzy Hash: 98F1DEA0B4DE47D1FA14DB62F9746B523A1AFA4794F880137D80E062A9FF7CE649C350

Function 00007FFD6D9E53F0 Relevance: 58.1, APIs: 18, Strings: 15, Instructions: 354
registrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FFD6D9E5436

Part of subcall function 00007FFD6D9D4E90: RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9D4EEC
Part of subcall function 00007FFD6D9D4E90: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9D4F41
Part of subcall function 00007FFD6D9D4E90: GetLocaleInfoW.KERNEL32 ref: 00007FFD6D9D4F8A
Part of subcall function 00007FFD6D9D4E90: GetLocaleInfoW.KERNEL32 ref: 00007FFD6D9D4FA5
Part of subcall function 00007FFD6D9D4E90: SetThreadPreferredUILanguages.KERNEL32 ref: 00007FFD6D9D505B
Part of subcall function 00007FFD6D9D4E90: RegCloseKey.KERNEL32 ref: 00007FFD6D9D506B

SHGetFolderPathW.SHELL32 ref: 00007FFD6D9E547A

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

LoadLibraryExW.KERNEL32 ref: 00007FFD6D9E54A7

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9E5549
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9E5587
LoadStringW.USER32 ref: 00007FFD6D9E55EF
LoadStringW.USER32 ref: 00007FFD6D9E562D
RegSetValueExW.KERNEL32 ref: 00007FFD6D9E56DE
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E56E9
SHGetFolderPathA.SHELL32 ref: 00007FFD6D9E572F
CreateDirectoryA.KERNEL32 ref: 00007FFD6D9E5756
LoadStringW.USER32 ref: 00007FFD6D9E58A6
LoadStringW.USER32 ref: 00007FFD6D9E58E4
LoadStringW.USER32 ref: 00007FFD6D9E591D
LoadStringW.USER32 ref: 00007FFD6D9E595B
LoadStringW.USER32 ref: 00007FFD6D9E59AE
LoadStringW.USER32 ref: 00007FFD6D9E59EC
FreeLibrary.KERNEL32 ref: 00007FFD6D9E5A71

Strings

SymbolsLastNotifiedOSBuild, xrefs: 00007FFD6D9E555E, 00007FFD6D9E56BF
<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">, xrefs: 00007FFD6D9E5657, 00007FFD6D9E5991, 00007FFD6D9E5A16
long, xrefs: 00007FFD6D9E58F6
\ExplorerPatcher, xrefs: 00007FFD6D9E5735
@, xrefs: 00007FFD6D9E557F
[Symbols] Finished "Download symbols" thread., xrefs: 00007FFD6D9E5A77
[Symbols] Finished gathering symbol data., xrefs: 00007FFD6D9E5871
[Symbols] Attempting to download symbols for OS version %s., xrefs: 00007FFD6D9E56F6
short, xrefs: 00007FFD6D9E55BE, 00007FFD6D9E5979, 00007FFD6D9E5A1D
[Symbols] Downloading to "%s"., xrefs: 00007FFD6D9E577B
Software\ExplorerPatcher, xrefs: 00007FFD6D9E54F4
[Symbols] Started "Download symbols" thread., xrefs: 00007FFD6D9E543C
\ExplorerPatcher\ep_gui.dll, xrefs: 00007FFD6D9E5480
%d.%d.%d.%d, xrefs: 00007FFD6D9E54BC
https://github.com/valinet/ExplorerPatcher/wiki/Symbols, xrefs: 00007FFD6D9E5644, 00007FFD6D9E5985, 00007FFD6D9E5A03

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Load$String$Value$CreateQuery$CloseFolderInfoLibraryLocalePath$AddressDirectoryFreeHandleLanguagesModuleOpenPreferredProcSleepThread_invalid_parameter_noinfo
String ID: %d.%d.%d.%d$<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$@$Software\ExplorerPatcher$SymbolsLastNotifiedOSBuild$[Symbols] Attempting to download symbols for OS version %s.$[Symbols] Downloading to "%s".$[Symbols] Finished "Download symbols" thread.$[Symbols] Finished gathering symbol data.$[Symbols] Started "Download symbols" thread.$\ExplorerPatcher$\ExplorerPatcher\ep_gui.dll$https://github.com/valinet/ExplorerPatcher/wiki/Symbols$long$short
API String ID: 3080592855-3895060210
Opcode ID: cd2a7bf6685323c641195e45c791c4b7ff78798fbc8744bb4d81aada5da5ce8f
Instruction ID: eb6bc0829519d0854c2da8359b45d433c2ff4be9efa726a1cbf178f83b262d77
Opcode Fuzzy Hash: cd2a7bf6685323c641195e45c791c4b7ff78798fbc8744bb4d81aada5da5ce8f
Instruction Fuzzy Hash: 8F022036B18E82D9EB60DF60F8606EA23A5FB94348F805136D94D47A99FF3CD649C740

Function 00007FFD6D9EF040 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 315
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9EF076
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EF0A5
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9EF0C2
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EF0F2
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9EF10F
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EF159
FindWindowExW.USER32 ref: 00007FFD6D9EF1AA
Sleep.KERNEL32 ref: 00007FFD6D9EF1BA
FindWindowExW.USER32 ref: 00007FFD6D9EF1CE
Sleep.KERNEL32 ref: 00007FFD6D9EF1DC
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EF219
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EF25A
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9EF277
CreateEventW.KERNEL32 ref: 00007FFD6D9EF28F
CreateEventW.KERNEL32 ref: 00007FFD6D9EF2A7
CreateEventW.KERNEL32 ref: 00007FFD6D9EF2BF
RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9EF3B1
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9EF3F0
RegCloseKey.ADVAPI32 ref: 00007FFD6D9EF3FA
WaitForMultipleObjects.KERNEL32 ref: 00007FFD6D9EF442

Strings

EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9EF299
IsUpdatePending, xrefs: 00007FFD6D9EF3E9
Windows.UI.Notifications.ToastNotificationManager, xrefs: 00007FFD6D9EF09E, 00007FFD6D9EF0EB
[Updates] Starting daemon., xrefs: 00007FFD6D9EF1E2
ep_updates, xrefs: 00007FFD6D9EF152
EP_Ev_CheckForUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9EF281
Shell_TrayWnd, xrefs: 00007FFD6D9EF19F, 00007FFD6D9EF1C3
Windows.UI.Notifications.ToastNotification, xrefs: 00007FFD6D9EF253
Software\ExplorerPatcher, xrefs: 00007FFD6D9EF3A3
EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9EF2B1
Microsoft.Windows.Explorer, xrefs: 00007FFD6D9EF212

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Create$ReferenceStringWindows$ActivationEventFactory$FindSleepWindow$CloseInitializeMultipleObjectsValueWait
String ID: EP_Ev_CheckForUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$IsUpdatePending$Microsoft.Windows.Explorer$Shell_TrayWnd$Software\ExplorerPatcher$Windows.UI.Notifications.ToastNotification$Windows.UI.Notifications.ToastNotificationManager$[Updates] Starting daemon.$ep_updates
API String ID: 515347756-3464217809
Opcode ID: 141e73fe10307a8e4ed6ca383c051ecabf987df7d80384f8b23417421a64e425
Instruction ID: ea88fa54d81d5e6e98dd0157f0b119309a6e5443d78bd9212e3161deee969d89
Opcode Fuzzy Hash: 141e73fe10307a8e4ed6ca383c051ecabf987df7d80384f8b23417421a64e425
Instruction Fuzzy Hash: 17E11432B19F42DAEB00DF61F8646A933A5FB98B48F444536DA0D57A98EF3CE615C340

Function 00007FFD6D9E4420 Relevance: 52.7, APIs: 13, Strings: 17, Instructions: 191
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9E4491
GetWindowsDirectoryA.KERNEL32 ref: 00007FFD6D9E44F8

Part of subcall function 00007FFD6DA0A224: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0A24C

GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9E451F

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

Part of subcall function 00007FFD6D9EFC70: CreateFileW.KERNEL32 ref: 00007FFD6D9EFCEB
Part of subcall function 00007FFD6D9EFC70: GetLastError.KERNEL32 ref: 00007FFD6D9EFCFA

Part of subcall function 00007FFD6D9BCE30: CreateFileA.KERNEL32 ref: 00007FFD6D9BCEAB

RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4607
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4633
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E465F
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E468B
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E46B7
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E46E3
RegSetValueExA.ADVAPI32 ref: 00007FFD6D9E4723
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4758
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E4768
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E478F

Strings

[Symbols] Failure in reading symbols for "%s"., xrefs: 00007FFD6D9E4779
Software\ExplorerPatcher\explorer, xrefs: 00007FFD6D9E4471
CTaskBand_CreateInstance, xrefs: 00007FFD6D9E464A
ImmersiveTray::RaiseWindow, xrefs: 00007FFD6D9E461E
\explorer.exe, xrefs: 00007FFD6D9E4525
[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information., xrefs: 00007FFD6D9E4583
[Symbols] Reading symbols..., xrefs: 00007FFD6D9E4594
[Symbols] Downloading symbols for "%s" ("%s")..., xrefs: 00007FFD6D9E4557
ImmersiveTray::AttachWindowToTray, xrefs: 00007FFD6D9E45EA
SetColorPreferenceForLogonUI, xrefs: 00007FFD6D9E46A2
[Symbols] Symbols for "%s" are not available - unable to download., xrefs: 00007FFD6D9E4577
Version, xrefs: 00007FFD6D9E473B
[Symbols] Unable to create registry key., xrefs: 00007FFD6D9E4797
TrayUI::_UpdatePearlSize, xrefs: 00007FFD6D9E46CE
\explorer.exe, xrefs: 00007FFD6D9E44FE
Hash, xrefs: 00007FFD6D9E4703
HandleFirstTimeLegacy, xrefs: 00007FFD6D9E4676

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$Create$CloseDirectoryFileWindows_invalid_parameter_noinfo$ErrorLast
String ID: CTaskBand_CreateInstance$HandleFirstTimeLegacy$Hash$ImmersiveTray::AttachWindowToTray$ImmersiveTray::RaiseWindow$SetColorPreferenceForLogonUI$Software\ExplorerPatcher\explorer$TrayUI::_UpdatePearlSize$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\explorer.exe$\explorer.exe
API String ID: 3922731654-964289750
Opcode ID: 53834da91cdd93d32d2240879c9034b85a01688b3d2370aeaf152d951d341480
Instruction ID: c87ac41062ca2daef8f333aa1a380d27f9e5ffa0a51e1c2a8720294aec8aaa2d
Opcode Fuzzy Hash: 53834da91cdd93d32d2240879c9034b85a01688b3d2370aeaf152d951d341480
Instruction Fuzzy Hash: F5A15572B1CE82C6EB10DF64F8606A97361FB98758F414232DA4D43AA9EF7CD245CB40

Function 00007FFD6D9BCE30 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 248
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFD6DA0A224: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0A24C

CreateFileA.KERNEL32 ref: 00007FFD6D9BCEAB
CreateFileMappingW.KERNELBASE ref: 00007FFD6D9BCEE3
CloseHandle.KERNEL32 ref: 00007FFD6D9BCEF4

Strings

%08lX%04hX%04hX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX, xrefs: 00007FFD6D9BD111
%x/, xrefs: 00007FFD6D9BD17E
/download/symbols/, xrefs: 00007FFD6D9BCE6C
RSDS, xrefs: 00007FFD6D9BD063

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CreateFile$CloseHandleMapping_invalid_parameter_noinfo
String ID: %08lX%04hX%04hX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX$%x/$/download/symbols/$RSDS
API String ID: 1983873661-2402091955
Opcode ID: 487057ca424dff22dcf5c02e0f811aaff343f7eb314c5405646703778120c259
Instruction ID: 7aa69a9ae4412b941195d26a0570cd0cc33bdde056632cb93e5df7ca03b9565b
Opcode Fuzzy Hash: 487057ca424dff22dcf5c02e0f811aaff343f7eb314c5405646703778120c259
Instruction Fuzzy Hash: 56B16D71B0CAC2C6EB249B11B8247BA67A1FBD9B64F444232DA5E03B94EF3CE555C710

Function 00007FFD6D9C8690 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 190
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C8707
RegQueryValueExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C8745
RegQueryValueExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C878E
RegQueryValueExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C87D8
RegCloseKey.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C87F9
RegCreateKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C8846
RegQueryValueExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C8883
SendNotifyMessageW.USER32 ref: 00007FFD6D9C88D0
FindWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C88E4
FindWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C88FE
FindWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C8918
GetWindowLongPtrW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C892B
InvalidateRect.USER32 ref: 00007FFD6D9C8954
FindWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6D9C8441), ref: 00007FFD6D9C896F

Strings

TaskbarDa, xrefs: 00007FFD6D9C87B8
SOFTWARE\Microsoft\Windows\CurrentVersion\Search, xrefs: 00007FFD6D9C8821
TraySettings, xrefs: 00007FFD6D9C88B4
ClockButton, xrefs: 00007FFD6D9C897D
Shell_TrayWnd, xrefs: 00007FFD6D9C88D9
SearchboxTaskbarMode, xrefs: 00007FFD6D9C8866
TrayClockWClass, xrefs: 00007FFD6D9C8909
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9C86E2
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9C8963
TrayNotifyWnd, xrefs: 00007FFD6D9C88F2
ShowTaskViewButton, xrefs: 00007FFD6D9C876E
TaskbarSmallIcons, xrefs: 00007FFD6D9C872F

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$FindQueryValue$Create$CloseInvalidateLongMessageNotifyRectSend
String ID: ClockButton$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$SearchboxTaskbarMode$Shell_SecondaryTrayWnd$Shell_TrayWnd$ShowTaskViewButton$TaskbarDa$TaskbarSmallIcons$TrayClockWClass$TrayNotifyWnd$TraySettings
API String ID: 3959271719-3714636963
Opcode ID: c3af02eb9a0f9d0028d15f10a385c4bd2d7ad293acaf007663b4e5da45b8078f
Instruction ID: 2441238fd73833de975d902e2d1b4b2c1d41706ac08d5a70fb995d194242af38
Opcode Fuzzy Hash: c3af02eb9a0f9d0028d15f10a385c4bd2d7ad293acaf007663b4e5da45b8078f
Instruction Fuzzy Hash: C2915772B08E42CAEB64CF61F8A06A937A0FB88758F444536DA5D53B98EF3CE145C740

Function 00007FFD6D9EFC70 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 172
encryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFD6D9EFCEB
GetLastError.KERNEL32 ref: 00007FFD6D9EFCFA
GetFileSizeEx.KERNEL32 ref: 00007FFD6D9EFD14
GetLastError.KERNEL32 ref: 00007FFD6D9EFD22
CloseHandle.KERNEL32 ref: 00007FFD6D9EFD2D
CryptGetHashParam.ADVAPI32 ref: 00007FFD6D9EFE9D
GetLastError.KERNEL32 ref: 00007FFD6D9EFEEF
CryptDestroyHash.ADVAPI32 ref: 00007FFD6D9EFEFC
CryptReleaseContext.ADVAPI32 ref: 00007FFD6D9EFF08
CloseHandle.KERNEL32 ref: 00007FFD6D9EFF11

Strings

%c%c, xrefs: 00007FFD6D9EFEB2

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CryptErrorLast$CloseFileHandleHash$ContextCreateDestroyParamReleaseSize
String ID: %c%c
API String ID: 1362656601-3228636524
Opcode ID: 52d77b80a9fca7d3515aa4d75993a4acf861e8ec7ba6742f5aec9a2b58382632
Instruction ID: 9537596294b5c0f9208b19714b2e08e6bd57c9ba8e8e081becc166818f624675
Opcode Fuzzy Hash: 52d77b80a9fca7d3515aa4d75993a4acf861e8ec7ba6742f5aec9a2b58382632
Instruction Fuzzy Hash: 24711E21B08E92DAEB109F61F8647B923A1FF98B98F004136DD4E56A55EF3CE646C700

Function 00007FFD6D9BE500 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 122
windowregistrytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStockObject.GDI32 ref: 00007FFD6D9BE547
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BE557
LoadCursorW.USER32 ref: 00007FFD6D9BE578
RegisterClassW.USER32 ref: 00007FFD6D9BE58B
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BE593
CreateWindowExW.USER32 ref: 00007FFD6D9BE5CB
SetEvent.KERNEL32 ref: 00007FFD6D9BE735

Part of subcall function 00007FFD6D9F07D0: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,00007FFD6D9BE4B6), ref: 00007FFD6D9F080D
Part of subcall function 00007FFD6D9F07D0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00007FFD6D9BE4B6), ref: 00007FFD6D9F0821

SetTimer.USER32 ref: 00007FFD6D9BE60A
RegisterHotKey.USER32 ref: 00007FFD6D9BE630
RegisterHotKey.USER32 ref: 00007FFD6D9BE64E
GetMessageW.USER32 ref: 00007FFD6D9BE664
EnterCriticalSection.KERNEL32 ref: 00007FFD6D9BE699
InvalidateRect.USER32 ref: 00007FFD6D9BE6D2
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9BE6DF
TranslateMessage.USER32 ref: 00007FFD6D9BE6EF
DispatchMessageW.USER32 ref: 00007FFD6D9BE6FD
GetMessageW.USER32 ref: 00007FFD6D9BE713
DestroyWindow.USER32 ref: 00007FFD6D9BE728

Strings

EP_Service_Window_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9BE55D

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Message$Register$CriticalHandleModuleSectionWindow$ClassCloseCreateCursorDestroyDispatchEnterEventInvalidateLeaveLoadObjectOpenRectStockTimerTranslate
String ID: EP_Service_Window_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
API String ID: 124686274-1881722731
Opcode ID: a1be8459bcfd7c7e29579554fa6886f80e0ea524c161cc7a1dc958779796ac26
Instruction ID: f2a4c4495d2fbfca57b02a53e3b005a2fa72f7acdbe1f5347573b183898f6b70
Opcode Fuzzy Hash: a1be8459bcfd7c7e29579554fa6886f80e0ea524c161cc7a1dc958779796ac26
Instruction Fuzzy Hash: 7451FA71B0CE42C2EB208B25F96477A73A4FFA4754F510036DA8E86AA4EF7CE455CB00

Function 00007FFD6D9BE860 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 173synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FFD6D9BE8A0
OpenProcessToken.ADVAPI32 ref: 00007FFD6D9BE8B2
GetTokenInformation.KERNELBASE ref: 00007FFD6D9BE8D8
GetLastError.KERNEL32 ref: 00007FFD6D9BE8E6
GetTokenInformation.KERNELBASE ref: 00007FFD6D9BE923
GetLengthSid.ADVAPI32 ref: 00007FFD6D9BE936
CopySid.ADVAPI32 ref: 00007FFD6D9BE95D
DeriveAppContainerSidFromAppContainerName.USERENV ref: 00007FFD6D9BE986
SetEntriesInAclW.ADVAPI32 ref: 00007FFD6D9BEA19
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FFD6D9BEA42
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FFD6D9BEA5B
LocalFree.KERNEL32 ref: 00007FFD6D9BEA7D
CreateMutexExW.KERNEL32 ref: 00007FFD6D9BEAB2
FreeSid.ADVAPI32 ref: 00007FFD6D9BEAE7

Strings

Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy, xrefs: 00007FFD6D9BE97F
EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}, xrefs: 00007FFD6D9BEA95
[SMA] Advertising successful animations patching., xrefs: 00007FFD6D9BEABD

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Token$ContainerDescriptorFreeInformationProcessSecurity$CopyCreateCurrentDaclDeriveEntriesErrorFromInitializeLastLengthLocalMutexNameOpen
String ID: EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy$[SMA] Advertising successful animations patching.
API String ID: 2912553727-3824306247
Opcode ID: 407ba461e208563470b06a0706544f121f028c5564f226ea9bc464ba71e69338
Instruction ID: 96fc8d7e888e7264eef203afacc38bdb77697a7b01d77a3dfd1232f3f9e51d98
Opcode Fuzzy Hash: 407ba461e208563470b06a0706544f121f028c5564f226ea9bc464ba71e69338
Instruction Fuzzy Hash: 37714C22F08E42CAFB50DFA1E8203B923A6BB94B98F054535DE4D57B99EF3CE5458350

Function 00007FFD6D9DA120 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 78windowsleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FFD6D9DA141
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9DA179
GetShellWindow.USER32 ref: 00007FFD6D9DA190
Sleep.KERNEL32 ref: 00007FFD6D9DA1A3
GetWindowThreadProcessId.USER32 ref: 00007FFD6D9DA1BF
SetWindowsHookExW.USER32 ref: 00007FFD6D9DA1D7
GetMessageW.USER32 ref: 00007FFD6D9DA20B
TranslateMessage.USER32 ref: 00007FFD6D9DA225
DispatchMessageW.USER32 ref: 00007FFD6D9DA230
GetMessageW.USER32 ref: 00007FFD6D9DA243

Strings

Started "Open Start on current monitor" thread., xrefs: 00007FFD6D9DA17F
ShellDesktopSwitchEvent, xrefs: 00007FFD6D9DA133
Progman hook: %d, xrefs: 00007FFD6D9DA1E0
Ended "Open Start on current monitor" thread., xrefs: 00007FFD6D9DA24D
Failed to start "Open Start on current monitor" thread., xrefs: 00007FFD6D9DA14C
Progman: %d, xrefs: 00007FFD6D9DA1AE

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Message$Window$CreateDispatchEventHookObjectProcessShellSingleSleepThreadTranslateWaitWindows
String ID: Ended "Open Start on current monitor" thread.$Failed to start "Open Start on current monitor" thread.$Progman hook: %d$Progman: %d$ShellDesktopSwitchEvent$Started "Open Start on current monitor" thread.
API String ID: 2718461970-1416847937
Opcode ID: 98d9f44ce5530b2e72feb06b820638aa275c917d4530f1a663fb7d6f082da4f1
Instruction ID: 3e6447e47992a6fcfa67fcc71329e58a991f98e7f2bc0fe37f3752d0d584ba45
Opcode Fuzzy Hash: 98d9f44ce5530b2e72feb06b820638aa275c917d4530f1a663fb7d6f082da4f1
Instruction Fuzzy Hash: 98313E22F1CE42C2FB20AB21FC7167A6361BFE9784F855236D64E46A65FE2CE545C700

Function 00007FFD6D9BC6A0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 137networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET ref: 00007FFD6D9BC6DB
InternetConnectA.WININET ref: 00007FFD6D9BC728
HttpOpenRequestA.WININET ref: 00007FFD6D9BC763
HttpSendRequestA.WININET ref: 00007FFD6D9BC7A8
InternetReadFile.WININET ref: 00007FFD6D9BC814
InternetReadFile.WININET ref: 00007FFD6D9BC853
InternetCloseHandle.WININET ref: 00007FFD6D9BC886
InternetCloseHandle.WININET ref: 00007FFD6D9BC88F
InternetCloseHandle.WININET ref: 00007FFD6D9BC8A4

Strings

msdl.microsoft.com, xrefs: 00007FFD6D9BC6F2
Microsoft-Symbol-Server/10.0.10036.206, xrefs: 00007FFD6D9BC6C4
Content-Type: application/octet-stream;, xrefs: 00007FFD6D9BC79E
GET, xrefs: 00007FFD6D9BC73F

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID: Content-Type: application/octet-stream;$GET$Microsoft-Symbol-Server/10.0.10036.206$msdl.microsoft.com
API String ID: 1354133546-1066975914
Opcode ID: 8b8864af0b72b60bbfcc2f9ec87b3006f8447792da80049f262a9c102a6ab130
Instruction ID: d0c532258907abe54655fd652ba02ee25764fd08a5438e05243fc1479b128bb6
Opcode Fuzzy Hash: 8b8864af0b72b60bbfcc2f9ec87b3006f8447792da80049f262a9c102a6ab130
Instruction Fuzzy Hash: 1D517421B0CF42C6EB60DB21B86076A67A5FB99B90F540136EE5D47B99EF7DD500C700

Function 00007FFD6D9D4E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 107registrythreadCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9D4EEC
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9D4F41
GetLocaleInfoW.KERNEL32 ref: 00007FFD6D9D4F8A
GetLocaleInfoW.KERNEL32 ref: 00007FFD6D9D4FA5
SetThreadPreferredUILanguages.KERNEL32 ref: 00007FFD6D9D505B
RegCloseKey.KERNEL32 ref: 00007FFD6D9D506B

Strings

Language, xrefs: 00007FFD6D9D4F1C
Software\ExplorerPatcher, xrefs: 00007FFD6D9D4EBA

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: InfoLocale$CloseCreateLanguagesPreferredQueryThreadValue
String ID: Language$Software\ExplorerPatcher
API String ID: 3850668847-1772575399
Opcode ID: 52014fd3a97edb677402ed2ccdf88578b23b11aae323a7ed2b061de0df453f21
Instruction ID: d119d822eef711a1e71b42a19b2740d28252fc07e89b0ad3d1afa888ec58d322
Opcode Fuzzy Hash: 52014fd3a97edb677402ed2ccdf88578b23b11aae323a7ed2b061de0df453f21
Instruction Fuzzy Hash: 73514C66B18FC182E7218F28E5543A97360F7E9B54F44A235DB8D13A56EF38E2D8C700

Function 00007FFD6D9BD920 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9BD96D
FindFirstFileW.KERNEL32 ref: 00007FFD6D9BD999
FindClose.KERNEL32 ref: 00007FFD6D9BD9A8

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9BD9D8

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

FindFirstFileW.KERNEL32 ref: 00007FFD6D9BDA04

Strings

\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll, xrefs: 00007FFD6D9BD973
\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll, xrefs: 00007FFD6D9BD9DE

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Find$DirectoryFileFirstWindows$AddressCloseHandleModuleOpenProcQueryValue_invalid_parameter_noinfo
String ID: \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
API String ID: 658624814-2596525942
Opcode ID: b62b830e267208c48e4dde00723fdab4d41165d18bb6ff7cca443691e1877037
Instruction ID: 4d8372c1aaf7bbf8f2b97e432bb9b56c77e36ed6e57b241d8b6d07f7237e5b82
Opcode Fuzzy Hash: b62b830e267208c48e4dde00723fdab4d41165d18bb6ff7cca443691e1877037
Instruction Fuzzy Hash: C821ED61B1CD82C2FF60DB24F8653AA2351BBA4328F805632C26E466E5EE7CD509CB40

Function 00007FFD6D9F2E20 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146memorywindowCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FFD6D9F2F2B
GetLastError.KERNEL32 ref: 00007FFD6D9F2F3A
FormatMessageA.KERNEL32 ref: 00007FFD6D9F2F6D

Strings

Unknown Error, xrefs: 00007FFD6D9F2F79
commit page %p (base=%p(used=%d), idx=%llu, size=%llu), xrefs: 00007FFD6D9F3005
Failed to commit page %p (base=%p(used=%d), idx=%llu, size=%llu, error=%lu(%s)), xrefs: 00007FFD6D9F2FC6

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AllocErrorFormatLastMessageVirtual
String ID: commit page %p (base=%p(used=%d), idx=%llu, size=%llu)$Failed to commit page %p (base=%p(used=%d), idx=%llu, size=%llu, error=%lu(%s))$Unknown Error
API String ID: 1689221563-3447313879
Opcode ID: b44925e47d1e0ccb1ee2569ab82a625ac04b462aafab48c4de13057f39da817c
Instruction ID: b091c42571a0c74d75f2ab9636bb9775a8f200f23186b0ae595d48d0e0706985
Opcode Fuzzy Hash: b44925e47d1e0ccb1ee2569ab82a625ac04b462aafab48c4de13057f39da817c
Instruction Fuzzy Hash: B3515F72B1CE92C6EB20CB16F86076667A5FB99B94F400136ED8C87B65EF3CD5468700

Function 00007FFD6D9BD7C0 Relevance: 6.0, APIs: 4, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FFD6D9BD829
CheckTokenMembership.KERNELBASE ref: 00007FFD6D9BD83F
GetLastError.KERNEL32 ref: 00007FFD6D9BD849
FreeSid.ADVAPI32 ref: 00007FFD6D9BD85B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AllocateCheckErrorFreeInitializeLastMembershipToken
String ID:
API String ID: 3835361876-0
Opcode ID: 9bc4818ac291dff88db8240e3eeb39b943aa672b01a7781d9cca6c2466c65656
Instruction ID: 409199fbb7b2f9b0770d9602858806d6b3af4607b56a1a3d62515f3ea1a7f0c9
Opcode Fuzzy Hash: 9bc4818ac291dff88db8240e3eeb39b943aa672b01a7781d9cca6c2466c65656
Instruction Fuzzy Hash: FF11A572A08B4186EA108F66F49031AF6E9FBD4784F10513AE68A83A69DF7CD005CF40

Function 00007FFD6D9CA6C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FFD6D9CA721

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

CoCreateInstance.OLE32 ref: 00007FFD6D9CA8E5

Strings

Taskbar10.cpp, xrefs: 00007FFD6D9CA819, 00007FFD6D9CA8B0

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CreateInstance$AddressHandleModuleOpenProcQueryValue
String ID: Taskbar10.cpp
API String ID: 1469795854-890630466
Opcode ID: 37d9e288e64ff9b9a0fa8de99ee5d15b55503672d42105cba423a497aee4d9dc
Instruction ID: c7a93036cb7f5f17a01c18671d81772c430f2cc5df78d8fc0bd092d874840af7
Opcode Fuzzy Hash: 37d9e288e64ff9b9a0fa8de99ee5d15b55503672d42105cba423a497aee4d9dc
Instruction Fuzzy Hash: 22510435B1CE42C2FB609B16F9A477963A1BB64B94F408436DA4E477A0EF3CE845C740

Function 00007FFD6D9F2D90 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FFD6D9F1E89), ref: 00007FFD6D9F2DA5

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e4d82352877221a0b517692e33a5f3ddb88e79afc553e17f30fd7a49fed66e58
Instruction ID: 258d7befd21e873227f9dff0cad71df6899becc3d709149f749abbd004d3edd0
Opcode Fuzzy Hash: e4d82352877221a0b517692e33a5f3ddb88e79afc553e17f30fd7a49fed66e58
Instruction Fuzzy Hash: 00F0F8B5B1EE52C6EF148B05FC6066873A1FBA9B85F004135DA4D86764EE3CD1408B00

Function 00007FFD6D9EB190 Relevance: 70.4, APIs: 14, Strings: 26, Instructions: 427
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB1C4
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB1CD
K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB1E3

Part of subcall function 00007FFD6D9EAC80: GetSystemDirectoryW.KERNEL32 ref: 00007FFD6D9EACAB
Part of subcall function 00007FFD6D9EAC80: CreateFileW.KERNEL32 ref: 00007FFD6D9EACF1

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB2E4
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB303
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB4C6
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB4FF
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB618
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB653
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB70F
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB74D
LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB766
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB76F
K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6D9CE9FC), ref: 00007FFD6D9EB785

Strings

Setup twinui.pcshell functions done, xrefs: 00007FFD6D9EB8C6
xxxx?xxxx?xxxxxxx?xxx, xrefs: 00007FFD6D9EB797
[TV] firstCallCall = %llX, xrefs: 00007FFD6D9EB6EB
API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL, xrefs: 00007FFD6D9EB8BA
[TV] Patched!, xrefs: 00007FFD6D9EB753
[AC] blockBegin = %llX, xrefs: 00007FFD6D9EB464
[CC] blockBegin = %llX, xrefs: 00007FFD6D9EB5B6
[AC] Patched!, xrefs: 00007FFD6D9EB505
xxx?xxxxx?x, xrefs: 00007FFD6D9EB550
PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor() = %llX, xrefs: 00007FFD6D9EB7C2
RegGetValueW, xrefs: 00007FFD6D9EB8B3
xxxx?xxxxx?x, xrefs: 00007FFD6D9EB518
[TV] firstCallPrep = %llX, xrefs: 00007FFD6D9EB6CD
Failed to hook CMultitaskingViewManager::_CreateXamlMTVHost(). rv = %d, xrefs: 00007FFD6D9EB34F
[CC] rcWorkAssignment = %llX, xrefs: 00007FFD6D9EB57B
[CC] rcMonitorAssignment = %llX, xrefs: 00007FFD6D9EB541
Failed to hook PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor(). rv = %d, xrefs: 00007FFD6D9EB7F8
Windows.Internal.HardwareConfirmator.dll, xrefs: 00007FFD6D9EB75F
[CC] Patched!, xrefs: 00007FFD6D9EB659
[AC] rcMonitorAssignment = %llX, xrefs: 00007FFD6D9EB3EA
x?xxx?xx?x????xxxx, xrefs: 00007FFD6D9EB672
x?xxxx?xx?x????xxxx, xrefs: 00007FFD6D9EB6A5
twinui.pcshell.dll, xrefs: 00007FFD6D9EB1B9
[CC] blockEnd = %llX, xrefs: 00007FFD6D9EB5F2
xxx?xxx?x???xxx, xrefs: 00007FFD6D9EB3B8
[AC] blockEnd = %llX, xrefs: 00007FFD6D9EB4A0

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$CurrentInformationLibraryLoadModuleProcess$CreateDirectoryFileSystem
String ID: API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL$Failed to hook CMultitaskingViewManager::_CreateXamlMTVHost(). rv = %d$Failed to hook PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor(). rv = %d$PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor() = %llX$RegGetValueW$Setup twinui.pcshell functions done$Windows.Internal.HardwareConfirmator.dll$[AC] Patched!$[AC] blockBegin = %llX$[AC] blockEnd = %llX$[AC] rcMonitorAssignment = %llX$[CC] Patched!$[CC] blockBegin = %llX$[CC] blockEnd = %llX$[CC] rcMonitorAssignment = %llX$[CC] rcWorkAssignment = %llX$[TV] Patched!$[TV] firstCallCall = %llX$[TV] firstCallPrep = %llX$twinui.pcshell.dll$x?xxx?xx?x????xxxx$x?xxxx?xx?x????xxxx$xxx?xxx?x???xxx$xxx?xxxxx?x$xxxx?xxxx?xxxxxxx?xxx$xxxx?xxxxx?x
API String ID: 823495189-2291248886
Opcode ID: 0f444e1ea3bf13eef14b3f971964f943a03b0b1a0ff66da87add6c7d42846c41
Instruction ID: 09348ba8a01390d6394000660cb631f21be89733eec051259e949212e4a095ae
Opcode Fuzzy Hash: 0f444e1ea3bf13eef14b3f971964f943a03b0b1a0ff66da87add6c7d42846c41
Instruction Fuzzy Hash: F2224661B0CE42D9FB10DB64F8642BA33A5AF50798F854136CA0D976A5FF3CEA49C340

Function 00007FFD6D9E9AC0 Relevance: 56.4, APIs: 12, Strings: 20, Instructions: 370
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9E9EC7
VirtualProtect.KERNEL32 ref: 00007FFD6D9E9EE8
VirtualProtect.KERNEL32 ref: 00007FFD6D9E9F19
VirtualProtect.KERNEL32 ref: 00007FFD6D9E9F3A
VirtualProtect.KERNEL32 ref: 00007FFD6D9E9F6B
VirtualProtect.KERNEL32 ref: 00007FFD6D9E9F8C
VirtualProtect.KERNEL32 ref: 00007FFD6D9E9FBD
VirtualProtect.KERNEL32 ref: 00007FFD6D9E9FDE
VirtualProtect.KERNEL32 ref: 00007FFD6D9EA006
VirtualProtect.KERNEL32 ref: 00007FFD6D9EA026
VirtualProtect.KERNEL32 ref: 00007FFD6D9EA043
VirtualProtect.KERNEL32 ref: 00007FFD6D9EA063

Strings

[SMA] matchVtable = %llX, xrefs: 00007FFD6D9E9B39
[SMA] matchHideB in CStartExperienceManager::Hide() = %llX, xrefs: 00007FFD6D9E9E39
[SMA] matchSingleViewShellExperienceFields = %llX, xrefs: 00007FFD6D9E9B8C
xxx????xxxxxxxxx, xrefs: 00007FFD6D9E9B4B
xxx????xx????xxxx, xrefs: 00007FFD6D9E9BA1
[SMA] matchAnimationHelperFields = %llX, +0x%X, +0x%X, xrefs: 00007FFD6D9E9BC0
xx?x????x?xxxx????xxx?x, xrefs: 00007FFD6D9E9C3A
[SMA] matchHideA in CStartExperienceManager::Hide() = %llX, xrefs: 00007FFD6D9E9D7D, 00007FFD6D9E9DF5
[SMA] matchTransitioningToCortanaField = %llX, +0x%X, xrefs: 00007FFD6D9E9C1A
xxxxxxxxxx, xrefs: 00007FFD6D9E9D14
[SMA] Not all offsets were found, cannot perform patch, xrefs: 00007FFD6D9EA0AB
[SMA] CExperienceManagerAnimationHelper::End() = %llX, xrefs: 00007FFD6D9E9D46
[SMA] CStartExperienceManager::GetMonitorInformation() = %llX, xrefs: 00007FFD6D9E9C75
xx????xx?xxxx, xrefs: 00007FFD6D9E9BEC
[SMA] CExperienceManagerAnimationHelper::Begin() = %llX, xrefs: 00007FFD6D9E9D05
x??xxxxxx, xrefs: 00007FFD6D9E9D55, 00007FFD6D9E9D8F, 00007FFD6D9E9DCD, 00007FFD6D9E9E0E
xxxxxx????x????xxxx, xrefs: 00007FFD6D9E9CC9
xxxx????xxxx, xrefs: 00007FFD6D9E9C8B
Failed to hook CStartExperienceManager::GetMonitorInformation(). rv = %d, xrefs: 00007FFD6D9EA098
xxxxxxx????xxxxxxxxx, xrefs: 00007FFD6D9E9AE8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID: Failed to hook CStartExperienceManager::GetMonitorInformation(). rv = %d$[SMA] CExperienceManagerAnimationHelper::Begin() = %llX$[SMA] CExperienceManagerAnimationHelper::End() = %llX$[SMA] CStartExperienceManager::GetMonitorInformation() = %llX$[SMA] Not all offsets were found, cannot perform patch$[SMA] matchAnimationHelperFields = %llX, +0x%X, +0x%X$[SMA] matchHideA in CStartExperienceManager::Hide() = %llX$[SMA] matchHideB in CStartExperienceManager::Hide() = %llX$[SMA] matchSingleViewShellExperienceFields = %llX$[SMA] matchTransitioningToCortanaField = %llX, +0x%X$[SMA] matchVtable = %llX$x??xxxxxx$xx????xx?xxxx$xx?x????x?xxxx????xxx?x$xxx????xx????xxxx$xxx????xxxxxxxxx$xxxx????xxxx$xxxxxx????x????xxxx$xxxxxxx????xxxxxxxxx$xxxxxxxxxx
API String ID: 544645111-3813412712
Opcode ID: 0d09f94010ae1e65d397a5051b4cdc0f876fd0969f648fb582ba5b286792c2a0
Instruction ID: 6090fb2b434f0b73914c0d845101842bca15d486400344655095de1644749e29
Opcode Fuzzy Hash: 0d09f94010ae1e65d397a5051b4cdc0f876fd0969f648fb582ba5b286792c2a0
Instruction Fuzzy Hash: 0E025661B18E42DAEA10CF25F8606BA63A1FF94784F454536DA4D477A4FF3CEA49C700

Function 00007FFD6D9EAC80 Relevance: 47.6, APIs: 5, Strings: 22, Instructions: 332
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FFD6D9EACAB

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

CreateFileW.KERNEL32 ref: 00007FFD6D9EACF1
GetFileSize.KERNEL32 ref: 00007FFD6D9EAD2E
ReadFile.KERNEL32 ref: 00007FFD6D9EAD58

Strings

Failed to open twinui.pcshell.dll, xrefs: 00007FFD6D9EAD00
xxxx?xxxx?xxxxxxxxxxxxxxx, xrefs: 00007FFD6D9EAEEA
CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc() = %lX, xrefs: 00007FFD6D9EADDC
ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu() = %lX, xrefs: 00007FFD6D9EAECA
xx?x????xxxxxxx????xxxx?xxx, xrefs: 00007FFD6D9EAF82
ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu() = %lX, xrefs: 00007FFD6D9EAF13
CLauncherTipContextMenu::_ExecuteShutdownCommand() = %lX, xrefs: 00007FFD6D9EAF62
xx?x????xx?xx?xxxx????x, xrefs: 00007FFD6D9EAF33
CMultitaskingViewManager::_CreateDCompMTVHost() = %lX, xrefs: 00007FFD6D9EB12E
xxxx??x??x?xxxxxx????x, xrefs: 00007FFD6D9EAFF3, 00007FFD6D9EB09D
CLauncherTipContextMenu::_ExecuteCommand() = %lX, xrefs: 00007FFD6D9EAFD0
ILauncherTipContextMenuVtbl = %lX, xrefs: 00007FFD6D9EAE4D
xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx, xrefs: 00007FFD6D9EAEA1
xxx????xxxxxxxxx????xxxxxxx????xxxxxxx????xxxxxxx????xxxx, xrefs: 00007FFD6D9EADEF
xxx?????x?x??x??x?xxxxxxxx, xrefs: 00007FFD6D9EB022, 00007FFD6D9EB0C8
xx?x????xxxxxxx????xxxx????x, xrefs: 00007FFD6D9EAFA1
\twinui.pcshell.dll, xrefs: 00007FFD6D9EACB1
CLauncherTipContextMenu::GetMenuItemsAsync() = %lX, xrefs: 00007FFD6D9EAE81
xxxxx????x????xxx, xrefs: 00007FFD6D9EADAE
Failed to read twinui.pcshell.dll, xrefs: 00007FFD6D9EB13C
CLauncherTipContextMenu::ShowLauncherTipContextMenu() = %lX, xrefs: 00007FFD6D9EAE6A
CMultitaskingViewManager::_CreateXamlMTVHost() = %lX, xrefs: 00007FFD6D9EB07A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: File$CreateDirectoryReadSizeSystem_invalid_parameter_noinfo
String ID: CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc() = %lX$CLauncherTipContextMenu::GetMenuItemsAsync() = %lX$CLauncherTipContextMenu::ShowLauncherTipContextMenu() = %lX$CLauncherTipContextMenu::_ExecuteCommand() = %lX$CLauncherTipContextMenu::_ExecuteShutdownCommand() = %lX$CMultitaskingViewManager::_CreateDCompMTVHost() = %lX$CMultitaskingViewManager::_CreateXamlMTVHost() = %lX$Failed to open twinui.pcshell.dll$Failed to read twinui.pcshell.dll$ILauncherTipContextMenuVtbl = %lX$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu() = %lX$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu() = %lX$\twinui.pcshell.dll$xx?x????xx?xx?xxxx????x$xx?x????xxxxxxx????xxxx????x$xx?x????xxxxxxx????xxxx?xxx$xxx?????x?x??x??x?xxxxxxxx$xxx????xxxxxxxxx????xxxxxxx????xxxxxxx????xxxxxxx????xxxx$xxxx??x??x?xxxxxx????x$xxxx?xxxx?xxxxxxxxxxxxxxx$xxxxx????x????xxx$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
API String ID: 1602095072-688399519
Opcode ID: f4ab24ebba49a967ff7068f433ad58aed7619b8e4c8df7d2400c578b1b2f85b8
Instruction ID: 69f05ca145e45261e787afca7b74432417217be68f18bfe7d106d426856243ff
Opcode Fuzzy Hash: f4ab24ebba49a967ff7068f433ad58aed7619b8e4c8df7d2400c578b1b2f85b8
Instruction Fuzzy Hash: BFF15162B0CE42CAEA54DF24F9606B973A1AF50764F454232DA5D832E5FF3CEA45C780

Function 00007FFD6D9F29B0 Relevance: 37.0, APIs: 11, Strings: 10, Instructions: 226
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FFD6D9F29EA
VirtualQuery.KERNEL32 ref: 00007FFD6D9F2A85
GetLastError.KERNEL32 ref: 00007FFD6D9F2A94
FormatMessageA.KERNEL32 ref: 00007FFD6D9F2AC7
VirtualAlloc.KERNEL32 ref: 00007FFD6D9F2B0E
GetLastError.KERNEL32 ref: 00007FFD6D9F2B20
FormatMessageA.KERNEL32 ref: 00007FFD6D9F2B53
VirtualAlloc.KERNEL32 ref: 00007FFD6D9F2C08
GetLastError.KERNEL32 ref: 00007FFD6D9F2C1A
FormatMessageA.KERNEL32 ref: 00007FFD6D9F2C4D
VirtualFree.KERNEL32 ref: 00007FFD6D9F2CC4

Strings

reserve memory %p (hint=%p, size=%llu), xrefs: 00007FFD6D9F2BD8
process map: %08llx-%08llx %s, xrefs: 00007FFD6D9F2A14
used, xrefs: 00007FFD6D9F2A08
free, xrefs: 00007FFD6D9F29F9
Failed to commit memory %p for read-write (hint=%p, size=%llu, error=%lu(%s)), xrefs: 00007FFD6D9F2C94
Unknown Error, xrefs: 00007FFD6D9F2AD7, 00007FFD6D9F2B5F, 00007FFD6D9F2C59
commit memory %p for read-write (hint=%p, size=%llu), xrefs: 00007FFD6D9F2CD6
Failed to reserve memory %p (hint=%p, size=%llu, errro=%lu(%s)), xrefs: 00007FFD6D9F2BA2
Failed to execute VirtualQuery (addr=%p, error=%lu(%s)), xrefs: 00007FFD6D9F2D58
change hint address from %p to %p, xrefs: 00007FFD6D9F2AE6

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Virtual$ErrorFormatLastMessage$AllocQuery$Free
String ID: change hint address from %p to %p$ commit memory %p for read-write (hint=%p, size=%llu)$ process map: %08llx-%08llx %s$ reserve memory %p (hint=%p, size=%llu)$Failed to commit memory %p for read-write (hint=%p, size=%llu, error=%lu(%s))$Failed to execute VirtualQuery (addr=%p, error=%lu(%s))$Failed to reserve memory %p (hint=%p, size=%llu, errro=%lu(%s))$Unknown Error$free$used
API String ID: 2999834170-966645287
Opcode ID: 8954e7f1f4c74206c707921dadd97844bae45565a732bf98f7726cddd87cb0b5
Instruction ID: ca082c9e75283c1e146a729d591260e1bc213eab05f4f1d39c21a6d928a1c971
Opcode Fuzzy Hash: 8954e7f1f4c74206c707921dadd97844bae45565a732bf98f7726cddd87cb0b5
Instruction Fuzzy Hash: 66A13921B1DF82C6EB608B16F8603B967A5FB99B84F540136D98D87BA5FF3CD5058B00

Function 00007FFD6D9C89C0 Relevance: 35.3, APIs: 9, Strings: 11, Instructions: 301
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAncestor.USER32 ref: 00007FFD6D9C8B65
GetClassNameW.USER32 ref: 00007FFD6D9C8B7C
GetClassNameW.USER32 ref: 00007FFD6D9C8C38
CreateWindowExW.USER32 ref: 00007FFD6D9C8CCD
#410.COMCTL32 ref: 00007FFD6D9C8E09
GetCurrentThreadId.KERNEL32 ref: 00007FFD6D9C8E0F
SetWindowsHookExW.USER32 ref: 00007FFD6D9C8E27
FindWindowW.USER32 ref: 00007FFD6D9C8E8E
#410.COMCTL32 ref: 00007FFD6D9C8EAF

Strings

SysTreeView32, xrefs: 00007FFD6D9C8B16
CabinetWClass, xrefs: 00007FFD6D9C8B8D
ClockButton, xrefs: 00007FFD6D9C8D35
NotifyIconOverflowWindow, xrefs: 00007FFD6D9C8AAA
Shell_TrayWnd, xrefs: 00007FFD6D9C8C49, 00007FFD6D9C8DC9, 00007FFD6D9C8E36
TrayClockWClass, xrefs: 00007FFD6D9C8CEC
ReBarWindow32, xrefs: 00007FFD6D9C8BC0, 00007FFD6D9C8E76
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9C8E43
TrayNotifyWnd, xrefs: 00007FFD6D9C8A7D
TrayShowDesktopButtonWClass, xrefs: 00007FFD6D9C8D7D
SysListView32, xrefs: 00007FFD6D9C8AEA

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: #410ClassNameWindow$AncestorCreateCurrentFindHookThreadWindows
String ID: CabinetWClass$ClockButton$NotifyIconOverflowWindow$ReBarWindow32$Shell_SecondaryTrayWnd$Shell_TrayWnd$SysListView32$SysTreeView32$TrayClockWClass$TrayNotifyWnd$TrayShowDesktopButtonWClass
API String ID: 2746137922-373551488
Opcode ID: 7fff841f66bb9f0377a613a03398ed6c11275bed224b490feb09b733b40c26fb
Instruction ID: 10bc5763e59d93d959e9aa59c873859d704e42666bb4eb680355233656563df8
Opcode Fuzzy Hash: 7fff841f66bb9f0377a613a03398ed6c11275bed224b490feb09b733b40c26fb
Instruction Fuzzy Hash: 25E142A6B08E52C5EB689B15B42067973A1FBA4F50F844133DE4E436A8FF3CE895C714

Function 00007FFD6D9BE350 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 106registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32 ref: 00007FFD6D9BE37F
DefWindowProcW.USER32 ref: 00007FFD6D9BE4E1

Strings

d, xrefs: 00007FFD6D9BE4AB
Refreshed Spotlight, xrefs: 00007FFD6D9BE4CA
TaskbarAl, xrefs: 00007FFD6D9BE476
TaskbarCreated, xrefs: 00007FFD6D9BE378
Windows.UI.Core.CoreWindow, xrefs: 00007FFD6D9BE44A
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9BE485

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$MessageProcRegister
String ID: Refreshed Spotlight$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl$TaskbarCreated$Windows.UI.Core.CoreWindow$d
API String ID: 136062168-2101710627
Opcode ID: 7faffbf9f6db06a131fc6fc84afc2d1a480241f71897be6f2f9758cbfbd10773
Instruction ID: 0fe8de795a644c2610cb503dfbda3b83bb400669c89a515b677d59bc0aed1247
Opcode Fuzzy Hash: 7faffbf9f6db06a131fc6fc84afc2d1a480241f71897be6f2f9758cbfbd10773
Instruction Fuzzy Hash: CE416C60F1CE02C5FA609B22FC746BA2259AFA5794F450572E90E82694FF2CE444C761

Function 00007FFD6D9E90A0 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9E92E4
VirtualProtect.KERNEL32 ref: 00007FFD6D9E9336
VirtualProtect.KERNEL32 ref: 00007FFD6D9E935B

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

VirtualProtect.KERNEL32 ref: 00007FFD6D9E9383

Strings

xxx????xx, xrefs: 00007FFD6D9E90CC
[HC] Patched!, xrefs: 00007FFD6D9E9389
xxx?xxxx, xrefs: 00007FFD6D9E910A
xxx?x, xrefs: 00007FFD6D9E9159
[HC] match1 = %llX, xrefs: 00007FFD6D9E90EC
[HC] match2 = %llX, xrefs: 00007FFD6D9E9139
[HC] writeAt = %llX, xrefs: 00007FFD6D9E918E
[HC] cleanup = %llX-%llX, xrefs: 00007FFD6D9E91E6

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
String ID: [HC] Patched!$[HC] cleanup = %llX-%llX$[HC] match1 = %llX$[HC] match2 = %llX$[HC] writeAt = %llX$xxx????xx$xxx?x$xxx?xxxx
API String ID: 1029361184-3401359449
Opcode ID: be6e20bea0f676e2d818be911ca7bb33ea0c16d1633b35f75cf92cd14009bcb5
Instruction ID: 24cee40b7d5f7c74956335c1584ad33024ac9b83bf040b8ee1ceecc7cb5e790a
Opcode Fuzzy Hash: be6e20bea0f676e2d818be911ca7bb33ea0c16d1633b35f75cf92cd14009bcb5
Instruction Fuzzy Hash: 8A918762B18A92D9EB00CF61E8645BE77A1AF44B84F458436DA0E57B89FF3CE605C740

Function 00007FFD6D9BF530 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 92librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFD6D9BF547
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BF560

Part of subcall function 00007FFD6D9BF230: RegGetValueW.ADVAPI32 ref: 00007FFD6D9BF287

GetProcAddress.KERNEL32 ref: 00007FFD6D9BF59A

Part of subcall function 00007FFD6D9BF170: GetCurrentProcess.KERNEL32 ref: 00007FFD6D9BF190
Part of subcall function 00007FFD6D9BF170: K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9BF1A7
Part of subcall function 00007FFD6D9BF170: VirtualProtect.KERNEL32 ref: 00007FFD6D9BF1F5
Part of subcall function 00007FFD6D9BF170: VirtualProtect.KERNEL32 ref: 00007FFD6D9BF214

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9BF5CF
VirtualProtect.KERNEL32 ref: 00007FFD6D9BF63A
VirtualProtect.KERNEL32 ref: 00007FFD6D9BF671
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9BF692

Strings

Windows.UI.Xaml.dll, xrefs: 00007FFD6D9BF559
Error in Windows11v22H2_combase_LoadLibraryExW on DllGetActivationFactory, xrefs: 00007FFD6D9BF5A8
Error in Windows11v22H2_combase_LoadLibraryExW on WindowsCreateStringReference, xrefs: 00007FFD6D9BF5D9
Windows.UI.Xaml.Hosting.WindowsXamlManager, xrefs: 00007FFD6D9BF5C8
DllGetActivationFactory, xrefs: 00007FFD6D9BF582

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$ModuleStringWindows$AddressCreateCurrentDeleteHandleInformationLibraryLoadProcProcessReferenceValue
String ID: DllGetActivationFactory$Error in Windows11v22H2_combase_LoadLibraryExW on DllGetActivationFactory$Error in Windows11v22H2_combase_LoadLibraryExW on WindowsCreateStringReference$Windows.UI.Xaml.Hosting.WindowsXamlManager$Windows.UI.Xaml.dll
API String ID: 2113071911-1359692214
Opcode ID: c6c868296f6492aff193e6ba6c5acef1592af5d7ac0fb65ba097415c29c3b94b
Instruction ID: 3b2915ad7dcf11a54b59467746f3e5ffd5dee2c02f95f2b45cdfbe596c28782e
Opcode Fuzzy Hash: c6c868296f6492aff193e6ba6c5acef1592af5d7ac0fb65ba097415c29c3b94b
Instruction Fuzzy Hash: 78411426B1DE46C2EA50DF25F86016A6360FF98B98F451036EE4E43BA8EF3DE545C710

Function 00007FFD6D9E42B0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE ref: 00007FFD6D9E42D4
RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9E42DF
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9E42FB
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9E4318
RoActivateInstance.COMBASE ref: 00007FFD6D9E4339
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9E43F0
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9E43FB

Strings

Windows.Data.Xml.Dom.XmlDocument, xrefs: 00007FFD6D9E42F4
%s:%d:: QueryInterface = %d, xrefs: 00007FFD6D9E4397
String2IXMLDocument, xrefs: 00007FFD6D9E438A, 00007FFD6D9E43D2
%s:%d:: RoActivateInstance = %d, xrefs: 00007FFD6D9E43DF

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: StringWindows$CreateDeleteInitializeReference$ActivateInstance
String ID: %s:%d:: QueryInterface = %d$%s:%d:: RoActivateInstance = %d$String2IXMLDocument$Windows.Data.Xml.Dom.XmlDocument
API String ID: 2286360050-3498695339
Opcode ID: 4ec89ffa7e818d8f6f94903db93d1a7205b8f2509710d7989955ba885561945b
Instruction ID: 021ce374a0ecfd855ff1ff2c3da0fb064cf8e10cf53045fcbe29d17173d53c74
Opcode Fuzzy Hash: 4ec89ffa7e818d8f6f94903db93d1a7205b8f2509710d7989955ba885561945b
Instruction Fuzzy Hash: 3D413C2671CF46C2EB109B25F8A026A67A1FFD8B95F405032EA4E83764EF7DD549CB00

Function 00007FFD6D9CB780 Relevance: 19.3, APIs: 4, Strings: 7, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegGetValueW.KERNEL32 ref: 00007FFD6D9CB829
GetDpiForSystem.USER32 ref: 00007FFD6D9CB84F
MulDiv.KERNEL32 ref: 00007FFD6D9CB85F
GetSystemMetrics.USER32 ref: 00007FFD6D9CB869

Strings

IconSpacing, xrefs: 00007FFD6D9CB7E1
', xrefs: 00007FFD6D9CB7EA
Control Panel\Desktop\WindowMetrics, xrefs: 00007FFD6D9CB808
&, xrefs: 00007FFD6D9CB7DC
MinWidth, xrefs: 00007FFD6D9CB7D5
9, xrefs: 00007FFD6D9CB83F
IconVerticalSpacing, xrefs: 00007FFD6D9CB7ED

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: System$MetricsValue
String ID: &$'$9$Control Panel\Desktop\WindowMetrics$IconSpacing$IconVerticalSpacing$MinWidth
API String ID: 1597967150-2735893900
Opcode ID: 938e79a5f4417f6df2efa723607223f6b844bda69fdcea2ab12127382762ddd3
Instruction ID: ffbf5b0ecaa959b020f8fd2ceff78d9a622fb3b447634e1a6d9fc89f055eabf5
Opcode Fuzzy Hash: 938e79a5f4417f6df2efa723607223f6b844bda69fdcea2ab12127382762ddd3
Instruction Fuzzy Hash: 83215E25B0CF42C2EB208B12F8A47BA73B1BFA5758F540136D95D42AA5EF7CE5488740

Function 00007FFD6D9E8CC0 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9E8E32
VirtualProtect.KERNEL32 ref: 00007FFD6D9E8E70

Strings

[TC] Patched!, xrefs: 00007FFD6D9E8E76
xxx??xxx?xx, xrefs: 00007FFD6D9E8D69
[TC] rcMonitorAssignment = %llX, xrefs: 00007FFD6D9E8D8B
xxx??xxxx?xx, xrefs: 00007FFD6D9E8D18
[TC] blockEnd = %llX, xrefs: 00007FFD6D9E8E04
xxx??xxxx?xxx, xrefs: 00007FFD6D9E8CEA
xxx??xxx?xxx, xrefs: 00007FFD6D9E8D3A
[TC] blockBegin = %llX, xrefs: 00007FFD6D9E8DC5

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID: [TC] Patched!$[TC] blockBegin = %llX$[TC] blockEnd = %llX$[TC] rcMonitorAssignment = %llX$xxx??xxx?xx$xxx??xxx?xxx$xxx??xxxx?xx$xxx??xxxx?xxx
API String ID: 544645111-3560911239
Opcode ID: 7ef1aaaae73d535f98026d1072f40cf453ae44ca0f579e52d7b4416d2ef6128e
Instruction ID: 308272f13860279ad01e35592f47862466aef287ce87d3dbc0a250a20e732dab
Opcode Fuzzy Hash: 7ef1aaaae73d535f98026d1072f40cf453ae44ca0f579e52d7b4416d2ef6128e
Instruction Fuzzy Hash: 43518E21B0CE42D9EB14DB6AF8201BA23A1AF94B84F8A4533DA4C47755FF3CE645C740

Function 00007FFD6D9E40F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 110COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FFD6D9E4115
RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9E4120
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9E413A
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9E4175

Strings

Windows.UI.Notifications.ToastNotification, xrefs: 00007FFD6D9E41E4
Windows.UI.Notifications.ToastNotificationManager, xrefs: 00007FFD6D9E416E
Microsoft.Windows.Explorer, xrefs: 00007FFD6D9E4133

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CreateInitializeReferenceStringWindows
String ID: Microsoft.Windows.Explorer$Windows.UI.Notifications.ToastNotification$Windows.UI.Notifications.ToastNotificationManager
API String ID: 3973075819-205246331
Opcode ID: 61fe052dac5bbf871d41a08c977f99300e810394ad62dcf125acb6468106a64f
Instruction ID: 0a8d0f2771cd92bb17168aea29e54d319899dd23cd6a12b02ac7b7abab9f3fcd
Opcode Fuzzy Hash: 61fe052dac5bbf871d41a08c977f99300e810394ad62dcf125acb6468106a64f
Instruction Fuzzy Hash: 6C51B766B08E06DAEB00DBA5E4A43AD2371FB98B88F400432CE0E97B54EF7DD549C751

Function 00007FFD6D9CD870 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9BD290: GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD2C6
Part of subcall function 00007FFD6D9BD290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6D9BD2F9
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD32F

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FFD6D9C30C8), ref: 00007FFD6D9CD8F3
K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,00007FFD6D9C30C8), ref: 00007FFD6D9CD90A

Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD3B9
Part of subcall function 00007FFD6D9BD290: VirtualQuery.KERNEL32 ref: 00007FFD6D9BD3F8
Part of subcall function 00007FFD6D9BD290: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD413
Part of subcall function 00007FFD6D9BD290: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD43B
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD446

Strings

xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx, xrefs: 00007FFD6D9CD914
TrackPopupMenu, xrefs: 00007FFD6D9CD8D9
CoCreateInstance, xrefs: 00007FFD6D9CD893
api-ms-win-core-registry-l1-1-0.dll, xrefs: 00007FFD6D9CD8C3
Setup pnidui functions done, xrefs: 00007FFD6D9CD952
api-ms-win-core-com-l1-1-0.dll, xrefs: 00007FFD6D9CD89A
user32.dll, xrefs: 00007FFD6D9CD8E0
RegGetValueW, xrefs: 00007FFD6D9CD8BC

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLibraryVirtual$ModuleProtect$CurrentDataDirectoryEntryHandleImageInformationProcessQuery
String ID: CoCreateInstance$RegGetValueW$Setup pnidui functions done$TrackPopupMenu$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-registry-l1-1-0.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
API String ID: 430087472-2450567920
Opcode ID: 0c157bf8712ebea2149f69c88d5e9c5f816ba651df63a06dc4cec4d17ce86d98
Instruction ID: 7424f36f1fdf324cc97fb620975571cbb5a371f26773baf2de2e20f15c8b60f4
Opcode Fuzzy Hash: 0c157bf8712ebea2149f69c88d5e9c5f816ba651df63a06dc4cec4d17ce86d98
Instruction Fuzzy Hash: BD21F361B0CE46D1FA10DF62F9601E62362AF98784F884133D94E16769FF7CE189C780

Function 00007FFD6D9C62C0 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 46sleepwindowCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 00007FFD6D9C62EE
FindWindowExW.USER32 ref: 00007FFD6D9C6308
IsWindowVisible.USER32 ref: 00007FFD6D9C6316
SleepEx.KERNEL32 ref: 00007FFD6D9C6325
Sleep.KERNEL32 ref: 00007FFD6D9C633C
SetEvent.KERNEL32 ref: 00007FFD6D9C6349

Strings

Ended "Signal shell ready" thread., xrefs: 00007FFD6D9C6369
Start, xrefs: 00007FFD6D9C62FC
Shell_TrayWnd, xrefs: 00007FFD6D9C62E3
Started "Signal shell ready" thread., xrefs: 00007FFD6D9C62C8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$FindSleep$EventVisible
String ID: Ended "Signal shell ready" thread.$Shell_TrayWnd$Start$Started "Signal shell ready" thread.
API String ID: 3652910701-782476775
Opcode ID: 247a5b9a3272aa9d4b6fa25156f3d4a27cc8ff7abbbe85a81eb08c1eab5ae117
Instruction ID: 3a8b3db250b4f1c436a969583a8fc5752bc19f2d070f47fb824f4f1aeb706d3a
Opcode Fuzzy Hash: 247a5b9a3272aa9d4b6fa25156f3d4a27cc8ff7abbbe85a81eb08c1eab5ae117
Instruction Fuzzy Hash: 6C112E60F0CE03C2FF58AB61BC756B527A1AFA5741F44503AC90E462E1FF7CA489C690

Function 00007FFD6D9CCB20 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegGetValueW.KERNEL32 ref: 00007FFD6D9CCB9B
RegGetValueW.KERNEL32 ref: 00007FFD6D9CCBDF
RegGetValueW.KERNEL32 ref: 00007FFD6D9CCC24
RegGetValueW.KERNEL32 ref: 00007FFD6D9CCC73

Strings

CrashCounterThreshold, xrefs: 00007FFD6D9CCC4E
CrashCounter, xrefs: 00007FFD6D9CCBBA
CrashThresholdTime, xrefs: 00007FFD6D9CCBFF
Software\ExplorerPatcher, xrefs: 00007FFD6D9CCB7A, 00007FFD6D9CCBC6, 00007FFD6D9CCC0B, 00007FFD6D9CCC5A
CrashCounterDisabled, xrefs: 00007FFD6D9CCB6E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value
String ID: CrashCounter$CrashCounterDisabled$CrashCounterThreshold$CrashThresholdTime$Software\ExplorerPatcher
API String ID: 3702945584-694238707
Opcode ID: a676f1da80b7d5bea20316a3c839fd19d2768aa93fa861a519cfd8a81d9524ca
Instruction ID: c8a10454de0d931ca063f691ec0bd0241ebfc5cdaad4b61706ad2d3903a967ec
Opcode Fuzzy Hash: a676f1da80b7d5bea20316a3c839fd19d2768aa93fa861a519cfd8a81d9524ca
Instruction Fuzzy Hash: 33413572608B41CAEB20CF15F45029A7BA0FB84B54F944236EB9D07B98EF3ED255CB44

Function 00007FFD6D9CC8F0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CC90C
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CC915
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CC92C

Part of subcall function 00007FFD6D9BD460: GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD494
Part of subcall function 00007FFD6D9BD460: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD538
Part of subcall function 00007FFD6D9BD460: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD55B
Part of subcall function 00007FFD6D9BD460: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD566

Strings

api-ms-win-core-winrt-l1-1-0.dll, xrefs: 00007FFD6D9CC943
x?xxxx????xxx, xrefs: 00007FFD6D9CC953
CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart() = %llX, xrefs: 00007FFD6D9CC98B
Failed to hook CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart(). rv = %d, xrefs: 00007FFD6D9CC9CC
AppResolver.dll, xrefs: 00007FFD6D9CC905
RoGetActivationFactory, xrefs: 00007FFD6D9CC93C

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: LibraryModuleProtectVirtual$CurrentFreeHandleInformationLoadProcess
String ID: AppResolver.dll$CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart() = %llX$Failed to hook CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart(). rv = %d$RoGetActivationFactory$api-ms-win-core-winrt-l1-1-0.dll$x?xxxx????xxx
API String ID: 1174645330-3507426587
Opcode ID: ef56db7a44096efa6d059a2cc3badf64a5ecbf803e44633e99018f49d43da3e0
Instruction ID: e4caf990c69ab3c91214c14151f0ebbe916f9bc0d9c766418d8777e340156250
Opcode Fuzzy Hash: ef56db7a44096efa6d059a2cc3badf64a5ecbf803e44633e99018f49d43da3e0
Instruction Fuzzy Hash: 1A2105A1B0DE42D1FA00DB62F8B56B62360AFA4794F841536D94E463A9FE3CE54AC340

Function 00007FFD6D9F25E0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

Could not allocate memory near address %p, xrefs: 00007FFD6D9F2718
Could not modify already-installed funchook handle., xrefs: 00007FFD6D9F260D
failed to get page, xrefs: 00007FFD6D9F2739
failed to make trampoline, xrefs: 00007FFD6D9F2663

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID: failed to get page$ failed to make trampoline$Could not allocate memory near address %p$Could not modify already-installed funchook handle.
API String ID: 0-2189554615
Opcode ID: 0dcd918d6a9fb1b435397edfb2b92d1158f24f494b900e2e2f09df01581675ed
Instruction ID: ddfcd502646a4c5d5982622f14eb9dc4ef812884de83c43286e10d08977669c3
Opcode Fuzzy Hash: 0dcd918d6a9fb1b435397edfb2b92d1158f24f494b900e2e2f09df01581675ed
Instruction Fuzzy Hash: C471F926B19F81C6DB609B25F8502AA73A0FB99B84F445436EE8E87B55EF3CE544C700

Function 00007FFD6D9B2890 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 64registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FFD6D9B28FD
ntdll.dll, xrefs: 00007FFD6D9B28A8
RtlGetVersion, xrefs: 00007FFD6D9B28BE
UBR, xrefs: 00007FFD6D9B2958

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AddressHandleModuleOpenProcQueryValue
String ID: RtlGetVersion$UBR$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 3749297518-2374052841
Opcode ID: 9d87f9b91261a5ef74bccfdd57653f5feb03a1092f759d2651c69dcd4f025410
Instruction ID: b596384cc75c1ff927d7538537601844f371e5b310d3781ab01acf1cb9d9dd14
Opcode Fuzzy Hash: 9d87f9b91261a5ef74bccfdd57653f5feb03a1092f759d2651c69dcd4f025410
Instruction Fuzzy Hash: 19213E21B18E52C2EF50DB25F8A166A73A1FB94794F845132EA9E477A5FF3CD105CB00

Function 00007FFD6D9F35A0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92memorywindowCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9F3613
GetLastError.KERNEL32 ref: 00007FFD6D9F364C
FormatMessageA.KERNEL32 ref: 00007FFD6D9F367D
GetLastError.KERNEL32 ref: 00007FFD6D9F36C1

Strings

Failed to unprotect memory %p (size=%llu) <- %p (size=%llu, error=%lu(%s)), xrefs: 00007FFD6D9F36CB
Unknown Error, xrefs: 00007FFD6D9F368A
unprotect memory %p (size=%llu) <- %p (size=%llu), xrefs: 00007FFD6D9F3621

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ErrorLast$FormatMessageProtectVirtual
String ID: unprotect memory %p (size=%llu) <- %p (size=%llu)$Failed to unprotect memory %p (size=%llu) <- %p (size=%llu, error=%lu(%s))$Unknown Error
API String ID: 2888148163-2742179861
Opcode ID: 76f81bbd27526eec4d54eb52136fd5565e358d5aa963c2d15698727e3856a4dd
Instruction ID: 3acd30e54b4112fa344bb196540968c53bf5e31968d27eab3fadd2fb7c957ac6
Opcode Fuzzy Hash: 76f81bbd27526eec4d54eb52136fd5565e358d5aa963c2d15698727e3856a4dd
Instruction Fuzzy Hash: 4D417F22B1CF86C1EB208B21F8613B967A0FB99B88F044136EA8D57B59EF3CD555C700

Function 00007FFD6D9F3720 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68memorywindowCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9F3755
GetLastError.KERNEL32 ref: 00007FFD6D9F3784
FormatMessageA.KERNEL32 ref: 00007FFD6D9F37B5
GetLastError.KERNEL32 ref: 00007FFD6D9F37FF

Strings

protect memory %p (size=%llu), xrefs: 00007FFD6D9F3763
Unknown Error, xrefs: 00007FFD6D9F37C2
Failed to protect memory %p (size=%llu, error=%lu(%s)), xrefs: 00007FFD6D9F3809

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ErrorLast$FormatMessageProtectVirtual
String ID: protect memory %p (size=%llu)$Failed to protect memory %p (size=%llu, error=%lu(%s))$Unknown Error
API String ID: 2888148163-2522531280
Opcode ID: f6b57e912bedf80b5fb7971f670bf1aa8c7e6dba204ad976d1cd2a023942e529
Instruction ID: 4a5c05fdd8400e322c707123624328b9f4ccd40ce8f792b65d726ddafa6043cc
Opcode Fuzzy Hash: f6b57e912bedf80b5fb7971f670bf1aa8c7e6dba204ad976d1cd2a023942e529
Instruction Fuzzy Hash: 4E316F21B0CE82C2EB608B21F4203BAA7A1FB98B88F444536DA8D57B54EF7CD545CB40

Function 00007FFD6D9F3290 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 67memorywindowCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9F32CA
GetLastError.KERNEL32 ref: 00007FFD6D9F32FC
FormatMessageA.KERNEL32 ref: 00007FFD6D9F332D
GetLastError.KERNEL32 ref: 00007FFD6D9F3371

Strings

protect page %p (size=%llu, prot=read,exec), xrefs: 00007FFD6D9F32DB
Failed to protect page %p (size=%llu, prot=read,exec, error=%lu(%s)), xrefs: 00007FFD6D9F337E
Unknown Error, xrefs: 00007FFD6D9F333A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ErrorLast$FormatMessageProtectVirtual
String ID: protect page %p (size=%llu, prot=read,exec)$Failed to protect page %p (size=%llu, prot=read,exec, error=%lu(%s))$Unknown Error
API String ID: 2888148163-3855186111
Opcode ID: d43fbaa4eeae4fc359402d00be4e85badc5513ee881c4fe30d7a734a902469b8
Instruction ID: 7e757108765602038c086b1ea235f6ec1f4599e2532fc58f82164caf0907221c
Opcode Fuzzy Hash: d43fbaa4eeae4fc359402d00be4e85badc5513ee881c4fe30d7a734a902469b8
Instruction Fuzzy Hash: 66314F21B1CE82C2FB608B66F8203BA67A1FB98B84F444536D98D47BA5EF7CD145C700

Function 00007FFD6D9CAAB0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 50memorystringregistryCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 00007FFD6D9CAAE8
VirtualProtect.KERNEL32 ref: 00007FFD6D9CAB05
lstrcpyW.KERNEL32 ref: 00007FFD6D9CAB19
VirtualProtect.KERNEL32 ref: 00007FFD6D9CAB31
RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9CAB48

Strings

Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB, xrefs: 00007FFD6D9CAB0F
Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify, xrefs: 00007FFD6D9CAAD8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$Openlstrcmpilstrcpy
String ID: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB$Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
API String ID: 3588037206-2075971939
Opcode ID: fe4b2c8db1d22a09de3faee1197f5fe09447eefd6e4f7c3f1b905d291895351f
Instruction ID: f17cb8536e87796ab2c6724c80e0466880162bc4437a6778913b35eaebe0ee68
Opcode Fuzzy Hash: fe4b2c8db1d22a09de3faee1197f5fe09447eefd6e4f7c3f1b905d291895351f
Instruction Fuzzy Hash: 22113C61B29A5282FB508F12BC20A6A6761FB99BD4F845036ED4E47B14EF3CE449C700

Function 00007FFD6D9F155C Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFD6D9F1584
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFD6D9F15D6
_RTC_Initialize.LIBCMT ref: 00007FFD6D9F1604
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFD6D9F162A
__scrt_release_startup_lock.LIBCMT ref: 00007FFD6D9F1655

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 3b4f6e87e4b416f9f5b326fcb725a3830c06083ff715e3015abc40643045dafa
Instruction ID: 20395377c063bde96a0ef1fe04c3c46f1f0f60a6cd59a992bcb8a56cac5d5412
Opcode Fuzzy Hash: 3b4f6e87e4b416f9f5b326fcb725a3830c06083ff715e3015abc40643045dafa
Instruction Fuzzy Hash: 2681E6A1F0CE43C6FB109B65B4712B96290AF62780F444537D94DA7796FF3CE5458780

Function 00007FFD6D9BD290 Relevance: 12.1, APIs: 8, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD2C6
ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6D9BD2F9
FreeLibrary.KERNEL32 ref: 00007FFD6D9BD32F
FreeLibrary.KERNEL32 ref: 00007FFD6D9BD3B9
VirtualQuery.KERNEL32 ref: 00007FFD6D9BD3F8
VirtualProtect.KERNEL32 ref: 00007FFD6D9BD413
VirtualProtect.KERNEL32 ref: 00007FFD6D9BD43B
FreeLibrary.KERNEL32 ref: 00007FFD6D9BD446

Part of subcall function 00007FFD6DA0A154: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0A171

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLibraryVirtual$Protect$DataDirectoryEntryHandleImageModuleQuery_invalid_parameter_noinfo
String ID:
API String ID: 3041990818-0
Opcode ID: 4e1dd611ff582084d51b0f53564d14d9bfa321502564381179b35b6334ffa167
Instruction ID: df4e718f8c511ad66009b05c67792d7d96317901f04373347d809f837c206ce9
Opcode Fuzzy Hash: 4e1dd611ff582084d51b0f53564d14d9bfa321502564381179b35b6334ffa167
Instruction Fuzzy Hash: 1D513166B1CE42C2EB509B26F8607BE63A0FBD4B94F055036EA4E87799EE3CD444C710

Function 00007FFD6D9D9C13 Relevance: 10.7, APIs: 7, Instructions: 165registrysynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FFD6D9D9CA4
RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9D9D07
RegNotifyChangeKeyValue.KERNEL32 ref: 00007FFD6D9D9D38
WaitForMultipleObjects.KERNEL32 ref: 00007FFD6D9D9D5F
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9D9DA9
CloseHandle.KERNEL32 ref: 00007FFD6D9D9E09
RegCloseKey.ADVAPI32 ref: 00007FFD6D9D9E1F

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CloseCreateWait$ChangeEventHandleMultipleNotifyObjectObjectsSingleValue
String ID:
API String ID: 3111792343-0
Opcode ID: 4c2129d9bc8a76230afcfdcd18323b87a713b67d6f41ba40eb583d8e29a3cb42
Instruction ID: a1bb19e5620e7d7343275d93ff4809dfa0000ebc1d3e4eb0883098909e9c0406
Opcode Fuzzy Hash: 4c2129d9bc8a76230afcfdcd18323b87a713b67d6f41ba40eb583d8e29a3cb42
Instruction Fuzzy Hash: F8619F32B18E42D6EB54DB25E4B477963A0FB84B88F088236DE5E47794EE3CD845C300

Function 00007FFD6DA101F8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0000DCB06BC72D17,00007FFD6DA0BEC9,?,?,?,?,00007FFD6DA104C2,?,?,00000000,00007FFD6DA14E97,?,?,?), ref: 00007FFD6DA10207
FlsSetValue.KERNEL32(?,?,0000DCB06BC72D17,00007FFD6DA0BEC9,?,?,?,?,00007FFD6DA104C2,?,?,00000000,00007FFD6DA14E97,?,?,?), ref: 00007FFD6DA1023D
FlsSetValue.KERNEL32(?,?,0000DCB06BC72D17,00007FFD6DA0BEC9,?,?,?,?,00007FFD6DA104C2,?,?,00000000,00007FFD6DA14E97,?,?,?), ref: 00007FFD6DA1026A
FlsSetValue.KERNEL32(?,?,0000DCB06BC72D17,00007FFD6DA0BEC9,?,?,?,?,00007FFD6DA104C2,?,?,00000000,00007FFD6DA14E97,?,?,?), ref: 00007FFD6DA1027B
FlsSetValue.KERNEL32(?,?,0000DCB06BC72D17,00007FFD6DA0BEC9,?,?,?,?,00007FFD6DA104C2,?,?,00000000,00007FFD6DA14E97,?,?,?), ref: 00007FFD6DA1028C
SetLastError.KERNEL32(?,?,0000DCB06BC72D17,00007FFD6DA0BEC9,?,?,?,?,00007FFD6DA104C2,?,?,00000000,00007FFD6DA14E97,?,?,?), ref: 00007FFD6DA102A7

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 05146f3defd5b154050a0e41d8ba5e3575e6762bff0db976e6a432829816c894
Instruction ID: 91d075a1ff1db86ea06ce61a85dbc95f387c570d7ad78471be41097960efb47c
Opcode Fuzzy Hash: 05146f3defd5b154050a0e41d8ba5e3575e6762bff0db976e6a432829816c894
Instruction Fuzzy Hash: 8411AF21B0DE42C2FE546722B9B103932829FB87B4F544738EA3E17BD6FE2CA451C205

Function 00007FFD6D9CAC50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53registrystringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32 ref: 00007FFD6D9CACA1
RegGetValueW.ADVAPI32 ref: 00007FFD6D9CACDC

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

RegGetValueW.KERNEL32 ref: 00007FFD6D9CAD1C

Strings

TaskbarDa, xrefs: 00007FFD6D9CACB3
ShowCortanaButton, xrefs: 00007FFD6D9CAC97

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$AddressHandleModuleOpenProcQuerylstrcmp
String ID: ShowCortanaButton$TaskbarDa
API String ID: 4138643572-1008683796
Opcode ID: e7516b54919ff180e0a7479432527fd70eb951aefdb24062e04a04032aec6d71
Instruction ID: 13fde7c17cb760c473509afdeeeabe3b99ab2980a1124b368c4e474c5099e3a6
Opcode Fuzzy Hash: e7516b54919ff180e0a7479432527fd70eb951aefdb24062e04a04032aec6d71
Instruction Fuzzy Hash: D821F671A0CF41C6EB208B12F85466AB3A5FB98BC4F544136EA8D47B69EF3CD541CB00

Function 00007FFD6D9BD460 Relevance: 7.6, APIs: 5, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD494
FreeLibrary.KERNEL32 ref: 00007FFD6D9BD5BB

Part of subcall function 00007FFD6DA0A154: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0A171

VirtualProtect.KERNEL32 ref: 00007FFD6D9BD538
VirtualProtect.KERNEL32 ref: 00007FFD6D9BD55B
FreeLibrary.KERNEL32 ref: 00007FFD6D9BD566

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLibraryProtectVirtual$HandleModule_invalid_parameter_noinfo
String ID:
API String ID: 172810297-0
Opcode ID: dae4ad9bb35fcd49da65b17bf2118d8f1734c85b4c447c57c7e2259dea9c94da
Instruction ID: 285931311f53a28179252cfbe4005a50184d1d772b65b4b646f10d54b9563679
Opcode Fuzzy Hash: dae4ad9bb35fcd49da65b17bf2118d8f1734c85b4c447c57c7e2259dea9c94da
Instruction Fuzzy Hash: 79413F62B18E41C2EB64CF51F86067A67A1FB99BD8F054036EE8E47758EE7CE440C710

Function 00007FFD6D9CBE40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD6D9CBE77
GetProcAddress.KERNEL32 ref: 00007FFD6D9CBE87

Strings

NtUserFindWindowEx, xrefs: 00007FFD6D9CBE80
win32u.dll, xrefs: 00007FFD6D9CBE70

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtUserFindWindowEx$win32u.dll
API String ID: 1646373207-2703420062
Opcode ID: 83859f7c66667c9c358b2b8106913d927510356cc0bb071f2510942001acc61e
Instruction ID: 4cd37de17fc4795f29187d0f70e9c6c636e478797eac1ed021e7cef1a06aa2cf
Opcode Fuzzy Hash: 83859f7c66667c9c358b2b8106913d927510356cc0bb071f2510942001acc61e
Instruction Fuzzy Hash: 58015B26B1CE51C5EA00CB12F85042AB7A4BBA8FD4F550536DE8D57725EF3CE4428740

Function 00007FFD6D9CD340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FFD6D9CD353
RegSetKeyValueW.KERNELBASE ref: 00007FFD6D9CD38E

Strings

CrashCounter, xrefs: 00007FFD6D9CD371
Software\ExplorerPatcher, xrefs: 00007FFD6D9CD380

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: SleepValue
String ID: CrashCounter$Software\ExplorerPatcher
API String ID: 1540188156-2892006628
Opcode ID: ed63f36741d272485b999506698d90b264502b0eb51f636bacafd351425c53ee
Instruction ID: 28130e6e72a7d1b637620f0c21709dc1b77473a0db497404adcf5edb7882e074
Opcode Fuzzy Hash: ed63f36741d272485b999506698d90b264502b0eb51f636bacafd351425c53ee
Instruction Fuzzy Hash: 97F0DAA5B28E41C5EB50DB11F86525577A0FB987A4F801235E64E067A9EF3CD105CB44

Function 00007FFD6D9F2060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00007FFD6D9F203B,?,?,00000000,00007FFD6D9C1EA7), ref: 00007FFD6D9F2145
FlushInstructionCache.KERNEL32(?,00007FFD6D9F203B,?,?,00000000,00007FFD6D9C1EA7), ref: 00007FFD6D9F2154

Strings

Patched Instructions:, xrefs: 00007FFD6D9F2163

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcess
String ID: Patched Instructions:
API String ID: 2564211676-4020029282
Opcode ID: f3366050c6bc144045223ff0fb4e42f33b3c7d9e2d4a1136741ca7e68a8572d8
Instruction ID: cd5ba3b88ed10f21e8542ff8e1a35fdd5134c951ab67c58881e150da31b8be54
Opcode Fuzzy Hash: f3366050c6bc144045223ff0fb4e42f33b3c7d9e2d4a1136741ca7e68a8572d8
Instruction Fuzzy Hash: F5414C6272CEC2C1EA60DB21F4603AAA7A5FB94B84F845032DF4D93A49EF7CE505C705

Function 00007FFD6D9F07D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,00007FFD6D9BE4B6), ref: 00007FFD6D9F080D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00007FFD6D9BE4B6), ref: 00007FFD6D9F0821

Strings

Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}, xrefs: 00007FFD6D9F07FF

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}
API String ID: 47109696-1447196730
Opcode ID: 459941ef0f60087ec151cbdb1b6a71f2f3f312f2b353b135781bacdd490fabe1
Instruction ID: d09235fa4095b308cf5eaa766c339c7c6965ddb5b56102deddc692b74e7ca682
Opcode Fuzzy Hash: 459941ef0f60087ec151cbdb1b6a71f2f3f312f2b353b135781bacdd490fabe1
Instruction Fuzzy Hash: 40F03061B2CF82C2FB508B26F8A16267394FF98794F802135E98F46B54EF2CD1558B00

Function 00007FFD6DA0DBDC Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,834800000B7CE800,00007FFD6DA1743A,?,?,?,00007FFD6DA17477,?,?,00000000,00007FFD6DA15459,?,?,00007FFD6DA0CF3A,00007FFD6DA1538B), ref: 00007FFD6DA0DBF2
GetLastError.KERNEL32(?,?,834800000B7CE800,00007FFD6DA1743A,?,?,?,00007FFD6DA17477,?,?,00000000,00007FFD6DA15459,?,?,00007FFD6DA0CF3A,00007FFD6DA1538B), ref: 00007FFD6DA0DBFC

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 05ac9442f5ffea28a1eb1d21a830cbea16c909aefcadef8ffdc5edb47fdf31e1
Instruction ID: 50a9f9f2a4a1a0f511f65e75aa7759129392844ea479d3556fca4bcaa4eaa11d
Opcode Fuzzy Hash: 05ac9442f5ffea28a1eb1d21a830cbea16c909aefcadef8ffdc5edb47fdf31e1
Instruction Fuzzy Hash: B4E08CA5F0CE02C2FF186BB2B97503821A5AFF8744F044038C90D47292FE2CA886C251

Function 00007FFD6DA12BF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA12C23

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3711b984e4991261f0e53ccc1e653d5e4836b509d74f60138b4e8019087179fd
Instruction ID: f7fceaee3d16e945da05905734281b04969edee15d3532def34e27c69380808f
Opcode Fuzzy Hash: 3711b984e4991261f0e53ccc1e653d5e4836b509d74f60138b4e8019087179fd
Instruction Fuzzy Hash: C3116A36B1DE82C2E2209F14F8A217963A5FFA5740F054934E79D477A6FE3CE8108B40

Function 00007FFD6DA17244 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a9823117b8e8457534ed740180dd486be6ae34585640664a697e8c0078950d
Instruction ID: ac1955ca63aa4a76ff3e6229856e37ecaa32dadd848497dfaa61bd2f6caf8c51
Opcode Fuzzy Hash: b7a9823117b8e8457534ed740180dd486be6ae34585640664a697e8c0078950d
Instruction Fuzzy Hash: 51F05E26F2CE16C4EE585B60ECB12BC2661AFB5704F541631E60E87396FE2CA1968602

Function 00007FFD6D9F1358 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFD6D9F136C

Part of subcall function 00007FFD6D9FA948: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFD6D9FA950
Part of subcall function 00007FFD6D9FA948: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFD6D9FA955

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: b849d5d5db9ec032d2834ab2f9a910a3d2d2ea980f48a76a8b15cbc11d9ac2e5
Instruction ID: b6d023151b20fd59957516010f8f961ded079cb959eb54efdb39a46c79d95679
Opcode Fuzzy Hash: b849d5d5db9ec032d2834ab2f9a910a3d2d2ea980f48a76a8b15cbc11d9ac2e5
Instruction Fuzzy Hash: FCE0ECA1F0CE43C2FE582B6131326B802501F27358F50457BE81E629D3BD9E719716A2

Function 00007FFD6DA0DB64 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FFD6DA1025A,?,?,0000DCB06BC72D17,00007FFD6DA0BEC9,?,?,?,?,00007FFD6DA104C2,?,?,00000000), ref: 00007FFD6DA0DBB9

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 55f2dc2961d20ebe61b3e15a53eaada1012a5273e33508384d1903945a15730e
Instruction ID: 7ba932f45a81e243067c56e6e73e84a76d2f9cca11910edea42287bba4afdaf7
Opcode Fuzzy Hash: 55f2dc2961d20ebe61b3e15a53eaada1012a5273e33508384d1903945a15730e
Instruction Fuzzy Hash: B5F06D52B0DA07C1FE556A61B9703B562915FEABA8F1C1430C90E8ABD2FE2CE481C221

Function 00007FFD6DA0E420 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FFD6DA104A9,?,?,00000000,00007FFD6DA14E97,?,?,?,00007FFD6DA0CC63,?,?,?,00007FFD6DA0CB59), ref: 00007FFD6DA0E45E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 93e5887e88414e6a8d65827f5456db655349e80249961f9d2f06a4db9c598047
Instruction ID: 73d521ec58efe95e4bff65cb87e91db0c05631ee7974aa9ac73886a34a5ad017
Opcode Fuzzy Hash: 93e5887e88414e6a8d65827f5456db655349e80249961f9d2f06a4db9c598047
Instruction Fuzzy Hash: 8BF03011F1DE07C5FE646BB179B127511909FA8BA4F080734DD2EC63C2FE6EE581A522

Non-executed Functions

Function 00007FFD6D9B7B50 Relevance: 180.1, APIs: 97, Strings: 5, Instructions: 1573timewindowkeyboardCOMMON

Download Yara Rule

APIs

SetWindowLongPtrW.USER32 ref: 00007FFD6D9B7BAE
SetTimer.USER32 ref: 00007FFD6D9B7BC5
GetWindow.USER32 ref: 00007FFD6D9B7C18
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD6D9B7C47
#339.COMCTL32 ref: 00007FFD6D9B7C74
GetForegroundWindow.USER32 ref: 00007FFD6D9B7C87
#334.COMCTL32 ref: 00007FFD6D9B7CD2
GetWindowLongPtrW.USER32 ref: 00007FFD6D9B7D56
GetAsyncKeyState.USER32 ref: 00007FFD6D9B7D89
KillTimer.USER32 ref: 00007FFD6D9B7DA6
KillTimer.USER32 ref: 00007FFD6D9B7DC6
SendMessageW.USER32 ref: 00007FFD6D9B7DE9
KillTimer.USER32 ref: 00007FFD6D9B7DF6
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD6D9B7E5A
#339.COMCTL32 ref: 00007FFD6D9B7E89
GetWindow.USER32 ref: 00007FFD6D9B7EB7
GetLastActivePopup.USER32 ref: 00007FFD6D9B7EC7
KillTimer.USER32 ref: 00007FFD6D9B7F47
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD6D9B804A
#339.COMCTL32 ref: 00007FFD6D9B8077
DefWindowProcW.USER32 ref: 00007FFD6D9B883B
IsWindowVisible.USER32 ref: 00007FFD6D9B885F
GetPropW.USER32 ref: 00007FFD6D9B88A1
GetPropW.USER32 ref: 00007FFD6D9B88B6
#328.COMCTL32 ref: 00007FFD6D9B88DA
EnumWindows.USER32 ref: 00007FFD6D9B88ED
#329.COMCTL32 ref: 00007FFD6D9B897D
CompareStringOrdinal.KERNEL32 ref: 00007FFD6D9B89B5
DestroyWindow.USER32 ref: 00007FFD6D9B89DA
PostQuitMessage.USER32 ref: 00007FFD6D9B89ED
SetEvent.KERNEL32 ref: 00007FFD6D9B89FA
KillTimer.USER32 ref: 00007FFD6D9B8A1D
KillTimer.USER32 ref: 00007FFD6D9B8A2B
SystemParametersInfoW.USER32 ref: 00007FFD6D9B8A5B
SystemParametersInfoW.USER32 ref: 00007FFD6D9B8A9E
SystemParametersInfoW.USER32 ref: 00007FFD6D9B8AC7
RedrawWindow.USER32 ref: 00007FFD6D9B8C7B
ShowWindow.USER32 ref: 00007FFD6D9B8D18
GetKeyState.USER32 ref: 00007FFD6D9B8D77
IsWindowVisible.USER32 ref: 00007FFD6D9B8EB3
GetWindow.USER32 ref: 00007FFD6D9B8F41
IsWindowVisible.USER32 ref: 00007FFD6D9B8F52
GetKeyState.USER32 ref: 00007FFD6D9B8FD4
RedrawWindow.USER32 ref: 00007FFD6D9B92E2
SetForegroundWindow.USER32 ref: 00007FFD6D9B92EC
IsHungAppWindow.USER32 ref: 00007FFD6D9B940E
ShowWindow.USER32 ref: 00007FFD6D9B941E
GetCurrentThreadId.KERNEL32 ref: 00007FFD6D9B943D
GetThreadDesktop.USER32 ref: 00007FFD6D9B9445
SHCreateThread.SHLWAPI ref: 00007FFD6D9B9462
EndTask.USER32 ref: 00007FFD6D9B947C
PostMessageW.USER32 ref: 00007FFD6D9B9495

Strings

ImmersiveColorSet, xrefs: 00007FFD6D9B89A8
\rundll32.exe, xrefs: 00007FFD6D9B866D
Microsoft.Windows.ShellManagedWindowAsNormalWindow, xrefs: 00007FFD6D9B8897
valinet.ExplorerPatcher.ShellManagedWindow, xrefs: 00007FFD6D9B88AC
&, xrefs: 00007FFD6D9B911F

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$Timer$KillSystemTime$#339FileInfoMessageParametersStateThreadVisible$ForegroundLongPostPropRedrawShow$#328#329#334ActiveAsyncCompareCreateCurrentDesktopDestroyEnumEventHungLastOrdinalPopupProcQuitSendStringTaskWindows
String ID: &$ImmersiveColorSet$Microsoft.Windows.ShellManagedWindowAsNormalWindow$\rundll32.exe$valinet.ExplorerPatcher.ShellManagedWindow
API String ID: 1047848470-551150430
Opcode ID: 64337aac1fd03d2777278660dab291e4e160faa3f45063e07ad4405cc4142390
Instruction ID: b1da9178005fc8cf0e757c3e0fccfae7c31d7f4166191761c7e79b4aa70f9c5b
Opcode Fuzzy Hash: 64337aac1fd03d2777278660dab291e4e160faa3f45063e07ad4405cc4142390
Instruction Fuzzy Hash: F4E29D21B09E43D6EB688F25F46427A77A1FB98B44F064236DA1E47790EF3CE891C750

Function 00007FFD6D9E6DE0 Relevance: 149.6, APIs: 75, Strings: 10, Instructions: 867windowregistryCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32 ref: 00007FFD6D9E6E27
GetClassWord.USER32 ref: 00007FFD6D9E6E63
RegisterWindowMessageW.USER32 ref: 00007FFD6D9E6E87
GetParent.USER32 ref: 00007FFD6D9E6E96
GetClassWord.USER32 ref: 00007FFD6D9E6EA7
GetPropW.USER32 ref: 00007FFD6D9E6EE4
RemovePropW.USER32 ref: 00007FFD6D9E6EF9
GetParent.USER32 ref: 00007FFD6D9E6F17
GetParent.USER32 ref: 00007FFD6D9E6F25
FindWindowExW.USER32 ref: 00007FFD6D9E6F3D
GetWindowLongPtrW.USER32 ref: 00007FFD6D9E6F4D
FindWindowExW.USER32 ref: 00007FFD6D9E6F8B
FindWindowExW.USER32 ref: 00007FFD6D9E6FA3
GetClientRect.USER32 ref: 00007FFD6D9E7010
FindWindowExW.USER32 ref: 00007FFD6D9E7033
IsWindowVisible.USER32 ref: 00007FFD6D9E7058
GetClientRect.USER32 ref: 00007FFD6D9E7069
FindWindowExW.USER32 ref: 00007FFD6D9E709F
GetWindowRect.USER32 ref: 00007FFD6D9E70C7
MonitorFromWindow.USER32 ref: 00007FFD6D9E70ED
GetMonitorInfoW.USER32 ref: 00007FFD6D9E70FA
GetPropW.USER32 ref: 00007FFD6D9E7124
SetWindowPos.USER32 ref: 00007FFD6D9E718A
GetClientRect.USER32 ref: 00007FFD6D9E7197
FindWindowExW.USER32 ref: 00007FFD6D9E71C9
IsWindowVisible.USER32 ref: 00007FFD6D9E71EF
GetClientRect.USER32 ref: 00007FFD6D9E7200
MoveWindow.USER32 ref: 00007FFD6D9E7235
InvalidateRect.USER32 ref: 00007FFD6D9E724B
FindWindowExW.USER32 ref: 00007FFD6D9E7278
SetWindowPos.USER32 ref: 00007FFD6D9E72AE
GetClientRect.USER32 ref: 00007FFD6D9E72BB
FindWindowExW.USER32 ref: 00007FFD6D9E72ED
IsWindowVisible.USER32 ref: 00007FFD6D9E730E
GetClientRect.USER32 ref: 00007FFD6D9E731F
MoveWindow.USER32 ref: 00007FFD6D9E7353
InvalidateRect.USER32 ref: 00007FFD6D9E7364
FindWindowExW.USER32 ref: 00007FFD6D9E738A
InvalidateRect.USER32 ref: 00007FFD6D9E73BC
GetClientRect.USER32 ref: 00007FFD6D9E73E3
GetClientRect.USER32 ref: 00007FFD6D9E73F5
GetWindowRect.USER32 ref: 00007FFD6D9E7402
GetClientRect.USER32 ref: 00007FFD6D9E7437
SetWindowPos.USER32 ref: 00007FFD6D9E758B
GetClientRect.USER32 ref: 00007FFD6D9E7598
FindWindowExW.USER32 ref: 00007FFD6D9E75CA
IsWindowVisible.USER32 ref: 00007FFD6D9E75FF
GetClientRect.USER32 ref: 00007FFD6D9E7610
MoveWindow.USER32 ref: 00007FFD6D9E7643
InvalidateRect.USER32 ref: 00007FFD6D9E7659
FindWindowExW.USER32 ref: 00007FFD6D9E768A
SetWindowPos.USER32 ref: 00007FFD6D9E76D0
GetClientRect.USER32 ref: 00007FFD6D9E76DD
FindWindowExW.USER32 ref: 00007FFD6D9E770F
IsWindowVisible.USER32 ref: 00007FFD6D9E772E
GetClientRect.USER32 ref: 00007FFD6D9E773F
MoveWindow.USER32 ref: 00007FFD6D9E7776
InvalidateRect.USER32 ref: 00007FFD6D9E7787
FindWindowExW.USER32 ref: 00007FFD6D9E77B4
InvalidateRect.USER32 ref: 00007FFD6D9E77E2
RegisterWindowMessageW.USER32 ref: 00007FFD6D9E7813
SendMessageW.USER32 ref: 00007FFD6D9E7861
GetClassWord.USER32 ref: 00007FFD6D9E7870
SendMessageW.USER32 ref: 00007FFD6D9E78AB
SendMessageW.USER32 ref: 00007FFD6D9E7917
GetClassWord.USER32 ref: 00007FFD6D9E792B
SendMessageW.USER32 ref: 00007FFD6D9E795D
SendMessageW.USER32 ref: 00007FFD6D9E798F
SendNotifyMessageW.USER32 ref: 00007FFD6D9E79B2
SendMessageW.USER32 ref: 00007FFD6D9E79C6
SendMessageW.USER32 ref: 00007FFD6D9E7A25
GetClassWord.USER32 ref: 00007FFD6D9E7A39
GetClientRect.USER32 ref: 00007FFD6D9E7A62
SendMessageW.USER32 ref: 00007FFD6D9E7A9B
GetClientRect.USER32 ref: 00007FFD6D9E7AB6

Strings

TraySettings, xrefs: 00007FFD6D9E799E
TrayDummySearchControl, xrefs: 00007FFD6D9E6FF9, 00007FFD6D9E7048, 00007FFD6D9E71AC, 00007FFD6D9E725A, 00007FFD6D9E72C5, 00007FFD6D9E72FF, 00007FFD6D9E75AD, 00007FFD6D9E7668, 00007FFD6D9E76E7, 00007FFD6D9E7796
MSTaskSwWClass, xrefs: 00007FFD6D9E6E80
!@, xrefs: 00007FFD6D9E755B
Start, xrefs: 00007FFD6D9E6F2E
TrayButton, xrefs: 00007FFD6D9E701D, 00007FFD6D9E7041, 00007FFD6D9E71A1, 00007FFD6D9E71E0, 00007FFD6D9E72D0, 00007FFD6D9E75A2, 00007FFD6D9E75F0, 00007FFD6D9E7674, 00007FFD6D9E76F2
EPTBLEN, xrefs: 00007FFD6D9E6EDA, 00007FFD6D9E6EEF, 00007FFD6D9E711A
ReBarWindow32, xrefs: 00007FFD6D9E6F7F
PeopleBand, xrefs: 00007FFD6D9E6F94, 00007FFD6D9E780C
MSTaskListWClass, xrefs: 00007FFD6D9E6E20

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$Rect$Client$Find$Message$Send$Invalidate$ClassVisibleWord$Move$ParentPropRegister$Monitor$FromInfoLongNotifyRemove
String ID: !@$EPTBLEN$MSTaskListWClass$MSTaskSwWClass$PeopleBand$ReBarWindow32$Start$TrayButton$TrayDummySearchControl$TraySettings
API String ID: 2509908205-217918233
Opcode ID: 711883755e967174166c771be66c080798932c6e11d56cd6f74aa121bd91870f
Instruction ID: 4963c00d7290276789c270f532c8fc07fadc0c2f8683154624abcc9dea14e764
Opcode Fuzzy Hash: 711883755e967174166c771be66c080798932c6e11d56cd6f74aa121bd91870f
Instruction Fuzzy Hash: D9826A32F08A52CAEB10CF25F8606A937A1FF98B88F145535EA4A57B59EF3CE544C700

Function 00007FFD6D9B6F20 Relevance: 117.9, APIs: 64, Strings: 3, Instructions: 685windowtimeregistryCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B6F60
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B6F6F
GetTickCount.KERNEL32 ref: 00007FFD6D9B6F87
SetRect.USER32 ref: 00007FFD6D9B6FB4
IsWindow.USER32 ref: 00007FFD6D9B6FC1
GetWindowRect.USER32 ref: 00007FFD6D9B6FD7
GetClassWord.USER32 ref: 00007FFD6D9B6FE9
RegisterWindowMessageW.USER32 ref: 00007FFD6D9B700D
EnumWindows.USER32 ref: 00007FFD6D9B703B
#329.COMCTL32 ref: 00007FFD6D9B7061
GetCursorPos.USER32 ref: 00007FFD6D9B7082
IsWindowVisible.USER32 ref: 00007FFD6D9B709D
EnumDisplayMonitors.USER32 ref: 00007FFD6D9B70C3
MonitorFromPoint.USER32 ref: 00007FFD6D9B70E7
#328.COMCTL32 ref: 00007FFD6D9B71C5
EnumWindows.USER32 ref: 00007FFD6D9B71D8
QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B71E3
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B71F2
GetTickCount.KERNEL32 ref: 00007FFD6D9B720A
#339.COMCTL32 ref: 00007FFD6D9B7249
QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B7284
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B7293
GetTickCount.KERNEL32 ref: 00007FFD6D9B72AA
#338.COMCTL32 ref: 00007FFD6D9B72C7
QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B72D1
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B72DF
GetTickCount.KERNEL32 ref: 00007FFD6D9B72F5
GetWindowThreadProcessId.USER32 ref: 00007FFD6D9B7353
GetLastError.KERNEL32 ref: 00007FFD6D9B735D
OpenProcess.KERNEL32 ref: 00007FFD6D9B7382
K32GetModuleFileNameExW.KERNEL32 ref: 00007FFD6D9B739F
CloseHandle.KERNEL32 ref: 00007FFD6D9B73A8
#386.COMCTL32 ref: 00007FFD6D9B7431
QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B743B
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B744A
GetTickCount.KERNEL32 ref: 00007FFD6D9B7464

Part of subcall function 00007FFD6D9B42C0: IsWindowVisible.USER32 ref: 00007FFD6D9B4329
Part of subcall function 00007FFD6D9B42C0: QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B4355
Part of subcall function 00007FFD6D9B42C0: QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B4364
Part of subcall function 00007FFD6D9B42C0: GetForegroundWindow.USER32(?), ref: 00007FFD6D9B4393
Part of subcall function 00007FFD6D9B42C0: GetWindow.USER32 ref: 00007FFD6D9B43A4
Part of subcall function 00007FFD6D9B42C0: IsWindowVisible.USER32 ref: 00007FFD6D9B43B5
Part of subcall function 00007FFD6D9B42C0: QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B4416
Part of subcall function 00007FFD6D9B42C0: QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B4425
Part of subcall function 00007FFD6D9B42C0: QueryPerformanceFrequency.KERNEL32(?), ref: 00007FFD6D9B445B
Part of subcall function 00007FFD6D9B42C0: QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B446A

ShowWindow.USER32 ref: 00007FFD6D9B74E4
EndBufferedPaint.UXTHEME ref: 00007FFD6D9B7502
ReleaseDC.USER32 ref: 00007FFD6D9B7513
GetDC.USER32 ref: 00007FFD6D9B752C
SetRect.USER32 ref: 00007FFD6D9B7575
BeginBufferedPaint.UXTHEME ref: 00007FFD6D9B759D
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD6D9B75FA
#339.COMCTL32 ref: 00007FFD6D9B762A
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD6D9B76A4
#339.COMCTL32 ref: 00007FFD6D9B76D3
DwmUpdateThumbnailProperties.DWMAPI ref: 00007FFD6D9B775A
IsWindowVisible.USER32 ref: 00007FFD6D9B776B
DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9B7799
SetEvent.KERNEL32 ref: 00007FFD6D9B77A6
DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9B77C7
SetEvent.KERNEL32 ref: 00007FFD6D9B77E4
SetWindowPos.USER32 ref: 00007FFD6D9B780E
ShowWindow.USER32 ref: 00007FFD6D9B781D
SetForegroundWindow.USER32 ref: 00007FFD6D9B7827
InvalidateRect.USER32 ref: 00007FFD6D9B7858

Part of subcall function 00007FFD6DA07DF4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07E11

GetSystemDirectoryW.KERNEL32 ref: 00007FFD6D9B78BF
QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B794E
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B795D
GetTickCount.KERNEL32 ref: 00007FFD6D9B7974
IsHungAppWindow.USER32 ref: 00007FFD6D9B79AC
SetTimer.USER32 ref: 00007FFD6D9B79C8
SendMessageCallbackW.USER32 ref: 00007FFD6D9B79ED
SetTimer.USER32 ref: 00007FFD6D9B7A42

Strings

[sws] WindowSwitcher::Show %x [[ %lld + %lld + %lld + %lld = %lld ]], xrefs: 00007FFD6D9B74A5
\rundll32.exe, xrefs: 00007FFD6D9B78C5
WorkerW, xrefs: 00007FFD6D9B7006

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: PerformanceQuery$Window$CounterFrequency$CountTick$RectTimeVisible$#339EnumFileSystem$AttributeBufferedEventForegroundMessagePaintProcessShowTimerWindows$#328#329#338#386BeginCallbackClassCloseCursorDirectoryDisplayErrorFromHandleHungInvalidateLastModuleMonitorMonitorsNameOpenPointPropertiesRegisterReleaseSendThreadThumbnailUpdateWord_invalid_parameter_noinfo
String ID: WorkerW$[sws] WindowSwitcher::Show %x [[ %lld + %lld + %lld + %lld = %lld ]]$\rundll32.exe
API String ID: 3472475047-3998000322
Opcode ID: 9a413534fa984566833dd8f5c11ca7e7d72c86cce713ba5ad28cdbd871385550
Instruction ID: 7b72a7ce672209a4dbb502f19be37b155dbc0176812716f121c45a73eff881ad
Opcode Fuzzy Hash: 9a413534fa984566833dd8f5c11ca7e7d72c86cce713ba5ad28cdbd871385550
Instruction Fuzzy Hash: 5F723832B08F82C6EB50CF25F86426A67A5FB94B98F150236DA4D477A8EF3CE545C710

Function 00007FFD6D9C4900 Relevance: 98.9, APIs: 51, Strings: 5, Instructions: 900windowthreadCOMMON

Download Yara Rule

APIs

TryEnterCriticalSection.KERNEL32 ref: 00007FFD6D9C4975
InSendMessage.USER32 ref: 00007FFD6D9C49A3
IsThemeActive.UXTHEME ref: 00007FFD6D9C49B5
GetThreadId.KERNEL32 ref: 00007FFD6D9C4A00
PostThreadMessageW.USER32 ref: 00007FFD6D9C4A13
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C56E0

Part of subcall function 00007FFD6D9BD6E0: SystemParametersInfoW.USER32 ref: 00007FFD6D9BD715

MonitorFromWindow.USER32 ref: 00007FFD6D9C4A30
GetDpiForMonitor.API-MS-WIN-SHCORE-SCALING-L1-1-1 ref: 00007FFD6D9C4A43
SetWindowTextW.USER32 ref: 00007FFD6D9C4CE5
SystemParametersInfoForDpi.USER32 ref: 00007FFD6D9C4D39
CreateFontIndirectW.GDI32 ref: 00007FFD6D9C4E0C
CreateFontIndirectW.GDI32 ref: 00007FFD6D9C4E20
CreateCompatibleDC.GDI32 ref: 00007FFD6D9C4E38
GetSysColor.USER32 ref: 00007FFD6D9C4E81
SelectObject.GDI32 ref: 00007FFD6D9C4E95
SetRect.USER32 ref: 00007FFD6D9C4EBC
SelectObject.GDI32 ref: 00007FFD6D9C4F07
GetObjectW.GDI32 ref: 00007FFD6D9C4F1C
GdiAlphaBlend.GDI32 ref: 00007FFD6D9C4F5E
SelectObject.GDI32 ref: 00007FFD6D9C4F6A
DeleteObject.GDI32 ref: 00007FFD6D9C4F73
SetRect.USER32 ref: 00007FFD6D9C502F
DrawTextW.USER32 ref: 00007FFD6D9C5061
SetRect.USER32 ref: 00007FFD6D9C50D8
DrawTextW.USER32 ref: 00007FFD6D9C5104
MulDiv.KERNEL32 ref: 00007FFD6D9C516C
MulDiv.KERNEL32 ref: 00007FFD6D9C52E6
MulDiv.KERNEL32 ref: 00007FFD6D9C52FE
MulDiv.KERNEL32 ref: 00007FFD6D9C531E
CreateDIBSection.GDI32 ref: 00007FFD6D9C5391
SelectObject.GDI32 ref: 00007FFD6D9C53C4
GdiAlphaBlend.GDI32 ref: 00007FFD6D9C540D
SelectObject.GDI32 ref: 00007FFD6D9C5419
DeleteObject.GDI32 ref: 00007FFD6D9C5423
SelectObject.GDI32 ref: 00007FFD6D9C5493
GetObjectW.GDI32 ref: 00007FFD6D9C54A6
GdiAlphaBlend.GDI32 ref: 00007FFD6D9C54F7
SelectObject.GDI32 ref: 00007FFD6D9C5503
DeleteObject.GDI32 ref: 00007FFD6D9C550C
SelectObject.GDI32 ref: 00007FFD6D9C5585
GetObjectW.GDI32 ref: 00007FFD6D9C5599
GdiAlphaBlend.GDI32 ref: 00007FFD6D9C5627
SelectObject.GDI32 ref: 00007FFD6D9C5634
DeleteObject.GDI32 ref: 00007FFD6D9C563D
SendNotifyMessageW.USER32 ref: 00007FFD6D9C566E
SelectObject.GDI32 ref: 00007FFD6D9C567F
DeleteDC.GDI32 ref: 00007FFD6D9C5688
DeleteObject.GDI32 ref: 00007FFD6D9C5695
DeleteObject.GDI32 ref: 00007FFD6D9C56A7
IsWindowVisible.USER32 ref: 00007FFD6D9C56B4
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C56F9

Strings

TraySettings, xrefs: 00007FFD6D9C5654
, xrefs: 00007FFD6D9C4FC3
%s %s, %s, , xrefs: 00007FFD6D9C4C65
%s%s %s, xrefs: 00007FFD6D9C4FD4
%s%s, xrefs: 00007FFD6D9C506E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Object$Select$Delete$AlphaBlendCreateSection$CriticalMessageRectTextWindow$DrawFontIndirectInfoLeaveMonitorParametersSendSystemThread$ActiveColorCompatibleEnterFromNotifyPostThemeVisible
String ID: $%s %s, %s, $%s%s$%s%s %s$TraySettings
API String ID: 2827603905-2228986299
Opcode ID: a7bb5bb6988969f4fc3f15ba82495ba69fa07f19f2279e380f81d48ff18d126f
Instruction ID: f2245ceaef4c9e194000a488e47deddda9c696d3270db4d1919a3a74b374b294
Opcode Fuzzy Hash: a7bb5bb6988969f4fc3f15ba82495ba69fa07f19f2279e380f81d48ff18d126f
Instruction Fuzzy Hash: 86925B76B08A42CAEB60CF65F9646B977A1FB98798F004136DA4D47B58EF3CE544CB00

Function 00007FFD6D9EDD30 Relevance: 98.2, APIs: 7, Strings: 49, Instructions: 183registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9EDE10
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9EDE59
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9EDED7
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9EDF28
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9EDF59
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9EDFAB
RegCloseKey.ADVAPI32 ref: 00007FFD6D9EDFD8

Part of subcall function 00007FFD6D9EDD30: CreateEventW.KERNEL32 ref: 00007FFD6D9EC682
Part of subcall function 00007FFD6D9EDD30: WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC6C1
Part of subcall function 00007FFD6D9EDD30: WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC6EB
Part of subcall function 00007FFD6D9EDD30: InternetOpenA.WININET ref: 00007FFD6D9EC72F
Part of subcall function 00007FFD6D9EDD30: WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC74F
Part of subcall function 00007FFD6D9EDD30: InternetOpenUrlW.WININET ref: 00007FFD6D9EC772

Strings

ConsentPromptBehaviorAdmin, xrefs: 00007FFD6D9ED2AC
open, xrefs: 00007FFD6D9ED5CD
[Updates] Failed. Read %d bytes., xrefs: 00007FFD6D9ECEAC
[Updates] Update failed because the following error has occured: %d., xrefs: 00007FFD6D9ED692, 00007FFD6D9ED6DF
/update_silent, xrefs: 00007FFD6D9ED5F7
https://github.com/valinet/ExplorerPatcher/releases/latest, xrefs: 00007FFD6D9EDDAC, 00007FFD6D9EDE6C, 00007FFD6D9EDEE9
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00007FFD6D9ED0A3
ExplorerPatcher, xrefs: 00007FFD6D9ED572
ep_setup.exe, xrefs: 00007FFD6D9EDA14, 00007FFD6D9EDE96
kernel32.dll, xrefs: 00007FFD6D9ED25D
name, xrefs: 00007FFD6D9EDA84
[Updates] Update URL: %s, xrefs: 00007FFD6D9EDFE2
iex (irm 'https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1'), xrefs: 00007FFD6D9ED5F0
[Updates] Update successful, File Explorer will probably restart momentarily., xrefs: 00007FFD6D9ED668
valid, xrefs: 00007FFD6D9ECAD1
[Updates] Local version obtained from hash is %d.%d.%d.%d., xrefs: 00007FFD6D9ECCDA
UpdateTimeout, xrefs: 00007FFD6D9EDF0B
https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1, xrefs: 00007FFD6D9EDF67, 00007FFD6D9EDFBE
ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9ED55C
CheckElevationEnabled, xrefs: 00007FFD6D9ED26D
ExplorerPatcher, xrefs: 00007FFD6D9EC728, 00007FFD6D9ECA00
UpdateURLStaging, xrefs: 00007FFD6D9EDF8E
invalid, xrefs: 00007FFD6D9ECADA
[Updates] Prerelease update URL: "%s", xrefs: 00007FFD6D9EC980
UpdateURL, xrefs: 00007FFD6D9EDE43, 00007FFD6D9EDEBE
\ExplorerPatcher\ep_gui.dll, xrefs: 00007FFD6D9ED4D0
S-1-5-, xrefs: 00007FFD6D9ED3D2
[Updates] Download path is "%s"., xrefs: 00007FFD6D9ED01C
UpdatePreferStaging, xrefs: 00007FFD6D9EDF3C
FilterAdministratorToken, xrefs: 00007FFD6D9ED437
[Updates] Update failed because the request was denied., xrefs: 00007FFD6D9ED6C0
UpdateUseLocal, xrefs: 00007FFD6D9ED06F
\Update for ExplorerPatcher from , xrefs: 00007FFD6D9ECF3C
updates.cpp, xrefs: 00007FFD6D9ED7EA, 00007FFD6D9ED873, 00007FFD6D9ED8AA, 00007FFD6D9ED90A, 00007FFD6D9ED96F, 00007FFD6D9ED9AA, 00007FFD6D9EDB5B, 00007FFD6D9EDC62, 00007FFD6D9EDC8A, 00007FFD6D9EDCB9
[Updates] Checking against hash "%s", xrefs: 00007FFD6D9EDDC4
runas, xrefs: 00007FFD6D9ED5D4
Windows.Data.Json.JsonArray, xrefs: 00007FFD6D9ED79C
browser_download_url, xrefs: 00007FFD6D9EDC20
[Updates] Release notes URL: "%s", xrefs: 00007FFD6D9EC960
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FFD6D9ED2B3, 00007FFD6D9ED43E
\ExplorerPatcher, xrefs: 00007FFD6D9ECF00
[Updates] Hash of remote file is "%s" (%s)., xrefs: 00007FFD6D9ECAE5
[Updates] Downloaded finished., xrefs: 00007FFD6D9ED1D5
assets, xrefs: 00007FFD6D9ED940
Software\ExplorerPatcher, xrefs: 00007FFD6D9ECE19, 00007FFD6D9ED076, 00007FFD6D9EDDE8
/download/, xrefs: 00007FFD6D9EDE81
[Updates] In order to install this update for the product "ExplorerPatcher", please allow the request., xrefs: 00007FFD6D9ED20A
html_url, xrefs: 00007FFD6D9ED8DC
UpdateAllowDowngrades, xrefs: 00007FFD6D9ECE12

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: QueryValue$CreateStringWindows$InternetOpen$BufferCloseDeleteEvent_invalid_parameter_noinfo
String ID: /download/$/update_silent$CheckElevationEnabled$ConsentPromptBehaviorAdmin$ExplorerPatcher$ExplorerPatcher$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$FilterAdministratorToken$S-1-5-$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$Software\ExplorerPatcher$UpdateAllowDowngrades$UpdatePreferStaging$UpdateTimeout$UpdateURL$UpdateURLStaging$UpdateUseLocal$Windows.Data.Json.JsonArray$[Updates] Checking against hash "%s"$[Updates] Download path is "%s".$[Updates] Downloaded finished.$[Updates] Failed. Read %d bytes.$[Updates] Hash of remote file is "%s" (%s).$[Updates] In order to install this update for the product "ExplorerPatcher", please allow the request.$[Updates] Local version obtained from hash is %d.%d.%d.%d.$[Updates] Prerelease update URL: "%s"$[Updates] Release notes URL: "%s"$[Updates] Update URL: %s$[Updates] Update failed because the following error has occured: %d.$[Updates] Update failed because the request was denied.$[Updates] Update successful, File Explorer will probably restart momentarily.$\ExplorerPatcher$\ExplorerPatcher\ep_gui.dll$\Update for ExplorerPatcher from $\WindowsPowerShell\v1.0\powershell.exe$assets$browser_download_url$ep_setup.exe$html_url$https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$https://github.com/valinet/ExplorerPatcher/releases/latest$iex (irm 'https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1')$invalid$kernel32.dll$name$open$runas$updates.cpp$valid
API String ID: 1866200-3143775457
Opcode ID: 319de3e775ae7720ef6581c1d47c0e210e89b01f5ccdfc5b5dba6f971c295c6e
Instruction ID: 4e272eb5f6352fb9488103d0684e9c7ee88d20ce0c7a2a008c99d25aa6dedc9c
Opcode Fuzzy Hash: 319de3e775ae7720ef6581c1d47c0e210e89b01f5ccdfc5b5dba6f971c295c6e
Instruction Fuzzy Hash: EF91FA72B18A52DAEB20CB64F8546EA77B1FB94358F500236DA4D53BA8EF3CD145CB40

Function 00007FFD6D9B9AA0 Relevance: 89.8, APIs: 43, Strings: 8, Instructions: 577registrycomsleepCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FFD6D9B9B67
RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9B9B87
CreateEventW.KERNEL32 ref: 00007FFD6D9B9C22
GetLastError.KERNEL32 ref: 00007FFD6D9B9C34
CreateThread.KERNEL32 ref: 00007FFD6D9B9C6F
GetLastError.KERNEL32 ref: 00007FFD6D9B9C81
CreateEventW.KERNEL32 ref: 00007FFD6D9B9CB1
GetLastError.KERNEL32 ref: 00007FFD6D9B9CC3
CreateThread.KERNEL32 ref: 00007FFD6D9B9CFE
GetLastError.KERNEL32 ref: 00007FFD6D9B9D10
#328.COMCTL32 ref: 00007FFD6D9B9D38
GetLastError.KERNEL32 ref: 00007FFD6D9B9D4A
EnumWindows.USER32 ref: 00007FFD6D9B9D73
CreateSolidBrush.GDI32 ref: 00007FFD6D9B9D96
CreateSolidBrush.GDI32 ref: 00007FFD6D9B9DB3
CreateSolidBrush.GDI32 ref: 00007FFD6D9B9DC5
CreateSolidBrush.GDI32 ref: 00007FFD6D9B9DD7
OpenThemeData.UXTHEME ref: 00007FFD6D9B9DED
RegisterWindowMessageW.USER32 ref: 00007FFD6D9B9E2A
GetLastError.KERNEL32 ref: 00007FFD6D9B9E37
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B9E90
LoadCursorW.USER32 ref: 00007FFD6D9B9EAC
RegisterClassExW.USER32 ref: 00007FFD6D9B9EBA
GetLastError.KERNEL32 ref: 00007FFD6D9B9EC5
BufferedPaintInit.UXTHEME ref: 00007FFD6D9B9F10
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B9F18
GetLastError.KERNEL32 ref: 00007FFD6D9B9F72
SetWinEventHook.USER32 ref: 00007FFD6D9B9FBB
GetLastError.KERNEL32 ref: 00007FFD6D9B9FC6
RegisterShellHookWindow.USER32 ref: 00007FFD6D9BA00D
GetLastError.KERNEL32 ref: 00007FFD6D9BA017
CreateEventW.KERNEL32 ref: 00007FFD6D9BA044
GetLastError.KERNEL32 ref: 00007FFD6D9BA056
CoCreateInstance.OLE32 ref: 00007FFD6D9BA09B
GetWindowLongPtrW.USER32 ref: 00007FFD6D9BA0F0
CreateWindowExW.USER32 ref: 00007FFD6D9BA138
GetLastError.KERNEL32 ref: 00007FFD6D9BA14A
CoCreateInstance.OLE32 ref: 00007FFD6D9BA192
DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9BA370
Sleep.KERNEL32 ref: 00007FFD6D9BA3A3
Sleep.KERNEL32 ref: 00007FFD6D9BA3B7
EnumWindows.USER32 ref: 00007FFD6D9BA3CC
GetWindowRect.USER32 ref: 00007FFD6D9BA3E6

Strings

SHELLHOOK, xrefs: 00007FFD6D9B9DF3
[sws] Wallpaper RECT %d %d %d %d, xrefs: 00007FFD6D9BA3EF
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost, xrefs: 00007FFD6D9BA24E
SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}, xrefs: 00007FFD6D9B9E96
, xrefs: 00007FFD6D9BA272
Grid_backgroundPercent, xrefs: 00007FFD6D9BA239
ControlPanelStyle, xrefs: 00007FFD6D9B9DDD
Static, xrefs: 00007FFD6D9BA107

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CreateErrorLast$Window$BrushEventSolid$Register$EnumHandleHookInitializeInstanceModuleSleepThreadWindows$#328AttributeBufferedClassCursorDataInitLoadLongMessageOpenPaintRectShellTheme
String ID: $ControlPanelStyle$Grid_backgroundPercent$SHELLHOOK$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}$Static$[sws] Wallpaper RECT %d %d %d %d
API String ID: 2117921315-4056204263
Opcode ID: 9970b2b985c22eb2a2b6fb6386b9fe4dad07aba9f0c624094b42afc2f1025e9c
Instruction ID: 6add66bfb3bd796aaa88a85b0922f76da686ce9e0b68e30a299f240c1df59d8c
Opcode Fuzzy Hash: 9970b2b985c22eb2a2b6fb6386b9fe4dad07aba9f0c624094b42afc2f1025e9c
Instruction Fuzzy Hash: 31426831B18F92D6EB149B61B8647BA32E5FB58788F00413ADA4D87695FF3CE464C720

Function 00007FFD6D9C3880 Relevance: 89.6, APIs: 45, Strings: 6, Instructions: 320windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FFD6D9C38AC
MonitorFromPoint.USER32 ref: 00007FFD6D9C38BB
FindWindowExW.USER32 ref: 00007FFD6D9C38DF
MonitorFromWindow.USER32 ref: 00007FFD6D9C38F0
FindWindowExW.USER32 ref: 00007FFD6D9C3915
FindWindowExW.USER32 ref: 00007FFD6D9C3934
FindWindowW.USER32 ref: 00007FFD6D9C395D
FindWindowExW.USER32 ref: 00007FFD6D9C3984
FindWindowExW.USER32 ref: 00007FFD6D9C3999
GetCursorPos.USER32 ref: 00007FFD6D9C39B4
GetCursorPos.USER32 ref: 00007FFD6D9C39C2
MonitorFromPoint.USER32 ref: 00007FFD6D9C39DB
FindWindowExW.USER32 ref: 00007FFD6D9C39FF
MonitorFromWindow.USER32 ref: 00007FFD6D9C3A10
MonitorFromPoint.USER32 ref: 00007FFD6D9C3A2A
GetMonitorInfoW.USER32 ref: 00007FFD6D9C3A37
FindWindowExW.USER32 ref: 00007FFD6D9C3A50
MonitorFromWindow.USER32 ref: 00007FFD6D9C3A61
GetMonitorInfoW.USER32 ref: 00007FFD6D9C3A6E
GetWindowRect.USER32 ref: 00007FFD6D9C3A80
SetCursorPos.USER32 ref: 00007FFD6D9C3AB4
SetCursorPos.USER32 ref: 00007FFD6D9C3ACA
FindWindowW.USER32 ref: 00007FFD6D9C3AE0
PostMessageW.USER32 ref: 00007FFD6D9C3AF4
PostMessageW.USER32 ref: 00007FFD6D9C3B1B
FindWindowExW.USER32 ref: 00007FFD6D9C3CB7
PostMessageW.USER32 ref: 00007FFD6D9C3CCE

Strings

ClockButton, xrefs: 00007FFD6D9C3B32
Shell_TrayWnd, xrefs: 00007FFD6D9C390A, 00007FFD6D9C3929, 00007FFD6D9C3A45, 00007FFD6D9C3C25, 00007FFD6D9C3CAC
TrayClockWClass, xrefs: 00007FFD6D9C398D
ClockFlyoutWindow, xrefs: 00007FFD6D9C3956, 00007FFD6D9C3AD9, 00007FFD6D9C3B60
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9C38D3, 00007FFD6D9C39F3, 00007FFD6D9C3BD3
TrayNotifyWnd, xrefs: 00007FFD6D9C3978

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$Find$Monitor$From$Cursor$MessagePointPost$Info$Rect
String ID: ClockButton$ClockFlyoutWindow$Shell_SecondaryTrayWnd$Shell_TrayWnd$TrayClockWClass$TrayNotifyWnd
API String ID: 3707082976-1578901108
Opcode ID: db043e6f27ac9301ff7229f1458fa8197bc1848c4032750944b5ce1de5842daa
Instruction ID: 648cc6ca6762f8e7b0e830623cb4929aa6882d18f2196f0d23d56a58182cfff3
Opcode Fuzzy Hash: db043e6f27ac9301ff7229f1458fa8197bc1848c4032750944b5ce1de5842daa
Instruction Fuzzy Hash: 9BE11565B0DE42C6FB649B32F9246B923A1EB98B94F448436D90E57B58EF3CE549C300

Function 00007FFD6D9EE620 Relevance: 88.1, APIs: 33, Strings: 17, Instructions: 568filelibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9D4E90: RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9D4EEC
Part of subcall function 00007FFD6D9D4E90: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9D4F41
Part of subcall function 00007FFD6D9D4E90: GetLocaleInfoW.KERNEL32 ref: 00007FFD6D9D4F8A
Part of subcall function 00007FFD6D9D4E90: GetLocaleInfoW.KERNEL32 ref: 00007FFD6D9D4FA5
Part of subcall function 00007FFD6D9D4E90: SetThreadPreferredUILanguages.KERNEL32 ref: 00007FFD6D9D505B
Part of subcall function 00007FFD6D9D4E90: RegCloseKey.KERNEL32 ref: 00007FFD6D9D506B

SHGetFolderPathW.SHELL32 ref: 00007FFD6D9EE69B

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

LoadLibraryExW.KERNEL32 ref: 00007FFD6D9EE6C8
FindResourceW.KERNEL32 ref: 00007FFD6D9EE70F
SizeofResource.KERNEL32 ref: 00007FFD6D9EE71E
LoadResource.KERNEL32 ref: 00007FFD6D9EE72D
LockResource.KERNEL32 ref: 00007FFD6D9EE739
LocalAlloc.KERNEL32 ref: 00007FFD6D9EE74A
FreeResource.KERNEL32 ref: 00007FFD6D9EE764
VerQueryValueW.VERSION ref: 00007FFD6D9EE77D
LocalFree.KERNEL32 ref: 00007FFD6D9EE7B4
LoadStringW.USER32 ref: 00007FFD6D9EE8E1
LoadStringW.USER32 ref: 00007FFD6D9EE913
LoadStringW.USER32 ref: 00007FFD6D9EE942
GetModuleFileNameW.KERNEL32 ref: 00007FFD6D9EEA32
CreateFileW.KERNEL32 ref: 00007FFD6D9EEA95
CreateFileMappingW.KERNEL32 ref: 00007FFD6D9EEAC0
CloseHandle.KERNEL32 ref: 00007FFD6D9EEAD1
MapViewOfFile.KERNEL32 ref: 00007FFD6D9EEAEC
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9EEB1C
UnmapViewOfFile.KERNEL32 ref: 00007FFD6D9EEB24
CloseHandle.KERNEL32 ref: 00007FFD6D9EEB2D
CloseHandle.KERNEL32 ref: 00007FFD6D9EEB36
LoadStringW.USER32 ref: 00007FFD6D9EEC62
LoadStringW.USER32 ref: 00007FFD6D9EEC7D
LoadStringW.USER32 ref: 00007FFD6D9EED6A
LoadStringW.USER32 ref: 00007FFD6D9EED7E
LoadStringW.USER32 ref: 00007FFD6D9EEDCF
LoadStringW.USER32 ref: 00007FFD6D9EEDF2
FreeLibrary.KERNEL32 ref: 00007FFD6D9EEEBF
LoadStringW.USER32 ref: 00007FFD6D9EEF30
LoadStringW.USER32 ref: 00007FFD6D9EEF42
LoadStringW.USER32 ref: 00007FFD6D9EEF5D
FreeLibrary.KERNEL32 ref: 00007FFD6D9EEFFF

Strings

[Updates] Configured update policy on this system: "Install updates automatically"., xrefs: 00007FFD6D9EE8BA
<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">, xrefs: 00007FFD6D9EE7FA
[Updates] Using hardcoded hash., xrefs: 00007FFD6D9EEB7B
[Updates] No updates are available., xrefs: 00007FFD6D9EEED7
[Updates] An update is available., xrefs: 00007FFD6D9EEBEA
[Updates] Unable to check for updates because the remote server is unavailable., xrefs: 00007FFD6D9EEED0
This, xrefs: 00007FFD6D9EEB4B
[Updates] Configured update policy on this system: "Manually check for updates"., xrefs: 00007FFD6D9EE7E4
https://github.com/valinet/ExplorerPatcher/releases/latest, xrefs: 00007FFD6D9EE6E9
long, xrefs: 00007FFD6D9EE891, 00007FFD6D9EEE50
action=update, xrefs: 00007FFD6D9EEDF8
short, xrefs: 00007FFD6D9EECB0, 00007FFD6D9EEF90
<progress value="{progressValue}" status="{progressStatus}"/>, xrefs: 00007FFD6D9EE8E7
<actions><action content="%s" arguments="%s"/></actions>, xrefs: 00007FFD6D9EEE0B
\ExplorerPatcher\ep_gui.dll, xrefs: 00007FFD6D9EE6A1
[Updates] Path to module: %s, xrefs: 00007FFD6D9EEA3F
[Updates] Configured update policy on this system: "Check for updates but let me choose whether to download and install them"., xrefs: 00007FFD6D9EE8A8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Load$String$FileResource$CloseFree$CreateHandleLibrary$InfoLocalLocaleQueryValueView_invalid_parameter_noinfo$AllocFindFolderLanguagesLockMappingModuleNamePathPreferredSizeofThreadUnmap
String ID: <progress value="{progressValue}" status="{progressStatus}"/>$<actions><action content="%s" arguments="%s"/></actions>$<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$This$[Updates] An update is available.$[Updates] Configured update policy on this system: "Check for updates but let me choose whether to download and install them".$[Updates] Configured update policy on this system: "Install updates automatically".$[Updates] Configured update policy on this system: "Manually check for updates".$[Updates] No updates are available.$[Updates] Path to module: %s$[Updates] Unable to check for updates because the remote server is unavailable.$[Updates] Using hardcoded hash.$\ExplorerPatcher\ep_gui.dll$action=update$https://github.com/valinet/ExplorerPatcher/releases/latest$long$short
API String ID: 3445338827-2029114158
Opcode ID: 2b7518c4077cf4b46e995eb4a2df385a6ddb7e8cb5ac04be183befdb69271ac8
Instruction ID: 0270fc7e581427fc6b33b96d1df7d2646da4a56d0d2280251093d81bc8a5fc2a
Opcode Fuzzy Hash: 2b7518c4077cf4b46e995eb4a2df385a6ddb7e8cb5ac04be183befdb69271ac8
Instruction Fuzzy Hash: 4B524A32B18F86CAEB20CF25E8606EA63A1FB94748F405236DA4D57B59EF3CD645C740

Function 00007FFD6D9D0AE0 Relevance: 87.9, APIs: 24, Strings: 26, Instructions: 393librarythreadloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFD6D9D0B8A
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9D0B97
LoadLibraryW.KERNEL32 ref: 00007FFD6D9D0BC9
LoadLibraryW.KERNEL32 ref: 00007FFD6D9D0BDE

Part of subcall function 00007FFD6D9BD290: GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD2C6
Part of subcall function 00007FFD6D9BD290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6D9BD2F9
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD32F

Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD3B9
Part of subcall function 00007FFD6D9BD290: VirtualQuery.KERNEL32 ref: 00007FFD6D9BD3F8
Part of subcall function 00007FFD6D9BD290: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD413
Part of subcall function 00007FFD6D9BD290: VirtualProtect.KERNEL32 ref: 00007FFD6D9BD43B
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD446

CreateEventW.KERNEL32 ref: 00007FFD6D9D0E4B

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

GetCurrentProcess.KERNEL32 ref: 00007FFD6D9D0C36
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9D0C4C
LoadLibraryW.KERNEL32 ref: 00007FFD6D9D0C68
GetCurrentProcess.KERNEL32 ref: 00007FFD6D9D0C7A
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9D0C90
FindResourceW.KERNEL32 ref: 00007FFD6D9D0CA8
LoadResource.KERNEL32 ref: 00007FFD6D9D0CC4
LockResource.KERNEL32 ref: 00007FFD6D9D0CD6
SizeofResource.KERNEL32 ref: 00007FFD6D9D0CED
LoadLibraryW.KERNEL32 ref: 00007FFD6D9D0DB4
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9D0DC1
CreateThread.KERNEL32 ref: 00007FFD6D9D0FF6
LoadLibraryW.KERNEL32 ref: 00007FFD6D9D1017
GetProcAddress.KERNEL32 ref: 00007FFD6D9D103A
FreeLibrary.KERNEL32 ref: 00007FFD6D9D112B
FreeLibraryAndExitThread.KERNEL32 ref: 00007FFD6D9D118A
FreeLibraryAndExitThread.KERNEL32 ref: 00007FFD6D9D11CF
FreeLibraryAndExitThread.KERNEL32 ref: 00007FFD6D9D1214
FreeLibraryAndExitThread.KERNEL32 ref: 00007FFD6D9D1232

Strings

StartUI::SystemListPolicyProvider::GetMaximumFrequentApps, xrefs: 00007FFD6D9D1108
RegOpenKeyExW, xrefs: 00007FFD6D9D0DD1
StartUI.dll, xrefs: 00007FFD6D9D0BC2
RegQueryValueExW, xrefs: 00007FFD6D9D0DF1
StartUI_.dll, xrefs: 00007FFD6D9D0BD7
Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI, xrefs: 00007FFD6D9D1119
StartDocked::LauncherFrame::OnVisibilityChanged, xrefs: 00007FFD6D9D10B0
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9D0F03
xxxxxxxxx?xxxxxx, xrefs: 00007FFD6D9D0D5A
Shlwapi.dll, xrefs: 00007FFD6D9D1010
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00007FFD6D9D0F89
Windows.UI.Xaml.dll, xrefs: 00007FFD6D9D0C61
SHRegGetValueFromHKCUHKLM, xrefs: 00007FFD6D9D1029
Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked, xrefs: 00007FFD6D9D1069, 00007FFD6D9D1095, 00007FFD6D9D10C1, 00007FFD6D9D10ED
StartDocked.dll, xrefs: 00007FFD6D9D0B83, 00007FFD6D9D0B90
SOFTWARE\Policies\Microsoft\Windows\Explorer, xrefs: 00007FFD6D9D0F46
RegCloseKey, xrefs: 00007FFD6D9D0E0E
Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher, xrefs: 00007FFD6D9D0EC0
Windows.CloudStore.dll, xrefs: 00007FFD6D9D0DAD, 00007FFD6D9D0DBA
StartDocked::LauncherFrame::ShowAllApps, xrefs: 00007FFD6D9D1058, 00007FFD6D9D1084
api-ms-win-core-registry-l1-1-0.dll, xrefs: 00007FFD6D9D0DDB, 00007FFD6D9D0DF8, 00007FFD6D9D0E15
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage, xrefs: 00007FFD6D9D0E88
ext-ms-win-ntuser-draw-l1-1-0.dll, xrefs: 00007FFD6D9D0BB1, 00007FFD6D9D0BF8
xxxxx????xx, xrefs: 00007FFD6D9D0CF6
StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps, xrefs: 00007FFD6D9D10DC
SetWindowRgn, xrefs: 00007FFD6D9D0BA7, 00007FFD6D9D0BF1

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Library$Free$Load$Module$Thread$ExitHandleResource$Virtual$AddressCreateCurrentInformationProcProcessProtectQuery$DataDirectoryEntryEventFindImageLockOpenSizeofValue
String ID: RegCloseKey$RegOpenKeyExW$RegQueryValueExW$SHRegGetValueFromHKCUHKLM$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer$SOFTWARE\Policies\Microsoft\Windows\Explorer$SetWindowRgn$Shlwapi.dll$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartDocked.dll$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI.dll$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI_.dll$Windows.CloudStore.dll$Windows.UI.Xaml.dll$api-ms-win-core-registry-l1-1-0.dll$ext-ms-win-ntuser-draw-l1-1-0.dll$xxxxx????xx$xxxxxxxxx?xxxxxx
API String ID: 1727790171-714608195
Opcode ID: e950ed00653e032db4e482b52af393de17c103ed94e17248d0a23da7e8baa243
Instruction ID: 940a8d68340409f6f12c2b37b1954a453c5d03a06819e73313939b644cd6710d
Opcode Fuzzy Hash: e950ed00653e032db4e482b52af393de17c103ed94e17248d0a23da7e8baa243
Instruction Fuzzy Hash: 5B22F1B1B09F42D5EB00DB61F8602A933A5FBA4798F94453ACA4D476A8FF3CE549C350

Function 00007FFD6D9E47D0 Relevance: 68.5, APIs: 18, Strings: 21, Instructions: 256registrymemoryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9E483E
GetSystemDirectoryA.KERNEL32 ref: 00007FFD6D9E48A5

Part of subcall function 00007FFD6DA0A224: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0A24C

GetSystemDirectoryW.KERNEL32 ref: 00007FFD6D9E48F6

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

Part of subcall function 00007FFD6D9EFC70: CreateFileW.KERNEL32 ref: 00007FFD6D9EFCEB
Part of subcall function 00007FFD6D9EFC70: GetLastError.KERNEL32 ref: 00007FFD6D9EFCFA

Part of subcall function 00007FFD6D9BCE30: CreateFileA.KERNEL32 ref: 00007FFD6D9BCEAB

VirtualProtect.KERNEL32 ref: 00007FFD6D9E49B8
VirtualProtect.KERNEL32 ref: 00007FFD6D9E49E6
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E4A5A
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4AB0
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4ADC
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4B08
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4B34
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4B60
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4B8C
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4BB8
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4BE4
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4C10
RegSetValueExA.ADVAPI32 ref: 00007FFD6D9E4C50
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4C85

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

RegCloseKey.ADVAPI32 ref: 00007FFD6D9E4C95

Strings

[Symbols] Failure in reading symbols for "%s"., xrefs: 00007FFD6D9E4A40
CLauncherTipContextMenu::ShowLauncherTipContextMenu, xrefs: 00007FFD6D9E4BA3
[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information., xrefs: 00007FFD6D9E495A
[Symbols] Reading symbols..., xrefs: 00007FFD6D9E496B
[Symbols] Downloading symbols for "%s" ("%s")..., xrefs: 00007FFD6D9E492E
ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu, xrefs: 00007FFD6D9E4B1F
CLauncherTipContextMenu::GetMenuItemsAsync, xrefs: 00007FFD6D9E4AC7
CLauncherTipContextMenu::_ExecuteShutdownCommand, xrefs: 00007FFD6D9E4B4B
CLauncherTipContextMenu::_ExecuteCommand, xrefs: 00007FFD6D9E4B77
Software\ExplorerPatcher\twinui.pcshell, xrefs: 00007FFD6D9E4816
[Symbols] Symbols for "%s" are not available - unable to download., xrefs: 00007FFD6D9E494E
Version, xrefs: 00007FFD6D9E4C68
[Symbols] Unable to create registry key., xrefs: 00007FFD6D9E4CA2
CMultitaskingViewManager::_CreateDCompMTVHost, xrefs: 00007FFD6D9E4BFB
CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc, xrefs: 00007FFD6D9E4A93
twinui.pcshell, xrefs: 00007FFD6D9E48C0
.dll, xrefs: 00007FFD6D9E48D5
\twinui.pcshell.dll, xrefs: 00007FFD6D9E48FC
ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu, xrefs: 00007FFD6D9E4AF3
CMultitaskingViewManager::_CreateXamlMTVHost, xrefs: 00007FFD6D9E4BCF
Hash, xrefs: 00007FFD6D9E4C30

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$Create$CloseDirectoryFileProtectSystemVirtual_invalid_parameter_noinfo$AddressErrorHandleLastModuleOpenProcQuery
String ID: .dll$CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc$CLauncherTipContextMenu::GetMenuItemsAsync$CLauncherTipContextMenu::ShowLauncherTipContextMenu$CLauncherTipContextMenu::_ExecuteCommand$CLauncherTipContextMenu::_ExecuteShutdownCommand$CMultitaskingViewManager::_CreateDCompMTVHost$CMultitaskingViewManager::_CreateXamlMTVHost$Hash$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu$Software\ExplorerPatcher\twinui.pcshell$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\twinui.pcshell.dll$twinui.pcshell
API String ID: 2736650789-497210955
Opcode ID: bbc9de1918b5c50e6156900777e1e91b97cf8309caaa219869fc72e4ad09c773
Instruction ID: dc6581214fcc19e238c5bcdf963ffaac39e348cd3e58a351e7df0ba82728eb02
Opcode Fuzzy Hash: bbc9de1918b5c50e6156900777e1e91b97cf8309caaa219869fc72e4ad09c773
Instruction Fuzzy Hash: 45D14176B1CE52C6EB20DF65F8602AA7361FB98758F414132DA4D43AA4EF7CD249CB40

Function 00007FFD6D9C5B50 Relevance: 61.6, APIs: 28, Strings: 7, Instructions: 337memorylibraryCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FFD6D9C5BA8
GetWindowLongPtrW.USER32 ref: 00007FFD6D9C5BF0
GetWindowLongPtrW.USER32 ref: 00007FFD6D9C5C68
IsBadCodePtr.KERNEL32 ref: 00007FFD6D9C5CC1
GetWindowTextW.USER32 ref: 00007FFD6D9C5CF3
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9C5D08
LoadStringW.USER32 ref: 00007FFD6D9C5D2B
FreeLibrary.KERNEL32 ref: 00007FFD6D9C5D34
VirtualProtect.KERNEL32 ref: 00007FFD6D9C5DCC
VirtualProtect.KERNEL32 ref: 00007FFD6D9C5E0E
VirtualProtect.KERNEL32 ref: 00007FFD6D9C5E2B
VirtualProtect.KERNEL32 ref: 00007FFD6D9C5E6D
VirtualProtect.KERNEL32 ref: 00007FFD6D9C5EF3
VirtualProtect.KERNEL32 ref: 00007FFD6D9C5F1D

Strings

CortanaButton, xrefs: 00007FFD6D9C5D6F
MultitaskingButton, xrefs: 00007FFD6D9C5E78
pnidui.dll, xrefs: 00007FFD6D9C6135
TrayButton, xrefs: 00007FFD6D9C5C20
ControlCenterButton, xrefs: 00007FFD6D9C5BB7
PeopleButton, xrefs: 00007FFD6D9C5CB5
PeopleBand.dll, xrefs: 00007FFD6D9C5CFB

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$Window$LibraryLoadLong$ClassCodeFreeNameStringText
String ID: ControlCenterButton$CortanaButton$MultitaskingButton$PeopleBand.dll$PeopleButton$TrayButton$pnidui.dll
API String ID: 3103532507-4160915873
Opcode ID: b070c62dda4f0acebd15081496e05f432ac68a8b5508638680c13191efce15b5
Instruction ID: 6faa1d1e57c3e9290f0c91cabe738440d61a8423398fde50487f2f640d74a66c
Opcode Fuzzy Hash: b070c62dda4f0acebd15081496e05f432ac68a8b5508638680c13191efce15b5
Instruction Fuzzy Hash: 01023461B1CE52C6EB509B11F8247B933A1FBA5B44F808536DA4E476A4FF3CE989C740

Function 00007FFD6D9CF5E0 Relevance: 61.6, APIs: 20, Strings: 15, Instructions: 322registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9CF63B
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CF680
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CF6B3
RegCloseKey.ADVAPI32 ref: 00007FFD6D9CF6BD
RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9CF6F6
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CF742
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CF78E
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CF7DC
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CF82A
RegCloseKey.ADVAPI32 ref: 00007FFD6D9CF855
RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9CF88E
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CF903
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CF988
RegCloseKey.ADVAPI32 ref: 00007FFD6D9CF9B4
RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9CF9ED
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CFA32
RegCloseKey.ADVAPI32 ref: 00007FFD6D9CFA55
RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9CFA8E
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9CFACB
RegCloseKey.ADVAPI32 ref: 00007FFD6D9CFAEA

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00007FFD6D9CFA69
StartUI_EnableRoundedCorners, xrefs: 00007FFD6D9CF7AD
StartDocked_DisableRecommendedSection, xrefs: 00007FFD6D9CF75F
NoStartMenuMorePrograms, xrefs: 00007FFD6D9CFAB2
Start_MaximumFrequentApps, xrefs: 00007FFD6D9CF725
MakeAllAppsDefault, xrefs: 00007FFD6D9CF667
SOFTWARE\Policies\Microsoft\Windows\Explorer, xrefs: 00007FFD6D9CF9C8
Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher, xrefs: 00007FFD6D9CF6D1
ForceStartSize, xrefs: 00007FFD6D9CFA19
MonitorOverride, xrefs: 00007FFD6D9CF693
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage, xrefs: 00007FFD6D9CF60B
TaskbarAl, xrefs: 00007FFD6D9CF95D
Start_ShowClassicMode, xrefs: 00007FFD6D9CF8DC
StartUI_ShowMoreTiles, xrefs: 00007FFD6D9CF7FB
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9CF869

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: QueryValue$CloseCreate
String ID: ForceStartSize$MakeAllAppsDefault$MonitorOverride$NoStartMenuMorePrograms$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer$SOFTWARE\Policies\Microsoft\Windows\Explorer$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$StartDocked_DisableRecommendedSection$StartUI_EnableRoundedCorners$StartUI_ShowMoreTiles$Start_MaximumFrequentApps$Start_ShowClassicMode$TaskbarAl
API String ID: 2657993070-1512199074
Opcode ID: 17cb75b7e1b677187ab5d7863d7c201edff69ff77205526d46f5ce14c109d75a
Instruction ID: 2d4c57aeeb35432ac8b658a2df19a5eacafddc92bb9c97eb3a4bc795dcb3ce1f
Opcode Fuzzy Hash: 17cb75b7e1b677187ab5d7863d7c201edff69ff77205526d46f5ce14c109d75a
Instruction Fuzzy Hash: 71F10576B19B12CAEB20CF64F9A06A937B4FB94358F501236DA4D53A68EF3CD544CB40

Function 00007FFD6D9EBD00 Relevance: 54.8, APIs: 21, Strings: 10, Instructions: 574libraryCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9EBD47
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EBD78
RoActivateInstance.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9EBD90
StrFormatByteSizeW.SHLWAPI ref: 00007FFD6D9EBF7D
StrFormatByteSizeW.SHLWAPI ref: 00007FFD6D9EBF9A
SHGetFolderPathW.SHELL32 ref: 00007FFD6D9EC006
LoadLibraryExW.KERNEL32 ref: 00007FFD6D9EC033
LoadStringW.USER32 ref: 00007FFD6D9EC052
FreeLibrary.KERNEL32 ref: 00007FFD6D9EC061
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC0B0
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC0DB

Part of subcall function 00007FFD6DA07CA8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07CCE

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC19D
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC1CA
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC314
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC470
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EC524

Strings

progressStatus, xrefs: 00007FFD6D9EC1C3
indeterminate, xrefs: 00007FFD6D9EBF4E
ep_updates, xrefs: 00007FFD6D9EC30D
action=update, xrefs: 00007FFD6D9EC4B6
EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9EC4E2
updates.cpp, xrefs: 00007FFD6D9EBDA6, 00007FFD6D9EBE1C, 00007FFD6D9EBE84, 00007FFD6D9EC10B, 00007FFD6D9EC1FA, 00007FFD6D9EC27F, 00007FFD6D9EC345, 00007FFD6D9EC447, 00007FFD6D9EC493
progressValue, xrefs: 00007FFD6D9EC0D4
\ExplorerPatcher\ep_gui.dll, xrefs: 00007FFD6D9EC00C
%s / %s, xrefs: 00007FFD6D9EBFA8
Windows.UI.Notifications.NotificationData, xrefs: 00007FFD6D9EBD71

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: String$Windows$CreateReference$ByteDeleteFormatLibraryLoadSize$ActivateCounterFolderFreeInstancePathPerformanceQuery_invalid_parameter_noinfo
String ID: %s / %s$EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Windows.UI.Notifications.NotificationData$\ExplorerPatcher\ep_gui.dll$action=update$ep_updates$indeterminate$progressStatus$progressValue$updates.cpp
API String ID: 2375332063-2428038664
Opcode ID: d9f4d5dde8a7d03f1098689d6001779440e47441b912f1d012fa573a0040d778
Instruction ID: d4c57f33eb27b171e2f0075cfb82fc29068b53737232ba53d393a156e577cb7f
Opcode Fuzzy Hash: d9f4d5dde8a7d03f1098689d6001779440e47441b912f1d012fa573a0040d778
Instruction Fuzzy Hash: 5B324A32B08F46CAEB149B65F8606AE67A1FF84B84F445136DA8E53B64EF3CE544C740

Function 00007FFD6D9E4CE0 Relevance: 50.9, APIs: 12, Strings: 17, Instructions: 182registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9E4D51
GetWindowsDirectoryA.KERNEL32 ref: 00007FFD6D9E4DB8

Part of subcall function 00007FFD6DA0A224: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0A24C

GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9E4E09

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

Part of subcall function 00007FFD6D9EFC70: CreateFileW.KERNEL32 ref: 00007FFD6D9EFCEB
Part of subcall function 00007FFD6D9EFC70: GetLastError.KERNEL32 ref: 00007FFD6D9EFCFA

Part of subcall function 00007FFD6D9BCE30: CreateFileA.KERNEL32 ref: 00007FFD6D9BCEAB

RegCloseKey.ADVAPI32 ref: 00007FFD6D9E4EC1
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4EEE
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4F1A
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4F46
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4F72
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E4F9E
RegSetValueExA.ADVAPI32 ref: 00007FFD6D9E4FDE
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9E5013
RegCloseKey.ADVAPI32 ref: 00007FFD6D9E5023

Strings

StartDocked, xrefs: 00007FFD6D9E4DD3
Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked, xrefs: 00007FFD6D9E4D31
[Symbols] Failure in reading symbols for "%s"., xrefs: 00007FFD6D9E4EA7
[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information., xrefs: 00007FFD6D9E4E6D
[Symbols] Reading symbols..., xrefs: 00007FFD6D9E4E7B
[Symbols] Downloading symbols for "%s" ("%s")..., xrefs: 00007FFD6D9E4E41
[Symbols] Symbols for "%s" are not available - unable to download., xrefs: 00007FFD6D9E4E61
\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll, xrefs: 00007FFD6D9E4E0F
Version, xrefs: 00007FFD6D9E4FF6
[Symbols] Unable to create registry key., xrefs: 00007FFD6D9E5030
StartDocked::LauncherFrame::ShowAllApps, xrefs: 00007FFD6D9E4ED1, 00007FFD6D9E4F05
StartDocked::LauncherFrame::OnVisibilityChanged, xrefs: 00007FFD6D9E4F31
StartDocked::StartSizingFrame::StartSizingFrame, xrefs: 00007FFD6D9E4F89
.dll, xrefs: 00007FFD6D9E4DE8
StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps, xrefs: 00007FFD6D9E4F5D
\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\, xrefs: 00007FFD6D9E4DBE
Hash, xrefs: 00007FFD6D9E4FBE

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$Create$CloseDirectoryFileWindows_invalid_parameter_noinfo$ErrorLast
String ID: .dll$Hash$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$StartDocked$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::StartSizingFrame::StartSizingFrame$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll
API String ID: 3922731654-50308056
Opcode ID: 7445e1bfced21914ae7d76f3f9e228a81fe0caab155e21daa18b560fdd0e6bf6
Instruction ID: 742e5932facefd3cb1722ab374acaefa2d8a91c79e800e765fbbad5a97444c92
Opcode Fuzzy Hash: 7445e1bfced21914ae7d76f3f9e228a81fe0caab155e21daa18b560fdd0e6bf6
Instruction Fuzzy Hash: F2916572B1CE82C6EB10DF64F8606AA7361FB98758F414232DA5D43AA9EF7CD245C740

Function 00007FFD6D9B1B20 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 331windowthreadtimeCOMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FFD6D9B1B62
GetWindowThreadProcessId.USER32 ref: 00007FFD6D9B1B83
DestroyIcon.USER32 ref: 00007FFD6D9B1BE9
GetCurrentProcessId.KERNEL32 ref: 00007FFD6D9B1BFF
CopyIcon.USER32 ref: 00007FFD6D9B1C20
GetCurrentProcessId.KERNEL32 ref: 00007FFD6D9B1C6D
DestroyIcon.USER32 ref: 00007FFD6D9B1C7C
OpenProcess.KERNEL32 ref: 00007FFD6D9B1CF8
K32GetModuleFileNameExW.KERNEL32 ref: 00007FFD6D9B1D19
CharLowerW.USER32 ref: 00007FFD6D9B1D26
SHGetFileInfoW.SHELL32 ref: 00007FFD6D9B1D5D
SHGetPropertyStoreForWindow.SHELL32 ref: 00007FFD6D9B1D9D
SHCreateItemInKnownFolder.SHELL32 ref: 00007FFD6D9B1E1F
ImageList_Create.COMCTL32 ref: 00007FFD6D9B1E95
ImageList_Add.COMCTL32 ref: 00007FFD6D9B1EA9
ImageList_GetIcon.COMCTL32 ref: 00007FFD6D9B1EC0
ImageList_Destroy.COMCTL32 ref: 00007FFD6D9B1ECC
DeleteObject.GDI32 ref: 00007FFD6D9B1ED7
IsHungAppWindow.USER32 ref: 00007FFD6D9B206B
KillTimer.USER32 ref: 00007FFD6D9B2086
SendMessageW.USER32 ref: 00007FFD6D9B209E

Strings

\imageres.dll, xrefs: 00007FFD6D9B1FAA

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: IconImageList_ProcessWindow$Destroy$CreateCurrentFile$CharCopyDeleteFolderHungInfoItemKillKnownLongLowerMessageModuleNameObjectOpenPropertySendStoreThreadTimer
String ID: \imageres.dll
API String ID: 2056515760-856694671
Opcode ID: 89d8d9eedc8965e04acaadf2cb3e0ac2d071cdf30c3d8f2a56d2f93332be19bc
Instruction ID: db3333684cb2c78a89f6547c86f9633d00e62d5bcd220c506e0a18c5eb4b2731
Opcode Fuzzy Hash: 89d8d9eedc8965e04acaadf2cb3e0ac2d071cdf30c3d8f2a56d2f93332be19bc
Instruction Fuzzy Hash: 9BF16C32B08E81C6EB24DF25F8A467A73A1FB95B84F414536DA4E47AA4EF3DE445C700

Function 00007FFD6D9CCF80 Relevance: 43.9, APIs: 13, Strings: 12, Instructions: 197libraryloaderwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9CCB20: RegGetValueW.KERNEL32 ref: 00007FFD6D9CCB9B
Part of subcall function 00007FFD6D9CCB20: RegGetValueW.KERNEL32 ref: 00007FFD6D9CCBDF
Part of subcall function 00007FFD6D9CCB20: RegGetValueW.KERNEL32 ref: 00007FFD6D9CCC24
Part of subcall function 00007FFD6D9CCB20: RegGetValueW.KERNEL32 ref: 00007FFD6D9CCC73

Part of subcall function 00007FFD6D9D4E90: RegCreateKeyExW.KERNEL32 ref: 00007FFD6D9D4EEC
Part of subcall function 00007FFD6D9D4E90: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9D4F41
Part of subcall function 00007FFD6D9D4E90: GetLocaleInfoW.KERNEL32 ref: 00007FFD6D9D4F8A
Part of subcall function 00007FFD6D9D4E90: GetLocaleInfoW.KERNEL32 ref: 00007FFD6D9D4FA5
Part of subcall function 00007FFD6D9D4E90: SetThreadPreferredUILanguages.KERNEL32 ref: 00007FFD6D9D505B
Part of subcall function 00007FFD6D9D4E90: RegCloseKey.KERNEL32 ref: 00007FFD6D9D506B

SHGetFolderPathW.SHELL32 ref: 00007FFD6D9CCFE7

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

LoadLibraryExW.KERNEL32 ref: 00007FFD6D9CD014
LoadStringW.USER32 ref: 00007FFD6D9CD03B
LoadStringW.USER32 ref: 00007FFD6D9CD06C
LoadStringW.USER32 ref: 00007FFD6D9CD07D
SHGetFolderPathW.SHELL32 ref: 00007FFD6D9CD0D6
LoadStringW.USER32 ref: 00007FFD6D9CD109
LoadStringW.USER32 ref: 00007FFD6D9CD1BE
GetModuleHandleA.KERNEL32 ref: 00007FFD6D9CD25E
GetProcAddress.KERNEL32 ref: 00007FFD6D9CD273
MessageBoxW.USER32 ref: 00007FFD6D9CD2C2
ShellExecuteW.SHELL32 ref: 00007FFD6D9CD2F8
FreeLibrary.KERNEL32 ref: 00007FFD6D9CD311

Strings

https://github.com/valinet/ExplorerPatcher/discussions/1102, xrefs: 00007FFD6D9CD133
https://github.com/valinet/ExplorerPatcher/discussions, xrefs: 00007FFD6D9CD172
eplink://update, xrefs: 00007FFD6D9CD18F
TaskDialogIndirect, xrefs: 00007FFD6D9CD269
\ExplorerPatcher\ep_setup.exe' /uninstall, xrefs: 00007FFD6D9CD0DC
Would you like to open the ExplorerPatcher status web page on GitHub in your default browser?, xrefs: 00007FFD6D9CD298
open, xrefs: 00007FFD6D9CD2EF
Comctl32.dll, xrefs: 00007FFD6D9CD1FB
https://github.com/valinet/ExplorerPatcher/issues, xrefs: 00007FFD6D9CD166
ExplorerPatcher, xrefs: 00007FFD6D9CD1EF
https://github.com/valinet/ExplorerPatcher/releases, xrefs: 00007FFD6D9CD17E
\ExplorerPatcher\ep_gui.dll, xrefs: 00007FFD6D9CCFED

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Load$StringValue$FolderInfoLibraryLocalePath$AddressCloseCreateExecuteFreeHandleLanguagesMessageModulePreferredProcQueryShellThread_invalid_parameter_noinfo
String ID: Would you like to open the ExplorerPatcher status web page on GitHub in your default browser?$Comctl32.dll$ExplorerPatcher$TaskDialogIndirect$\ExplorerPatcher\ep_gui.dll$\ExplorerPatcher\ep_setup.exe' /uninstall$eplink://update$https://github.com/valinet/ExplorerPatcher/discussions$https://github.com/valinet/ExplorerPatcher/discussions/1102$https://github.com/valinet/ExplorerPatcher/issues$https://github.com/valinet/ExplorerPatcher/releases$open
API String ID: 2492175686-1032208078
Opcode ID: 1c02c93ae3f276dc31b28fa1b31d935f5bf574aa33f71d65fe083c84c4d68c7a
Instruction ID: c6c140bc558b59c525ed6d49b30eeba167b97f5e0e6202407017d14d5e9f98a6
Opcode Fuzzy Hash: 1c02c93ae3f276dc31b28fa1b31d935f5bf574aa33f71d65fe083c84c4d68c7a
Instruction Fuzzy Hash: B8A10936B18F81DAE720CF25F8206E923A5FB98748F844136EA4D46A99EF3CD645C740

Function 00007FFD6D9CFE40 Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9CFE8C
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9CFEBE
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9CFF2F
OpenMutexW.KERNEL32 ref: 00007FFD6D9CFF7B
CloseHandle.KERNEL32 ref: 00007FFD6D9CFF89
ShowWindow.USER32 ref: 00007FFD6D9CFF9E
EnumDisplayMonitors.USER32 ref: 00007FFD6D9D0020
MonitorFromPoint.USER32 ref: 00007FFD6D9D003C
FindWindowExW.USER32 ref: 00007FFD6D9D0056
MonitorFromWindow.USER32 ref: 00007FFD6D9D006C
FindWindowExW.USER32 ref: 00007FFD6D9D008F
MonitorFromWindow.USER32 ref: 00007FFD6D9D00A5
MonitorFromWindow.USER32 ref: 00007FFD6D9D00EB
GetMonitorInfoW.USER32 ref: 00007FFD6D9D00F8
GetWindowRect.USER32 ref: 00007FFD6D9D0111
GetCursorPos.USER32 ref: 00007FFD6D9D0157
SetWindowPos.USER32 ref: 00007FFD6D9D02DA
SetWindowRgn.USER32 ref: 00007FFD6D9D0345

Strings

Shell_TrayWnd, xrefs: 00007FFD6D9D0048
Windows.UI.Xaml.Window, xrefs: 00007FFD6D9CFE81
EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}, xrefs: 00007FFD6D9CFF6D
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9D0083
!@, xrefs: 00007FFD6D9D02C3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$Monitor$From$FindStringWindows$ActivationCloseCreateCursorDeleteDisplayEnumFactoryHandleInfoMonitorsMutexOpenPointRectReferenceShow
String ID: !@$EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$Shell_SecondaryTrayWnd$Shell_TrayWnd$Windows.UI.Xaml.Window
API String ID: 3798604058-3529946197
Opcode ID: 2bb6d137ec69ddbf412731f1f2d1c6663742f2265f7e0906dd7cea1ed288a300
Instruction ID: 0aa1d965743e16d2b88cea13e163e412311f172f3f74e91347f343ccbc94f715
Opcode Fuzzy Hash: 2bb6d137ec69ddbf412731f1f2d1c6663742f2265f7e0906dd7cea1ed288a300
Instruction Fuzzy Hash: EAF12A36B09E02DAFB20CB66E9646BD33B1BB54788F444536CE0D57A98EF3CA549C700

Function 00007FFD6D9CCCB0 Relevance: 40.4, APIs: 15, Strings: 8, Instructions: 163sleepregistryprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 00007FFD6D9CCDA7
CloseHandle.KERNEL32 ref: 00007FFD6D9CCDB6
CloseHandle.KERNEL32 ref: 00007FFD6D9CCDC1
RegSetKeyValueW.ADVAPI32 ref: 00007FFD6D9CCE74
SetLastError.KERNEL32 ref: 00007FFD6D9CCE7C
CreateEventW.KERNEL32 ref: 00007FFD6D9CCE90
GetLastError.KERNEL32 ref: 00007FFD6D9CCE9E
SetEvent.KERNEL32 ref: 00007FFD6D9CCEAE
CreateThread.KERNEL32 ref: 00007FFD6D9CCED0
Sleep.KERNEL32 ref: 00007FFD6D9CCEDB
SetLastError.KERNEL32 ref: 00007FFD6D9CCEE3
CreateEventW.KERNEL32 ref: 00007FFD6D9CCEF7
GetLastError.KERNEL32 ref: 00007FFD6D9CCF05
SetEvent.KERNEL32 ref: 00007FFD6D9CCF15
ShellExecuteW.SHELL32 ref: 00007FFD6D9CCF3F

Strings

EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9CCE82, 00007FFD6D9CCEE9
eplink://update/stable, xrefs: 00007FFD6D9CCE0B
eplink://update, xrefs: 00007FFD6D9CCDEE
open, xrefs: 00007FFD6D9CCF36
h, xrefs: 00007FFD6D9CCD2E
Software\ExplorerPatcher, xrefs: 00007FFD6D9CCE6D
UpdatePreferStaging, xrefs: 00007FFD6D9CCE5F
eplink://update/staging, xrefs: 00007FFD6D9CCE2C

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CreateErrorEventLast$CloseHandle$ExecuteProcessShellSleepThreadValue
String ID: EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Software\ExplorerPatcher$UpdatePreferStaging$eplink://update$eplink://update/stable$eplink://update/staging$h$open
API String ID: 2028834884-198725195
Opcode ID: a274810f2dd4b0325282cfab0de87efade91e6e96364b1a32c500caf592512fb
Instruction ID: 646e77c3e03a3d1952c6809149d3bc150541ee2bae3e45ceceecf98d65174f5f
Opcode Fuzzy Hash: a274810f2dd4b0325282cfab0de87efade91e6e96364b1a32c500caf592512fb
Instruction Fuzzy Hash: 18714121B1CF82C2EB609B15B96036A6761FB98794F541236DA8D42A94FF7CE581C700

Function 00007FFD6D9BFBE0 Relevance: 38.8, APIs: 17, Strings: 5, Instructions: 274comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FFD6D9BFC85
GetClassNameW.USER32 ref: 00007FFD6D9BFD74
IsWindow.USER32 ref: 00007FFD6D9BFD7F

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

GetAncestor.USER32 ref: 00007FFD6D9BFE0E
FindWindowExW.USER32 ref: 00007FFD6D9BFE23
IsWindow.USER32 ref: 00007FFD6D9BFE2F
FindWindowExW.USER32 ref: 00007FFD6D9BFE48
IsWindow.USER32 ref: 00007FFD6D9BFE54
SysFreeString.OLEAUT32 ref: 00007FFD6D9C0007
SysFreeString.OLEAUT32 ref: 00007FFD6D9C001A

Strings

Windows.UI.Composition.DesktopWindowContentBridge, xrefs: 00007FFD6D9BFE17
Windows.UI.Input.InputSite.WindowClass, xrefs: 00007FFD6D9BFD94
Taskbar.TaskbarFrameAutomationPeer, xrefs: 00007FFD6D9BFD11
WorkerW, xrefs: 00007FFD6D9BFF81
MSTaskListWClass, xrefs: 00007FFD6D9BFDCE

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$FindFreeString$AddressAncestorClassCreateHandleInstanceModuleNameOpenProcQueryValue
String ID: MSTaskListWClass$Taskbar.TaskbarFrameAutomationPeer$Windows.UI.Composition.DesktopWindowContentBridge$Windows.UI.Input.InputSite.WindowClass$WorkerW
API String ID: 1963979031-3829649249
Opcode ID: c1dc6a0013d7558da047cee5b2989912034ac38a1a66c3ed5ee20b1efcabf398
Instruction ID: 39da45aacbf87b18b4cbe16e9fbd8ba163e612fb9ed29498407d9d1ad1a53e51
Opcode Fuzzy Hash: c1dc6a0013d7558da047cee5b2989912034ac38a1a66c3ed5ee20b1efcabf398
Instruction Fuzzy Hash: 38D1477AB08E42C2EB508F26F86427A67A1FB84F94F455136EE4E43A68EF3DD444C710

Function 00007FFD6D9F0840 Relevance: 37.1, APIs: 16, Strings: 5, Instructions: 327windowregistryCOMMON

Download Yara Rule

APIs

SHParseDisplayName.SHELL32 ref: 00007FFD6D9F0891
SHBindToParent.SHELL32 ref: 00007FFD6D9F08B6
CreatePopupMenu.USER32 ref: 00007FFD6D9F090B
TrackPopupMenuEx.USER32 ref: 00007FFD6D9F0970
RegQueryValueW.ADVAPI32 ref: 00007FFD6D9F0A5A
RegQueryValueW.ADVAPI32 ref: 00007FFD6D9F0B01
InsertMenuItemW.USER32 ref: 00007FFD6D9F0BE6
DestroyMenu.USER32 ref: 00007FFD6D9F0D7F
CoTaskMemFree.OLE32 ref: 00007FFD6D9F0DA6

Strings

InfoTip, xrefs: 00007FFD6D9F0A78, 00007FFD6D9F0B1F
Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}, xrefs: 00007FFD6D9F0A43, 00007FFD6D9F0AEA
::{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}, xrefs: 00007FFD6D9F0884
P, xrefs: 00007FFD6D9F0CF8
c, xrefs: 00007FFD6D9F0C02

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Menu$PopupQueryValue$BindCreateDestroyDisplayFreeInsertItemNameParentParseTaskTrack
String ID: ::{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}$InfoTip$P$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}$c
API String ID: 3796425743-3612032762
Opcode ID: a3025c20c2c8cb159d850756db8d98c40d3405841d8a9de28b2ff5de5fd1304c
Instruction ID: 3cb84215e3b80af486d0ba8e3cba091aed13e531272b1b87eaafc4e8f8371369
Opcode Fuzzy Hash: a3025c20c2c8cb159d850756db8d98c40d3405841d8a9de28b2ff5de5fd1304c
Instruction Fuzzy Hash: E6E14C32B18B51C6E7108F66F8503A977A5FB98B58F104236EE9D47A98EF7CD544CB00

Function 00007FFD6D9F0540 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 137networkfilesleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET ref: 00007FFD6D9F0580
InternetOpenUrlA.WININET ref: 00007FFD6D9F05B7
InternetReadFile.WININET ref: 00007FFD6D9F0603
SHGetFolderPathW.SHELL32 ref: 00007FFD6D9F0638

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

CreateDirectoryW.KERNEL32 ref: 00007FFD6D9F0659
GetLastError.KERNEL32 ref: 00007FFD6D9F0663
ShellExecuteExW.SHELL32 ref: 00007FFD6D9F0730
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9F0748
CloseHandle.KERNEL32 ref: 00007FFD6D9F0752
Sleep.KERNEL32 ref: 00007FFD6D9F075D
DeleteFileW.KERNEL32 ref: 00007FFD6D9F0767
InternetCloseHandle.WININET ref: 00007FFD6D9F077D
InternetCloseHandle.WININET ref: 00007FFD6D9F078E

Strings

\ExplorerPatcher, xrefs: 00007FFD6D9F063E
https://go.microsoft.com/fwlink/p/?LinkId=2124703, xrefs: 00007FFD6D9F0597
@, xrefs: 00007FFD6D9F06FB
p, xrefs: 00007FFD6D9F06DD
\MicrosoftEdgeWebview2Setup.exe, xrefs: 00007FFD6D9F0674
ExplorerPatcher, xrefs: 00007FFD6D9F056D

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Internet$CloseHandle$FileOpen$CreateDeleteDirectoryErrorExecuteFolderLastObjectPathReadShellSingleSleepWait_invalid_parameter_noinfo
String ID: @$ExplorerPatcher$\ExplorerPatcher$\MicrosoftEdgeWebview2Setup.exe$https://go.microsoft.com/fwlink/p/?LinkId=2124703$p
API String ID: 2895610840-1819798696
Opcode ID: df0cf5f14f591cbc611f32a44d28127dde357b49adabe2f52cba13da870d6ab4
Instruction ID: 9b4f286c141561020dd74de640591e4e010b394db0a25adf9f4c2db2705eb0db
Opcode Fuzzy Hash: df0cf5f14f591cbc611f32a44d28127dde357b49adabe2f52cba13da870d6ab4
Instruction Fuzzy Hash: 1A616E22B1CF82C6FB109F61F8607AA63A5FBA5784F444236DA8D43A55EF3CD545CB40

Function 00007FFD6D9BCAC0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFD6D9BCAF2
SymGetOptions.DBGHELP ref: 00007FFD6D9BCB02
SymSetOptions.DBGHELP ref: 00007FFD6D9BCB12
SymInitialize.DBGHELP ref: 00007FFD6D9BCB22
SymLoadModuleEx.DBGHELP ref: 00007FFD6D9BCB6F
SymCleanup.DBGHELP ref: 00007FFD6D9BCB82

Strings

Failed to open pool-size guide file., xrefs: 00007FFD6D9BCE0E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Options$CleanupInfoInitializeLoadModuleSystem
String ID: Failed to open pool-size guide file.
API String ID: 4119312768-3392875237
Opcode ID: 3aa42feae01dc2c1582e6510eefd5af89794617637a948f42949ebad37c5cd0c
Instruction ID: 2df74263e40c5309cef88d96a22a26be06b0432a2bed7fa07e23a0d76aa68238
Opcode Fuzzy Hash: 3aa42feae01dc2c1582e6510eefd5af89794617637a948f42949ebad37c5cd0c
Instruction Fuzzy Hash: 8E918D65B0CE42C2EB209F26B86437A66A2FBD8755F054236DA5E477D4EF3CE505CB00

Function 00007FFD6D9BEF90 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 94windowsleepregistryCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 00007FFD6D9BEFDD
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BEFED
LoadCursorW.USER32 ref: 00007FFD6D9BF00E
RegisterClassW.USER32 ref: 00007FFD6D9BF021
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BF029
CreateWindowExW.USER32 ref: 00007FFD6D9BF061
GetMessageW.USER32 ref: 00007FFD6D9BF083
TranslateMessage.USER32 ref: 00007FFD6D9BF09D
DispatchMessageW.USER32 ref: 00007FFD6D9BF0AB
GetMessageW.USER32 ref: 00007FFD6D9BF0C1
DestroyWindow.USER32 ref: 00007FFD6D9BF0CE
SHAppBarMessage.SHELL32 ref: 00007FFD6D9BF0EC
SHAppBarMessage.SHELL32 ref: 00007FFD6D9BF10D
Sleep.KERNEL32 ref: 00007FFD6D9BF118
SHAppBarMessage.SHELL32 ref: 00007FFD6D9BF137
SetEvent.KERNEL32 ref: 00007FFD6D9BF144

Strings

FixTaskbarAutohide_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9BEFF3
0, xrefs: 00007FFD6D9BF0DC

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Message$HandleModuleWindow$ClassCreateCursorDestroyDispatchEventLoadObjectRegisterSleepStockTranslate
String ID: 0$FixTaskbarAutohide_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
API String ID: 2692392126-3745785993
Opcode ID: 372ee5a78053523f1f732c44edd9fd8a641ae2e0514952c61d0baf2847e36725
Instruction ID: a24920c7ee8ee7d958f71abeeb64889b9041082444336036cb450817814435b4
Opcode Fuzzy Hash: 372ee5a78053523f1f732c44edd9fd8a641ae2e0514952c61d0baf2847e36725
Instruction Fuzzy Hash: 5D410E3270CF82C2EB248B24F86436AB3A5FBD8744F544536D68E46AA4EF7CD049CB00

Function 00007FFD6D9E7D80 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 244windowsleepregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD6D9E7E03
LoadCursorW.USER32 ref: 00007FFD6D9E7E18
GetStockObject.GDI32 ref: 00007FFD6D9E7E24
RegisterClassW.USER32 ref: 00007FFD6D9E7E41
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9E7E67
CreateWindowInBand.USER32 ref: 00007FFD6D9E7EAF
SetForegroundWindow.USER32 ref: 00007FFD6D9E7EBB
Sleep.KERNEL32 ref: 00007FFD6D9E7EE5
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9E7F1F
LoadStringW.USER32 ref: 00007FFD6D9E7F36
GetMenuItemCount.USER32 ref: 00007FFD6D9E7FD9
InsertMenuItemW.USER32 ref: 00007FFD6D9E7FEF
TrackPopupMenu.USER32 ref: 00007FFD6D9E807B
RemoveMenu.USER32 ref: 00007FFD6D9E80BD
SendMessageW.USER32 ref: 00007FFD6D9E814C

Strings

LauncherTipWnd, xrefs: 00007FFD6D9E7E32
ExplorerFrame.dll, xrefs: 00007FFD6D9E7F18

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Menu$HandleModule$ItemLoadWindow$BandClassCountCreateCursorForegroundInsertMessageObjectPopupRegisterRemoveSendSleepStockStringTrack
String ID: ExplorerFrame.dll$LauncherTipWnd
API String ID: 1231917228-1828045394
Opcode ID: 5676c89afdf6bcbbae7d620a374ba3e5c7efe4007a58b015cbb39207c9efa398
Instruction ID: 6ed46e69206a6e0926cf9e2834a9e07750d56e4542d74cd4d3015f4be86e9707
Opcode Fuzzy Hash: 5676c89afdf6bcbbae7d620a374ba3e5c7efe4007a58b015cbb39207c9efa398
Instruction Fuzzy Hash: 3BC11332B09F42CAEB508F65F8646A933A4FB98B88F10453ADA4D57BA4EF3DD554C700

Function 00007FFD6D9E8820 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 179comwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FFD6D9E886D
FindWindowExW.USER32 ref: 00007FFD6D9E8883
FindWindowExW.USER32 ref: 00007FFD6D9E88A1
GetCursorPos.USER32 ref: 00007FFD6D9E88C0
MonitorFromPoint.USER32 ref: 00007FFD6D9E88D9
FindWindowExW.USER32 ref: 00007FFD6D9E88FF
MonitorFromWindow.USER32 ref: 00007FFD6D9E8910
FindWindowExW.USER32 ref: 00007FFD6D9E8950
MonitorFromWindow.USER32 ref: 00007FFD6D9E8961
GetMonitorInfoW.USER32 ref: 00007FFD6D9E896E
GetWindowRect.USER32 ref: 00007FFD6D9E8980
CoCreateInstance.OLE32 ref: 00007FFD6D9E89E6

Strings

Start, xrefs: 00007FFD6D9E8895
Shell_TrayWnd, xrefs: 00007FFD6D9E8878, 00007FFD6D9E8945
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9E88F3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$FindMonitor$From$CreateCursorInfoInstanceMessagePointRectSend
String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd$Start
API String ID: 3957573836-2175658619
Opcode ID: 7d5b0573b76e2f28007cb4b648ccba6ba01dc73f564d0536a8582c9ff69fe12d
Instruction ID: 3d2d1e530f42679c32fa4e0e1976f3b4dc7c5e1c00d6d0cd20a4640e7e87be4d
Opcode Fuzzy Hash: 7d5b0573b76e2f28007cb4b648ccba6ba01dc73f564d0536a8582c9ff69fe12d
Instruction Fuzzy Hash: EA811B36B09E42DAEB04CFA5F8646A923A1FB98B88B444436CD0E53B58EF3CD509C340

Function 00007FFD6D9C2FD0 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 193registrylibrarysynchronizationCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00007FFD6D9C3073

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

LoadLibraryW.KERNEL32 ref: 00007FFD6D9C309A
GetProcAddress.KERNEL32 ref: 00007FFD6D9C30B2

Part of subcall function 00007FFD6D9CD870: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FFD6D9C30C8), ref: 00007FFD6D9CD8F3
Part of subcall function 00007FFD6D9CD870: K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,00007FFD6D9C30C8), ref: 00007FFD6D9CD90A

WaitForSingleObject.KERNEL32 ref: 00007FFD6D9C322E
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9C3251
CloseHandle.KERNEL32 ref: 00007FFD6D9C325E
RegCreateKeyExW.ADVAPI32 ref: 00007FFD6D9C32A8
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C32B7
Sleep.KERNEL32 ref: 00007FFD6D9C32E0
CreateThread.KERNEL32 ref: 00007FFD6D9C32FF
CoCreateInstance.OLE32 ref: 00007FFD6D9C331D

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell, xrefs: 00007FFD6D9C319C
UseWin32BatteryFlyout, xrefs: 00007FFD6D9C3185
\ExplorerPatcher\pnidui.dll, xrefs: 00007FFD6D9C3079
Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher, xrefs: 00007FFD6D9C327A
DllGetClassObject, xrefs: 00007FFD6D9C30A8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Create$CloseObjectSingleWait$AddressCurrentFolderHandleInformationInstanceLibraryLoadModulePathProcProcessSleepThread_invalid_parameter_noinfo
String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$DllGetClassObject$SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell$UseWin32BatteryFlyout$\ExplorerPatcher\pnidui.dll
API String ID: 1967696875-3120677660
Opcode ID: 746c03439a40a58e83d8ca3c901a36170888dac9372360057a13f75af7fc3504
Instruction ID: 8a185437d1febbbd98fdad8d96c63d0b5f68d16b151d40174125a5924aaa6305
Opcode Fuzzy Hash: 746c03439a40a58e83d8ca3c901a36170888dac9372360057a13f75af7fc3504
Instruction Fuzzy Hash: E7912531B0CE42D6EB609B21F8A02BA77A1BFA4794F844136D94E47BA4EF7CE445C740

Function 00007FFD6D9B3EF0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 147registrywindowCOMMON

Download Yara Rule

APIs

LoadKeyboardLayoutW.USER32 ref: 00007FFD6D9B3F45
FindWindowW.USER32 ref: 00007FFD6D9B3F57
PostMessageW.USER32 ref: 00007FFD6D9B3F6B
RegOpenKeyExW.ADVAPI32 ref: 00007FFD6D9B3FD2
RegQueryInfoKeyW.ADVAPI32 ref: 00007FFD6D9B401C
RegEnumKeyExW.ADVAPI32 ref: 00007FFD6D9B4066
RegGetValueW.ADVAPI32 ref: 00007FFD6D9B40D0
RegCloseKey.ADVAPI32 ref: 00007FFD6D9B413F

Strings

Layout Id, xrefs: 00007FFD6D9B4097
%08x, xrefs: 00007FFD6D9B3F27
SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}, xrefs: 00007FFD6D9B3F4D, 00007FFD6D9B4117
SYSTEM\CurrentControlSet\Control\Keyboard Layouts, xrefs: 00007FFD6D9B3FC4
%04x, xrefs: 00007FFD6D9B3F76, 00007FFD6D9B3F97

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CloseEnumFindInfoKeyboardLayoutLoadMessageOpenPostQueryValueWindow
String ID: %04x$%08x$Layout Id$SYSTEM\CurrentControlSet\Control\Keyboard Layouts$SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}
API String ID: 3475777497-1477449099
Opcode ID: 2cc275d6c984852e879192a0ef0c866e41c82a68c228ad7057553920e4d4441f
Instruction ID: 67d15185cab9365ea55fbefcd64433cb653558fe469974945b6094763845eadd
Opcode Fuzzy Hash: 2cc275d6c984852e879192a0ef0c866e41c82a68c228ad7057553920e4d4441f
Instruction Fuzzy Hash: 45610832B18E42DAE710CBA1F8606AE73A5EB98748F414136DA4D53A98EF3CD549C750

Function 00007FFD6D9BDEA0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 127sleepregistryCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FFD6D9BDEE6
GetClassNameW.USER32 ref: 00007FFD6D9BDEFA
Sleep.KERNEL32 ref: 00007FFD6D9BDF3F
GetForegroundWindow.USER32 ref: 00007FFD6D9BDF57
GetClassNameW.USER32 ref: 00007FFD6D9BDF6B
GetForegroundWindow.USER32 ref: 00007FFD6D9BDFB7
GetClassNameW.USER32 ref: 00007FFD6D9BDFCE
RegDeleteTreeW.ADVAPI32 ref: 00007FFD6D9BE0AE
Sleep.KERNEL32 ref: 00007FFD6D9BE0BE

Strings

Started "Check foreground window" thread., xrefs: 00007FFD6D9BDEC6
Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher, xrefs: 00007FFD6D9BE0A0
Windows.UI.Core.CoreWindow, xrefs: 00007FFD6D9BDF0C
Ended "Check foreground window" thread., xrefs: 00007FFD6D9BE0C4

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ClassForegroundNameWindow$Sleep$DeleteTree
String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$Ended "Check foreground window" thread.$Started "Check foreground window" thread.$Windows.UI.Core.CoreWindow
API String ID: 2021506011-749137266
Opcode ID: 6d2d520a23ce87c41f09d52bbca6666febd7bbc91658e9d2df2aa38a332627d6
Instruction ID: 6474e1409f788f712e5c3345f7669b6a5f94ae2b4fd9e2bb90da597326fca146
Opcode Fuzzy Hash: 6d2d520a23ce87c41f09d52bbca6666febd7bbc91658e9d2df2aa38a332627d6
Instruction Fuzzy Hash: 9B514E26B1CE52C1EA649B25F4602BA3761FBD5B60F844332DAAE026D8FF3CE545C710

Function 00007FFD6D9BBFA0 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 124windowsleepcomCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFD6D9BBFC7
CoInitialize.OLE32 ref: 00007FFD6D9BBFDB
GetStockObject.GDI32 ref: 00007FFD6D9BC025
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BC035
LoadCursorW.USER32 ref: 00007FFD6D9BC059
RegisterClassW.USER32 ref: 00007FFD6D9BC06F
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BC077
CoCreateInstance.OLE32 ref: 00007FFD6D9BC0F9
ShowWindow.USER32 ref: 00007FFD6D9BC125
GetMessageW.USER32 ref: 00007FFD6D9BC182
TranslateMessage.USER32 ref: 00007FFD6D9BC198
DispatchMessageW.USER32 ref: 00007FFD6D9BC1A6
GetMessageW.USER32 ref: 00007FFD6D9BC1BC

Strings

ArchiveMenuWindowExplorer, xrefs: 00007FFD6D9BC03B
Started "Archive menu" thread., xrefs: 00007FFD6D9BBFCD
Ended "Archive menu" thread., xrefs: 00007FFD6D9BC1C6

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Message$HandleModule$ClassCreateCursorDispatchInitializeInstanceLoadObjectRegisterShowSleepStockTranslateWindow
String ID: ArchiveMenuWindowExplorer$Ended "Archive menu" thread.$Started "Archive menu" thread.
API String ID: 3032281874-998171920
Opcode ID: 9b0c678c5f064ba50305d1bb622670d1f0f9f35267b3ae6155e6264606a80b89
Instruction ID: 536d2a9a5e49add5e3bd8a3117f83daff9c611c3aced9293ba17eba545fdf33d
Opcode Fuzzy Hash: 9b0c678c5f064ba50305d1bb622670d1f0f9f35267b3ae6155e6264606a80b89
Instruction Fuzzy Hash: EB510C32B1CE96C2EB208B25F86076A73A4FBD8B44F515136DA8D52A68EF3CD055CB10

Function 00007FFD6D9C2C20 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 177registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFD6D9C2C9F
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9C2CD9
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C2CE6
RegOpenKeyExW.ADVAPI32 ref: 00007FFD6D9C2D1D
RegQueryValueExW.ADVAPI32 ref: 00007FFD6D9C2D57
RegCloseKey.ADVAPI32 ref: 00007FFD6D9C2D64
#410.COMCTL32 ref: 00007FFD6D9C2DEB
#410.COMCTL32 ref: 00007FFD6D9C2E20
#410.COMCTL32 ref: 00007FFD6D9C2E42
LoadLibraryW.KERNEL32 ref: 00007FFD6D9C2E9E
GetProcAddress.KERNEL32 ref: 00007FFD6D9C2EAC
DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9C2EE9

Strings

SOFTWARE\Classes\CLSID\{056440FD-8568-48e7-A632-72157243B55B}\InProcServer32, xrefs: 00007FFD6D9C2C8C, 00007FFD6D9C2D0F
%x %x, xrefs: 00007FFD6D9C2C65
uxtheme.dll, xrefs: 00007FFD6D9C2E97

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: #410$CloseOpenQueryValue$AddressAttributeLibraryLoadProcWindow
String ID: %x %x$SOFTWARE\Classes\CLSID\{056440FD-8568-48e7-A632-72157243B55B}\InProcServer32$uxtheme.dll
API String ID: 632063587-1665220535
Opcode ID: 623fe39289075d40e9aea1bf15e31dda5c4502ec79245b3fd9ca350c6c168e2a
Instruction ID: f3a90d921a50d050fd151d2cfab5fe4d1c77c1f245ae022596dabba894c69781
Opcode Fuzzy Hash: 623fe39289075d40e9aea1bf15e31dda5c4502ec79245b3fd9ca350c6c168e2a
Instruction Fuzzy Hash: B3814721B1DE42C6EB609B11F86067973A1BFA8794F446136ED4E17AA8FF3CE545CB00

Function 00007FFD6D9C6930 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 130sleepsynchronizationwindowCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFD6D9C697C
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9C6997
Sleep.KERNEL32 ref: 00007FFD6D9C69A2
FindWindowExW.USER32 ref: 00007FFD6D9C69BE
Sleep.KERNEL32 ref: 00007FFD6D9C69E1
FindWindowExW.USER32 ref: 00007FFD6D9C69F5
Sleep.KERNEL32 ref: 00007FFD6D9C6A05
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FFD6D9C6AB0
PeekMessageW.USER32 ref: 00007FFD6D9C6B05
TranslateMessage.USER32 ref: 00007FFD6D9C6B14
DispatchMessageW.USER32 ref: 00007FFD6D9C6B1F
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FFD6D9C6B43
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9C6B76

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

Strings

[sws] Waiting for taskbar..., xrefs: 00007FFD6D9C69D0
Shell_TrayWnd, xrefs: 00007FFD6D9C69B3, 00007FFD6D9C69EA

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Wait$MessageObjectSingleSleep$FindMultipleObjectsWindow$AddressDispatchHandleModuleOpenPeekProcQueryTranslateValue
String ID: Shell_TrayWnd$[sws] Waiting for taskbar...
API String ID: 3550486598-3608668894
Opcode ID: d14c7f3b7886ca27135f606248609faa9d05ff363da3d2f945381040901c4db5
Instruction ID: fbb92a7bba1ca0d94dfe104aa2aae15c3ce3129743c5080929032268249e8310
Opcode Fuzzy Hash: d14c7f3b7886ca27135f606248609faa9d05ff363da3d2f945381040901c4db5
Instruction Fuzzy Hash: F7511231B1CE42C2FB60AB21F8747BA23A1AFA5B54F404536E55E4A6E5EF3CE445C780

Function 00007FFD6DA15C8C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FFD6DA15CDA
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA16346
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA164BC
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA1677A
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA1699A
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA16BD7
memcpy_s.LIBCPMT ref: 00007FFD6DA16CB2
memcpy_s.LIBCPMT ref: 00007FFD6DA16D5D
memcpy_s.LIBCPMT ref: 00007FFD6DA16E2C

Strings

1#QNAN, xrefs: 00007FFD6DA15DF3
1#IND, xrefs: 00007FFD6DA15DC7
1#INF, xrefs: 00007FFD6DA15E03
1#SNAN, xrefs: 00007FFD6DA15DEA

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: f350830a4adcc410153501d9ca6c2ab6903c9060955658178a02212302773db1
Instruction ID: a7d736b6796a30152af4ac8b7deebba61b5b492b39d7f88cd6ba48b8d2cd6c7d
Opcode Fuzzy Hash: f350830a4adcc410153501d9ca6c2ab6903c9060955658178a02212302773db1
Instruction Fuzzy Hash: DFB2A672B1C692CBE7658F64E9607F937A1FB64388F545135DA0D97B84EB38E900CB80

Function 00007FFD6D9B2F60 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00007FFD6D9B2F9B
SelectObject.GDI32 ref: 00007FFD6D9B2FAA
CreateDIBSection.GDI32 ref: 00007FFD6D9B3027
SelectObject.GDI32 ref: 00007FFD6D9B3036
SetTextColor.GDI32 ref: 00007FFD6D9B3050
SetBkColor.GDI32 ref: 00007FFD6D9B305B
SetBkMode.GDI32 ref: 00007FFD6D9B3069
DrawTextW.USER32 ref: 00007FFD6D9B3085
SelectObject.GDI32 ref: 00007FFD6D9B311D
SelectObject.GDI32 ref: 00007FFD6D9B3133
DeleteDC.GDI32 ref: 00007FFD6D9B313C

Strings

(, xrefs: 00007FFD6D9B3003

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ObjectSelect$ColorCreateText$CompatibleDeleteDrawModeSection
String ID: (
API String ID: 2711897886-3887548279
Opcode ID: 2723e664e446cf1bb65ae12c02e6f297f6a33ecf130694f51cda9177338b98d6
Instruction ID: 4c7fbcf6e13161ff686fed1551c9cff346d7c1283d6b039c7f5b92fb6c7faf4c
Opcode Fuzzy Hash: 2723e664e446cf1bb65ae12c02e6f297f6a33ecf130694f51cda9177338b98d6
Instruction Fuzzy Hash: 6451B276B18A9186EB188F16B86473AB7A1FBD5B90F145139EE8B07B54EE3CD444CB00

Function 00007FFD6D9BDCF0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 87processCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9BDD1E

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFD6D9BDD5E
Process32FirstW.KERNEL32 ref: 00007FFD6D9BDD6F
OpenProcess.KERNEL32 ref: 00007FFD6D9BDDE1
QueryFullProcessImageNameW.KERNEL32 ref: 00007FFD6D9BDE0F
TerminateProcess.KERNEL32 ref: 00007FFD6D9BDE33
CloseHandle.KERNEL32 ref: 00007FFD6D9BDE41
Process32NextW.KERNEL32 ref: 00007FFD6D9BDE4F
CloseHandle.KERNEL32 ref: 00007FFD6D9BDE76

Strings

\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, xrefs: 00007FFD6D9BDD24
ShellExperienceHost.exe, xrefs: 00007FFD6D9BDD86

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Process$CloseHandleProcess32$CreateDirectoryFirstFullImageNameNextOpenQuerySnapshotTerminateToolhelp32Windows_invalid_parameter_noinfo
String ID: ShellExperienceHost.exe$\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
API String ID: 2097983625-1597348990
Opcode ID: 7a2044ba403adc5f9672b0f5d5dc5f399b81ca774859eaf41cb4f37d0cc271ea
Instruction ID: 4bebb8ed6a8067d16e206c2f0dde812c9e4f41000e1e915e4d2f380635e9497f
Opcode Fuzzy Hash: 7a2044ba403adc5f9672b0f5d5dc5f399b81ca774859eaf41cb4f37d0cc271ea
Instruction Fuzzy Hash: 4A413F61B0CE82C1EB649B15F4643BA63A1FBE8B54F844136C68E47B58EF3DD545C740

Function 00007FFD6D9EFF30 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 00007FFD6D9EFF86
SizeofResource.KERNEL32 ref: 00007FFD6D9EFF95
LoadResource.KERNEL32 ref: 00007FFD6D9EFFA3
LockResource.KERNEL32 ref: 00007FFD6D9EFFAF
LocalAlloc.KERNEL32 ref: 00007FFD6D9EFFBE
FreeResource.KERNEL32 ref: 00007FFD6D9EFFD8
VerQueryValueW.VERSION ref: 00007FFD6D9EFFF2
LocalFree.KERNEL32 ref: 00007FFD6D9F000D

Strings

%d.%d.%d.%d., xrefs: 00007FFD6D9F0016

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Resource$FreeLocal$AllocFindLoadLockQuerySizeofValue
String ID: %d.%d.%d.%d.
API String ID: 4087920139-3513003344
Opcode ID: a00a34d826203b48c819052c7013d544c7fb3ed12374a7477086004bd2f0c751
Instruction ID: a3078fbcf316f24754c7531256e3162c6e3b8478e1cbbea79be3b34c120833fa
Opcode Fuzzy Hash: a00a34d826203b48c819052c7013d544c7fb3ed12374a7477086004bd2f0c751
Instruction Fuzzy Hash: 5641CE22B0CA85CAFB109F26F8243A9A791EBD5BA4F548132DD4E47795EE7CD446C700

Function 00007FFD6D9EFAB0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50sleepprocessCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFD6D9EFACE
GetWindowsDirectoryW.KERNEL32 ref: 00007FFD6D9EFAE1

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

CreateProcessW.KERNEL32 ref: 00007FFD6D9EFB75
FreeConsole.KERNEL32 ref: 00007FFD6D9EFB7B
GetCurrentProcessId.KERNEL32 ref: 00007FFD6D9EFB81
OpenProcess.KERNEL32 ref: 00007FFD6D9EFB91
TerminateProcess.KERNEL32 ref: 00007FFD6D9EFB9C

Strings

\explorer.exe, xrefs: 00007FFD6D9EFAE7
h, xrefs: 00007FFD6D9EFB03

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Process$ConsoleCreateCurrentDirectoryFreeOpenSleepTerminateWindows_invalid_parameter_noinfo
String ID: \explorer.exe$h
API String ID: 3466857667-2845133803
Opcode ID: ad9095322ed94671079ed4175aa29252faca1442241973f6f2417f18068d89bc
Instruction ID: 8371679b58018ff3ff41693dbcff493f7108b090d1e1f6b4fde9b9f498596126
Opcode Fuzzy Hash: ad9095322ed94671079ed4175aa29252faca1442241973f6f2417f18068d89bc
Instruction Fuzzy Hash: CD211222A1CFC2C6E760DB20F8643AA67A1FBD9348F515235D68D42A69EF7CD195CB00

Function 00007FFD6D9BA4E0 Relevance: 15.7, APIs: 10, Instructions: 742COMMON

Download Yara Rule

APIs

DwmRegisterThumbnail.DWMAPI ref: 00007FFD6D9BA6EC
DwmQueryThumbnailSourceSize.DWMAPI ref: 00007FFD6D9BA6FD
DwmUnregisterThumbnail.DWMAPI ref: 00007FFD6D9BA7DF
DwmRegisterThumbnail.DWMAPI(?), ref: 00007FFD6D9BA893
DwmQueryThumbnailSourceSize.DWMAPI ref: 00007FFD6D9BA8AC
DwmUnregisterThumbnail.DWMAPI ref: 00007FFD6D9BA8B6
DwmUnregisterThumbnail.DWMAPI(?), ref: 00007FFD6D9BAAE7
DwmQueryThumbnailSourceSize.DWMAPI(?), ref: 00007FFD6D9BABB9
DwmQueryThumbnailSourceSize.DWMAPI(?), ref: 00007FFD6D9BAC2E
DwmUpdateThumbnailProperties.DWMAPI ref: 00007FFD6D9BAFAD

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Thumbnail$QuerySizeSource$Unregister$Register$PropertiesUpdate
String ID:
API String ID: 3108602342-0
Opcode ID: f18ce4ecb7d5584a72fe5b3af655532a1fc6869fdc1c023dbaf405e095f5fe85
Instruction ID: 0fd5a699bf69077f1a33ccd5cd4541f4c5d735cf9801ccb455f083efd9f7fb7c
Opcode Fuzzy Hash: f18ce4ecb7d5584a72fe5b3af655532a1fc6869fdc1c023dbaf405e095f5fe85
Instruction Fuzzy Hash: AA729F72B18A41CBD769CF39E150B6EB7A1FB54784F018236DB4A53A54EB78F861CB00

Function 00007FFD6D9C3DA0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 00007FFD6D9C3DD5
FindWindowExW.USER32 ref: 00007FFD6D9C3DEF
FindWindowExW.USER32 ref: 00007FFD6D9C3E09

Part of subcall function 00007FFD6D9E8820: SendMessageW.USER32 ref: 00007FFD6D9E886D

SendMessageW.USER32 ref: 00007FFD6D9C3E33

Strings

MSTaskSwWClass, xrefs: 00007FFD6D9C3DFD
Shell_TrayWnd, xrefs: 00007FFD6D9C3DCA
RebarWindow32, xrefs: 00007FFD6D9C3DE3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FindWindow$MessageSend
String ID: MSTaskSwWClass$RebarWindow32$Shell_TrayWnd
API String ID: 1134572027-589293716
Opcode ID: f85175f125cf8e8b66d54df70546532ba3cac7d82357f4b638c5a70c5f5e0bf6
Instruction ID: d1405abccc16b225ef0f7845966c0764b1e365c71a55d8e4c094ea2b78846ca7
Opcode Fuzzy Hash: f85175f125cf8e8b66d54df70546532ba3cac7d82357f4b638c5a70c5f5e0bf6
Instruction Fuzzy Hash: 9E114C22F0CF42D2EE549B63B9205752291AFA8BA0F585636DD1D13A95EF3CE544C340

Function 00007FFD6D9CC590 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9CC66F
VirtualProtect.KERNEL32 ref: 00007FFD6D9CC69D
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9CC6A5

Part of subcall function 00007FFD6D9BD290: GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD2C6
Part of subcall function 00007FFD6D9BD290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6D9BD2F9
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD32F

IsOS.SHLWAPI ref: 00007FFD6D9CC6DF

Strings

api-ms-win-shcore-sysinfo-l1-1-0.dll, xrefs: 00007FFD6D9CC6BC
IsOS, xrefs: 00007FFD6D9CC6B2

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: HandleModuleProtectVirtual$DataDirectoryEntryFreeImageLibrary
String ID: IsOS$api-ms-win-shcore-sysinfo-l1-1-0.dll
API String ID: 2091478098-2234916554
Opcode ID: 90aedd75e2f73c4d5fa048a15d0dc62dd091b178db12e71bcf6ac739ff8efa06
Instruction ID: a12e222447989bd9d602687f4bac540045db07dbd5c31b39e3cb17c74acee1d6
Opcode Fuzzy Hash: 90aedd75e2f73c4d5fa048a15d0dc62dd091b178db12e71bcf6ac739ff8efa06
Instruction Fuzzy Hash: EC31A061F68A4BC3FF509B29F52067A2750BB99794F40213AEE9E0B755EF3CE4818710

Function 00007FFD6D9F1BB0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFD6D9F1BCC
RtlCaptureContext.KERNEL32 ref: 00007FFD6D9F1BF9
RtlLookupFunctionEntry.NTDLL ref: 00007FFD6D9F1C13
RtlVirtualUnwind.NTDLL ref: 00007FFD6D9F1C54
IsDebuggerPresent.KERNEL32 ref: 00007FFD6D9F1CA8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFD6D9F1CC5
UnhandledExceptionFilter.KERNEL32 ref: 00007FFD6D9F1CD0

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 09076511699ef5ef74060427187c7e6db0eee248322bd6f4937530ef4b7182e2
Instruction ID: 62dc6071f61840ec131941c069792ca75c464298eacfb74629f7de96862ed36e
Opcode Fuzzy Hash: 09076511699ef5ef74060427187c7e6db0eee248322bd6f4937530ef4b7182e2
Instruction Fuzzy Hash: 85314772708F81CAEB609F61F8603A96365FB95758F44403ADA4E57A98EF38D648C710

Function 00007FFD6DA0BA88 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFD6DA0BB01
RtlLookupFunctionEntry.NTDLL ref: 00007FFD6DA0BB19
RtlVirtualUnwind.NTDLL ref: 00007FFD6DA0BB54
IsDebuggerPresent.KERNEL32 ref: 00007FFD6DA0BB8D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFD6DA0BB97
UnhandledExceptionFilter.KERNEL32 ref: 00007FFD6DA0BBA2

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 7253d5bdfff678339f4a1ef049d7022eb7dc495c8b4fe437de2009ca25dbded9
Instruction ID: 94ad5cd9ba22c8b255103b95e878d51bc52362b777b9c0bad78681caa8e6e242
Opcode Fuzzy Hash: 7253d5bdfff678339f4a1ef049d7022eb7dc495c8b4fe437de2009ca25dbded9
Instruction Fuzzy Hash: 65312A32718F81C6EB60CB25F8506AA73A4FB99758F540236EA9D43B99EF3CD545CB00

Function 00007FFD6D9BDAC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00007FFD6D9BDB30

Part of subcall function 00007FFD6DA07C0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07C35

FindFirstFileW.KERNEL32 ref: 00007FFD6D9BDB71
FindClose.KERNEL32 ref: 00007FFD6D9BDB83

Strings

\ExplorerPatcher\, xrefs: 00007FFD6D9BDB36

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Find$CloseFileFirstFolderPath_invalid_parameter_noinfo
String ID: \ExplorerPatcher\
API String ID: 409097378-431723071
Opcode ID: 283c731b37bd69c156596517ea4f6aff2093caf7b51a4191099135315fcbb9ff
Instruction ID: 610afe0e6179470f2b074801b7c4f42d946ea5e7c66d2bd12d759c0fb8f8c5f0
Opcode Fuzzy Hash: 283c731b37bd69c156596517ea4f6aff2093caf7b51a4191099135315fcbb9ff
Instruction Fuzzy Hash: 58214864B1DE82C1EBA09B14F8697BA23A1FBD5334F844236C5AE466D5FE3CE405CB50

Function 00007FFD6D9BF4C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22windowtimeCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 00007FFD6D9BF4D9
SendMessageTimeoutW.USER32 ref: 00007FFD6D9BF50A

Strings

Shell_TrayWnd, xrefs: 00007FFD6D9BF4D2
EnsureXAML, xrefs: 00007FFD6D9BF4E8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FindMessageSendTimeoutWindow
String ID: EnsureXAML$Shell_TrayWnd
API String ID: 268879178-954582075
Opcode ID: bc3035862facb520a34d482c511542335a9f8f46059ef51329d527d37712b2b1
Instruction ID: cf820a83b8a5091cf6fd9dae1c29ae6b95547419a179f2f00cc5ee8d5aebe783
Opcode Fuzzy Hash: bc3035862facb520a34d482c511542335a9f8f46059ef51329d527d37712b2b1
Instruction Fuzzy Hash: 0DF0F87671CA81C2EB00CB52F9147AAA261FB987D4F588035E98A06B68EF7CD5498B04

Function 00007FFD6DA157F0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FFD6DA15856
memcpy_s.LIBCPMT ref: 00007FFD6DA15881

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 54df691b28dde9a3de2a0b1b7d4322a8dab56d24a2e0dd98c6a87ab6e9c6fd8f
Instruction ID: c540eef362bc5dfaaef0487a39d60e2074d35c36db6f4359cf008f2b79fe9f8e
Opcode Fuzzy Hash: 54df691b28dde9a3de2a0b1b7d4322a8dab56d24a2e0dd98c6a87ab6e9c6fd8f
Instruction Fuzzy Hash: 01C1C472B1CA86C7D7248F19B45467AB7B1F7A4B84F449135DB4A47B84EB3DE801CB40

Function 00007FFD6D9D3CF0 Relevance: 4.7, APIs: 3, Instructions: 203threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFD6D9D3E0E
IsDebuggerPresent.KERNEL32 ref: 00007FFD6D9D3F28
OutputDebugStringW.KERNEL32 ref: 00007FFD6D9D3F9C

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: ec7e7ce26103cf8ad4d8aea865a5af35fba2799d5aa3011a64b43c727a631eed
Instruction ID: 48b6ebd2d198442e6d733eea0e24a19121d9ce85770511eba39a2b64b3b026b2
Opcode Fuzzy Hash: ec7e7ce26103cf8ad4d8aea865a5af35fba2799d5aa3011a64b43c727a631eed
Instruction Fuzzy Hash: C9914822B09F86C9EB649F39B46036967A0FF89B85F08813ACA4D47794EF3CE444C750

Function 00007FFD6DA19A98 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FFD6DA19CE7
RaiseException.KERNEL32 ref: 00007FFD6DA19CF8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: eab9330a22c4c34c323091f24480dba8776dedf0fec1dbe0b26ed1431483609e
Instruction ID: a1cc6efef1cf9ab02806775a8921c38f7cc28f080735af231eabf2f14f14f2ae
Opcode Fuzzy Hash: eab9330a22c4c34c323091f24480dba8776dedf0fec1dbe0b26ed1431483609e
Instruction Fuzzy Hash: B3B15A73608B89CBEB19CF29D9963683BE0F794B48F158931DAAD837A4DB39D451C700

Function 00007FFD6DA04B84 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD6DA04CF2
, xrefs: 00007FFD6DA04F34

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 5dd73a5ff55aa7fb69a681fb2924f00fc1f6981111a5f6561d5cca2f991ce290
Instruction ID: b31e7ed97ce81d7632d9fb808f1370ab2447c3ec1427c75617ab08d195762677
Opcode Fuzzy Hash: 5dd73a5ff55aa7fb69a681fb2924f00fc1f6981111a5f6561d5cca2f991ce290
Instruction Fuzzy Hash: 87E19E72B0DE46C6EB688A29A16017933A0FB7DB8CF245235DA0E07794EF79E851C740

Function 00007FFD6DA0ED14 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFD6DA0EE9E
e+000, xrefs: 00007FFD6DA0EE21

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 401ca3d791ec56ee7fb3f1ebf025869707402de53eaa05fa8685b2422944ba93
Instruction ID: a98ffc9d9ae6db77faa6a0068f47dba6922698e65d2801d73ee250992fb1acf2
Opcode Fuzzy Hash: 401ca3d791ec56ee7fb3f1ebf025869707402de53eaa05fa8685b2422944ba93
Instruction Fuzzy Hash: 86515A23B1CAC5C6E7248A35F9607697B91E764B98F488231CBA887BC5EF3DD545C700

Function 00007FFD6D9DAD70 Relevance: 2.6, APIs: 2, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD6D9DADBA
HeapFree.KERNEL32 ref: 00007FFD6D9DADC7

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5f3712283bebcfaa07857be9d7e7844275f4fe0ed32efbe75bdbda25f2a19b70
Instruction ID: 4347fae4abd869ef93156b23379122cbc433e38e464d0446c4255dad734c7471
Opcode Fuzzy Hash: 5f3712283bebcfaa07857be9d7e7844275f4fe0ed32efbe75bdbda25f2a19b70
Instruction Fuzzy Hash: 8E11E631F09F41CBEB509A29752037952609FA5B90F288336EA5C47285FF2CE8A58380

Function 00007FFD6DA13948 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ceb359c16e3308f38870657cc43ca3efa4c93385bfb9dafedaf6c1d576affb
Instruction ID: ad0be8bf6a91db12ad7d957b398845516b1513426dfb39560c3068986614da0d
Opcode Fuzzy Hash: 98ceb359c16e3308f38870657cc43ca3efa4c93385bfb9dafedaf6c1d576affb
Instruction Fuzzy Hash: 2151B622B0CA81D5EB209F72B8506AE7BA5AB54798F144135EE9C67B99EE3CD401C700

Function 00007FFD6DA04FE8 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

0, xrefs: 00007FFD6DA051E1

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: dc9a1d564b958f82b3a747b52dcdfebb8512a0aced85e88ba0782a50f5d02d6d
Instruction ID: 5dbb038b50806030e269c4829fc55e2bc2ea57b71704944c0251478cfa606a67
Opcode Fuzzy Hash: dc9a1d564b958f82b3a747b52dcdfebb8512a0aced85e88ba0782a50f5d02d6d
Instruction Fuzzy Hash: 92E1AD62B0CA06C6EB688F26A17053E27A1FF65B4CF245635DA0E076D4EF3DE852C741

Function 00007FFD6D9CA5A0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SHBindToObject.SHELL32 ref: 00007FFD6D9CA5B9

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: BindObject
String ID:
API String ID: 761158930-0
Opcode ID: c0904f1775784fbdffb0825d8212574418776d9953f8ca2ed613c08eb1ad7e77
Instruction ID: d0107dce72dc3d0e542e80627562ba6c362d6a1ba1d962e8996143ebfe6779f5
Opcode Fuzzy Hash: c0904f1775784fbdffb0825d8212574418776d9953f8ca2ed613c08eb1ad7e77
Instruction Fuzzy Hash: 6DC01225B28E91C2DA149F18F81159633A0FB94308FD00136D64D01630DF3CC216CA04

Function 00007FFD6DA0E880 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FFD6DA0EBC2

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 70f8c48eb3b96df17cdead0ea80b4940e16c5ac34578a3ba7d8409ccceca1c7b
Instruction ID: aa772f598e1bd86d406f8501ed45daecd4e7a152bdb7b10af3cc0194d22c79be
Opcode Fuzzy Hash: 70f8c48eb3b96df17cdead0ea80b4940e16c5ac34578a3ba7d8409ccceca1c7b
Instruction Fuzzy Hash: D0A13862B0CBC5C6EB21CB29B4607A97B91EB65BC8F048132DE8D87785EE3DD605D701

Function 00007FFD6DA01FDC Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD6DA021E6

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ef908d49defdeecee50d3da7e537f4c07f43aba96ae6a3cb168878c6caae1050
Instruction ID: 0c8526633832a489d230aa7061128981f79845a0aaf63ad775ebcc92ceb57146
Opcode Fuzzy Hash: ef908d49defdeecee50d3da7e537f4c07f43aba96ae6a3cb168878c6caae1050
Instruction Fuzzy Hash: 69B16A72A0CB82C6E7748F29E0A026D3BA4EB69B4CF594135DB4D47399EF39D880C741

Function 00007FFD6DA046C0 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe1221e2acf0ae6bf989f2213628dd87e3d5c1a39ea450b01547ba6e59fff52
Instruction ID: 08e6d645f5b293a38bf99820c9ad61480f20db5edfab6d6fb4890e380809decb
Opcode Fuzzy Hash: 5fe1221e2acf0ae6bf989f2213628dd87e3d5c1a39ea450b01547ba6e59fff52
Instruction Fuzzy Hash: 7CE1AF26B0CA42C6EB68DE25A16023D27A1FF7AB4CF158135DA4D073D9EFB9E855C340

Function 00007FFD6DA03E84 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a9d73a3657478697baa0050b1ae7ad0124e82b0b711e51a0fda7133b53a316
Instruction ID: 80521c5f209257e1d1ad228d2beeef8d6e137dc48f423a742040dfbdc3c8c408
Opcode Fuzzy Hash: a8a9d73a3657478697baa0050b1ae7ad0124e82b0b711e51a0fda7133b53a316
Instruction Fuzzy Hash: 66E1AC72B0CE42C6EB648A28E57477927A1BB79B5CF148235CE4D066D9EF7DE842C700

Function 00007FFD6D9F6530 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5928575681f851bd86756db403d3da97f1196c8ac83e938697ac036f80151180
Instruction ID: 832496de39fb123afd0e32a35806a4d92b87bb4c056684bb198c6de023c43f81
Opcode Fuzzy Hash: 5928575681f851bd86756db403d3da97f1196c8ac83e938697ac036f80151180
Instruction Fuzzy Hash: 63E1BBB3B18B52C6EA248F25E4B4A7933A1EB11B54F94853BD64E026D4FF2CE455D380

Function 00007FFD6DA026F8 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1188edb522b859df7e5dcf667770e6cd2adaf91aa135349a904e24ff44a07b20
Instruction ID: f235038137e50f96d9abe7236f152de27c768e31b468c5c743313436d5d67fd7
Opcode Fuzzy Hash: 1188edb522b859df7e5dcf667770e6cd2adaf91aa135349a904e24ff44a07b20
Instruction Fuzzy Hash: BCB16A76A0CB85CAE7758F29E06023C3BA0E769B8CF284136CA4E47399EF39D445C754

Function 00007FFD6DA0AC6C Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 87826663fb88d95eb3373e8dcf29249e2651c96390ffb61b889701d1ece7043f
Instruction ID: 76e971a498c8cf903f1b78733e5d97bddcfba1f2b411525696e0b353859b0cf8
Opcode Fuzzy Hash: 87826663fb88d95eb3373e8dcf29249e2651c96390ffb61b889701d1ece7043f
Instruction Fuzzy Hash: C861F523F1CA92C6F7648A28A474B7D7682AFA0768F144639DB2D477C5FE7DE8008740

Function 00007FFD6DA01058 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cadb3ecddfe53d952c1005e767854cec27c968e993e315b75ea3231beb4779
Instruction ID: 4e1e6ddfc206d5a26c54eb6b96604ce78f9548e4167f63770a22617d81dc67e3
Opcode Fuzzy Hash: 98cadb3ecddfe53d952c1005e767854cec27c968e993e315b75ea3231beb4779
Instruction Fuzzy Hash: 3D519172B2CA52C6E7648E29E0647F82390EB2575CF144235EE8D876D5EF7EE442C701

Function 00007FFD6DA00A14 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19385dae3ee497be5c6220881483c20414a6632c9a0f1815bec3b458b80aa1c
Instruction ID: d6f0d2cda0cc52e9c92db8ca70b330158bc29c666a4b0e0e44bce190c64f5426
Opcode Fuzzy Hash: d19385dae3ee497be5c6220881483c20414a6632c9a0f1815bec3b458b80aa1c
Instruction Fuzzy Hash: 38519472B2CA52C6E7648E2AE0647B827A0EF2175CF144131DE8D476D5EF7DE842C704

Function 00007FFD6DA00E4C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cfc8f3d66b23b604d29949c39df706330583ea5add7a420aff299b0c38cec5
Instruction ID: f118a92e767ee0030768d39203b6ba174c02c9068e293b8ba78da93ee8d571a6
Opcode Fuzzy Hash: 45cfc8f3d66b23b604d29949c39df706330583ea5add7a420aff299b0c38cec5
Instruction Fuzzy Hash: C9517236B1DE55C6E7248F2AE06027833A0EB68B9CF248131DA4D57794EB3AE843C744

Function 00007FFD6DA00808 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a39131b1ea9c855f919021bf4e12638fc87ba38f04dc641b8aacd00c666a4f
Instruction ID: beb2de7f9df37375ff4a720b7e2de69eb7bae9bf515e36a07506b667a0d2ac89
Opcode Fuzzy Hash: 32a39131b1ea9c855f919021bf4e12638fc87ba38f04dc641b8aacd00c666a4f
Instruction Fuzzy Hash: 79517276B1CE51C6E7248F2AE06023937A0FB64B6CF244231CE4D57795EB3AE856C784

Function 00007FFD6D9FFFC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51aaf4873c05abffa460ff0bd214f66616c7fce314d1f5b4d1403479c50517f3
Instruction ID: aee5e903086dc7d38c142ef632f9a9b62a3cecd0e492b3ffdd72c9e2e19ccec9
Opcode Fuzzy Hash: 51aaf4873c05abffa460ff0bd214f66616c7fce314d1f5b4d1403479c50517f3
Instruction Fuzzy Hash: 42517F36B1CA51C6E7648F2AE06023927A0EB65B5CF248131CA4D577D9EF3AE843C744

Function 00007FFD6DA00C48 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319b059e51119dd7ca2ba7bc6433294d2e2860165ba38e928dbb13911a44b794
Instruction ID: 51ae09db86b6b9b063a63541c7bb0438437581ce7e40c652f8e7d1c30966b825
Opcode Fuzzy Hash: 319b059e51119dd7ca2ba7bc6433294d2e2860165ba38e928dbb13911a44b794
Instruction Fuzzy Hash: 77518D76B1CE51C6E7248F2AE06063927A0EB68B5CF244131DE4D577A4EF3AE852C784

Function 00007FFD6DA00604 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16617ee0fc7f8c144c525315531aa15f76cd011324c60239c481cbad41e7e036
Instruction ID: 22ecf63d63b4c7bc01c38cba2f40426488b041e19f17a57804d809150ec755df
Opcode Fuzzy Hash: 16617ee0fc7f8c144c525315531aa15f76cd011324c60239c481cbad41e7e036
Instruction Fuzzy Hash: 4E51A436B1CE51C6E7248F2AE06023937A1EBA4B5CF244131CA8C57795DF7AE942CB84

Function 00007FFD6DA0CBAC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e3bc225cf9a7469c8edd3899941f86e556285fe38dffac699714a6fd19fe6231
Instruction ID: fca086f6229286faf2627b86ec310fe27e644e5303614a704afd06a543f72818
Opcode Fuzzy Hash: e3bc225cf9a7469c8edd3899941f86e556285fe38dffac699714a6fd19fe6231
Instruction Fuzzy Hash: 5141D572718E5582EF04CF6AE96456973A2FB98FD8B599036DE0D97B58EE3CD0418300

Function 00007FFD6D9FEE04 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd18c2af8978401385c3a4d18cc3c4cea6f6c2de30805c37561c0fbe2471736
Instruction ID: b1a4f329414bb91da4e8f9055d7573026f4d92e2a6110d3b92d7a0ae5aecaca5
Opcode Fuzzy Hash: 2dd18c2af8978401385c3a4d18cc3c4cea6f6c2de30805c37561c0fbe2471736
Instruction Fuzzy Hash: 2B318F72619A81C6DB608F29F0502BD77A0F798B4CF64413ADB8D4B751EF3AD492C704

Function 00007FFD6D9FECF8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81995dc725e745c91ef68e5add537126b3069e5817d0a70891599fc14a6951d
Instruction ID: 31b3007f1c3aff718ccbfbe7e9daf2a3fba4fa06883edf8f4083057fea514234
Opcode Fuzzy Hash: a81995dc725e745c91ef68e5add537126b3069e5817d0a70891599fc14a6951d
Instruction Fuzzy Hash: BF31B172608B95C6EB608F29E4902BD77A4F798B4CF244236DB4C4BB51EF3AD092C704

Function 00007FFD6D9FF01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278fe365c858ff99949403c195d27c57a5d22d36bc9c8edbcf4e63079c5c0eda
Instruction ID: 760d78da37094cca99af2dcccb8b3dede7b32681513c660b6184206f2905a16e
Opcode Fuzzy Hash: 278fe365c858ff99949403c195d27c57a5d22d36bc9c8edbcf4e63079c5c0eda
Instruction Fuzzy Hash: 04319E72708A41C6DB608F29E0506BD77A4F798B4CF644136DB8C4B751EF3AD496CB00

Function 00007FFD6D9FEF10 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ccecc71070cc14715429f8e7223a718524ce6fa26fcc918487281457b7642b
Instruction ID: 27ca1438af3534c1f23a5de9b0e557956cb1075423f3137c317a22bf574dcd8e
Opcode Fuzzy Hash: 31ccecc71070cc14715429f8e7223a718524ce6fa26fcc918487281457b7642b
Instruction Fuzzy Hash: 31316F72708A81C6EB608F29E4902AD77A4F798B4CF644136DB8D4B761EF3AD092C704

Function 00007FFD6D9FEBEC Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cea8fc9d3c35b4ba6e35f22513a86051617c937147c9f35d60e5822ca5229d8
Instruction ID: 53636e653316fdb8636fa563a5c59d93e6a239a9f564b2286826e695d703ef5c
Opcode Fuzzy Hash: 2cea8fc9d3c35b4ba6e35f22513a86051617c937147c9f35d60e5822ca5229d8
Instruction Fuzzy Hash: EF31A472608B85C5DB649F29E0902BD7BA1F799B4CF244136EB8D4B751EF3AD092C704

Function 00007FFD6D9FEAE0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be54d3e76ecebf5695559a9301ce031daf8649420322fd1321f7c4f9ba610e9
Instruction ID: ea28bdde700310a25be215f956314966c8e1c033ad107d6c2056394fcac058ee
Opcode Fuzzy Hash: 0be54d3e76ecebf5695559a9301ce031daf8649420322fd1321f7c4f9ba610e9
Instruction Fuzzy Hash: 21319372608B85C6DB608F2AE0902BD77A1F798B4DF644136DB8D4B751EF3AD152C704

Function 00007FFD6DA198E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195988422cc5ef70a7ee6d9ad1aca3d6b47b5a683996a9da026234b27e064550
Instruction ID: 8f59fd88a02093fea33d363a1c7dbeeb0ac3ecfedb4f8bc122a4c9d4b0424575
Opcode Fuzzy Hash: 195988422cc5ef70a7ee6d9ad1aca3d6b47b5a683996a9da026234b27e064550
Instruction Fuzzy Hash: B3F04FF2B1C6958ADBA48F28B91262D77A0F718380F808139D68987A14EB3C90618F05

Function 00007FFD6D9B96F0 Relevance: 64.9, APIs: 36, Strings: 1, Instructions: 195synchronizationwindowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00007FFD6D9B9777
CloseHandle.KERNEL32 ref: 00007FFD6D9B9784
CloseHandle.KERNEL32 ref: 00007FFD6D9B97A3
CloseHandle.KERNEL32 ref: 00007FFD6D9B97AD
CloseHandle.KERNEL32 ref: 00007FFD6D9B97B7
CloseHandle.KERNEL32 ref: 00007FFD6D9B97C0
FreeLibrary.KERNEL32 ref: 00007FFD6D9B97CA
#386.COMCTL32 ref: 00007FFD6D9B9860
UnhookWinEvent.USER32 ref: 00007FFD6D9B9875
DestroyWindow.USER32 ref: 00007FFD6D9B987F
SetEvent.KERNEL32 ref: 00007FFD6D9B9890
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9B98A2
CloseHandle.KERNEL32 ref: 00007FFD6D9B98AF
CloseHandle.KERNEL32 ref: 00007FFD6D9B98BC
SetEvent.KERNEL32 ref: 00007FFD6D9B98C9
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9B98DB
CloseHandle.KERNEL32 ref: 00007FFD6D9B98E8
CloseHandle.KERNEL32 ref: 00007FFD6D9B98F5
BufferedPaintUnInit.UXTHEME ref: 00007FFD6D9B98FB
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B9903
UnregisterClassW.USER32 ref: 00007FFD6D9B9913
DeleteObject.GDI32 ref: 00007FFD6D9B9920
DeleteObject.GDI32 ref: 00007FFD6D9B992D
DeleteObject.GDI32 ref: 00007FFD6D9B993A
DeleteObject.GDI32 ref: 00007FFD6D9B9947
CloseThemeData.UXTHEME ref: 00007FFD6D9B9954
GdiplusShutdown.GDIPLUS ref: 00007FFD6D9B9961
DestroyIcon.USER32 ref: 00007FFD6D9B997F
FreeLibrary.KERNEL32 ref: 00007FFD6D9B9998
FreeLibrary.KERNEL32 ref: 00007FFD6D9B99B1
FreeLibrary.KERNEL32 ref: 00007FFD6D9B99CA
FreeLibrary.KERNEL32 ref: 00007FFD6D9B99E3
FreeLibrary.KERNEL32 ref: 00007FFD6D9B99FC
FreeLibrary.KERNEL32 ref: 00007FFD6D9B9A15
RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9B9A46
CoUninitialize.OLE32 ref: 00007FFD6D9B9A52

Strings

SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}, xrefs: 00007FFD6D9B990C

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CloseHandle$FreeLibrary$Object$Delete$DestroyEvent$SingleUninitializeWaitWindow$#386BufferedClassDataGdiplusIconInitModulePaintShutdownThemeUnhookUnregister
String ID: SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}
API String ID: 4090220598-648101266
Opcode ID: 98c7c728332a5a33e4d8148f38c98bed50188b555d3f95d3e9ce0e48d3a1a1dd
Instruction ID: 4e7bcb28ddc2367a29ed683968926896ad679c297e4d1daf8f2b37a873d142ee
Opcode Fuzzy Hash: 98c7c728332a5a33e4d8148f38c98bed50188b555d3f95d3e9ce0e48d3a1a1dd
Instruction Fuzzy Hash: 25B1C226B1DE82D2EB449F21F9642793360FFA8B94F045236DA4E476A4EF2CA495C310

Function 00007FFD6D9DDBE0 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 291COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DDD36
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DDD50
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DDD8F
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DDDAF
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DDDE0
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DDDFA

Strings

StartTileData.dll, xrefs: 00007FFD6D9DDE97
StartPin, xrefs: 00007FFD6D9DDD49
Segoe Fluent Icons, xrefs: 00007FFD6D9DDF39
StartMenuSettings.cpp, xrefs: 00007FFD6D9DDC77, 00007FFD6D9DDCBA, 00007FFD6D9DDD13, 00007FFD6D9DDD67, 00007FFD6D9DDDCA, 00007FFD6D9DDE11, 00007FFD6D9DDE70, 00007FFD6D9DDF5B, 00007FFD6D9DDF81, 00007FFD6D9DDFDA, 00007FFD6D9DE027, 00007FFD6D9DE071
StartUnpin, xrefs: 00007FFD6D9DDDF3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: StringWindows$CreateDelete
String ID: Segoe Fluent Icons$StartMenuSettings.cpp$StartPin$StartTileData.dll$StartUnpin
API String ID: 2860812039-2445808327
Opcode ID: baa3f9c2e6e2c1a1cb9cc57c3e5a8550cb42cd4a2bea42cc7b9909ac16d2a957
Instruction ID: 81cd338f063d47ea205507f1cd92dc8aef1a7c3b0b170da000f7f80bb2921384
Opcode Fuzzy Hash: baa3f9c2e6e2c1a1cb9cc57c3e5a8550cb42cd4a2bea42cc7b9909ac16d2a957
Instruction Fuzzy Hash: A2D13B2570CF42D2EB159B65F8606AA6361FBA8B95F404133CA8D83794FF7CE559C700

Function 00007FFD6D9CB9F0 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9CBA77
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBA9B
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBADD
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBB2B
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBB4F
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBB8D
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBBB1
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBC58
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBC78

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

VirtualProtect.KERNEL32 ref: 00007FFD6D9CBCE4
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBD2E
VirtualProtect.KERNEL32 ref: 00007FFD6D9CBD51

Strings

xx?xxx??x, xrefs: 00007FFD6D9CBBE6
xx?xxx??xx, xrefs: 00007FFD6D9CBC01
xxxxxxxxxx, xrefs: 00007FFD6D9CBCAC
xx??xx??x, xrefs: 00007FFD6D9CBA49, 00007FFD6D9CBAA4
xxxxxxx????x, xrefs: 00007FFD6D9CBD00
xx?xx?xx?x, xrefs: 00007FFD6D9CBBBA
xx??xxx????xxxxxx????xx??x, xrefs: 00007FFD6D9CBAFD
xx??xxxxxxxx????x????xx??x, xrefs: 00007FFD6D9CBB58
xx?xxxx?xxxx, xrefs: 00007FFD6D9CBC2A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
String ID: xx??xx??x$xx??xxx????xxxxxx????xx??x$xx??xxxxxxxx????x????xx??x$xx?xx?xx?x$xx?xxx??x$xx?xxx??xx$xx?xxxx?xxxx$xxxxxxx????x$xxxxxxxxxx
API String ID: 1029361184-2251541617
Opcode ID: c0f5cabbf1a32ee3b6176216b1df96f48f7c6491b6a961a7982f5f7654c393e4
Instruction ID: 4495ab687e8af24fc2a2b1982f975364e835196cabb31b19f35d1ac402c99f4a
Opcode Fuzzy Hash: c0f5cabbf1a32ee3b6176216b1df96f48f7c6491b6a961a7982f5f7654c393e4
Instruction Fuzzy Hash: C1A11F61B0CE46D1FB10DF62F8246AA63A0EB94788F48443ADA4D07799FF7CE649C750

Function 00007FFD6D9B39F0 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 265COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32 ref: 00007FFD6D9B3A38
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B3A91
LoadStringW.USER32 ref: 00007FFD6D9B3AAF
SetWindowTextW.USER32 ref: 00007FFD6D9B3E8F
NotifyWinEvent.USER32 ref: 00007FFD6D9B3EAA

Strings

%s: %d of %d, xrefs: 00007FFD6D9B3E65
Desktop, xrefs: 00007FFD6D9B3ABA
ExplorerFrame.dll, xrefs: 00007FFD6D9B3A8A
\rundll32.exe, xrefs: 00007FFD6D9B3AE7
%s - 1 running window, xrefs: 00007FFD6D9B3DCC
%s - %d running windows, xrefs: 00007FFD6D9B3DC3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: TextWindow$EventHandleLoadModuleNotifyString
String ID: %s - %d running windows$%s - 1 running window$%s: %d of %d$Desktop$ExplorerFrame.dll$\rundll32.exe
API String ID: 686194620-3935714908
Opcode ID: b880c9bd746a490f488efd879543b3d33134a7e7ca7e9e401e271823b9c10c1d
Instruction ID: c99fac27d6699f642aebfe48e30440a316d2ed77be6157323a371e94315f7656
Opcode Fuzzy Hash: b880c9bd746a490f488efd879543b3d33134a7e7ca7e9e401e271823b9c10c1d
Instruction Fuzzy Hash: 30D15E22B08E82D3EB64DB21F4A47BA2360FB94B48F514137DA4E476A4EF3CE549C750

Function 00007FFD6D9D08D0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9D0370: SetProcessDpiAwarenessContext.USER32 ref: 00007FFD6D9D039F
Part of subcall function 00007FFD6D9D0370: GetModuleFileNameW.KERNEL32 ref: 00007FFD6D9D03E2
Part of subcall function 00007FFD6D9D0370: GetCurrentDirectoryW.KERNEL32 ref: 00007FFD6D9D0407
Part of subcall function 00007FFD6D9D0370: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9D0413

GetModuleFileNameW.KERNEL32 ref: 00007FFD6D9D090D
GetLastError.KERNEL32 ref: 00007FFD6D9D0917
RegOpenKeyW.ADVAPI32 ref: 00007FFD6D9D0936
RegDeleteTreeW.ADVAPI32 ref: 00007FFD6D9D098C
RegCloseKey.ADVAPI32 ref: 00007FFD6D9D0999
RegDeleteTreeW.ADVAPI32 ref: 00007FFD6D9D09B1
PathRemoveExtensionW.SHLWAPI ref: 00007FFD6D9D09BC
PathRemoveExtensionW.SHLWAPI ref: 00007FFD6D9D09C7
RegOpenKeyW.ADVAPI32 ref: 00007FFD6D9D09F6
RegDeleteTreeW.ADVAPI32 ref: 00007FFD6D9D0A24
RegCloseKey.ADVAPI32 ref: 00007FFD6D9D0A31
RegDeleteTreeW.ADVAPI32 ref: 00007FFD6D9D0A4D
RegOpenKeyW.ADVAPI32 ref: 00007FFD6D9D0A66
RegDeleteTreeW.ADVAPI32 ref: 00007FFD6D9D0A83
RegCloseKey.ADVAPI32 ref: 00007FFD6D9D0A90
RegDeleteTreeW.ADVAPI32 ref: 00007FFD6D9D0AAC

Strings

SOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9D092F, 00007FFD6D9D09A3
SOFTWARE\Classes\Drive\shellex\FolderExtensions\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9D0A5F, 00007FFD6D9D0A9E
.IA-32.dll, xrefs: 00007FFD6D9D09CD
SOFTWARE\WOW6432Node\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6D9D09EF, 00007FFD6D9D0A3F

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: DeleteTree$CloseModuleOpen$ExtensionFileNamePathRemove$AwarenessContextCurrentDirectoryErrorHandleLastProcess
String ID: .IA-32.dll$SOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$SOFTWARE\Classes\Drive\shellex\FolderExtensions\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$SOFTWARE\WOW6432Node\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
API String ID: 3360383582-326433317
Opcode ID: d1090110595d7ed25386fd62041a315776606c023702d981da3c0f0a4840e47e
Instruction ID: 152f87fb320de6d44ab2daf292c80cd5f35462b2247d0c4459b3b15b138b770b
Opcode Fuzzy Hash: d1090110595d7ed25386fd62041a315776606c023702d981da3c0f0a4840e47e
Instruction Fuzzy Hash: 96510965B1CF43C2FB209B61F8A837562A1BFA4764F404236DA6E422E5EF7CE509C640

Function 00007FFD6D9B4910 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 219COMMON

Download Yara Rule

APIs

DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9B49A4
DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FFD6D9B49BA
DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9B4A19
DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9B4A4B
GetWindowLongPtrW.USER32 ref: 00007FFD6D9B4AE2
SetWindowLongPtrW.USER32 ref: 00007FFD6D9B4B09
DeleteObject.GDI32 ref: 00007FFD6D9B4C60
CreateSolidBrush.GDI32 ref: 00007FFD6D9B4C80
DeleteObject.GDI32 ref: 00007FFD6D9B4C99
CreateSolidBrush.GDI32 ref: 00007FFD6D9B4CAF

Strings

, xrefs: 00007FFD6D9B4B1A
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost, xrefs: 00007FFD6D9B4AB5
&, xrefs: 00007FFD6D9B49EF
[sws] Refreshing theme: %d, xrefs: 00007FFD6D9B497C
_, xrefs: 00007FFD6D9B4A89
Grid_backgroundPercent, xrefs: 00007FFD6D9B4A95

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$Attribute$BrushCreateDeleteLongObjectSolid$AreaClientExtendFrameInto
String ID: $&$Grid_backgroundPercent$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$[sws] Refreshing theme: %d$_
API String ID: 97799080-1950453067
Opcode ID: 5fdbd1bf21e689674204297fb426cfcb0a4c556c6c4522e396c916aed4e14734
Instruction ID: 6b5e2c5c1fbf6d16a7268d4b566fb42c9a79a977904224c88845ff19289f2366
Opcode Fuzzy Hash: 5fdbd1bf21e689674204297fb426cfcb0a4c556c6c4522e396c916aed4e14734
Instruction Fuzzy Hash: 11B15872B09E52C9EB10CF65E8646AD33A1FB98B58F140136CA0E5B698EF3CD584CB50

Function 00007FFD6D9B2A90 Relevance: 30.1, APIs: 20, Instructions: 145windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00007FFD6D9B2AB4
GetWindowLongPtrW.USER32 ref: 00007FFD6D9B2ACA
GetWindow.USER32 ref: 00007FFD6D9B2ADB
IsWindow.USER32 ref: 00007FFD6D9B2AE7
GetWindowRect.USER32 ref: 00007FFD6D9B2AF9
IsWindowVisible.USER32 ref: 00007FFD6D9B2B02
IsRectEmpty.USER32 ref: 00007FFD6D9B2B14
GetWindowRect.USER32 ref: 00007FFD6D9B2B3E
IsWindowVisible.USER32 ref: 00007FFD6D9B2B47
IsRectEmpty.USER32 ref: 00007FFD6D9B2B5A
GetWindow.USER32 ref: 00007FFD6D9B2B97
GetWindowLongPtrW.USER32 ref: 00007FFD6D9B2BA8
GetWindow.USER32 ref: 00007FFD6D9B2BCB
GetWindowLongPtrW.USER32 ref: 00007FFD6D9B2BDC
GetWindowLongPtrW.USER32 ref: 00007FFD6D9B2BEE
GetWindowLongPtrW.USER32 ref: 00007FFD6D9B2C00
GetWindow.USER32 ref: 00007FFD6D9B2C30
GetWindowLongPtrW.USER32 ref: 00007FFD6D9B2C48
IsWindowVisible.USER32 ref: 00007FFD6D9B2C5E
GetWindow.USER32 ref: 00007FFD6D9B2C7E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$Long$Rect$Visible$Empty
String ID:
API String ID: 2906060442-0
Opcode ID: 419c00d529e0a94eea6e223434b28f52fa59218365ffe15604fbb9a15ccfb801
Instruction ID: 718e45e2a5aee7756400ab5183703b6ae173341d024837df03d3c4cfefa8a488
Opcode Fuzzy Hash: 419c00d529e0a94eea6e223434b28f52fa59218365ffe15604fbb9a15ccfb801
Instruction Fuzzy Hash: B651F624B1CE13C2FE64AB26B83823A62A5AFD6B91F094435DD0F4B795EF3CE505C214

Function 00007FFD6D9C2680 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FFD6D9C26B4
GetAncestor.USER32 ref: 00007FFD6D9C26C2
MapWindowPoints.USER32 ref: 00007FFD6D9C26DB
GetParent.USER32 ref: 00007FFD6D9C26F4
GetWindowTextW.USER32 ref: 00007FFD6D9C2708

Part of subcall function 00007FFD6DA07DF4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07E11

RemovePropW.USER32 ref: 00007FFD6D9C2740
GetAncestor.USER32 ref: 00007FFD6D9C2778
GetPropW.USER32 ref: 00007FFD6D9C2789
FindWindowExW.USER32 ref: 00007FFD6D9C27A9
DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FFD6D9C27BE
SetPropW.USER32 ref: 00007FFD6D9C27D4
DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9C286A

Strings

Windows.UI.Composition.DesktopWindowContentBridge, xrefs: 00007FFD6D9C279D
EP_METB, xrefs: 00007FFD6D9C2736, 00007FFD6D9C27CA
FloatingWindow, xrefs: 00007FFD6D9C270E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$Prop$Ancestor$AreaAttributeClientExtendFindFrameIntoParentPointsRectRemoveText_invalid_parameter_noinfo
String ID: EP_METB$FloatingWindow$Windows.UI.Composition.DesktopWindowContentBridge
API String ID: 1583271118-1647979291
Opcode ID: 6ad8c5d54b7c915d18190ae5b89fc7542a186da1f3257d4e9719786e05f8b4b7
Instruction ID: 80b6b03385f00209cd78b1a013b844844d0fd2f2609867ce81f2c4b5b2a2fb9f
Opcode Fuzzy Hash: 6ad8c5d54b7c915d18190ae5b89fc7542a186da1f3257d4e9719786e05f8b4b7
Instruction Fuzzy Hash: 4C51FB75B0CE42C6FB24CB15F87466A63A2EB98B80F545136D94E47A98FF3CE945CB00

Function 00007FFD6D9B46F0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 118windowCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 00007FFD6D9B4758
PostMessageW.USER32 ref: 00007FFD6D9B476C
GetWindow.USER32 ref: 00007FFD6D9B47E8
GetLastActivePopup.USER32 ref: 00007FFD6D9B47F8
GetWindow.USER32 ref: 00007FFD6D9B484B
GetClassNameW.USER32 ref: 00007FFD6D9B485F
GetWindow.USER32 ref: 00007FFD6D9B488D
GetLastActivePopup.USER32 ref: 00007FFD6D9B489D
IsWindowVisible.USER32 ref: 00007FFD6D9B48A9
SwitchToThisWindow.USER32 ref: 00007FFD6D9B48CA
ShowWindow.USER32 ref: 00007FFD6D9B48DE

Strings

[sws] Last active popup: %s, xrefs: 00007FFD6D9B482B
[sws] Chosen window: %s, xrefs: 00007FFD6D9B47C5
Shell_TrayWnd, xrefs: 00007FFD6D9B4741
[sws] Owner of window: %s, xrefs: 00007FFD6D9B486A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$ActiveLastPopup$ClassFindMessageNamePostShowSwitchThisVisible
String ID: Shell_TrayWnd$[sws] Chosen window: %s$[sws] Last active popup: %s$[sws] Owner of window: %s
API String ID: 4254927367-3099396148
Opcode ID: e58f540687b648bce5fbf70db1b5a43db5114e58f026e382351965d45dabb4aa
Instruction ID: 373e813170a26ef876ceab198fa02d040466183d11fb8686c779fcfa28cfdb42
Opcode Fuzzy Hash: e58f540687b648bce5fbf70db1b5a43db5114e58f026e382351965d45dabb4aa
Instruction Fuzzy Hash: 5C514C65709F42C6EE24DF12F8A426A63A1FB99B84F45543ACA4E0B764EF3CE446C740

Function 00007FFD6D9C9B50 Relevance: 25.6, APIs: 17, Instructions: 134COMMON

Download Yara Rule

APIs

DrawThemeTextEx.UXTHEME ref: 00007FFD6D9C9BC1
GetBkColor.GDI32 ref: 00007FFD6D9C9BE7
GetTextColor.GDI32 ref: 00007FFD6D9C9BF3
SetBkMode.GDI32 ref: 00007FFD6D9C9C07
GetForegroundWindow.USER32 ref: 00007FFD6D9C9C11
GetWindowTextW.USER32 ref: 00007FFD6D9C9C28
GetSysColor.USER32 ref: 00007FFD6D9C9C7F
SetTextColor.GDI32 ref: 00007FFD6D9C9C8A
SystemParametersInfoW.USER32 ref: 00007FFD6D9C9CAA
CreateFontIndirectW.GDI32 ref: 00007FFD6D9C9CD3
SelectObject.GDI32 ref: 00007FFD6D9C9CF1
DrawTextW.USER32 ref: 00007FFD6D9C9D16
SelectObject.GDI32 ref: 00007FFD6D9C9D22
DeleteObject.GDI32 ref: 00007FFD6D9C9D2B
SetBkColor.GDI32 ref: 00007FFD6D9C9D37
SetTextColor.GDI32 ref: 00007FFD6D9C9D44
SetBkMode.GDI32 ref: 00007FFD6D9C9D51

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ColorText$Object$DrawModeSelectWindow$CreateDeleteFontForegroundIndirectInfoParametersSystemTheme
String ID:
API String ID: 112896650-0
Opcode ID: 5dde7413916a40b8e82376ffe39756d33cc58c8d4a541e762e445745405450ae
Instruction ID: f2cc90ef9d581b06317f0a7ff3c3269188eade262e2a6e9f4f038f0a9e92f52c
Opcode Fuzzy Hash: 5dde7413916a40b8e82376ffe39756d33cc58c8d4a541e762e445745405450ae
Instruction Fuzzy Hash: C6512875B0CA81C6EB609B11B9643BA77A1FB98B95F404435DE8E43B58EF3CD445CB04

Function 00007FFD6D9CAD40 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 112registryCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00007FFD6D9CAD89
SetRect.USER32 ref: 00007FFD6D9CADB7
SetRect.USER32 ref: 00007FFD6D9CADE0
GetSystemMetrics.USER32 ref: 00007FFD6D9CADED
SetRect.USER32 ref: 00007FFD6D9CAE0D
GetSystemMetrics.USER32 ref: 00007FFD6D9CAE1D
RegGetValueW.ADVAPI32 ref: 00007FFD6D9CAE7E
MonitorFromRect.USER32 ref: 00007FFD6D9CAEA6
GetMonitorInfoW.USER32 ref: 00007FFD6D9CAED0

Strings

Settings, xrefs: 00007FFD6D9CAE48
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StuckRectsLegacy, xrefs: 00007FFD6D9CAE61
(, xrefs: 00007FFD6D9CAEC3
0, xrefs: 00007FFD6D9CAE84
0, xrefs: 00007FFD6D9CAE8B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Rect$MetricsSystem$Monitor$FromInfoValue
String ID: ($0$0$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StuckRectsLegacy$Settings
API String ID: 2079259257-2463101083
Opcode ID: 86ba576f1cc1592d9bc9463654c92b9e48c18665b4d514e460bda456097f7eca
Instruction ID: d6341827bfbefbab32164924d81782d43ac2eb067679002caa73256babe5cb72
Opcode Fuzzy Hash: 86ba576f1cc1592d9bc9463654c92b9e48c18665b4d514e460bda456097f7eca
Instruction Fuzzy Hash: 9C515032B0CA52C6E7608B25F86077A76A0FF95754F540236DA8E47A94EF7CE884CB40

Function 00007FFD6D9C2990 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

#412.COMCTL32 ref: 00007FFD6D9C29CE
GetParent.USER32 ref: 00007FFD6D9C29E2
GetWindowTextW.USER32 ref: 00007FFD6D9C29F6
GetAncestor.USER32 ref: 00007FFD6D9C2A2C
GetPropW.USER32 ref: 00007FFD6D9C2A3D
FindWindowExW.USER32 ref: 00007FFD6D9C2A56
#413.COMCTL32 ref: 00007FFD6D9C2AFF

Strings

Windows.UI.Composition.DesktopWindowContentBridge, xrefs: 00007FFD6D9C2A4A
FloatingWindow, xrefs: 00007FFD6D9C29FC
ReBarWindow32, xrefs: 00007FFD6D9C2AC1

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$#412#413AncestorFindParentPropText
String ID: FloatingWindow$ReBarWindow32$Windows.UI.Composition.DesktopWindowContentBridge
API String ID: 2039485610-463711336
Opcode ID: 21dda20734f63fb840f4285c51d69559543658d0345348177d9202d05b6083e9
Instruction ID: 6bcae8744fd137b97cb6e6a464cda9d9cd7fcf3e8441a40f47fdc77ff19cd79c
Opcode Fuzzy Hash: 21dda20734f63fb840f4285c51d69559543658d0345348177d9202d05b6083e9
Instruction Fuzzy Hash: FF412721F0CE83D5FE749B16B8647B92391AFA5B94F442032D90E06AA4FFBCE549D200

Function 00007FFD6D9E0020 Relevance: 24.1, APIs: 16, Instructions: 146memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32 ref: 00007FFD6D9E0069
GetLastError.KERNEL32 ref: 00007FFD6D9E009E
CloseHandle.KERNEL32 ref: 00007FFD6D9E00A9
SetLastError.KERNEL32 ref: 00007FFD6D9E00BE
GetLastError.KERNEL32 ref: 00007FFD6D9E00D6
CloseHandle.KERNEL32 ref: 00007FFD6D9E00E1
SetLastError.KERNEL32 ref: 00007FFD6D9E00F6
GetLastError.KERNEL32 ref: 00007FFD6D9E010A
ReleaseMutex.KERNEL32 ref: 00007FFD6D9E0115
SetLastError.KERNEL32 ref: 00007FFD6D9E012A
CloseHandle.KERNEL32 ref: 00007FFD6D9E0143
CloseHandle.KERNEL32 ref: 00007FFD6D9E015F
CloseHandle.KERNEL32 ref: 00007FFD6D9E017B
GetProcessHeap.KERNEL32 ref: 00007FFD6D9E018A
HeapFree.KERNEL32 ref: 00007FFD6D9E0198
ReleaseMutex.KERNEL32 ref: 00007FFD6D9E01A8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$HeapMutexRelease$FreeObjectProcessSingleWait
String ID:
API String ID: 3542600547-0
Opcode ID: 551c2509b4e5d8d206bb6c90f4462f240fd683e699c726661b2073c7c2156c2a
Instruction ID: cd2d33684a8152444ec5565d610bfbf760b64df6d3b7578b8848017e6a0eb856
Opcode Fuzzy Hash: 551c2509b4e5d8d206bb6c90f4462f240fd683e699c726661b2073c7c2156c2a
Instruction Fuzzy Hash: ED517E21B0DE02CAFF549B66F86073963A0EF99B94F080136D91D8779AEF3CE945C601

Function 00007FFD6D9CB5E0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 101windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9F07D0: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,00007FFD6D9BE4B6), ref: 00007FFD6D9F080D
Part of subcall function 00007FFD6D9F07D0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00007FFD6D9BE4B6), ref: 00007FFD6D9F0821

GetParent.USER32 ref: 00007FFD6D9CB63C
GetPropW.USER32 ref: 00007FFD6D9CB64C
GetParent.USER32 ref: 00007FFD6D9CB65A
GetClassWord.USER32 ref: 00007FFD6D9CB668
RegisterWindowMessageW.USER32 ref: 00007FFD6D9CB678
GetParent.USER32 ref: 00007FFD6D9CB685
GetClassWord.USER32 ref: 00007FFD6D9CB693
RegisterWindowMessageW.USER32 ref: 00007FFD6D9CB6A3
GetMenuItemInfoW.USER32 ref: 00007FFD6D9CB727

Strings

DesktopWindow, xrefs: 00007FFD6D9CB645
Progman, xrefs: 00007FFD6D9CB699
P, xrefs: 00007FFD6D9CB70F
WorkerW, xrefs: 00007FFD6D9CB66E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Parent$ClassMessageRegisterWindowWord$CloseInfoItemMenuOpenProp
String ID: DesktopWindow$P$Progman$WorkerW
API String ID: 441032011-3530101500
Opcode ID: 73863012d50b2bd1d21eae4375196a3a5b19108d03dced183ceb9fe1bdf8281c
Instruction ID: 0965a6ebf99816252f792c6b9115810d520344275f917fdaef37497651dfe30d
Opcode Fuzzy Hash: 73863012d50b2bd1d21eae4375196a3a5b19108d03dced183ceb9fe1bdf8281c
Instruction Fuzzy Hash: C3413D21B0CE82C6EB609B16FD6477972A1AF95B95F400536DD4E47BA4EF3CE449C600

Function 00007FFD6D9D7FA0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 216COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9D7FE0
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9D800A
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9D8076
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9D809E
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9D80C8
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9D8163
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9D8180
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9D819C
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9D82E8

Strings

Windows.UI.Xaml.Media.VisualTreeHelper, xrefs: 00007FFD6D9D8097
StartDocked.StartSizingFrame, xrefs: 00007FFD6D9D816C
Windows.UI.Xaml.Window, xrefs: 00007FFD6D9D7FC8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: StringWindows$Delete$ActivationCreateFactoryReference$Buffer
String ID: StartDocked.StartSizingFrame$Windows.UI.Xaml.Media.VisualTreeHelper$Windows.UI.Xaml.Window
API String ID: 2896072117-1951327480
Opcode ID: d1014c74c9aa46d70de0fe1835659f50d467b45d2cc35f00221e843b0bae9a20
Instruction ID: f9f6afa8fbedec7b82ef0859514f3397bc422168e05180710b64cc8bb64544a6
Opcode Fuzzy Hash: d1014c74c9aa46d70de0fe1835659f50d467b45d2cc35f00221e843b0bae9a20
Instruction Fuzzy Hash: A7B1E526B08F52C5EB04DBA1E8A42AD37B5FB94B99F055436CE0E57B58EF38E449C300

Function 00007FFD6D9E66E0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 191registrylibraryloaderCOMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9E672B
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9E6748
RegGetValueW.ADVAPI32 ref: 00007FFD6D9E67DB
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9E6812
GetProcAddress.KERNEL32 ref: 00007FFD6D9E6825
RegGetValueW.ADVAPI32 ref: 00007FFD6D9E68A5

Strings

ColorPrevalence, xrefs: 00007FFD6D9E67C6
dcomp.dll, xrefs: 00007FFD6D9E680B
SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize, xrefs: 00007FFD6D9E67CD, 00007FFD6D9E6897
EnableTransparency, xrefs: 00007FFD6D9E6890
WindowsUdk.UI.Themes.SystemVisualTheme, xrefs: 00007FFD6D9E6724
Taskbar10.cpp, xrefs: 00007FFD6D9E675A, 00007FFD6D9E6786

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$ActivationAddressCreateFactoryHandleModuleProcReferenceStringWindows
String ID: ColorPrevalence$EnableTransparency$SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize$Taskbar10.cpp$WindowsUdk.UI.Themes.SystemVisualTheme$dcomp.dll
API String ID: 342590677-1899219526
Opcode ID: 3c9b4e9b9acc2d63674af36005109daad2ed71ec6303830d23cf5222d9514225
Instruction ID: e44169aeac6c358b5a560cf723efe5d74db7c1104fc1302f1bedec9f1ce7d453
Opcode Fuzzy Hash: 3c9b4e9b9acc2d63674af36005109daad2ed71ec6303830d23cf5222d9514225
Instruction Fuzzy Hash: 12913572B08F42DAFB108F65E4606B973A6BF54748F404936DA4C87A94EF3DE658C780

Function 00007FFD6D9C8EF0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FFD6D9C8F38
GetParent.USER32 ref: 00007FFD6D9C8F41
GetAncestor.USER32 ref: 00007FFD6D9C9099
GetClassNameW.USER32 ref: 00007FFD6D9C90B0
GetClassNameW.USER32 ref: 00007FFD6D9C9179

Strings

SysTreeView32, xrefs: 00007FFD6D9C903E
CabinetWClass, xrefs: 00007FFD6D9C90C1
NotifyIconOverflowWindow, xrefs: 00007FFD6D9C8FB7
Shell_TrayWnd, xrefs: 00007FFD6D9C9187
ReBarWindow32, xrefs: 00007FFD6D9C912A
TrayNotifyWnd, xrefs: 00007FFD6D9C8F6D
SysListView32, xrefs: 00007FFD6D9C9001

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ClassName$AncestorParent
String ID: CabinetWClass$NotifyIconOverflowWindow$ReBarWindow32$Shell_TrayWnd$SysListView32$SysTreeView32$TrayNotifyWnd
API String ID: 1386181033-4244482235
Opcode ID: 01cffd51aa0df596225cab90e13dbf21b5d1fa2c8c3e4bd38b864b1563dda7c3
Instruction ID: bc948163f57b1854fe3b4207d1d2566219297ae043af41eba0386c90fb9cac96
Opcode Fuzzy Hash: 01cffd51aa0df596225cab90e13dbf21b5d1fa2c8c3e4bd38b864b1563dda7c3
Instruction Fuzzy Hash: A7714056B08952D6EA749B05A4352B933A2FBA5F75FC44133EE8E02198FF3C9D85C341

Function 00007FFD6D9C5780 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 122windowCOMMON

Download Yara Rule

APIs

TryEnterCriticalSection.KERNEL32 ref: 00007FFD6D9C57B8
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9C5853
LoadStringW.USER32 ref: 00007FFD6D9C5871
SendMessageW.USER32 ref: 00007FFD6D9C58C3
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C58DD
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C58EF
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9C5909
LoadStringW.USER32 ref: 00007FFD6D9C5922
SendMessageW.USER32 ref: 00007FFD6D9C597C

Strings

(null), xrefs: 00007FFD6D9C5836
pnidui.dll, xrefs: 00007FFD6D9C584C
H, xrefs: 00007FFD6D9C593B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CriticalSection$HandleLeaveLoadMessageModuleSendString$Enter
String ID: (null)$H$pnidui.dll
API String ID: 3318607081-2376156319
Opcode ID: 2adcfd1bc7f7106be87062b26d09ee880211e94a2488b4e2af3a87a323da4b34
Instruction ID: 23f7a22639f952a3e56232b2b4ff19522fdf211dd44bb820dcbc39f9d478f2b4
Opcode Fuzzy Hash: 2adcfd1bc7f7106be87062b26d09ee880211e94a2488b4e2af3a87a323da4b34
Instruction Fuzzy Hash: 77512A32B1CF86C6EB60CB25F86066A63A1FB98744F544136DA8E47B64EF3CD545CB00

Function 00007FFD6D9C15C0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32 ref: 00007FFD6D9C15F4
FindWindowExW.USER32 ref: 00007FFD6D9C1610
MonitorFromWindow.USER32 ref: 00007FFD6D9C1621
MonitorFromPoint.USER32 ref: 00007FFD6D9C163B
GetMonitorInfoW.USER32 ref: 00007FFD6D9C1649
FindWindowExW.USER32 ref: 00007FFD6D9C1662
MonitorFromWindow.USER32 ref: 00007FFD6D9C1673
GetMonitorInfoW.USER32 ref: 00007FFD6D9C1681
GetWindowRect.USER32 ref: 00007FFD6D9C1692

Strings

Shell_TrayWnd, xrefs: 00007FFD6D9C1657
(, xrefs: 00007FFD6D9C15E4
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9C1604

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Monitor$Window$From$FindInfoPoint$Rect
String ID: ($Shell_SecondaryTrayWnd$Shell_TrayWnd
API String ID: 1776394408-174554928
Opcode ID: df920bce5273e1608d508747b8fe0297b18f257e25a8b55d9d9880311595257d
Instruction ID: d925f395f1920065fc1b382546267582b7380a74d2482b26cfdff5a7ef2c4f7b
Opcode Fuzzy Hash: df920bce5273e1608d508747b8fe0297b18f257e25a8b55d9d9880311595257d
Instruction Fuzzy Hash: B641E135B1DE42C6EB608B21FA2477A6361FB9AB90F544132DD4E53B54EF3CE8818B00

Function 00007FFD6D9DD4A0 Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 334registryCOMMON

Download Yara Rule

APIs

RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9DD505
RegGetValueW.ADVAPI32 ref: 00007FFD6D9DD664
RegGetValueW.ADVAPI32 ref: 00007FFD6D9DD6BA
RegGetValueW.ADVAPI32 ref: 00007FFD6D9DD70A
RegGetValueW.ADVAPI32 ref: 00007FFD6D9DD7C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFD6D9DD9AF

Strings

VisiblePlaces, xrefs: 00007FFD6D9DD6DD, 00007FFD6D9DD7A1
ShowRecentList, xrefs: 00007FFD6D9DD68A
ShowFrequentList, xrefs: 00007FFD6D9DD634
WindowsInternal.Shell.CDSProperties.StartGlobalProperties, xrefs: 00007FFD6D9DD4CF
SOFTWARE\Microsoft\Windows\CurrentVersion\Start, xrefs: 00007FFD6D9DD64B, 00007FFD6D9DD6A1, 00007FFD6D9DD6F7, 00007FFD6D9DD7B4

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$ActivationFactory_invalid_parameter_noinfo_noreturn
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Start$ShowFrequentList$ShowRecentList$VisiblePlaces$WindowsInternal.Shell.CDSProperties.StartGlobalProperties
API String ID: 3131312478-3545454060
Opcode ID: 2fc7de9be2258553e5e4356f05f1f3693b5da9eac1552d1f13d45b0a0d89c943
Instruction ID: 96310fddf9c9d8c3f118eb6545da57545a07cf03b1f20e7da96cd8a86058123e
Opcode Fuzzy Hash: 2fc7de9be2258553e5e4356f05f1f3693b5da9eac1552d1f13d45b0a0d89c943
Instruction Fuzzy Hash: 0CF12772B09F02DAEB109F61E8602AC33B5FB98B98F444136DA5D53B98EF39D519C740

Function 00007FFD6D9BFA30 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 00007FFD6D9BFA53
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BFA5E
GetSubMenu.USER32 ref: 00007FFD6D9BFA94
GetModuleHandleW.KERNEL32 ref: 00007FFD6D9BFACF
LoadStringW.USER32 ref: 00007FFD6D9BFAE6
GetMenuItemCount.USER32 ref: 00007FFD6D9BFB9F
InsertMenuItemW.USER32 ref: 00007FFD6D9BFBB6

Strings

b, xrefs: 00007FFD6D9BFB74
ExplorerFrame.dll, xrefs: 00007FFD6D9BFAC8
P, xrefs: 00007FFD6D9BFB6C
D/, xrefs: 00007FFD6D9BFB7D

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Menu$HandleItemLoadModule$CountInsertString
String ID: D/$ExplorerFrame.dll$P$b
API String ID: 1491413557-2753148976
Opcode ID: cb57456159519526353e6bf3a2bb8b5a1e720a5af21d89da3ae0cb547cec1ac3
Instruction ID: 0a0e620cc29ef7442908128f7bd366d61a3dbada0257c41e995fa3769457bc58
Opcode Fuzzy Hash: cb57456159519526353e6bf3a2bb8b5a1e720a5af21d89da3ae0cb547cec1ac3
Instruction Fuzzy Hash: A2416966B0DE46C6EA208F15F86436AB3A0FB94B54F44413ADA8D47BA4EF3DE405CB00

Function 00007FFD6D9B9560 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 86synchronizationwindowCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFD6D9B9596
QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B95D1
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B95E0
GetTickCount.KERNEL32 ref: 00007FFD6D9B95FB
QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9B9610
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9B961F
GetTickCount.KERNEL32 ref: 00007FFD6D9B9637
IsWindowVisible.USER32 ref: 00007FFD6D9B9655
DwmSetWindowAttribute.DWMAPI ref: 00007FFD6D9B9677
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9B9689

Strings

[sws] Delayed showing by %lld ms due to: user configuration., xrefs: 00007FFD6D9B9642

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: PerformanceQuery$CountCounterFrequencyObjectSingleTickWaitWindow$AttributeVisible
String ID: [sws] Delayed showing by %lld ms due to: user configuration.
API String ID: 3340259983-850836316
Opcode ID: eee99174ebf16011e2978f944a6c15408638f1653af43da11766b6f1d2f25f0c
Instruction ID: 184c6f2693d68d9522104a62e11269495adc9fa7b268c41a2f8c7e04239889a9
Opcode Fuzzy Hash: eee99174ebf16011e2978f944a6c15408638f1653af43da11766b6f1d2f25f0c
Instruction Fuzzy Hash: 12313C22B1DE42C6EB549F25F86412A73A4EFA4B94F550132DA5E866A8EF3CE441CB10

Function 00007FFD6D9BF6F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 137registrywindowtimeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 00007FFD6D9BF747
GetMessagePos.USER32 ref: 00007FFD6D9BF765
MonitorFromPoint.USER32 ref: 00007FFD6D9BF784
GetMonitorInfoW.USER32 ref: 00007FFD6D9BF7AC
RegGetValueW.ADVAPI32 ref: 00007FFD6D9BF881
RegSetKeyValueW.ADVAPI32 ref: 00007FFD6D9BF8BB
SetTimer.USER32 ref: 00007FFD6D9BF8DB

Strings

(, xrefs: 00007FFD6D9BF7A5
TaskbarAl, xrefs: 00007FFD6D9BF851, 00007FFD6D9BF8A3
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9BF868, 00007FFD6D9BF8AD

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: MonitorValue$ClientFromInfoMessagePointScreenTimer
String ID: ($SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl
API String ID: 2953988541-3876653080
Opcode ID: 8f5c143c421f264fdeb3e6b0909a287875635cf8cd460ed4f2bf51121d7b3ea3
Instruction ID: b72d34e7f6266caf27c3ca80f06c77ce06c5acc3345c8981d9951577390d0476
Opcode Fuzzy Hash: 8f5c143c421f264fdeb3e6b0909a287875635cf8cd460ed4f2bf51121d7b3ea3
Instruction Fuzzy Hash: 45517C36F18E21CAF710CB64E8A06BD33A1FB54758F540136DA0A53A98EF3DE984C750

Function 00007FFD6D9C9950 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

GetThemeMargins.UXTHEME ref: 00007FFD6D9C99C3
FindWindowExW.USER32 ref: 00007FFD6D9C9A7D
GetWindowLongW.USER32 ref: 00007FFD6D9C9A98
SetWindowLongW.USER32 ref: 00007FFD6D9C9AAF
SetWindowLongW.USER32 ref: 00007FFD6D9C9AC4
FindWindowExW.USER32 ref: 00007FFD6D9C9ADF
GetWindowLongW.USER32 ref: 00007FFD6D9C9AF5
SetWindowLongW.USER32 ref: 00007FFD6D9C9B0C

Strings

Shell_TrayWnd, xrefs: 00007FFD6D9C9A72
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9C9AD3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$Long$Find$MarginsTheme
String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
API String ID: 3366318519-1433838494
Opcode ID: 6c3b219180e076513845b3c049b895ca65444178e0c7c508d63c8a2057085693
Instruction ID: fb1fdf2eb910c437c81ca6479e63e1e30f97dd4fd5d7e19ec6bbe5bd61db9995
Opcode Fuzzy Hash: 6c3b219180e076513845b3c049b895ca65444178e0c7c508d63c8a2057085693
Instruction Fuzzy Hash: 56519272B09F91D6EB208F25F8203297695FB58BA9F048136DA4D07798EF3DD855C700

Function 00007FFD6D9C0C20 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 74windowCOMMON

Download Yara Rule

APIs

#412.COMCTL32 ref: 00007FFD6D9C0C55
#413.COMCTL32 ref: 00007FFD6D9C0C66
FindWindowW.USER32 ref: 00007FFD6D9C0CAA
FindWindowW.USER32 ref: 00007FFD6D9C0CD8
FindWindowExW.USER32 ref: 00007FFD6D9C0D18
FindWindowExW.USER32 ref: 00007FFD6D9C0D29
PostMessageW.USER32 ref: 00007FFD6D9C0D43

Strings

Shell_TrayWnd, xrefs: 00007FFD6D9C0D01
Windows.UI.Core.CoreWindow, xrefs: 00007FFD6D9C0CD1
ClockFlyoutWindow, xrefs: 00007FFD6D9C0CA3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FindWindow$#412#413MessagePost
String ID: ClockFlyoutWindow$Shell_TrayWnd$Windows.UI.Core.CoreWindow
API String ID: 103836485-3485964848
Opcode ID: 0d9e66e093212fad9395b21c2358fdc69485eddafdd0524c220b3703c5596bd7
Instruction ID: 381b5e3c4eccbefaf6bf1b7b5d359af1d001ba9a30842ef6de83b6ed0d14ae16
Opcode Fuzzy Hash: 0d9e66e093212fad9395b21c2358fdc69485eddafdd0524c220b3703c5596bd7
Instruction Fuzzy Hash: 4B314BA4F4CE42C1FB20AB53B9742792651AFA4B80F548437D90E07695FF2CE585C700

Function 00007FFD6D9C9DA0 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 65COMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32 ref: 00007FFD6D9C9E25
CompareStringOrdinal.KERNEL32 ref: 00007FFD6D9C9E72

Strings

::{8E908FC9-BECC-40F6-915B-F4CA0E70D03D}, xrefs: 00007FFD6D9C9DEA
::{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}, xrefs: 00007FFD6D9C9DC9
Advanced, xrefs: 00007FFD6D9C9E00
::{17CD9488-1228-4B2F-88CE-4298E93E0966}, xrefs: 00007FFD6D9C9DDB
::{7B81BE6A-CE2B-4676-A29E-EB907A5126C5}, xrefs: 00007FFD6D9C9DB4
::{A8A91A66-3A7D-4424-8D24-04E180695C7A}, xrefs: 00007FFD6D9C9E0B
::{7007ACC7-3202-11D1-AAD2-00805FC1270E}, xrefs: 00007FFD6D9C9DF5
::{BB06C0E4-D293-4F75-8A90-CB05B6477EEE}, xrefs: 00007FFD6D9C9DC2

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CompareOrdinalString
String ID: ::{17CD9488-1228-4B2F-88CE-4298E93E0966}$::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$::{7B81BE6A-CE2B-4676-A29E-EB907A5126C5}$::{8E908FC9-BECC-40F6-915B-F4CA0E70D03D}$::{A8A91A66-3A7D-4424-8D24-04E180695C7A}$::{BB06C0E4-D293-4F75-8A90-CB05B6477EEE}$::{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}$Advanced
API String ID: 2409332303-3644713213
Opcode ID: 0bddf4f8cf2fe53f5b2b67e9ca6550e7cca2cebb951c42f5df0ff5165daec25b
Instruction ID: 047a68d2ea0bdf9c19f173918f8770fc7e162edf9327a123a9bbae956c41b5d1
Opcode Fuzzy Hash: 0bddf4f8cf2fe53f5b2b67e9ca6550e7cca2cebb951c42f5df0ff5165daec25b
Instruction Fuzzy Hash: 7C314732B0CF81D5EB60CB11F8542A933A9FB68794F550636CA9C57B64EF39EA41C740

Function 00007FFD6D9C1DF0 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFD6D9C1E10

Part of subcall function 00007FFD6D9BD290: GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD2C6
Part of subcall function 00007FFD6D9BD290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6D9BD2F9
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD32F

GetCurrentProcess.KERNEL32 ref: 00007FFD6D9C1E3E
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9C1E55

Strings

xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx, xrefs: 00007FFD6D9C1E5F
Setup sndvolsso functions done, xrefs: 00007FFD6D9C1ECC
TrackPopupMenuEx, xrefs: 00007FFD6D9C1E20
api-ms-win-core-registry-l1-1-0.dll, xrefs: 00007FFD6D9C1EC0
user32.dll, xrefs: 00007FFD6D9C1E2A
sndvolsso.dll, xrefs: 00007FFD6D9C1E09
RegGetValueW, xrefs: 00007FFD6D9C1EB9

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: LibraryModule$CurrentDataDirectoryEntryFreeHandleImageInformationLoadProcess
String ID: RegGetValueW$Setup sndvolsso functions done$TrackPopupMenuEx$api-ms-win-core-registry-l1-1-0.dll$sndvolsso.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
API String ID: 2511907732-965438320
Opcode ID: c30c1a8d63d9375d020e078992e17761724e41e14c68aba1d8570aaa90856591
Instruction ID: 1ea842b605f1a50f6ae4b3ebe5737af1bf30087120e5486c11d6b6145c1d26ff
Opcode Fuzzy Hash: c30c1a8d63d9375d020e078992e17761724e41e14c68aba1d8570aaa90856591
Instruction Fuzzy Hash: 76210761B1CE46D0EA10DB22F9610FA2361AF94794F884133D84E16769FE3CE189C380

Function 00007FFD6D9EA5C0 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

HorizontalAlign, xrefs: 00007FFD6D9EA796
Position, xrefs: 00007FFD6D9EA679
TwinUIPatches.cpp, xrefs: 00007FFD6D9EA62D, 00007FFD6D9EA700, 00007FFD6D9EA814, 00007FFD6D9EA911, 00007FFD6D9EAA2C, 00007FFD6D9EAA57
VerticalAlign, xrefs: 00007FFD6D9EA897

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID: HorizontalAlign$Position$TwinUIPatches.cpp$VerticalAlign
API String ID: 0-1987525340
Opcode ID: f192e1d4ce6da24b30661df487f12e9c0c9414033a8a0d4c05a3f75df6258f84
Instruction ID: d60c2218eb511780121f3c5a1a2797f1eacdb0c8d051c303f5d208742d4023c2
Opcode Fuzzy Hash: f192e1d4ce6da24b30661df487f12e9c0c9414033a8a0d4c05a3f75df6258f84
Instruction Fuzzy Hash: 5CF14036B19E06CEF710CBB5E4606AD2376AF89B98F154132DE0DA7BA4EE38D545C340

Function 00007FFD6D9E69A0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 272keyboardCOMMON

Download Yara Rule

APIs

AccessibleObjectFromWindow.OLEACC ref: 00007FFD6D9E69FB
AccessibleChildren.OLEACC ref: 00007FFD6D9E6A41
SetPropW.USER32 ref: 00007FFD6D9E6B06
GetKeyState.USER32 ref: 00007FFD6D9E6D60
GetForegroundWindow.USER32 ref: 00007FFD6D9E6D6B
SetPropW.USER32 ref: 00007FFD6D9E6D9D
GetKeyState.USER32 ref: 00007FFD6D9E6DAD
GetForegroundWindow.USER32 ref: 00007FFD6D9E6DB8

Strings

EPTBLEN, xrefs: 00007FFD6D9E6AFC, 00007FFD6D9E6D93

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$AccessibleForegroundPropState$ChildrenFromObject
String ID: EPTBLEN
API String ID: 242652104-515233689
Opcode ID: 8196e59e1628c75b8aec546691e374d9eec50224df19f4f1f561869d8ec1c2e6
Instruction ID: 8e7766135f4380cf75d074dc96ba469b389b0f6f505bfc075f7f599e1bf82c24
Opcode Fuzzy Hash: 8196e59e1628c75b8aec546691e374d9eec50224df19f4f1f561869d8ec1c2e6
Instruction Fuzzy Hash: D9D13932B08A42CAE714CF79E8502AD77B1FB84798F605236DB4957A68EF38E545CB40

Function 00007FFD6D9DC940 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 237COMMON

Download Yara Rule

APIs

OpenSemaphoreW.KERNEL32 ref: 00007FFD6D9DCA43
GetLastError.KERNEL32 ref: 00007FFD6D9DCA56
OpenSemaphoreW.KERNEL32 ref: 00007FFD6D9DCB3F
CloseHandle.KERNEL32 ref: 00007FFD6D9DCBA7

Part of subcall function 00007FFD6D9DC790: WaitForSingleObject.KERNEL32 ref: 00007FFD6D9DC7B1

CloseHandle.KERNEL32 ref: 00007FFD6D9DCBC4
CloseHandle.KERNEL32 ref: 00007FFD6D9DCBF2
CloseHandle.KERNEL32 ref: 00007FFD6D9DCC6C

Strings

wil, xrefs: 00007FFD6D9DCA6D, 00007FFD6D9DCAAC, 00007FFD6D9DCB5A, 00007FFD6D9DCB8D
_p0, xrefs: 00007FFD6D9DC9FE

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CloseHandle$OpenSemaphore$ErrorLastObjectSingleWait
String ID: _p0$wil
API String ID: 2347786691-1814513734
Opcode ID: d440c284a68a6057bf1245fa44a4e400b739cf8b7cfcfe15bc012b933e096ecd
Instruction ID: 5338fea63b5caf4411e02ac5db1a1303731abebe1144fc037fed71772e3125d2
Opcode Fuzzy Hash: d440c284a68a6057bf1245fa44a4e400b739cf8b7cfcfe15bc012b933e096ecd
Instruction Fuzzy Hash: 14918F62B0DF82C1EE219F65F4642BA63A5EF88B90F944536DA4E47794FE3CE409C710

Function 00007FFD6D9DC790 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFD6D9DC7B1

Strings

wil, xrefs: 00007FFD6D9DC7C1, 00007FFD6D9DC812, 00007FFD6D9DC877, 00007FFD6D9DC8D2, 00007FFD6D9DC904

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: 6cb99dce32a31d1732828c6e927fb19117e6b334bfb23547af7556cf32aa526d
Instruction ID: 90d9e35934fe427ad6b1035518a09da2083438718ea93afe01595ccd45ecf159
Opcode Fuzzy Hash: 6cb99dce32a31d1732828c6e927fb19117e6b334bfb23547af7556cf32aa526d
Instruction Fuzzy Hash: 8E413371B1CE43C2FB609B21F82067A62A5EF98794F604133E94F97A95EE3CE5498601

Function 00007FFD6D9CC9F0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFD6D9CCA12

Part of subcall function 00007FFD6D9BD290: GetModuleHandleExW.KERNEL32 ref: 00007FFD6D9BD2C6
Part of subcall function 00007FFD6D9BD290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6D9BD2F9
Part of subcall function 00007FFD6D9BD290: FreeLibrary.KERNEL32 ref: 00007FFD6D9BD32F

GetCurrentProcess.KERNEL32 ref: 00007FFD6D9CCA69
K32GetModuleInformation.KERNEL32 ref: 00007FFD6D9CCA80

Strings

StartTileData.dll, xrefs: 00007FFD6D9CCA0B
api-ms-win-core-winrt-l1-1-0.dll, xrefs: 00007FFD6D9CCA2C
StartMenuSettings.cpp, xrefs: 00007FFD6D9CCA8F
xxxxxxxxxxxxxxxxx?xxx????xxx????xxxxxxxxx?xx?xx?xx?xxx, xrefs: 00007FFD6D9CCAA6
RoGetActivationFactory, xrefs: 00007FFD6D9CCA22
Failed to hook UnifiedTilePinUnpinVerbProvider::GetVerbs(). rv = %d, xrefs: 00007FFD6D9CCAF4

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: LibraryModule$CurrentDataDirectoryEntryFreeHandleImageInformationLoadProcess
String ID: Failed to hook UnifiedTilePinUnpinVerbProvider::GetVerbs(). rv = %d$RoGetActivationFactory$StartMenuSettings.cpp$StartTileData.dll$api-ms-win-core-winrt-l1-1-0.dll$xxxxxxxxxxxxxxxxx?xxx????xxx????xxxxxxxxx?xx?xx?xx?xxx
API String ID: 2511907732-536516541
Opcode ID: 689f743ca5576d29d84c565fa326903382ce42f1f8c006b96957a654a7496187
Instruction ID: 3dc800c035402d18cc509764ccdef07c18d87637a7a7ce6fdf2ae329403a076b
Opcode Fuzzy Hash: 689f743ca5576d29d84c565fa326903382ce42f1f8c006b96957a654a7496187
Instruction Fuzzy Hash: BB314B60B0CE43D1FA10DBA2F9745BA23A1AF98794F404237D94E566A4FF3CE55AC740

Function 00007FFD6DA08DA8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA08DEB
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA091D8
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA09474

Strings

f, xrefs: 00007FFD6DA08F0D
p, xrefs: 00007FFD6DA08F15
-, xrefs: 00007FFD6DA08E81
:, xrefs: 00007FFD6DA08FA4
p, xrefs: 00007FFD6DA08E9D

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 0fac80845ca2206c325da4620558c9a9b35b740b33f0e8549cdded86d03224de
Instruction ID: e247a3fba8e410fa958ff4e992f419cdd452c7d83ddd31a88625c112eb9e127c
Opcode Fuzzy Hash: 0fac80845ca2206c325da4620558c9a9b35b740b33f0e8549cdded86d03224de
Instruction Fuzzy Hash: E112C571F0C943C6FB605A15F2642BA7256FBA4758F8C4035E69A476C8EF3CE980CB05

Function 00007FFD6D9FF848 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9FF888
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9FFC50
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9FFEEF

Strings

f, xrefs: 00007FFD6D9FF920
f, xrefs: 00007FFD6D9FF98A
p, xrefs: 00007FFD6D9FF992
f, xrefs: 00007FFD6D9FFAD5
p, xrefs: 00007FFD6D9FF92D

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: bc113c6e72820b98e318c63d88f467cb3010e0423711e0b0b4a3decac008c911
Instruction ID: 9c7b1db12ddf22ed0d944b309ee6eac128556a2bdb5319c766c4b256c63e38d3
Opcode Fuzzy Hash: bc113c6e72820b98e318c63d88f467cb3010e0423711e0b0b4a3decac008c911
Instruction Fuzzy Hash: B9128062F0C983C6FB64AE14F0646B97652FB80758FA44137E699466C8FB7CE588CB10

Function 00007FFD6D9B4CF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

StretchDIBits.GDI32 ref: 00007FFD6D9B4E0C
StretchDIBits.GDI32 ref: 00007FFD6D9B4E68
StretchDIBits.GDI32 ref: 00007FFD6D9B4EC2
StretchDIBits.GDI32 ref: 00007FFD6D9B4F69
StretchDIBits.GDI32 ref: 00007FFD6D9B4FC3
StretchDIBits.GDI32 ref: 00007FFD6D9B5015
StretchDIBits.GDI32 ref: 00007FFD6D9B5065

Strings

, xrefs: 00007FFD6D9B501B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: BitsStretch
String ID:
API String ID: 350495539-3916222277
Opcode ID: 16169dae19ceeb75348473d394cbf06ec6f314e1e1cb273dfbed35b0081e99fd
Instruction ID: 1529f6bc5eb65ba8fd3afab8a5f09ab4553f08d007085c38c90180e170a59a89
Opcode Fuzzy Hash: 16169dae19ceeb75348473d394cbf06ec6f314e1e1cb273dfbed35b0081e99fd
Instruction Fuzzy Hash: 90A121B2618BC08ED7108F65F48465EBBB4F789398F205229EA8963B69DB7DD055CF00

Function 00007FFD6D9C17A0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9BD750: QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9BD768
Part of subcall function 00007FFD6D9BD750: QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9BD777

GetClassNameW.USER32 ref: 00007FFD6D9C1818
WindowFromPoint.USER32 ref: 00007FFD6D9C18AA
GetClassNameW.USER32 ref: 00007FFD6D9C18C1
GetCursorPos.USER32 ref: 00007FFD6D9C193D
EnumPropsA.USER32 ref: 00007FFD6D9C1A34
TrackPopupMenuEx.USER32 ref: 00007FFD6D9C1A84

Strings

Shell_TrayWnd, xrefs: 00007FFD6D9C1842
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9C1825, 00007FFD6D9C18CF

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ClassNamePerformanceQuery$CounterCursorEnumFrequencyFromMenuPointPopupPropsTrackWindow
String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
API String ID: 1660317238-1433838494
Opcode ID: 128fb20ece10c7a3924be445a59ad679d9d991228480f978e37881e9e63ea3d7
Instruction ID: cf1e7a718610fa7f0440bd59d74f6f4e55e314bd6468a7650070ea66114f0360
Opcode Fuzzy Hash: 128fb20ece10c7a3924be445a59ad679d9d991228480f978e37881e9e63ea3d7
Instruction Fuzzy Hash: 93917462B0CA42C6EB649F05F46027973A1FB96B90F944137EA4E22694FF3CE885C745

Function 00007FFD6D9DFE10 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 125synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFD6D9DFE3F
CreateMutexExW.KERNEL32 ref: 00007FFD6D9DFE7C
CloseHandle.KERNEL32 ref: 00007FFD6D9DFE9E
WaitForSingleObjectEx.KERNEL32 ref: 00007FFD6D9DFEE5
ReleaseMutex.KERNEL32 ref: 00007FFD6D9DFFAE

Part of subcall function 00007FFD6D9DC1C0: GetLastError.KERNEL32 ref: 00007FFD6D9DC1CB

Strings

x, xrefs: 00007FFD6D9DFE4D
Local\SM0:%lu:%lu:%hs, xrefs: 00007FFD6D9DFE55
wil, xrefs: 00007FFD6D9DFF32, 00007FFD6D9DFF4E, 00007FFD6D9DFF6A, 00007FFD6D9DFFE8

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Mutex$CloseCreateCurrentErrorHandleLastObjectProcessReleaseSingleWait
String ID: Local\SM0:%lu:%lu:%hs$wil$x
API String ID: 908355122-984673096
Opcode ID: d964f013290470198f31b6882e51c7cbeb86e784c1be97d68529b4bb9367cec1
Instruction ID: 48707a8a1436560487ef361d2451333134566b9d28ff0884a075b5186bb8e48f
Opcode Fuzzy Hash: d964f013290470198f31b6882e51c7cbeb86e784c1be97d68529b4bb9367cec1
Instruction Fuzzy Hash: E1518F2671DE82C2EB609F15F8657AA6360EF98794F544132EA8E87B95EE3CD409C700

Function 00007FFD6D9EF870 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73threadtimeCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000), ref: 00007FFD6D9EF8A7
GetWindowThreadProcessId.USER32 ref: 00007FFD6D9EF8BB
K32EnumProcesses.KERNEL32 ref: 00007FFD6D9EF8DB
OpenProcess.KERNEL32 ref: 00007FFD6D9EF916
K32GetProcessImageFileNameW.KERNEL32 ref: 00007FFD6D9EF935
GetProcessTimes.KERNEL32 ref: 00007FFD6D9EF957
CloseHandle.KERNEL32 ref: 00007FFD6D9EF972

Strings

Shell_TrayWnd, xrefs: 00007FFD6D9EF8A0

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Process$Window$CloseEnumFileFindHandleImageNameOpenProcessesThreadTimes
String ID: Shell_TrayWnd
API String ID: 205820467-2988720461
Opcode ID: 26c329ef98d414851a520803d946491ad072e31d61edd74cb2aa498bf721253a
Instruction ID: 152fbdacbbc9f42722b158086860c3cf6ed9826ce44e75ed407864c164985f49
Opcode Fuzzy Hash: 26c329ef98d414851a520803d946491ad072e31d61edd74cb2aa498bf721253a
Instruction Fuzzy Hash: 9731393260DB81D6EB50DF51F85809A73A5FB88B94F445132EA9E03B98EF3CD546CB00

Function 00007FFD6D9EB950 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FFD6D9EB981
RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9EB98C
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9EB9AE
RoActivateInstance.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9EB9C4

Strings

Windows.Data.Xml.Dom.XmlDocument, xrefs: 00007FFD6D9EB9A7
updates.cpp, xrefs: 00007FFD6D9EB9D7, 00007FFD6D9EBA12, 00007FFD6D9EBA5F, 00007FFD6D9EBAE2

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Initialize$ActivateCreateInstanceReferenceStringWindows
String ID: Windows.Data.Xml.Dom.XmlDocument$updates.cpp
API String ID: 2774375269-421020656
Opcode ID: c02239335eb48da2ae9e6bb245c480840aefc64f40c6d5bbac14a6c608c79e4b
Instruction ID: e5b6d9762637fd2a7b675e65b62f46ee30e6414284c6117c32353550b01fda29
Opcode Fuzzy Hash: c02239335eb48da2ae9e6bb245c480840aefc64f40c6d5bbac14a6c608c79e4b
Instruction Fuzzy Hash: A7610B26B08F06C9EB009BB2E8A05BD27B1BF58B98B545536CE0DA3B95EF3CD5458350

Function 00007FFD6D9CD5F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9CD75A
VirtualProtect.KERNEL32 ref: 00007FFD6D9CD780
VirtualProtect.KERNEL32 ref: 00007FFD6D9CD79A
VirtualProtect.KERNEL32 ref: 00007FFD6D9CD7C3

Strings

[SSO] pssoEntryTarget = %llX, xrefs: 00007FFD6D9CD723
[SSO] pguidTarget = %llX, xrefs: 00007FFD6D9CD6C9
.rdata, xrefs: 00007FFD6D9CD66B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID: .rdata$[SSO] pguidTarget = %llX$[SSO] pssoEntryTarget = %llX
API String ID: 544645111-3803262335
Opcode ID: d2b8e568679feff86666d4be83de231450fff1bd35202fdf3eefbc7c793453fe
Instruction ID: f8150c8c9222405e984e11d8d6d10922d5af806a42e90c83f4dc151a9638e731
Opcode Fuzzy Hash: d2b8e568679feff86666d4be83de231450fff1bd35202fdf3eefbc7c793453fe
Instruction Fuzzy Hash: 05518E72B08E42C6EB608F21F56027AA3A5FB94B84F448132DA5E57798FF3CE546C710

Function 00007FFD6DA0DC18 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FFD6DA0DF3E), ref: 00007FFD6DA0DD94
GetProcAddress.KERNEL32(?,?,?,00007FFD6DA0DF3E), ref: 00007FFD6DA0DDA0

Strings

ext-ms-, xrefs: 00007FFD6DA0DCF1
api-ms-, xrefs: 00007FFD6DA0DCDE

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 9381c14dff99c8d3c9214572172b4c7912450ffc32c4b2aea7fbb97b670f4f56
Instruction ID: c4ab150e474d779ef177378a3173cbc4eff2d21e4aa878d559a89744b74d47c5
Opcode Fuzzy Hash: 9381c14dff99c8d3c9214572172b4c7912450ffc32c4b2aea7fbb97b670f4f56
Instruction Fuzzy Hash: AE41BF23B1EE02C5FE168B16B8206762291BFA6BA4F095535DD0D47B98FE3CE446C340

Function 00007FFD6D9CAF10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100registryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFD6D9CAF5C
RegisterHotKey.USER32 ref: 00007FFD6D9CAF7C
RegisterHotKey.USER32 ref: 00007FFD6D9CB058
RegisterHotKey.USER32 ref: 00007FFD6D9CB072
RegisterHotKey.USER32 ref: 00007FFD6D9CB08C

Strings

D, xrefs: 00007FFD6D9CAF9D
Registered Win+A, Win+B, and Win+N, xrefs: 00007FFD6D9CB092

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Register$ErrorLast
String ID: D$Registered Win+A, Win+B, and Win+N
API String ID: 2374893891-229114993
Opcode ID: 405d0e7ac9f317716e0189d4acb723e7eab44efead935b94bccd9452f712eb0a
Instruction ID: a99d6acca8766be28232377d52a6c348502775a233e7b533556bf568c96a73d7
Opcode Fuzzy Hash: 405d0e7ac9f317716e0189d4acb723e7eab44efead935b94bccd9452f712eb0a
Instruction Fuzzy Hash: 0D4127A0F1CE02C6FB608B11F97473A32A0AF65785F404436DA1D5AA98FF7DE985CB04

Function 00007FFD6D9B14C0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 83COMMON

Download Yara Rule

Strings

Here is the stack trace:, xrefs: 00007FFD6D9B1611
Description: %s, xrefs: 00007FFD6D9B15EA
General failure, xrefs: 00007FFD6D9B15D6
====================================, xrefs: 00007FFD6D9B1622
====================================An error occured in the application.Error number: 0x%x, xrefs: 00007FFD6D9B150E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID:
String ID: ====================================$====================================An error occured in the application.Error number: 0x%x$Description: %s$General failure$Here is the stack trace:
API String ID: 0-2550951133
Opcode ID: f7c5315cf93a45d3cdabed7aba7039f98d7f8a499b29b0271d80430d8c238334
Instruction ID: eb0cf15c2ac677137861b9edda1af982c196ad1ec1a6d36114389496ba5a833e
Opcode Fuzzy Hash: f7c5315cf93a45d3cdabed7aba7039f98d7f8a499b29b0271d80430d8c238334
Instruction Fuzzy Hash: 25318C32F1CE42C2FA04DB15F8715BA6362AF96780F990136EA4E5369AFF2CE5518700

Function 00007FFD6D9D9FF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00007FFD6D9DA025
GetMessagePos.USER32 ref: 00007FFD6D9DA07B
EnumDisplayMonitors.USER32 ref: 00007FFD6D9DA0C5
MonitorFromPoint.USER32 ref: 00007FFD6D9DA0E4
CallNextHookEx.USER32 ref: 00007FFD6D9DA104

Strings

!! %d %d, xrefs: 00007FFD6D9DA084
Position Start, xrefs: 00007FFD6D9DA055

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CallDisplayEnumFromHookMessageMetricsMonitorMonitorsNextPointSystem
String ID: !! %d %d$Position Start
API String ID: 2363114125-3643933998
Opcode ID: ef589ef906c47f2ecabb322dcae2e99e5f48589088c0db06b745eebe8f4690ad
Instruction ID: caaacafc5c648789f7584e83f225386ad3f06cca56a6c128df4878f865cb8569
Opcode Fuzzy Hash: ef589ef906c47f2ecabb322dcae2e99e5f48589088c0db06b745eebe8f4690ad
Instruction Fuzzy Hash: 5E31A135B0CE42C6FB248F25F86027A72A1FFE4794F544536DA4E42754EF3CE4558A00

Function 00007FFD6D9C28A0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetAncestor.USER32 ref: 00007FFD6D9C28F6
GetPropW.USER32 ref: 00007FFD6D9C2907
FindWindowExW.USER32 ref: 00007FFD6D9C2920
#412.COMCTL32 ref: 00007FFD6D9C2951

Strings

Windows.UI.Composition.DesktopWindowContentBridge, xrefs: 00007FFD6D9C2914
DarkMode, xrefs: 00007FFD6D9C28D3
NavbarComposited, xrefs: 00007FFD6D9C292A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: #412AncestorFindPropWindow
String ID: DarkMode$NavbarComposited$Windows.UI.Composition.DesktopWindowContentBridge
API String ID: 341881220-2358444603
Opcode ID: c96de4054d296ec24a28e7a285d9b23ee387dccd2102aebddb4fb688bdff5fc0
Instruction ID: 7d0e4ccbe7065d7981dbd3143bf585a506d2e9dd5db38f5c0aaf657c1777c526
Opcode Fuzzy Hash: c96de4054d296ec24a28e7a285d9b23ee387dccd2102aebddb4fb688bdff5fc0
Instruction Fuzzy Hash: 16213B21B0CF42C5EA24DB12B9602A96391BF99BC4F585036DE4E47B59EF3CD646C340

Function 00007FFD6D9CAA00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46memorystringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 00007FFD6D9CAA2E
VirtualProtect.KERNEL32 ref: 00007FFD6D9CAA4B
lstrcpyW.KERNEL32 ref: 00007FFD6D9CAA5F
VirtualProtect.KERNEL32 ref: 00007FFD6D9CAA77
OpenRegStream.SHELL32 ref: 00007FFD6D9CAA89

Strings

TaskbarWinXP, xrefs: 00007FFD6D9CAA1E
TaskbarWinEP, xrefs: 00007FFD6D9CAA55

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$OpenStreamlstrcmpilstrcpy
String ID: TaskbarWinEP$TaskbarWinXP
API String ID: 3070759360-188097361
Opcode ID: 162360ac477a0676fee82137a553ef7e48d57f50bbd1000f0f5f293ff195958c
Instruction ID: efb7fbc6f64fd3ef28d07b4d16de020ec004d899fb1fb0262e222ca0c2b9a30f
Opcode Fuzzy Hash: 162360ac477a0676fee82137a553ef7e48d57f50bbd1000f0f5f293ff195958c
Instruction Fuzzy Hash: A8012D61B08A56C1FA209F22BC205766751AB99BE4F884136DD4E47754EE3CE589C700

Function 00007FFD6D9DE690 Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DE721
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DE735
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DE749
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DE75D
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DE76E
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DE77C
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DE78A
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FFD6D9DE798

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: DeleteStringWindows
String ID:
API String ID: 3152741638-0
Opcode ID: 220ed1f342998a80439a4c618c8cb02c5339f846fd9f4f2c159e7e9e8fb559cd
Instruction ID: 13a5fae88ec17207b92c5faab15f649209939dc12c1f87191095636c5b735919
Opcode Fuzzy Hash: 220ed1f342998a80439a4c618c8cb02c5339f846fd9f4f2c159e7e9e8fb559cd
Instruction Fuzzy Hash: B131C636B18E52C5EB50AF31E8642692365FB95F89F484036DE4E4BBA9DF3CD415C300

Function 00007FFD6D9FB564 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFD6D9FB5C1

Part of subcall function 00007FFD6D9FD8C8: __GetUnwindTryBlock.LIBCMT ref: 00007FFD6D9FD90B
Part of subcall function 00007FFD6D9FD8C8: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFD6D9FD930

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFD6D9FB699
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFD6D9FB8E7

Strings

csm, xrefs: 00007FFD6D9FB6BC
csm, xrefs: 00007FFD6D9FB5DB
csm, xrefs: 00007FFD6D9FB642

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchState
String ID: csm$csm$csm
API String ID: 1826822863-393685449
Opcode ID: e2a4c342c4d421d5c73be41df65f2b5ec1998bf278118c1d66828454b570aa30
Instruction ID: 3db765414d82c8feaf18ed575c1c2ab797aa5ccc7dbca0cb2976c85506938de9
Opcode Fuzzy Hash: e2a4c342c4d421d5c73be41df65f2b5ec1998bf278118c1d66828454b570aa30
Instruction Fuzzy Hash: 45D14E62B08B41C6EB209F65E4A03AD77B0FB9579CF144136EA8D57B96EF38E191C700

Function 00007FFD6DA10DC8 Relevance: 10.8, APIs: 7, Instructions: 290COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA111F5

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b52de193dcd97822f851048e7139e83e243a94adfbbac5a678cd008b0d4c604a
Instruction ID: c8ab695d51b5c7edad1ab54310717a8831b892649a71111a59ee75e4db6d6402
Opcode Fuzzy Hash: b52de193dcd97822f851048e7139e83e243a94adfbbac5a678cd008b0d4c604a
Instruction Fuzzy Hash: 55C1D122B0CE87D1EA609B25A8202BE7B95EBB0B84F550135DA4D077D2FE7CE859C341

Function 00007FFD6D9DAA90 Relevance: 10.7, APIs: 7, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD6D9DAB6D
GetProcessHeap.KERNEL32 ref: 00007FFD6D9DABE6
HeapFree.KERNEL32 ref: 00007FFD6D9DABF3
GetProcessHeap.KERNEL32 ref: 00007FFD6D9DAC21
HeapFree.KERNEL32 ref: 00007FFD6D9DAC30
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9DACA6

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Heap$Process$Free$_invalid_parameter_noinfo
String ID:
API String ID: 1838106010-0
Opcode ID: ffbf21c3c1c78b9a5056675af18fac93b281483319eb5a5325da7da4157d5a13
Instruction ID: db41dac5b63367278c4e490626c9026e7875fe99f9f3ff4971bfcbd07c4511b9
Opcode Fuzzy Hash: ffbf21c3c1c78b9a5056675af18fac93b281483319eb5a5325da7da4157d5a13
Instruction Fuzzy Hash: 0881AC32B0DF02C6EA549F25F46067973A2EFA4B90F594136DA4C477A5EF3CE8568700

Function 00007FFD6D9DAF20 Relevance: 10.7, APIs: 7, Instructions: 178memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32(?,?,?,?,?,00000000,?,00007FFD6D9DB8AB), ref: 00007FFD6D9DAF6C
SysFreeString.OLEAUT32 ref: 00007FFD6D9DAFF7
SysStringLen.OLEAUT32 ref: 00007FFD6D9DB071
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9DB0E4
GetProcessHeap.KERNEL32(?,?,?,?,?,00000000,?,00007FFD6D9DB8AB), ref: 00007FFD6D9DB10B
HeapFree.KERNEL32(?,?,?,?,?,00000000,?,00007FFD6D9DB8AB), ref: 00007FFD6D9DB118
SysFreeString.OLEAUT32 ref: 00007FFD6D9DB126

Part of subcall function 00007FFD6D9DA7B0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000000,00007FFD6D9DB0AF,?,?,?,?,?,00000000,?,00007FFD6D9DB8AB), ref: 00007FFD6D9DA7D3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeHeapString$Process$ErrorInfo_invalid_parameter_noinfo
String ID:
API String ID: 3392872171-0
Opcode ID: 5b259aadf21749ff7b54a7856b8fa865fa8408316d9d4e4e40c68ef755b10296
Instruction ID: 8bf08ca6ae4b8d0d3d014b340666ac31babb584e10e5f6f9dfaf4f7b182d861b
Opcode Fuzzy Hash: 5b259aadf21749ff7b54a7856b8fa865fa8408316d9d4e4e40c68ef755b10296
Instruction Fuzzy Hash: 37614762B09E02C5EF149F66E8611BD27B0BF54B98F488836DE1D57799EE3CE44A8340

Function 00007FFD6D9FDE1C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FFD6D9FE023,?,?,?,00007FFD6D9FAB36,?,?,?,00007FFD6D9FAAF1), ref: 00007FFD6D9FDEA1
GetLastError.KERNEL32(?,?,00000000,00007FFD6D9FE023,?,?,?,00007FFD6D9FAB36,?,?,?,00007FFD6D9FAAF1), ref: 00007FFD6D9FDEAF
LoadLibraryExW.KERNEL32(?,?,00000000,00007FFD6D9FE023,?,?,?,00007FFD6D9FAB36,?,?,?,00007FFD6D9FAAF1), ref: 00007FFD6D9FDED9
FreeLibrary.KERNEL32(?,?,00000000,00007FFD6D9FE023,?,?,?,00007FFD6D9FAB36,?,?,?,00007FFD6D9FAAF1), ref: 00007FFD6D9FDF47
GetProcAddress.KERNEL32(?,?,00000000,00007FFD6D9FE023,?,?,?,00007FFD6D9FAB36,?,?,?,00007FFD6D9FAAF1), ref: 00007FFD6D9FDF53

Strings

api-ms-, xrefs: 00007FFD6D9FDEC1

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 395a31ccfc8d9580cbc22548a9da8417bb1a8a367a659b40465e7ae359179efb
Instruction ID: 9f4902dd556b479ffd93c4181a73d792fde94af51721894285c5ecd2a0b1ea1a
Opcode Fuzzy Hash: 395a31ccfc8d9580cbc22548a9da8417bb1a8a367a659b40465e7ae359179efb
Instruction Fuzzy Hash: A9318B21B2AE42D1EE229B02B8205792294FF99BA0F594636DD6D0B794FF3CE451C350

Function 00007FFD6D9D29B0 Relevance: 10.6, APIs: 7, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD6D9D29EC
HeapFree.KERNEL32 ref: 00007FFD6D9D29FA
GetProcessHeap.KERNEL32 ref: 00007FFD6D9D2A1B
HeapAlloc.KERNEL32 ref: 00007FFD6D9D2A2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9D2A57
GetProcessHeap.KERNEL32 ref: 00007FFD6D9D2A82
HeapFree.KERNEL32 ref: 00007FFD6D9D2A90

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Heap$Process$Free$Alloc_invalid_parameter_noinfo
String ID:
API String ID: 823393853-0
Opcode ID: 3a0ac66b48d763161c945fc8f967d90a6f21e7856d1ded11d3105ed477521b75
Instruction ID: a8205fa3c2cc02b81aced6062461d1892d20867f938f8b0bc9460d0bcf40a66a
Opcode Fuzzy Hash: 3a0ac66b48d763161c945fc8f967d90a6f21e7856d1ded11d3105ed477521b75
Instruction Fuzzy Hash: 1D316632B09F42C6EA248F62AA6036973A0FF95B90F088532DA6D47795EF3CE4158740

Function 00007FFD6D9B2E80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62timeCOMMON

Download Yara Rule

APIs

GetPropW.USER32 ref: 00007FFD6D9B2ED1
GetPropW.USER32 ref: 00007FFD6D9B2EE6
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD6D9B2F1B
#334.COMCTL32 ref: 00007FFD6D9B2F43

Strings

Microsoft.Windows.ShellManagedWindowAsNormalWindow, xrefs: 00007FFD6D9B2EC7
valinet.ExplorerPatcher.ShellManagedWindow, xrefs: 00007FFD6D9B2EDC

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: PropTime$#334FileSystem
String ID: Microsoft.Windows.ShellManagedWindowAsNormalWindow$valinet.ExplorerPatcher.ShellManagedWindow
API String ID: 1774183415-1567022081
Opcode ID: 682a32bd1a4ffcdedc7673070bddc3ff769cef1f179f5946235f418a49c7597a
Instruction ID: a88aa2f3a90a320382c97481712bb044c6eac569d37405883e9322a94339b996
Opcode Fuzzy Hash: 682a32bd1a4ffcdedc7673070bddc3ff769cef1f179f5946235f418a49c7597a
Instruction Fuzzy Hash: E0213A21B0DF42C2EB649B22B86027A23A1FF99B80F095439DA1E47794FF3CE4558310

Function 00007FFD6D9E7C60 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

SetWindowLongPtrW.USER32 ref: 00007FFD6D9E7CB5
DefWindowProcW.USER32 ref: 00007FFD6D9E7CC6

Part of subcall function 00007FFD6D9BC200: GetCursorPos.USER32 ref: 00007FFD6D9BC25F
Part of subcall function 00007FFD6D9BC200: GetForegroundWindow.USER32 ref: 00007FFD6D9BC265
Part of subcall function 00007FFD6D9BC200: SetForegroundWindow.USER32 ref: 00007FFD6D9BC273
Part of subcall function 00007FFD6D9BC200: CreatePopupMenu.USER32 ref: 00007FFD6D9BC279
Part of subcall function 00007FFD6D9BC200: PathUnquoteSpacesW.SHLWAPI ref: 00007FFD6D9BC2BC
Part of subcall function 00007FFD6D9BC200: PathRemoveExtensionW.SHLWAPI ref: 00007FFD6D9BC2C6
Part of subcall function 00007FFD6D9BC200: PathStripPathW.SHLWAPI ref: 00007FFD6D9BC2D0
Part of subcall function 00007FFD6D9BC200: wsprintfW.USER32 ref: 00007FFD6D9BC2E8
Part of subcall function 00007FFD6D9BC200: InsertMenuW.USER32 ref: 00007FFD6D9BC30B
Part of subcall function 00007FFD6D9BC200: InsertMenuW.USER32 ref: 00007FFD6D9BC32E
Part of subcall function 00007FFD6D9BC200: TrackPopupMenu.USER32 ref: 00007FFD6D9BC388
Part of subcall function 00007FFD6D9BC200: SetForegroundWindow.USER32 ref: 00007FFD6D9BC3A8

DefWindowProcW.USER32 ref: 00007FFD6D9E7CDF

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$MenuPath$Foreground$InsertPopupProc$CreateCursorExtensionLongRemoveSpacesStripTrackUnquotewsprintf
String ID:
API String ID: 1129523998-0
Opcode ID: 5536128b1daad23b82ad7d33954240776bfc4c408024a79fe10b42f1552ac7ac
Instruction ID: eb1c54f33c481254056ef80630a6141d8fedc365a1af054eec6441eee2bb2384
Opcode Fuzzy Hash: 5536128b1daad23b82ad7d33954240776bfc4c408024a79fe10b42f1552ac7ac
Instruction Fuzzy Hash: B731C321F09F66C5FA208B56B8206796394BF95FD0F184536DE4E13BA5EE3CE642C300

Function 00007FFD6D9BB020 Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FFD6D9BB042
DeleteObject.GDI32 ref: 00007FFD6D9BB04F
DwmUnregisterThumbnail.DWMAPI ref: 00007FFD6D9BB089
DestroyIcon.USER32 ref: 00007FFD6D9BB0BD
#329.COMCTL32 ref: 00007FFD6D9BB0CF
CoTaskMemFree.OLE32 ref: 00007FFD6D9BB0E1

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: DeleteObject$#329DestroyFreeIconTaskThumbnailUnregister
String ID:
API String ID: 3142863258-0
Opcode ID: e6018795a24b9db1a800e38da2b6e0ff680ac7719e53eb0589287f1e19d59398
Instruction ID: 1023c5394942d0becea03ce2443a4c3b27b6053d89389495041c5ffd6ae6cf1d
Opcode Fuzzy Hash: e6018795a24b9db1a800e38da2b6e0ff680ac7719e53eb0589287f1e19d59398
Instruction Fuzzy Hash: 34311621B1EE42C1EE549F62F4A467A2370FF94B88F094436DA5E03694EF3CE4918320

Function 00007FFD6D9C59C0 Relevance: 9.1, APIs: 6, Instructions: 58windowCOMMON

Download Yara Rule

APIs

TryEnterCriticalSection.KERNEL32 ref: 00007FFD6D9C59D7
IsWindowVisible.USER32 ref: 00007FFD6D9C5A1D
GetForegroundWindow.USER32 ref: 00007FFD6D9C5A27
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C5A73

Part of subcall function 00007FFD6D9C4090: GetWindowRect.USER32 ref: 00007FFD6D9C40CC
Part of subcall function 00007FFD6D9C4090: GetWindowRect.USER32 ref: 00007FFD6D9C40E5
Part of subcall function 00007FFD6D9C4090: MonitorFromPoint.USER32 ref: 00007FFD6D9C413E
Part of subcall function 00007FFD6D9C4090: GetMonitorInfoW.USER32 ref: 00007FFD6D9C415B
Part of subcall function 00007FFD6D9C4090: SetWindowPos.USER32 ref: 00007FFD6D9C4240

SwitchToThisWindow.USER32 ref: 00007FFD6D9C5A66
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C5A8D

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$CriticalSection$LeaveMonitorRect$EnterForegroundFromInfoPointSwitchThisVisible
String ID:
API String ID: 16346285-0
Opcode ID: beaf14696a95606fc22185abad0cff0595deedd78670263d3d7f3d916f67bdac
Instruction ID: e52e1f366433abd74f45f4a5a91972ea6dc9701abb25cb195103992fccf20143
Opcode Fuzzy Hash: beaf14696a95606fc22185abad0cff0595deedd78670263d3d7f3d916f67bdac
Instruction Fuzzy Hash: 4321ECA1B1DE02D1EE449B66F9B01782360AFA4F81F481432CD1E8B3A1FF6CE594C710

Function 00007FFD6D9B7A80 Relevance: 9.1, APIs: 6, Instructions: 52threadtimewindowCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32 ref: 00007FFD6D9B7A91
IsHungAppWindow.USER32 ref: 00007FFD6D9B7A9A
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD6D9B7AC0
#339.COMCTL32 ref: 00007FFD6D9B7AF3
EndTask.USER32 ref: 00007FFD6D9B7B06
PostMessageW.USER32 ref: 00007FFD6D9B7B27

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Time$#339DesktopFileHungMessagePostSystemTaskThreadWindow
String ID:
API String ID: 68357764-0
Opcode ID: 74732654a46c6b59671d7c8f09a52709d2d9a909a4e8639682ebaddd6807aab8
Instruction ID: 4e78bbb50d48b9eae52e1921e3b5f4106ddc8291c36a6ff19546e1b5a3e12526
Opcode Fuzzy Hash: 74732654a46c6b59671d7c8f09a52709d2d9a909a4e8639682ebaddd6807aab8
Instruction Fuzzy Hash: F6111722B18E52C2EB509B35F96427A37A0FBD8B94B154532DA1E87BA4EF3CD455CB00

Function 00007FFD6D9CA980 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 31stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32 ref: 00007FFD6D9CA9AA
lstrcmpW.KERNEL32 ref: 00007FFD6D9CA9C7

Strings

MMStuckRects3, xrefs: 00007FFD6D9CA99D
MMStuckRectsLegacy, xrefs: 00007FFD6D9CA9B4
StuckRectsLegacy, xrefs: 00007FFD6D9CA9CF
StuckRects3, xrefs: 00007FFD6D9CA9BD

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: lstrcmp
String ID: MMStuckRects3$MMStuckRectsLegacy$StuckRects3$StuckRectsLegacy
API String ID: 1534048567-4175609545
Opcode ID: 9fb8edcb90e2730a04ffb7ad82442e983a88d147ab9faa8d48eec604537e2f27
Instruction ID: 1bfd4bcc805033af313eae5f46a14c47744079c2dc3e073bcf3c6997691083ae
Opcode Fuzzy Hash: 9fb8edcb90e2730a04ffb7ad82442e983a88d147ab9faa8d48eec604537e2f27
Instruction Fuzzy Hash: 58F01D61B1CE81D1EA00CF16FC604A5A365BBA4FD0F484432DE4D47B68EFACD550C740

Function 00007FFD6D9CA900 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 31stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32 ref: 00007FFD6D9CA92A
lstrcmpW.KERNEL32 ref: 00007FFD6D9CA947

Strings

MMStuckRects3, xrefs: 00007FFD6D9CA91D
MMStuckRectsLegacy, xrefs: 00007FFD6D9CA934
StuckRectsLegacy, xrefs: 00007FFD6D9CA94F
StuckRects3, xrefs: 00007FFD6D9CA93D

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: lstrcmp
String ID: MMStuckRects3$MMStuckRectsLegacy$StuckRects3$StuckRectsLegacy
API String ID: 1534048567-4175609545
Opcode ID: 4ab586abd352989450cda7c71142aadd67c1c274c1d4c7e8076eacca5eae3e9a
Instruction ID: 9630a4d72b7aa2a71b07bd633a3b1795df5649041593b393edc436585b220d6d
Opcode Fuzzy Hash: 4ab586abd352989450cda7c71142aadd67c1c274c1d4c7e8076eacca5eae3e9a
Instruction Fuzzy Hash: 56F01D71B0CF42D1EA00CB16BC604657765ABA4FD0F484532DE4D87B28EF6CE144C740

Function 00007FFD6D9BC8E0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FFD6D9BC921
SymGetLineFromAddr64.DBGHELP ref: 00007FFD6D9BCA24

Strings

(, xrefs: 00007FFD6D9BCA17
Memory pool exhausted., xrefs: 00007FFD6D9BC97C
Allocation too large!, xrefs: 00007FFD6D9BC958

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Addr64AllocFromLineVirtual
String ID: ($Allocation too large!$Memory pool exhausted.
API String ID: 3708110707-2461089917
Opcode ID: 13ac20d9234b61871ece71be233b3b372da1651ef9c7f27287658315a9182a81
Instruction ID: e5606371237e300646e325bff5258da4cecd8b50bd3456f4a7d935e666aa64d0
Opcode Fuzzy Hash: 13ac20d9234b61871ece71be233b3b372da1651ef9c7f27287658315a9182a81
Instruction Fuzzy Hash: BA516C72B08E82C6EB04DB25F46027A33A1FB98B94F148236DA5D4779AEF3CE455C750

Function 00007FFD6D9BED40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9BEDF2
EnumDisplayMonitors.USER32 ref: 00007FFD6D9BEEA2
RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FFD6D9BEEB2

Strings

TaskbarAl, xrefs: 00007FFD6D9BED9E
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 00007FFD6D9BEDB5

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: DisplayEnumInitializeMonitorsUninitialize
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl
API String ID: 3377822461-945323219
Opcode ID: 478e00b8775ee4d72d0e0fe872277ce1c2615b7ab29c70126ad11a32c3cf8a0d
Instruction ID: b63f4ccc27f4874311ef43600cec942decc5092c712ed45031b3f8fa05d1ac4f
Opcode Fuzzy Hash: 478e00b8775ee4d72d0e0fe872277ce1c2615b7ab29c70126ad11a32c3cf8a0d
Instruction Fuzzy Hash: AA414C32B0CA42C6E750CF64B9A426AB7A4FB94750F45053AEA8D87A94EF7CE444CB40

Function 00007FFD6D9BF920 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72registrywindowCOMMON

Download Yara Rule

APIs

#412.COMCTL32 ref: 00007FFD6D9BF956
#413.COMCTL32 ref: 00007FFD6D9BF98F
GetClassWord.USER32 ref: 00007FFD6D9BF9C9
RegisterWindowMessageW.USER32 ref: 00007FFD6D9BF9D9

Strings

PeopleBand, xrefs: 00007FFD6D9BF9CF

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: #412#413ClassMessageRegisterWindowWord
String ID: PeopleBand
API String ID: 1253488571-1317317948
Opcode ID: d4a5d9a656dc0dfb6cb376e03d94b7ddcd87e15661ce4c57f4fcdbdbc7b92b7f
Instruction ID: 6f1730fe0573259d3450c31fe5a0a5ffd223005d329412d8391a71a2352e9073
Opcode Fuzzy Hash: d4a5d9a656dc0dfb6cb376e03d94b7ddcd87e15661ce4c57f4fcdbdbc7b92b7f
Instruction Fuzzy Hash: CC31A235F08E52E6EA54CF19B56027AA3A0FF98798F050032DA5E53A94EF3DE851C750

Function 00007FFD6D9C0DB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00007FFD6D9C0DE7
GetMenuItemInfoW.USER32 ref: 00007FFD6D9C0E20
SetMenuItemInfoW.USER32 ref: 00007FFD6D9C0E4C

Strings

[ROD]: Level %d Position %d/%d Status %d, xrefs: 00007FFD6D9C0E55
P, xrefs: 00007FFD6D9C0E05

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ItemMenu$Info$Count
String ID: P$[ROD]: Level %d Position %d/%d Status %d
API String ID: 4286743509-735391699
Opcode ID: 6451132ca86e06dc631eb131f6f5d0e61dcf05cd418e0a723914f833352977ac
Instruction ID: 4d42be32c32cee584c434e63c6941714be965336ab9f8b31fb555f466370e4f1
Opcode Fuzzy Hash: 6451132ca86e06dc631eb131f6f5d0e61dcf05cd418e0a723914f833352977ac
Instruction Fuzzy Hash: 1E216D71B1CA41C6EB508F26F8A476A76A1FB89BC4F405035EA4E87B45EF3DD4498B40

Function 00007FFD6D9E8AC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47registrystringCOMMON

Download Yara Rule

APIs

RegGetValueW.ADVAPI32 ref: 00007FFD6D9E8AF3
lstrcmpW.KERNEL32 ref: 00007FFD6D9E8B05
SetEvent.KERNEL32 ref: 00007FFD6D9E8B36
CloseHandle.KERNEL32 ref: 00007FFD6D9E8B43

Strings

AltTabSettings, xrefs: 00007FFD6D9E8AF9

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CloseEventHandleValuelstrcmp
String ID: AltTabSettings
API String ID: 3692967019-1137623902
Opcode ID: 361467e69324b3a07a93a0faa6710845adbf392744fb75028bc0b832c83d2175
Instruction ID: 817f3f41ab0b1aca42c643ed3e7e088d670378815546ddd55c70d735b714276b
Opcode Fuzzy Hash: 361467e69324b3a07a93a0faa6710845adbf392744fb75028bc0b832c83d2175
Instruction Fuzzy Hash: 30113772B0CF42C6EB548B51F960229A3A0FF98B94F084135DA9D47728EF7CE994CB40

Function 00007FFD6D9B29E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B2A05
GetProcAddress.KERNEL32 ref: 00007FFD6D9B2A1A

Strings

ntdll.dll, xrefs: 00007FFD6D9B29FE
RtlGetVersion, xrefs: 00007FFD6D9B2A10
)J, xrefs: 00007FFD6D9B2A38

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: )J$RtlGetVersion$ntdll.dll
API String ID: 1646373207-687753697
Opcode ID: ab253f68af50f51000ef66b8a7b6f8b7ce895d9ba1b84bba73b40d60ce3ca9be
Instruction ID: 3631f62c889f7cfb7a07a6479ddd552b7154239746c8139d6d18dba2ac01553e
Opcode Fuzzy Hash: ab253f68af50f51000ef66b8a7b6f8b7ce895d9ba1b84bba73b40d60ce3ca9be
Instruction Fuzzy Hash: B6112A21B1CA42D5FE329B11F8343BA2291EF98B44F090136C95D46399FF3CE5458621

Function 00007FFD6DA08778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFD6DA0879D
GetProcAddress.KERNEL32 ref: 00007FFD6DA087B3
FreeLibrary.KERNEL32 ref: 00007FFD6DA087DA

Strings

CorExitProcess, xrefs: 00007FFD6DA087AC
mscoree.dll, xrefs: 00007FFD6DA08794

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cab22331426e636fbbe918391b0261f4ead487ada66e5c9c54806ba359c7b5ed
Instruction ID: 26739aab142f744519d4c02af26640342cab59ce9d731078084bbeb4043f76b2
Opcode Fuzzy Hash: cab22331426e636fbbe918391b0261f4ead487ada66e5c9c54806ba359c7b5ed
Instruction Fuzzy Hash: B5F06D61B1DF06C1EE109B24F86533A6370EFAA765F540739CAAE466E8EF2CD045C700

Function 00007FFD6D9FAE34 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FFD6D9FAF57
__AdjustPointer.LIBCMT ref: 00007FFD6D9FAFA2

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: dbfc47f3c3864c2e196648dc36e94fb640cbc95c6c031ea35a22b63f29b1c6fd
Instruction ID: dbbd7c00258bec293f2a08fd71757951289c9d14bef474935111a4e13debbc39
Opcode Fuzzy Hash: dbfc47f3c3864c2e196648dc36e94fb640cbc95c6c031ea35a22b63f29b1c6fd
Instruction Fuzzy Hash: 4AB18162B0EF42C1EA659F15B5A0A7D63A0EF54BC8F098537DA5D4B799FE3CE4818300

Function 00007FFD6D9E07E0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9DC0B0: GetProcessHeap.KERNEL32 ref: 00007FFD6D9DC0C4
Part of subcall function 00007FFD6D9DC0B0: HeapAlloc.KERNEL32 ref: 00007FFD6D9DC0D5
Part of subcall function 00007FFD6D9DC0B0: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9DC0F9
Part of subcall function 00007FFD6D9DC0B0: GetProcAddress.KERNEL32 ref: 00007FFD6D9DC10E

CloseHandle.KERNEL32 ref: 00007FFD6D9E0926
CloseHandle.KERNEL32 ref: 00007FFD6D9E093D
GetProcessHeap.KERNEL32 ref: 00007FFD6D9E0951
HeapFree.KERNEL32 ref: 00007FFD6D9E095F

Part of subcall function 00007FFD6D9DC430: ReleaseMutex.KERNEL32 ref: 00007FFD6D9DC45C

Part of subcall function 00007FFD6D9DC430: CreateSemaphoreExW.KERNEL32 ref: 00007FFD6D9DC5C0

Strings

wil, xrefs: 00007FFD6D9E0839, 00007FFD6D9E0884

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Heap$Handle$CloseProcess$AddressAllocCreateFreeModuleMutexProcReleaseSemaphore
String ID: wil
API String ID: 3215620834-1589926490
Opcode ID: a29d3fe7bb71c2c65fe5e28e0561425ce3c6b24ace175b7d8d8cc9ed5e2b8374
Instruction ID: ec57506e777994b3f0c3bfc7578e90b2d3634272a23a3e9ffa78f87fee07a429
Opcode Fuzzy Hash: a29d3fe7bb71c2c65fe5e28e0561425ce3c6b24ace175b7d8d8cc9ed5e2b8374
Instruction Fuzzy Hash: A5514322B18F81C6E7608F22E95127A67A0FB98794F055236EE8D47B55FF3CE5A48700

Function 00007FFD6D9B2D20 Relevance: 7.6, APIs: 5, Instructions: 73windowtimeCOMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 00007FFD6D9B2D39
SendMessageTimeoutW.USER32 ref: 00007FFD6D9B2D98
SendMessageTimeoutW.USER32 ref: 00007FFD6D9B2DD7
SendMessageTimeoutW.USER32 ref: 00007FFD6D9B2E09
SendMessageTimeoutW.USER32 ref: 00007FFD6D9B2E33

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: MessageSendTimeout$ShellWindow
String ID:
API String ID: 1795729329-0
Opcode ID: 8cb80d24ea8f3896bc2fb9eb5dbe75fbf6513dd04a35cf45ae4084f419bbd67d
Instruction ID: 6f7d36b6a3a76a0484738462d233053ef06d09ad3b83b13db9377231f3dd3f30
Opcode Fuzzy Hash: 8cb80d24ea8f3896bc2fb9eb5dbe75fbf6513dd04a35cf45ae4084f419bbd67d
Instruction Fuzzy Hash: 1D312832618B8183E7608B15F85061EB6A5FB89BB4F541336E6BD46AE8DF7CD5418B00

Function 00007FFD6D9C47E0 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

TryEnterCriticalSection.KERNEL32 ref: 00007FFD6D9C4806
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C486A
MulDiv.KERNEL32 ref: 00007FFD6D9C48A5
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C48B8
LeaveCriticalSection.KERNEL32 ref: 00007FFD6D9C48DB

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: d3125fde60b9e8771b2d5ec27363712c6d896e149078600850c9f6d35f10f85b
Instruction ID: fec2a82c8df590d39e0dcab94c14a4ef5a944e8624741edf6b5050d4d6dbd724
Opcode Fuzzy Hash: d3125fde60b9e8771b2d5ec27363712c6d896e149078600850c9f6d35f10f85b
Instruction Fuzzy Hash: 0A316F65F1CE52C2FB608B15B9A427563A1EBA8B50F04003ADA4E477A4FF7CF984CB40

Function 00007FFD6D9D39E0 Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD6D9D3A25
HeapFree.KERNEL32 ref: 00007FFD6D9D3A33
GetProcessHeap.KERNEL32 ref: 00007FFD6D9D3A63
HeapFree.KERNEL32 ref: 00007FFD6D9D3A71
__std_exception_destroy.LIBVCRUNTIME ref: 00007FFD6D9D3A93

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Heap$FreeProcess$__std_exception_destroy
String ID:
API String ID: 107506009-0
Opcode ID: 39a43892ce0a82a51cb2549d34675976e607dbb987d2fb642ed0502e631ff034
Instruction ID: 8b038e6b2af81ed2a7592285eec0e8829d687ac6a053022577a92793879c837e
Opcode Fuzzy Hash: 39a43892ce0a82a51cb2549d34675976e607dbb987d2fb642ed0502e631ff034
Instruction Fuzzy Hash: 29216D32B09F91C2EA489B66F990369B361FB85B90F184135DB6D13B61EF3CE466C300

Function 00007FFD6DA196D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFD6DA19700
_set_statfp.LIBCMT ref: 00007FFD6DA1971B
_set_statfp.LIBCMT ref: 00007FFD6DA19737
_set_statfp.LIBCMT ref: 00007FFD6DA19773

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: eadc0d291c5273aee62fee762b2c8752fd44abce979ab78f1edd623807b5e355
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 7D111C36F5CE0781FA681928FF7A37921447F79364F184734EA7E466DAAF2CA941C204

Function 00007FFD6D9D1FD0 Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9D1F40: FindWindowExW.USER32 ref: 00007FFD6D9D1F59
Part of subcall function 00007FFD6D9D1F40: FindWindowExW.USER32 ref: 00007FFD6D9D1F77
Part of subcall function 00007FFD6D9D1F40: FindWindowExW.USER32 ref: 00007FFD6D9D1FAD

GetParent.USER32 ref: 00007FFD6D9D1FEA
SendMessageW.USER32 ref: 00007FFD6D9D2009
SendMessageW.USER32 ref: 00007FFD6D9D2021
SendMessageW.USER32 ref: 00007FFD6D9D2038
SendMessageW.USER32 ref: 00007FFD6D9D2053

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: MessageSend$FindWindow$Parent
String ID:
API String ID: 2087735068-0
Opcode ID: f9ebecd665a18c49aa767cb12b92951465b36a616f935c5b42ecfedfb94529a4
Instruction ID: 74943732b4c4e0c027bb04f1c6feb0635bb171bb127182eb2091e0e86a6c11eb
Opcode Fuzzy Hash: f9ebecd665a18c49aa767cb12b92951465b36a616f935c5b42ecfedfb94529a4
Instruction Fuzzy Hash: 0F014CA0B0DE42C2FF648B66BC60B621650AFD9B89F081435CE4D0BF95EE3EE1498704

Function 00007FFD6D9B3950 Relevance: 7.5, APIs: 5, Instructions: 42timesynchronizationCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 00007FFD6D9B3976
SetWaitableTimer.KERNEL32 ref: 00007FFD6D9B39A5
CloseHandle.KERNEL32 ref: 00007FFD6D9B39B2
WaitForSingleObject.KERNEL32 ref: 00007FFD6D9B39C1
CloseHandle.KERNEL32 ref: 00007FFD6D9B39CA

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CloseHandleTimerWaitable$CreateObjectSingleWait
String ID:
API String ID: 2007961542-0
Opcode ID: 19e249f91e8205a81f9ca46890e77b60959b33bb9a24ccc6b0cae427d30687bd
Instruction ID: f1b029ee6c167d934aef59c926814d2f7926a283eedafc4756b2cb5563f897ff
Opcode Fuzzy Hash: 19e249f91e8205a81f9ca46890e77b60959b33bb9a24ccc6b0cae427d30687bd
Instruction Fuzzy Hash: 00012D22B2CF92C3EB508B65B82152A7390EF987D4F542136E99E46B94FE3CD0458A10

Function 00007FFD6D9B1582 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

One or more of the parameters supplied is invalid, xrefs: 00007FFD6D9B1582
Here is the stack trace:, xrefs: 00007FFD6D9B1611
Description: %s, xrefs: 00007FFD6D9B15EA
====================================, xrefs: 00007FFD6D9B1622

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$Description: %s$Here is the stack trace:$One or more of the parameters supplied is invalid
API String ID: 2826327444-753373920
Opcode ID: 57d92739c943383f487e8aad127fe836a316f76a8aee9071388e787f9f5ccaec
Instruction ID: 82350083115a74756ebcf93a932ff90d67c25a8ed98d80ffe776b9138ed5ade1
Opcode Fuzzy Hash: 57d92739c943383f487e8aad127fe836a316f76a8aee9071388e787f9f5ccaec
Instruction Fuzzy Hash: 5A011D21F4CD42C6FE04EB15F8710BA6361AF96780F490032E90E57296FF2CE9508310

Function 00007FFD6D9B1592 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

Here is the stack trace:, xrefs: 00007FFD6D9B1611
Description: %s, xrefs: 00007FFD6D9B15EA
THIS IS NOT A BUG, A DELIBERATE STACK TRACE REQUEST HAS BEEN MADE, xrefs: 00007FFD6D9B1592
====================================, xrefs: 00007FFD6D9B1622

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$Description: %s$Here is the stack trace:$THIS IS NOT A BUG, A DELIBERATE STACK TRACE REQUEST HAS BEEN MADE
API String ID: 2826327444-1300954401
Opcode ID: 094fdff2345a0c94fabe491c30469eadf7f62fa1b520f33c43d2eec3d4b9a49f
Instruction ID: 39e55198bd0e92c524237632562aced0c93ab5265588a2b4684445c2419b870f
Opcode Fuzzy Hash: 094fdff2345a0c94fabe491c30469eadf7f62fa1b520f33c43d2eec3d4b9a49f
Instruction Fuzzy Hash: AE011D21F4CD43C6FE04EB15F8710BA6261AF96780F490432E90E57296FF2CE9508310

Function 00007FFD6D9B1567 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

Here is the stack trace:, xrefs: 00007FFD6D9B1611
The requested library is not available, xrefs: 00007FFD6D9B1567
Description: %s, xrefs: 00007FFD6D9B15EA
====================================, xrefs: 00007FFD6D9B1622

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$Description: %s$Here is the stack trace:$The requested library is not available
API String ID: 2826327444-2487367941
Opcode ID: b8279ea2e1ecaa382c76e5dd2a8dd76fd49d7a807dd7b784d35500ad861355f6
Instruction ID: 462327ef7a12d50928523146aa887186754b07cfef9301bb8d1526031c22b70e
Opcode Fuzzy Hash: b8279ea2e1ecaa382c76e5dd2a8dd76fd49d7a807dd7b784d35500ad861355f6
Instruction Fuzzy Hash: F5011D21F4CD42C6FE04EB15F8710BA6261AF96780F490032E90E57296FF2CE9508310

Function 00007FFD6D9B155E Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

Here is the stack trace:, xrefs: 00007FFD6D9B1611
Description: %s, xrefs: 00007FFD6D9B15EA
====================================, xrefs: 00007FFD6D9B1622
Functionality is not initialized, xrefs: 00007FFD6D9B155E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$Description: %s$Functionality is not initialized$Here is the stack trace:
API String ID: 2826327444-176991105
Opcode ID: 9d2f6f6e5c4b935e0afa657d3989a29f14cc898d3c40961d0e06287540375967
Instruction ID: 0614ad7c5b9cb1e4eb7f2a28b73b2cb28a94fa509e141e38221cd8e6af3f91f6
Opcode Fuzzy Hash: 9d2f6f6e5c4b935e0afa657d3989a29f14cc898d3c40961d0e06287540375967
Instruction Fuzzy Hash: 23011D21F4CD43C6FE04EB15F8710BA6261AF96780F490032E90E57296FF2CE9508310

Function 00007FFD6D9B1579 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

Here is the stack trace:, xrefs: 00007FFD6D9B1611
Unable to set the requested DPI awareness context, xrefs: 00007FFD6D9B1579
Description: %s, xrefs: 00007FFD6D9B15EA
====================================, xrefs: 00007FFD6D9B1622

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$Description: %s$Here is the stack trace:$Unable to set the requested DPI awareness context
API String ID: 2826327444-4207243742
Opcode ID: 1c759120464eae8a3dfd40e143e61aee020819421ebba5d5df205c6f478d071d
Instruction ID: 0c7e208cde1b336f43b20af5dd7396f783514c578f08e50f8162a70e732a0604
Opcode Fuzzy Hash: 1c759120464eae8a3dfd40e143e61aee020819421ebba5d5df205c6f478d071d
Instruction Fuzzy Hash: B4011D21F4CD42C6FE04EB15F8710BA6261AF96780F490032E90E5729AFF2CE9508310

Function 00007FFD6D9B1570 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

The requested procedure was not found, xrefs: 00007FFD6D9B1570
Here is the stack trace:, xrefs: 00007FFD6D9B1611
Description: %s, xrefs: 00007FFD6D9B15EA
====================================, xrefs: 00007FFD6D9B1622

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$Description: %s$Here is the stack trace:$The requested procedure was not found
API String ID: 2826327444-1242647813
Opcode ID: ac912d8c425cbd945c5e0694cec1acd767dc1722b92c3396fa499c4eff202359
Instruction ID: 13b024ce7810a1ccabf9698b37bf8caeacb0feee57a2f293a81412bd2d0b69b1
Opcode Fuzzy Hash: ac912d8c425cbd945c5e0694cec1acd767dc1722b92c3396fa499c4eff202359
Instruction Fuzzy Hash: C9011D21F4CD43C6FE04EB15F8710BA6261AF96780F4A0032E90E57296FF2CE9508310

Function 00007FFD6D9B1549 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

Here is the stack trace:, xrefs: 00007FFD6D9B1611
A generic error has occured, xrefs: 00007FFD6D9B1549
Description: %s, xrefs: 00007FFD6D9B15EA
====================================, xrefs: 00007FFD6D9B1622

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$A generic error has occured$Description: %s$Here is the stack trace:
API String ID: 2826327444-2479978688
Opcode ID: ab06ad014e610d05b9484c7bc501dcdc5c098e4437d39cfb0460cc1ef07967f8
Instruction ID: 1e23f5dc80ca245ea99290c131fabf4065b3618b00b0bc2b979ac857c171eb47
Opcode Fuzzy Hash: ab06ad014e610d05b9484c7bc501dcdc5c098e4437d39cfb0460cc1ef07967f8
Instruction Fuzzy Hash: BB011D21F4CD42C6FE04EB15F8710BA6261AF96780F490032E90E57296FF2CE9508310

Function 00007FFD6D9B1555 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

Here is the stack trace:, xrefs: 00007FFD6D9B1611
Description: %s, xrefs: 00007FFD6D9B15EA
====================================, xrefs: 00007FFD6D9B1622
Insufficient memory. Please close some applications and try again, xrefs: 00007FFD6D9B1555

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$Description: %s$Here is the stack trace:$Insufficient memory. Please close some applications and try again
API String ID: 2826327444-3218687599
Opcode ID: a8d89cdaedfc96f800cdde96c88b38e6c6ac512ba1e5b1a7f11915d10778d1ab
Instruction ID: 8d0687085a91060113b62f530dcc790e540ed9f9a8a2570f35952c737c5d42e3
Opcode Fuzzy Hash: a8d89cdaedfc96f800cdde96c88b38e6c6ac512ba1e5b1a7f11915d10778d1ab
Instruction Fuzzy Hash: 9A011D21F4CD42C6FE04EB15F8710BA6261AF96780F490032E90E57296FF2CE9508310

Function 00007FFD6D9FBA34 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 319COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFD6D9FBBD2

Strings

csm, xrefs: 00007FFD6D9FBB19
csm, xrefs: 00007FFD6D9FBBF9
csm, xrefs: 00007FFD6D9FBB7B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Is_bad_exception_allowed
String ID: csm$csm$csm
API String ID: 2758241748-393685449
Opcode ID: 55570b6f889b96ae8e32fc245c04903d539c5b5d8a6a1a9194831d8fabc5b9b3
Instruction ID: c6d079d8ab0b6111975e637a8dcc28eebb5827ea9312f72a0fb601b772fc6b12
Opcode Fuzzy Hash: 55570b6f889b96ae8e32fc245c04903d539c5b5d8a6a1a9194831d8fabc5b9b3
Instruction Fuzzy Hash: A6E1AD73B08B82CAE7209F65E4A12AD37B1FB4575CF144236DA8D57696EF38E485CB00

Function 00007FFD6DA0A664 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0A943

Part of subcall function 00007FFD6DA0BFF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0C00D

Strings

ccs, xrefs: 00007FFD6DA0A87E
UTF-8, xrefs: 00007FFD6DA0A8C2
UTF-16LEUNICODE, xrefs: 00007FFD6DA0A8E1

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 039c3f1fe8e93366c3df745e1d82cca0f290aaad0d53f647cbcc453f401cfce4
Instruction ID: bc52ec71f9aed30dbccafca46f4d2f7fd189e947fe8e6c50cb40c8a9039271b0
Opcode Fuzzy Hash: 039c3f1fe8e93366c3df745e1d82cca0f290aaad0d53f647cbcc453f401cfce4
Instruction Fuzzy Hash: 8C81C172F0CE02C5FB658F25E174A7826A2EB31B8CF558034DA0A57285FB2DE8469741

Function 00007FFD6D9FA6E4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFD6D9FA70F
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFD6D9FA7A6
RtlUnwindEx.KERNEL32 ref: 00007FFD6D9FA800

Strings

csm, xrefs: 00007FFD6D9FA78D

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 6a18b9169671f8b03adf3f6befaec6df78fd3a8f22c2917404d2314da2dd3802
Instruction ID: 4cbddd33b8ab2c0ad81a078d9a38a7957bec23e987333f91ee780108f97cd456
Opcode Fuzzy Hash: 6a18b9169671f8b03adf3f6befaec6df78fd3a8f22c2917404d2314da2dd3802
Instruction Fuzzy Hash: 7E519232B19A02CADB14CF15F464E7877A1EB44B98F158532DA5E47788EFBCE842C700

Function 00007FFD6D9E0EB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFD6D9E0F41
IsDebuggerPresent.KERNEL32 ref: 00007FFD6D9E103F
OutputDebugStringW.KERNEL32 ref: 00007FFD6D9E10CA

Strings

D:\a\ExplorerPatcher\ExplorerPatcher\packages\Microsoft.Windows.ImplementationLibrary.1.0.230824.2\include\wil\resource.h, xrefs: 00007FFD6D9E0F4B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID: D:\a\ExplorerPatcher\ExplorerPatcher\packages\Microsoft.Windows.ImplementationLibrary.1.0.230824.2\include\wil\resource.h
API String ID: 4268342597-2916856121
Opcode ID: bcde0d27a4bf0524c82db8c9b074d4c79e847261e0127de3b34dacdaa07e7b6a
Instruction ID: a841e3a1f506fd885a3f0b5bbc5f9f25ef6edb71885881f641e01127fec6bffb
Opcode Fuzzy Hash: bcde0d27a4bf0524c82db8c9b074d4c79e847261e0127de3b34dacdaa07e7b6a
Instruction Fuzzy Hash: BA614062B1DB82C9EB608F65F4603A967E4FF99744F44413AE98C567A4EF3CE640CB00

Function 00007FFD6D9FBF38 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFD6D9FBF97
_CallSETranslator.LIBVCRUNTIME ref: 00007FFD6D9FBFE3

Strings

RCC, xrefs: 00007FFD6D9FBFB3
MOC, xrefs: 00007FFD6D9FBFAB

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 807a69a1358ba75010b30bf6b7bb50d6dc0fa58478e433c6cdcfe16154d59e82
Instruction ID: 692ab3f54eebb9bdca3858af7919cfe09ebbe205871860863b6a7362e72c8b9e
Opcode Fuzzy Hash: 807a69a1358ba75010b30bf6b7bb50d6dc0fa58478e433c6cdcfe16154d59e82
Instruction Fuzzy Hash: 85615232A08B85C5D7619F15F4907AAB7A0FB85B98F048236EB9C17B95EF7CD194CB00

Function 00007FFD6D9FC728 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFD6D9FC750
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFD6D9FC838

Strings

csm, xrefs: 00007FFD6D9FC772
csm, xrefs: 00007FFD6D9FC88A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 77f46826cfc93509138ec7aa49e68eedde8716a4db2b7bd8a706ca1eb4480f8e
Instruction ID: eefdfb09fba1049f41973a7e18ae3736318923758c459c736954d1946bb7f88f
Opcode Fuzzy Hash: 77f46826cfc93509138ec7aa49e68eedde8716a4db2b7bd8a706ca1eb4480f8e
Instruction Fuzzy Hash: 33518132B08B82CAEB748F25A4A436877A0EB54B94F149137DA9D47BD9DF3CE491C701

Function 00007FFD6D9E8EC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121comCOMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 00007FFD6D9E8EFF
CoCreateInstance.OLE32 ref: 00007FFD6D9E8F2E
GetMonitorInfoW.USER32 ref: 00007FFD6D9E8FAF

Strings

TwinUIPatches.cpp, xrefs: 00007FFD6D9E8FDF

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Monitor$CreateFromInfoInstanceRect
String ID: TwinUIPatches.cpp
API String ID: 3092215291-2263794832
Opcode ID: fd72ad892b60cb4b192143d18d2786066c9edca3094d0eeaf860f3a83c203d3c
Instruction ID: 9115a7b670e04980d980438569bfc0ff7199e829d76ae84f42d843da50ef7e60
Opcode Fuzzy Hash: fd72ad892b60cb4b192143d18d2786066c9edca3094d0eeaf860f3a83c203d3c
Instruction Fuzzy Hash: 0D512D32B09E42DAEB00CF75E4A06AD7371FB94B88B454532DE0D67A24EF38D659C340

Function 00007FFD6D9C9FF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FFD6D9CA093
ShellExecuteExW.SHELL32 ref: 00007FFD6D9CA0DC

Strings

Microsoft.System, xrefs: 00007FFD6D9CA0A6
ms-settings:about, xrefs: 00007FFD6D9CA02B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CreateExecuteInstanceShell
String ID: Microsoft.System$ms-settings:about
API String ID: 2410647072-638507620
Opcode ID: 3e9752d7902744fd2bb80f0ffa230f214af1a2990300676bbc2cc13131fb27fe
Instruction ID: 864fb591b618fbcb6ee79024d3bead1a871c4bc234829ee19aeace5fe1e004ee
Opcode Fuzzy Hash: 3e9752d7902744fd2bb80f0ffa230f214af1a2990300676bbc2cc13131fb27fe
Instruction Fuzzy Hash: 242136A6B18E42C2FB54CB55F46077963A0FFA9B90F885032DA4F06B64EF3DD584D600

Function 00007FFD6D9CAB70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57registrystringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32 ref: 00007FFD6D9CABCF
RegSetValueExW.ADVAPI32 ref: 00007FFD6D9CAC2E

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

Strings

TaskbarDa, xrefs: 00007FFD6D9CABEE, 00007FFD6D9CAC09
ShowCortanaButton, xrefs: 00007FFD6D9CABC5

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$AddressHandleModuleOpenProcQuerylstrcmp
String ID: ShowCortanaButton$TaskbarDa
API String ID: 4138643572-1008683796
Opcode ID: f027ce8b59f22231994bff4a6b4169ecdaa66d1b2a2c873bc886feb9d329e488
Instruction ID: 60918219753135d2b3b9ae16c6a75e2ab1bbdc990aa6d719757da760915f7bb2
Opcode Fuzzy Hash: f027ce8b59f22231994bff4a6b4169ecdaa66d1b2a2c873bc886feb9d329e488
Instruction Fuzzy Hash: CF218E71B0CE42C6FB209B12F860A6A73A0BBA4794F445436EA4E47755FF3CE845CB00

Function 00007FFD6D9C0A00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegGetValueW.ADVAPI32 ref: 00007FFD6D9C0AB6

Part of subcall function 00007FFD6DA07DF4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07E11

SHRegGetValueFromHKCUHKLM.SHLWAPI ref: 00007FFD6D9C0A81

Strings

Software\Microsoft\Windows NT\CurrentVersion\MTCUVC, xrefs: 00007FFD6D9C0A33
EnableMTCUVC, xrefs: 00007FFD6D9C0A46

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$From_invalid_parameter_noinfo
String ID: EnableMTCUVC$Software\Microsoft\Windows NT\CurrentVersion\MTCUVC
API String ID: 1239731142-1716574372
Opcode ID: dea8b8bf73e660cfd3424ad47cc209f9be4646aad1e7527ee6828e3e2a8b07c6
Instruction ID: 4ea8847b23cd2b2198d8900199de64b5fb19dbddc5611a9688f6fe1a0487408a
Opcode Fuzzy Hash: dea8b8bf73e660cfd3424ad47cc209f9be4646aad1e7527ee6828e3e2a8b07c6
Instruction Fuzzy Hash: 17115E65B0CF81C2EB108B56F85426AB3A4FB98BD4F544236EE8C47B69EF3CD0448B04

Function 00007FFD6D9C0EB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00007FFD6D9C0ED9
GetMenuItemInfoW.USER32 ref: 00007FFD6D9C0F10

Strings

", xrefs: 00007FFD6D9C0F03
P, xrefs: 00007FFD6D9C0EF5

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ItemMenu$CountInfo
String ID: "$P
API String ID: 115949281-1577843662
Opcode ID: 3ef0aec19ddb13bf6dbc20b388400d78e5ef382ade09f42a0f9c5b26a207f3e8
Instruction ID: ceabf8c05d836aff15849a9e884798b435c13a650b5ee102834da095aa6876d4
Opcode Fuzzy Hash: 3ef0aec19ddb13bf6dbc20b388400d78e5ef382ade09f42a0f9c5b26a207f3e8
Instruction Fuzzy Hash: 3F112171B1DE42C6F760CB26F46472A6694FB88BA4F544132EA8C83B54EF7DE545CB00

Function 00007FFD6D9C2F10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44registrystringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32 ref: 00007FFD6D9C2F3A
SHRegGetValueFromHKCUHKLM.SHLWAPI ref: 00007FFD6D9C2F78
RegGetValueW.ADVAPI32 ref: 00007FFD6D9C2FAA

Strings

UseWin32BatteryFlyout, xrefs: 00007FFD6D9C2F2A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Value$Fromlstrcmp
String ID: UseWin32BatteryFlyout
API String ID: 276759952-619460319
Opcode ID: 9c31c1ec46318fd0dcf7d8ebed1bb683ba3457409a7120f29b473207099455e4
Instruction ID: 5f1602cb798a0142da6f6b0d44460b32901c851886f0de4649a11b70e69e49ff
Opcode Fuzzy Hash: 9c31c1ec46318fd0dcf7d8ebed1bb683ba3457409a7120f29b473207099455e4
Instruction Fuzzy Hash: CF11C536B08F85C1DA608B16B85055AB7A4FB98BD4F584136EE8D47B28EF3CD5548B40

Function 00007FFD6D9D1F40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 00007FFD6D9D1F59
FindWindowExW.USER32 ref: 00007FFD6D9D1F77

Part of subcall function 00007FFD6D9D1F40: FindWindowExW.USER32 ref: 00007FFD6D9D1FAD

Strings

TravelBand, xrefs: 00007FFD6D9D1F4D, 00007FFD6D9D1F8A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FindWindow
String ID: TravelBand
API String ID: 134000473-3549115983
Opcode ID: 94b3cc1da5b487970714b2595b8a7650c9926a57d44b27393959184cb2d7814d
Instruction ID: f2782158a98ce8eeb75281d22e738009bfd82eddeb3eeadbc0ec22b375fa0975
Opcode Fuzzy Hash: 94b3cc1da5b487970714b2595b8a7650c9926a57d44b27393959184cb2d7814d
Instruction Fuzzy Hash: 21018F26B1EF52C1FF55976A7A30A76A292DFA9BE4B081032DD0D13F54FF2CE4858600

Function 00007FFD6D9C3EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 00007FFD6D9C3F08
GetWindowThreadProcessId.USER32 ref: 00007FFD6D9C3F13
EnumThreadWindows.USER32 ref: 00007FFD6D9C3F28

Strings

ApplicationManager_ImmersiveShellWindow, xrefs: 00007FFD6D9C3EFD

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ThreadWindow$EnumFindProcessWindows
String ID: ApplicationManager_ImmersiveShellWindow
API String ID: 274631990-213675812
Opcode ID: 98ec561c95098a4f667614e3b679b6cc1d91feedc0642a792968fb84ba97afac
Instruction ID: 56287b23851efc6987999770324e1103ad434e0a0e2623bdd613869a640b672f
Opcode Fuzzy Hash: 98ec561c95098a4f667614e3b679b6cc1d91feedc0642a792968fb84ba97afac
Instruction Fuzzy Hash: 0EF04F61B1CE42C1FF649B36B9645795262AF98BC0F489836D90E4BB59EF3CD4848300

Function 00007FFD6D9B2CC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 00007FFD6D9B2CDC
FindWindowExW.USER32 ref: 00007FFD6D9B2CF6

Strings

SHELLDLL_DefView, xrefs: 00007FFD6D9B2CCD
WorkerW, xrefs: 00007FFD6D9B2CEA

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FindWindow
String ID: SHELLDLL_DefView$WorkerW
API String ID: 134000473-2583568628
Opcode ID: a02ce4a47e3722e1ce5a4372299e297887f462741f6c8008b449c0fe13cb0ebb
Instruction ID: 0bc1e644e562d199510dd5b13ea3f02bfb9b55617fb7be8f8130ce365677a727
Opcode Fuzzy Hash: a02ce4a47e3722e1ce5a4372299e297887f462741f6c8008b449c0fe13cb0ebb
Instruction Fuzzy Hash: 26E030A1B0DF42D1FF698B62FA64AA62361EF98B94F4C9436C90D06B54ED3CD484C300

Function 00007FFD6D9BE760 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24windowregistryCOMMON

Download Yara Rule

APIs

GetClassWord.USER32 ref: 00007FFD6D9BE77A
RegisterWindowMessageW.USER32 ref: 00007FFD6D9BE78A
PostMessageW.USER32 ref: 00007FFD6D9BE7A2

Strings

WorkerW, xrefs: 00007FFD6D9BE780

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Message$ClassPostRegisterWindowWord
String ID: WorkerW
API String ID: 18795929-1267966093
Opcode ID: bfad77c09892389c4485814dd7a8db84c2d6af64fb75877e7e8f6b2b871da546
Instruction ID: 04f42922a6c3e786aebdce91c7e2582866be36078bf11942440fd56b85ecd129
Opcode Fuzzy Hash: bfad77c09892389c4485814dd7a8db84c2d6af64fb75877e7e8f6b2b871da546
Instruction Fuzzy Hash: 9AF0A020B0CE92C2FB408B62BD9053A2620EBD8BD4F544131EE4E43B98EF2CD892C300

Function 00007FFD6D9D2D00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD6D9D2D1F
GetProcAddress.KERNEL32 ref: 00007FFD6D9D2D2F

Strings

RaiseFailFastException, xrefs: 00007FFD6D9D2D28
kernelbase.dll, xrefs: 00007FFD6D9D2D15

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 33f4f61da59ededdea6aefb74e35cd82206a814675d91858146eca4abc1f1d82
Instruction ID: e09f437ff26841bc31e87579e4cb2b7aab80e45f53df553fd685d3c28b1f8471
Opcode Fuzzy Hash: 33f4f61da59ededdea6aefb74e35cd82206a814675d91858146eca4abc1f1d82
Instruction Fuzzy Hash: 48E03921B1DB91C1EB548F52F890029A261FFA8BC0B889135EA5D47B28EF3CD542C740

Function 00007FFD6DA11608 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFD6DA11687
WriteFile.KERNEL32 ref: 00007FFD6DA1194F
WriteFile.KERNEL32 ref: 00007FFD6DA11995
GetLastError.KERNEL32 ref: 00007FFD6DA11A4B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 52c33f0f4fc68b1f3c2a3842e8bed91f01aab6976232962e0bdb7bd8e8fc79e4
Instruction ID: e68b112a71111f7cb965ab257375ac402c615eee27ad1a2029faa33f1a601d2a
Opcode Fuzzy Hash: 52c33f0f4fc68b1f3c2a3842e8bed91f01aab6976232962e0bdb7bd8e8fc79e4
Instruction Fuzzy Hash: BBD1C272B1CA81C9E711CF65E8602BC3BB1FB65798B048236CE5D97B99EE38D406C340

Function 00007FFD6DA11FC8 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FFD6DA11FB3), ref: 00007FFD6DA120E4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FFD6DA11FB3), ref: 00007FFD6DA1216F

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: af5d92c1cace1781b7f55f6834ddc705f2db52580a797490cce788124f166c46
Instruction ID: 186e351f8413559d027ba97daabc82adf59ce4431070814f154d658838141738
Opcode Fuzzy Hash: af5d92c1cace1781b7f55f6834ddc705f2db52580a797490cce788124f166c46
Instruction Fuzzy Hash: 5791B472F1CE52C5FB60CF65A8612BD2BA4BB66B88F544139DE0E57694EF38D442C700

Function 00007FFD6D9DCC90 Relevance: 6.2, APIs: 4, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000000), ref: 00007FFD6D9DCD8D
HeapFree.KERNEL32(?,?,?,00000000), ref: 00007FFD6D9DCD9B
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9DCE92
_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6D9DCF06

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Heap_invalid_parameter_noinfo$FreeProcess
String ID:
API String ID: 3364316771-0
Opcode ID: 161acb2dc217c73e48788f21060d856e356ab8a03b65c34d3ecce736ef945018
Instruction ID: 5df4851364c69e5483755ef0ceac0113082cd800d3c9f6a1b204e96f063d0826
Opcode Fuzzy Hash: 161acb2dc217c73e48788f21060d856e356ab8a03b65c34d3ecce736ef945018
Instruction Fuzzy Hash: D081A6A6B09F42C5EB558F15B614279A7A6FB18B94F588132DE0D07784EF3DE89AC300

Function 00007FFD6D9C1EF0 Relevance: 6.1, APIs: 4, Instructions: 116windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9BD750: QueryPerformanceFrequency.KERNEL32 ref: 00007FFD6D9BD768
Part of subcall function 00007FFD6D9BD750: QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9BD777

GetCursorPos.USER32 ref: 00007FFD6D9C1F5B
#410.COMCTL32 ref: 00007FFD6D9C2014
TrackPopupMenuEx.USER32 ref: 00007FFD6D9C2032
#412.COMCTL32 ref: 00007FFD6D9C2060

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: PerformanceQuery$#410#412CounterCursorFrequencyMenuPopupTrack
String ID:
API String ID: 2611046820-0
Opcode ID: 6d359dba38e38f0fd8d26714c50724da7b3f6c699e98e932916bf970f0605276
Instruction ID: fb4c6c181e5b07fba6afe466d3b03e4f9a0c66120e52fda9378ef30860ab1b67
Opcode Fuzzy Hash: 6d359dba38e38f0fd8d26714c50724da7b3f6c699e98e932916bf970f0605276
Instruction Fuzzy Hash: F9416C22B1DE42C6FA608B55F86067AB7A0FB96790F504037EA4D13794EF3CE941CB44

Function 00007FFD6D9BEBF0 Relevance: 6.1, APIs: 4, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

QISearch.SHLWAPI ref: 00007FFD6D9BEC0D
VirtualProtect.KERNEL32 ref: 00007FFD6D9BEC60
VirtualProtect.KERNEL32 ref: 00007FFD6D9BECDE
VirtualProtect.KERNEL32 ref: 00007FFD6D9BED20

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$Search
String ID:
API String ID: 1061791571-0
Opcode ID: 609fb0610ea1e04da7f606b497a7e1f23212641d960228f46bd12f0ca4b232b1
Instruction ID: ed8ab4b540c8e61305841985519892cea1cd551bf0efc8a6e7dcfcda49204015
Opcode Fuzzy Hash: 609fb0610ea1e04da7f606b497a7e1f23212641d960228f46bd12f0ca4b232b1
Instruction Fuzzy Hash: E3411776B08E06C2EB608F02F56437667A5FB98B94F114536DA0D877A4EF3CE8A5C710

Function 00007FFD6D9DF790 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FFD6D9DF7B3
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFD6D9DF7CA
AcquireSRWLockExclusive.KERNEL32 ref: 00007FFD6D9DF845
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFD6D9DF86E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 06dff6111a6ab23d7a8e5ebc3c04aa834feb7d5774efce5f54b4225c2b0d95b7
Instruction ID: a9c8b206fbbfb7f563d1beae836ad8d4778f90ada75c2f793b21d2049796db86
Opcode Fuzzy Hash: 06dff6111a6ab23d7a8e5ebc3c04aa834feb7d5774efce5f54b4225c2b0d95b7
Instruction Fuzzy Hash: 95215E26718F85C1EB40DF21F5A12AD63A4FB98B88F584432EA8D83B59EF3CD556C700

Function 00007FFD6D9EF9C0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

RmStartSession.RSTRTMGR ref: 00007FFD6D9EF9EF

Part of subcall function 00007FFD6D9EF870: FindWindowW.USER32(00000000), ref: 00007FFD6D9EF8A7
Part of subcall function 00007FFD6D9EF870: GetWindowThreadProcessId.USER32 ref: 00007FFD6D9EF8BB
Part of subcall function 00007FFD6D9EF870: K32EnumProcesses.KERNEL32 ref: 00007FFD6D9EF8DB
Part of subcall function 00007FFD6D9EF870: OpenProcess.KERNEL32 ref: 00007FFD6D9EF916
Part of subcall function 00007FFD6D9EF870: K32GetProcessImageFileNameW.KERNEL32 ref: 00007FFD6D9EF935
Part of subcall function 00007FFD6D9EF870: GetProcessTimes.KERNEL32 ref: 00007FFD6D9EF957
Part of subcall function 00007FFD6D9EF870: CloseHandle.KERNEL32 ref: 00007FFD6D9EF972

RmRegisterResources.RSTRTMGR ref: 00007FFD6D9EFA3E
RmGetList.RSTRTMGR ref: 00007FFD6D9EFA6B
RmShutdown.RSTRTMGR ref: 00007FFD6D9EFA86

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Process$Window$CloseEnumFileFindHandleImageListNameOpenProcessesRegisterResourcesSessionShutdownStartThreadTimes
String ID:
API String ID: 1342731755-0
Opcode ID: 4fcac14c115dabf85868f5efbe11492551832147eb8b9f5c6124662002a6e051
Instruction ID: 5d12f20a75dc7cddd3b9af75d8f0830e9cdcdf68a8cd307cf33b8a614c156b90
Opcode Fuzzy Hash: 4fcac14c115dabf85868f5efbe11492551832147eb8b9f5c6124662002a6e051
Instruction Fuzzy Hash: 3621E632B1CE82CAE710DF24F8646AAB3A5FBD8354F804136E58D42A64EF7CE545CB40

Function 00007FFD6D9F1CF8 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFD6D9F1D24
GetCurrentThreadId.KERNEL32 ref: 00007FFD6D9F1D32
GetCurrentProcessId.KERNEL32 ref: 00007FFD6D9F1D3E
QueryPerformanceCounter.KERNEL32 ref: 00007FFD6D9F1D4E

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: eaa7e7bcf4fe3d42ae821e93649fc0302fd8afae25b3f1e7eaa4f26d506a1ee0
Instruction ID: 375e65a365e894347b26482e268fb94710c4c9d5639b55cdc756be9f5e719229
Opcode Fuzzy Hash: eaa7e7bcf4fe3d42ae821e93649fc0302fd8afae25b3f1e7eaa4f26d506a1ee0
Instruction Fuzzy Hash: BD11E826B19F01CAEB008F60E8652B833A4FB69768F441E35DA6D867A4EF7CD194C340

Function 00007FFD6D9B158B Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FFD6D9B15FD

Strings

Here is the stack trace:, xrefs: 00007FFD6D9B1611
Description: %s, xrefs: 00007FFD6D9B15EA
====================================, xrefs: 00007FFD6D9B1622

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: FreeLocal
String ID: ====================================$Description: %s$Here is the stack trace:
API String ID: 2826327444-530566993
Opcode ID: 742889035a95c695de0fc6dc59468db5742407c6e23b87f76239f04dfde54a1d
Instruction ID: c79804b1b641593189c0d033060ad0c7e5316573723a5fcf1313b890f3595b8c
Opcode Fuzzy Hash: 742889035a95c695de0fc6dc59468db5742407c6e23b87f76239f04dfde54a1d
Instruction Fuzzy Hash: C7F03121F0CE43C6FE04EB15F8711BE6251AF96780F490132E94E57296FF2CE9508310

Function 00007FFD6D9FC960 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFD6D9FC98A

Strings

csm, xrefs: 00007FFD6D9FCB1E
csm, xrefs: 00007FFD6D9FC9AF

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: eb29d8f8ac2b9e2bb578eed863ed3d463ed30fac0522db9aeb9dee633dc4dcf3
Instruction ID: 8e6f092da9d189d368fd548dae4dc4d077a500843236c1b85e89c965d110ff68
Opcode Fuzzy Hash: eb29d8f8ac2b9e2bb578eed863ed3d463ed30fac0522db9aeb9dee633dc4dcf3
Instruction Fuzzy Hash: DD717077B08A82C6DB608F25A4A47797BA0EB44B95F14C137DE8C57A89EF3CD4A1C740

Function 00007FFD6D9FCF9C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFD6D9FD046
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFD6D9FD06F

Strings

csm, xrefs: 00007FFD6D9FD16F

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 13fd3154715085dd0f014c0e559fa7e9ca83d2e20f6c5694adf46d1fc6ce1f7f
Instruction ID: d99a542a0bc851202cbd85fb0374c70b3f105969430ade707f2177346c0b5711
Opcode Fuzzy Hash: 13fd3154715085dd0f014c0e559fa7e9ca83d2e20f6c5694adf46d1fc6ce1f7f
Instruction Fuzzy Hash: 76515E33718B41C6E620AB56F59066E77A5FB89BA0F140136EB8D07B55DF3CE4A0CB00

Function 00007FFD6D9E3EA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFD6D9E404D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFD6D9E4053

Strings

.dll, xrefs: 00007FFD6D9E3FC0, 00007FFD6D9E4013

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: .dll
API String ID: 73155330-2738580789
Opcode ID: 12411074d2cd6ca8ba2ce2916a210b49fc3f65ce1fd5002901eef068f33d6cd6
Instruction ID: 3cfcd7e37ef225d3fad21a4b3e4c1a6faec9615986df0f387489a0e316575e14
Opcode Fuzzy Hash: 12411074d2cd6ca8ba2ce2916a210b49fc3f65ce1fd5002901eef068f33d6cd6
Instruction Fuzzy Hash: AC41A162B18E41D5EA249B26F5242ADA362EF48BE1F944732DA7D07BD5EE3CE145C300

Function 00007FFD6DA0C760 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA0C792

Part of subcall function 00007FFD6DA0DBDC: RtlFreeHeap.NTDLL(?,?,834800000B7CE800,00007FFD6DA1743A,?,?,?,00007FFD6DA17477,?,?,00000000,00007FFD6DA15459,?,?,00007FFD6DA0CF3A,00007FFD6DA1538B), ref: 00007FFD6DA0DBF2
Part of subcall function 00007FFD6DA0DBDC: GetLastError.KERNEL32(?,?,834800000B7CE800,00007FFD6DA1743A,?,?,?,00007FFD6DA17477,?,?,00000000,00007FFD6DA15459,?,?,00007FFD6DA0CF3A,00007FFD6DA1538B), ref: 00007FFD6DA0DBFC

Strings

y, xrefs: 00007FFD6DA0C7BA
C:\Windows\explorer.exe, xrefs: 00007FFD6DA0C7A3

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ErrorFreeHeapLast_invalid_parameter_noinfo
String ID: y$C:\Windows\explorer.exe
API String ID: 2724796048-2209748193
Opcode ID: c12cf84ce52d74157eb6110d6a415d6e8a0aaa45f84cbad5a239e489c0262790
Instruction ID: d49c2ea492d8aa98bafec4d362013defea486940f7e63fc6ba44aaea13553fdb
Opcode Fuzzy Hash: c12cf84ce52d74157eb6110d6a415d6e8a0aaa45f84cbad5a239e489c0262790
Instruction Fuzzy Hash: F4416876B0CE02CAEB149F21B9601BD37A4EB64B98F544035EA4E47B96EF3CE481C350

Function 00007FFD6DA11CA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFD6DA11DB7
GetLastError.KERNEL32 ref: 00007FFD6DA11DD9

Strings

U, xrefs: 00007FFD6DA11D63

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4ef2fec41d66e7b0c39bf9e201830508b86a8f97eaffa894a0546182e11c999c
Instruction ID: e4ac14cae4a0e70e6feee9fb476e71adda3659bf52c8bc8be0bcb8b6608d1efd
Opcode Fuzzy Hash: 4ef2fec41d66e7b0c39bf9e201830508b86a8f97eaffa894a0546182e11c999c
Instruction Fuzzy Hash: 68418062B1DA41C6EB208F25F8543B967A5FBA8794F544031EA4E87798FF3CD441C750

Function 00007FFD6D9C9EC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FFD6D9C9F74

Strings

Microsoft.System, xrefs: 00007FFD6D9C9F8F
Microsoft.ProgramsAndFeatures, xrefs: 00007FFD6D9C9F9A

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CreateInstance
String ID: Microsoft.ProgramsAndFeatures$Microsoft.System
API String ID: 542301482-3255149969
Opcode ID: 76c8e444b27fe39e4f4f7cd7c979516f31864d3a5ec44ce31dd305f303e53b5e
Instruction ID: 1ca598aa6b37131f40c4ff570322e39afab8c83c3350b655139bc98ae61c0f4b
Opcode Fuzzy Hash: 76c8e444b27fe39e4f4f7cd7c979516f31864d3a5ec44ce31dd305f303e53b5e
Instruction Fuzzy Hash: 02318D22B1CE02D5FB508B16F8A077963A1BBA4B99F554032ED0E47A64FF7CE985C700

Function 00007FFD6D9C0F90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FFD6D9C0FE4

Strings

Shell_TrayWnd, xrefs: 00007FFD6D9C0FF3
Shell_SecondaryTrayWnd, xrefs: 00007FFD6D9C103B

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ClassName
String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
API String ID: 1191326365-1433838494
Opcode ID: 7d690eed00541a1a3ff21cdf48d907f9b93627d4f5d46ef50a0d13f3d631b697
Instruction ID: 342d40d30e600815663415f8c949d5f6fc30d7218396d192b80e70f2ccc692ae
Opcode Fuzzy Hash: 7d690eed00541a1a3ff21cdf48d907f9b93627d4f5d46ef50a0d13f3d631b697
Instruction Fuzzy Hash: 6221B922B09991C2F764DB16B4246B97361FBA9BA0F844133DD4E12795FF3CD445C704

Function 00007FFD6D9CB4B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32 ref: 00007FFD6D9CB560

Part of subcall function 00007FFD6DA07DF4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFD6DA07E11

SHFlushSFCache.SHELL32 ref: 00007FFD6D9CB527

Strings

Attributes, xrefs: 00007FFD6D9CB4F9

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: CacheFlushValue_invalid_parameter_noinfo
String ID: Attributes
API String ID: 3611136396-2126945696
Opcode ID: 61f8949d13c83116c11eca864c0a5fa46b1603fb9721b1164daadc07d62b2ca3
Instruction ID: 789fcfde5994644df2c660f878a7389c4550f9bdaa54e7ad78696df281595046
Opcode Fuzzy Hash: 61f8949d13c83116c11eca864c0a5fa46b1603fb9721b1164daadc07d62b2ca3
Instruction Fuzzy Hash: 1D113D62B1DF81C6EB60CB15B96066677A0BBA8798F440136ED4E87B55FF3CE445CB00

Function 00007FFD6D9C8590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFD6D9C8624
VirtualProtect.KERNEL32 ref: 00007FFD6D9C8664

Part of subcall function 00007FFD6D9B2890: GetModuleHandleW.KERNEL32 ref: 00007FFD6D9B28AF
Part of subcall function 00007FFD6D9B2890: GetProcAddress.KERNEL32 ref: 00007FFD6D9B28C8
Part of subcall function 00007FFD6D9B2890: RegOpenKeyExW.KERNEL32 ref: 00007FFD6D9B293F
Part of subcall function 00007FFD6D9B2890: RegQueryValueExW.KERNEL32 ref: 00007FFD6D9B296F

Strings

xx????xxx????xxxxx, xrefs: 00007FFD6D9C85EB

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
String ID: xx????xxx????xxxxx
API String ID: 1029361184-12075917
Opcode ID: ac8d19c21730da1544376e4b0af706d3be0a68a0644757958af984dd8afef0e5
Instruction ID: 49fb0c58e07b8bc04265c09474d5a57643e88eedb192ef45f47143240f7a4e48
Opcode Fuzzy Hash: ac8d19c21730da1544376e4b0af706d3be0a68a0644757958af984dd8afef0e5
Instruction Fuzzy Hash: AD2128A1B1CE82C6FF64DF21FA2467A23A0BBA5745F885436DA4D06694FF3CE544CB10

Function 00007FFD6D9FA974 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFD6D9D4E0F), ref: 00007FFD6D9FA9C4
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFD6D9D4E0F), ref: 00007FFD6D9FAA05

Strings

csm, xrefs: 00007FFD6D9FA9F2

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 294f5191e1270741e06cf4524307e68c3614810c006c3ab0fad37d690a8a813c
Instruction ID: 459c6b266fd6b730faf74021fe319f5d85f23b0f43a2539fc15fef6050778b0e
Opcode Fuzzy Hash: 294f5191e1270741e06cf4524307e68c3614810c006c3ab0fad37d690a8a813c
Instruction Fuzzy Hash: D8111936618F4182EB218F15F450269B7E4FB88B94F594231EACD07B58EF3CD591CB00

Function 00007FFD6D9CFCB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFD6D9CFD00
RegOpenKeyExW.ADVAPI32 ref: 00007FFD6D9CFD25

Strings

$start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current, xrefs: 00007FFD6D9CFCCE

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Open
String ID: $start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current
API String ID: 71445658-2485209836
Opcode ID: 31070c82b62bc71c7a479a78f4de297f3264b8cf6f54855808b177f40f462745
Instruction ID: 3299ca188f98917dcdef8894b2c3295aed65ad34026956c43a2a5b7cc95e51c1
Opcode Fuzzy Hash: 31070c82b62bc71c7a479a78f4de297f3264b8cf6f54855808b177f40f462745
Instruction Fuzzy Hash: 2A01E935B0CF95C1DA108F02B85002AB3A5FB99BD4F145136EE8D47B69EF7CD5118B00

Function 00007FFD6D9CD7F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32registrystringCOMMON

Download Yara Rule

APIs

RegGetValueW.ADVAPI32 ref: 00007FFD6D9CD823
lstrcmpW.KERNEL32 ref: 00007FFD6D9CD835

Strings

ReplaceVan, xrefs: 00007FFD6D9CD829

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Valuelstrcmp
String ID: ReplaceVan
API String ID: 372169353-130473729
Opcode ID: a9a3f3f434d355c5e894d57583558c5d7c681a3fa1c53be222b2ad6a79273646
Instruction ID: 54f6d10a8588c83431219747c5dc955a333c3fbb627e4e88cc727403055ef54b
Opcode Fuzzy Hash: a9a3f3f434d355c5e894d57583558c5d7c681a3fa1c53be222b2ad6a79273646
Instruction Fuzzy Hash: 33F0A832B08B81C2EA608B16F44011AA7A4F7D8BD4F584135EB9D53B28EF7CD596CB04

Function 00007FFD6D9BEF20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29windowregistryCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32 ref: 00007FFD6D9BEF4E
RegisterWindowMessageW.USER32 ref: 00007FFD6D9BEF5D

Strings

TaskbarCreated, xrefs: 00007FFD6D9BEF56

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Message$PostQuitRegisterWindow
String ID: TaskbarCreated
API String ID: 1640695409-2362178303
Opcode ID: 0187cf86c33bd5104ffbeaa3c57ac9d82481bac32a614074400ec315c58d9dac
Instruction ID: a93aa284eea859c432ae1e03fbc0a82f097802b7242c2c3f6c841bb05c7d8624
Opcode Fuzzy Hash: 0187cf86c33bd5104ffbeaa3c57ac9d82481bac32a614074400ec315c58d9dac
Instruction Fuzzy Hash: BCF04931B1CF51C6E714CB12FAA002AA764FBA4BC0F184436EA4E43B68EE3CE854C740

Function 00007FFD6D9EFC20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD6D9EF9C0: RmStartSession.RSTRTMGR ref: 00007FFD6D9EF9EF
Part of subcall function 00007FFD6D9EF9C0: RmRegisterResources.RSTRTMGR ref: 00007FFD6D9EFA3E
Part of subcall function 00007FFD6D9EF9C0: RmGetList.RSTRTMGR ref: 00007FFD6D9EFA6B
Part of subcall function 00007FFD6D9EF9C0: RmShutdown.RSTRTMGR ref: 00007FFD6D9EFA86

RmRestart.RSTRTMGR ref: 00007FFD6D9EFC34
RmEndSession.RSTRTMGR ref: 00007FFD6D9EFC52

Strings

RmRestart error: %d, xrefs: 00007FFD6D9EFC40

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Session$ListRegisterResourcesRestartShutdownStart
String ID: RmRestart error: %d
API String ID: 4293926141-2348054958
Opcode ID: 5bdc35369df023c40205556229e892c215e7e27d4d256e3d465624c2cc494c0c
Instruction ID: e70a6eb32e7ddbed5b8bf2818c0fc4f6d441a8750482943053245690250c896d
Opcode Fuzzy Hash: 5bdc35369df023c40205556229e892c215e7e27d4d256e3d465624c2cc494c0c
Instruction Fuzzy Hash: DEE0C222F2CD02C6F704AF35BCA163232A1AFA4310B540236C00D862A0FE2CB482C704

Function 00007FFD6D9BE7C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14threadCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 00007FFD6D9BE7D2
GetWindowThreadProcessId.USER32 ref: 00007FFD6D9BE7DD

Strings

ApplicationManager_ImmersiveShellWindow, xrefs: 00007FFD6D9BE7C7

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Window$FindProcessThread
String ID: ApplicationManager_ImmersiveShellWindow
API String ID: 3928697162-213675812
Opcode ID: 785884996038eb07269ece9f2aac681ad31a3c997a130d15eced3052a72fa19b
Instruction ID: 4e98c68d53a6da9b62292ccfef00cdd3b1d7e403bb4a33674af89748273b3d72
Opcode Fuzzy Hash: 785884996038eb07269ece9f2aac681ad31a3c997a130d15eced3052a72fa19b
Instruction Fuzzy Hash: E0D01765F0DF12C2EB28EB22BC606762262ABE9740F848836C80E46654EE3C9249C340

Function 00007FFD6D9D3AD0 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD6D9D3B0C
HeapFree.KERNEL32 ref: 00007FFD6D9D3B1A
GetProcessHeap.KERNEL32 ref: 00007FFD6D9D3B4A
HeapFree.KERNEL32 ref: 00007FFD6D9D3B58

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f937c6682dcf3a9ff0302a6433372f0880cab65868d56d15823227cbf0c0e19e
Instruction ID: 05ecc52538831c9caee4dffb534e11591df0efb8296ebd83cae742bc37ffeee5
Opcode Fuzzy Hash: f937c6682dcf3a9ff0302a6433372f0880cab65868d56d15823227cbf0c0e19e
Instruction Fuzzy Hash: A2117C36B0AF91C6EA088F26F950269B361FB98B90F084135CB6D03750EF3CE425C340

Function 00007FFD6D9DCF60 Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFD6D9DCF97
HeapFree.KERNEL32 ref: 00007FFD6D9DCFA5
GetProcessHeap.KERNEL32 ref: 00007FFD6D9DCFC3
HeapFree.KERNEL32 ref: 00007FFD6D9DCFD1

Memory Dump Source

Source File: 0000000A.00000002.11863396591.00007FFD6D9B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFD6D9B0000, based on PE: true

Associated: 0000000A.00000002.11863376055.00007FFD6D9B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863442901.00007FFD6DA1D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863468031.00007FFD6DA4A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863486944.00007FFD6DA4B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863689118.00007FFD6DA50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863729111.00007FFD6DA52000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863753316.00007FFD6DA58000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.11863774147.00007FFD6DA5B000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd6d9b0000_explorer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d32006554449b9a559cd97bd1e0149a2bcec8fc36393850d245d1d8738b88866
Instruction ID: 061e28b78f1be0e5bb522f0a16f1a6e33852f7323b1eddbd1805d2b64c940c80
Opcode Fuzzy Hash: d32006554449b9a559cd97bd1e0149a2bcec8fc36393850d245d1d8738b88866
Instruction Fuzzy Hash: 26013976B08E51C6EB148F66FA400A97761FBA8BD4B194031DB5D23B28EF38D467C340

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ep_setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll

C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll

C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\BitMDL2.ttf

C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\SkypeUISymbol-Regular.ttf

C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub150x150.png

C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub71x71.png

C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote150x150.png

C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote71x71.png

C:\Program Files\ExplorerPatcher\WebView2Loader.dll

C:\Program Files\ExplorerPatcher\Windows.UI.ShellCommon.pri

C:\Program Files\ExplorerPatcher\ep_dwm.exe

C:\Program Files\ExplorerPatcher\ep_gui.dll

C:\Program Files\ExplorerPatcher\ep_setup.exe

C:\Program Files\ExplorerPatcher\ep_setup.exe:Zone.Identifier

C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll

C:\Program Files\ExplorerPatcher\ep_weather_host.dll

C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

C:\Program Files\ExplorerPatcher\pris\Windows.UI.ShellCommon.en-US.pri

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk

Windows Analysis Report
ep_setup.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre